How do i get rid of funbangladesh virus?

Post by matrix151 » August 30th, 2006, 6:12 pm

Please can you help. When I switch my computer on the desktop screen I get directed to a blank page on the web called funbangladesh.com and have no idea how to remove it. I have tried a Google search for a website to help me but the only one they had was in Italian and I'm not very good with the lingo. I chanced upon your site and hope you can help me please. Thanks. :shock:
matrix151
Active Member
 
Posts: 2
Joined: August 30th, 2006, 5:52 pm

Post by Navigator » August 30th, 2006, 7:40 pm

Hello matrix151...welcome to Malware Removal!

Let's start by getting a HJT log. Please do this:

Click here to download HJTsetup.exe.
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again. Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on Edit>Select All; then click on Edit>Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

how do i get rid of funbangladesh virus

Post by matrix151 » August 31st, 2006, 3:56 am

Here is the requested info:

Logfile of HijackThis v1.99.1
Scan saved at 08:40:29, on 08/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\pichx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\5d0d0377.exe
C:\Program Files\Win Fixer 2006\WinFX6.exe
C:\Program Files\Common Files\Win Fixer 2006\wfcookwr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\n?lookup.exe
C:\PROGRA~1\SEMBLY~1\netdde.exe
C:\Program Files\BBC News alerts\skinkers.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Online Services\Use MSN Explorer to sign up for Internet Access (US only).exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clicktomakeasearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.clicktomakeasearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.clicktomakeasearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... ahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.clicktomakeasearch.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A82F3E14-89F2-F605-D0EA-D30FA5E34892} - C:\WINDOWS\System32\ajkjye.dll
R3 - URLSearchHook: (no name) - {FD233A1F-D8A3-A702-D0EA-D30FA5E34891} - C:\WINDOWS\System32\ajkjye.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
O2 - BHO: (no name) - {39906540-D3F2-A804-8558-AA7F1618D9C8} - (no file)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {42BC412E-3C49-EF8C-A1FD-09523EC13084} - C:\Documents and Settings\Richard\Local Settings\Application Data\vwfcjvf.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: (no name) - {A82F3E14-89F2-F605-D0EA-D30FA5E34892} - C:\WINDOWS\System32\ajkjye.dll
O2 - BHO: (no name) - {FD233A1F-D8A3-A702-D0EA-D30FA5E34891} - C:\WINDOWS\System32\ajkjye.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\Run: [qE9O36l] smsap32.exe
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [Microsoft Update 64 BIT] winman32.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [REGWIN32] C:\pichx.exe
O4 - HKLM\..\Run: [REGMSYS] C:\klanp.exe
O4 - HKLM\..\Run: [3OKVA5] "C:\Program Files\InetGet2\CP.GH2.exe" /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2 /SHUN /PC=CP.GH2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5d0d0377.exe] C:\WINDOWS\System32\5d0d0377.exe
O4 - HKLM\..\Run: [Win_Fixer_2006] C:\Program Files\Win Fixer 2006\WinFX6.exe /min
O4 - HKLM\..\Run: [WinFX_cwr] C:\Program Files\Common Files\Win Fixer 2006\wfcookwr.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [kuafkbf.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\kuafkbf.dll,vytjpcd
O4 - HKLM\..\RunServices: [Windows Compliant] lhsunm.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] winman32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] msnmssgr.exe
O4 - HKCU\..\Run: [bpqERWJmg] panncode.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKCU\..\Run: [Joyyh] C:\WINDOWS\System32\n?lