Jump to content
Sign in to follow this  
Metallica

Removal instructions for FunnyMall

Recommended Posts

What is FunyMall?

The Malwarebytes research team has determined that FunyMall is Adware. Adware (or spyware) is a small program that is designed to show advertisements (in various form and degrees of intrusiveness) on your computer. It often reports personal information back to its owners. As a result your sense of privacy can be violated.

How do I know if I am infected with FunyMall?

You will find this Browser Helper Object in your Internet Explorer add-ons.

BHOaddon2.png

How did FunyMall get on my computer?

Adware usually promises to do something for you for free, that you would have to pay for in other software.

How do I remove FunyMall?

Our program Malwarebytes' Anti-Malware can detect and remove this adware.

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

    [*]Then click Finish.

    [*]If an update is found, it will download and install the latest version.

    [*]Once the program has loaded, select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected. Reboot your computer if prompted.

    [*]When completed, a log will open in Notepad. The adware should now be gone.

Is there anything else I need to do to get rid of FunyMall?

  • No, Malwarebytes' Anti-Malware removes FunyMall completely.

How would the full version of Malwarebytes' Anti-Malware help protect me?

We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes' Anti-Malware for additional protection.

As you can see below the full version of Malwarebytes' Anti-Malware would have protected you against the FunyMall adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.

protection1.png

protection.png

Technical details for experts

Signs in a HijackThis log:

O2 - BHO: FunyMallDoc - {6C327875-C031-4397-B532-4B82F8F1F1A3} - C:\Program Files\FunyMall Auction Works\FunyMall.dll
O4 - HKLM\..\Run: [FunyMall] "C:\Program Files\FunyMall Auction Works\FunyMallUpdate.exe"

Alterations made by the installer:

  File System
===============
Adds the folder C:\Documents and Settings\{username}\Application Data\FunyMall
Adds the folder C:\Program Files\FunyMall Auction Works
Adds the file uninstall.exe"="10:30 13/03/10 68048 bytes
Adds the file msvcr80.dll"="14:03 01/12/06 626688 bytes
Adds the file Microsoft.VC80.CRT.manifest"="14:03 01/12/06 1869 bytes
Adds the file FunyMallUpdate.exe"="06:59 05/02/10 339968 bytes
Adds the file FunyMall.dll"="02:31 08/02/10 258048 bytes
Adds the folder C:\Program Files\FunyMall Auction Works\temp
Adds the folder C:\Program Files\FunyMall Auction Works\html

In the existing folder C:\WINDOWS\system32\wbem\Repository\FS
Alters the file INDEX.MAP
10:28 13/03/10 524 bytes ==> 10:32 13/03/10 524 bytes
Alters the file MAPPING.VER
10:28 13/03/10 4 bytes ==> 10:32 13/03/10 4 bytes
Alters the file MAPPING2.MAP
10:28 13/03/10 3172 bytes ==> 10:32 13/03/10 3172 bytes
Alters the file OBJECTS.MAP
10:28 13/03/10 2648 bytes ==> 10:32 13/03/10 2648 bytes

Registry
===============
[HKEY_CLASSES_ROOT\FunyMall.FunyMallDoc]
"(Default)"="'FunyMallDoc Class'"
[HKEY_CLASSES_ROOT\FunyMall.FunyMallDoc\CurVer]
"(Default)"="'FunyMall.FunyMallDoc.1'"
[HKEY_CLASSES_ROOT\FunyMall.FunyMallDoc\CLSID]
"(Default)"="'{6C327875-C031-4397-B532-4B82F8F1F1A3}'"
[HKEY_CLASSES_ROOT\FunyMall.FunyMallDoc.1]
"(Default)"="'FunyMallDoc Class'"
[HKEY_CLASSES_ROOT\FunyMall.FunyMallDoc.1\CLSID]
"(Default)"="'{6C327875-C031-4397-B532-4B82F8F1F1A3}'"
[HKEY_CLASSES_ROOT\FunyMall.GuideObj]
"(Default)"="'GuideObj Class'"
[HKEY_CLASSES_ROOT\FunyMall.GuideObj\CurVer]
"(Default)"="'FunyMall.GuideObj.1'"
[HKEY_CLASSES_ROOT\FunyMall.GuideObj\CLSID]
"(Default)"="'{26E9F120-A74D-43F0-9404-8C1BC3CDDE10}'"
[HKEY_CLASSES_ROOT\FunyMall.GuideObj.1]
"(Default)"="'GuideObj Class'"
[HKEY_CLASSES_ROOT\FunyMall.GuideObj.1\CLSID]
"(Default)"="'{26E9F120-A74D-43F0-9404-8C1BC3CDDE10}'"
[HKEY_CLASSES_ROOT\AppID\{5E50D1EF-9E7E-4456-A58C-52770F6783D7}]
"(Default)"="'FunyMall'"
[HKEY_CLASSES_ROOT\AppID\FunyMall.DLL]
"AppID"="'{5E50D1EF-9E7E-4456-A58C-52770F6783D7}'"
[HKEY_CLASSES_ROOT\CLSID\{26E9F120-A74D-43F0-9404-8C1BC3CDDE10}]
"AppID"="'{5E50D1EF-9E7E-4456-A58C-52770F6783D7}'"
"(Default)"="'GuideObj Class'"
[HKEY_CLASSES_ROOT\CLSID\{26E9F120-A74D-43F0-9404-8C1BC3CDDE10}\VersionIndependentProgID]
"(Default)"="'FunyMall.GuideObj'"
[HKEY_CLASSES_ROOT\CLSID\{26E9F120-A74D-43F0-9404-8C1BC3CDDE10}\TypeLib]
"(Default)"="'{DE33A0AD-7445-4212-B22B-9A3CBF690B0F}'"
[HKEY_CLASSES_ROOT\CLSID\{26E9F120-A74D-43F0-9404-8C1BC3CDDE10}\Programmable]
[HKEY_CLASSES_ROOT\CLSID\{26E9F120-A74D-43F0-9404-8C1BC3CDDE10}\ProgID]
"(Default)"="'FunyMall.GuideObj.1'"
[HKEY_CLASSES_ROOT\CLSID\{26E9F120-A74D-43F0-9404-8C1BC3CDDE10}\InprocServer32]
"ThreadingModel"="'Apartment'"
"(Default)"="'C:\Program Files\FunyMall Auction Works\FunyMall.dll'"
[HKEY_CLASSES_ROOT\CLSID\{26E9F120-A74D-43F0-9404-8C1BC3CDDE10}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
[HKEY_CLASSES_ROOT\CLSID\{6C327875-C031-4397-B532-4B82F8F1F1A3}]
"AppID"="'{5E50D1EF-9E7E-4456-A58C-52770F6783D7}'"
"(Default)"="'FunyMallDoc Class'"
[HKEY_CLASSES_ROOT\CLSID\{6C327875-C031-4397-B532-4B82F8F1F1A3}\VersionIndependentProgID]
"(Default)"="'FunyMall.FunyMallDoc'"
[HKEY_CLASSES_ROOT\CLSID\{6C327875-C031-4397-B532-4B82F8F1F1A3}\TypeLib]
"(Default)"="'{DE33A0AD-7445-4212-B22B-9A3CBF690B0F}'"
[HKEY_CLASSES_ROOT\CLSID\{6C327875-C031-4397-B532-4B82F8F1F1A3}\Programmable]
[HKEY_CLASSES_ROOT\CLSID\{6C327875-C031-4397-B532-4B82F8F1F1A3}\ProgID]
"(Default)"="'FunyMall.FunyMallDoc.1'"
[HKEY_CLASSES_ROOT\CLSID\{6C327875-C031-4397-B532-4B82F8F1F1A3}\InprocServer32]
"ThreadingModel"="'Apartment'"
"(Default)"="'C:\Program Files\FunyMall Auction Works\FunyMall.dll'"
[HKEY_CLASSES_ROOT\Interface\{47050D55-1D25-4894-A9C8-7282F1BF0E36}]
"(Default)"="'IFunyMallDoc'"
[HKEY_CLASSES_ROOT\Interface\{47050D55-1D25-4894-A9C8-7282F1BF0E36}\TypeLib]
"Version"="'1.0'"
"(Default)"="'{DE33A0AD-7445-4212-B22B-9A3CBF690B0F}'"
[HKEY_CLASSES_ROOT\Interface\{47050D55-1D25-4894-A9C8-7282F1BF0E36}\ProxyStubClsid32]
"(Default)"="'{00020424-0000-0000-C000-000000000046}'"
[HKEY_CLASSES_ROOT\Interface\{47050D55-1D25-4894-A9C8-7282F1BF0E36}\ProxyStubClsid]
"(Default)"="'{00020424-0000-0000-C000-000000000046}'"
[HKEY_CLASSES_ROOT\Interface\{E93C2241-B598-4261-8780-AAED2D6D5BBE}]
"(Default)"="'IGuideObj'"
[HKEY_CLASSES_ROOT\Interface\{E93C2241-B598-4261-8780-AAED2D6D5BBE}\TypeLib]
"Version"="'1.0'"
"(Default)"="'{DE33A0AD-7445-4212-B22B-9A3CBF690B0F}'"
[HKEY_CLASSES_ROOT\Interface\{E93C2241-B598-4261-8780-AAED2D6D5BBE}\ProxyStubClsid32]
"(Default)"="'{00020424-0000-0000-C000-000000000046}'"
[HKEY_CLASSES_ROOT\Interface\{E93C2241-B598-4261-8780-AAED2D6D5BBE}\ProxyStubClsid]
"(Default)"="'{00020424-0000-0000-C000-000000000046}'"
[HKEY_CLASSES_ROOT\TypeLib\{DE33A0AD-7445-4212-B22B-9A3CBF690B0F}\1.0]
"(Default)"="'FunyMall 1.0 ???? ???????'"
[HKEY_CLASSES_ROOT\TypeLib\{DE33A0AD-7445-4212-B22B-9A3CBF690B0F}\1.0\HELPDIR]
"(Default)"=""
[HKEY_CLASSES_ROOT\TypeLib\{DE33A0AD-7445-4212-B22B-9A3CBF690B0F}\1.0\FLAGS]
"(Default)"="'0'"
[HKEY_CLASSES_ROOT\TypeLib\{DE33A0AD-7445-4212-B22B-9A3CBF690B0F}\1.0\0\win32]
"(Default)"="'C:\Program Files\FunyMall Auction Works\FunyMall.dll'"
[HKEY_LOCAL_MACHINE\SOFTWARE\FunyMall]
"today"="'100313'"
"install"="'C:\Program Files\FunyMall Auction Works'"
"version"="'20100208'"
"pid"="'funymall'"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C327875-C031-4397-B532-4B82F8F1F1A3}]
"NoExplorer"="1"
"(Default)"="'FunyMallDoc'"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FunyMall"="'"C:\Program Files\FunyMall Auction Works\FunyMallUpdate.exe"'"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FunyMall]
"DisplayIcon"="'"C:\Program Files\FunyMall Auction Works\uninstall.exe"'"
"UninstallString"="'"C:\Program Files\FunyMall Auction Works\uninstall.exe"'"
"DisplayName"="'Auction shopping FunyMall'"
[HKEY_CURRENT_USER\Software\AppDataLow\Software\FunyMall]
"install"="'C:\Program Files\FunyMall Auction Works'"
"pid"="'funymall'"
[HKEY_CURRENT_USER\Software\FunyMall]
"start"="'03/13/10'"
"install"="'C:\Program Files\FunyMall Auction Works'"
"pid"="'funymall'"

Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.44
Database version: 3862
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/13/2010 10:42:16 AM
mbam-log-2010-03-13 (10-42-16).txt

Scan type: Quick Scan
Objects scanned: 104833
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funymall.funymalldoc (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{de33a0ad-7445-4212-b22b-9a3cbf690b0f} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{47050d55-1d25-4894-a9c8-7282f1bf0e36} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e93c2241-b598-4261-8780-aaed2d6d5bbe} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{26e9f120-a74d-43f0-9404-8c1bc3cdde10} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6c327875-c031-4397-b532-4b82f8f1f1a3} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6c327875-c031-4397-b532-4b82f8f1f1a3} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6c327875-c031-4397-b532-4b82f8f1f1a3} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funymall.funymalldoc.1 (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funymall.guideobj (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funymall.guideobj.1 (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{5e50d1ef-9e7e-4456-a58c-52770f6783d7} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\FunyMall.DLL (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FunyMall (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunyMall (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FunyMall (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AppDataLow\Software\FunyMall (Adware.ColorSoft) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\funymall (Adware.ColorSoft) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\{username}\Application Data\FunyMall (Adware.ColorSoft) -> Quarantined and deleted successfully.
C:\Program Files\FunyMall Auction Works (Adware.ColorSoft) -> Quarantined and deleted successfully.
C:\Program Files\FunyMall Auction Works\html (Adware.ColorSoft) -> Quarantined and deleted successfully.
C:\Program Files\FunyMall Auction Works\temp (Adware.ColorSoft) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\FunyMall Auction Works\FunyMall.dll (Adware.ColorSoft) -> Quarantined and deleted successfully.
C:\Program Files\FunyMall Auction Works\FunyMallUpdate.exe (Adware.ColorSoft) -> Quarantined and deleted successfully.
C:\Program Files\FunyMall Auction Works\uninstall.exe (Adware.ColorSoft) -> Quarantined and deleted successfully.

As mentioned before the full version of Malwarebytes' Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.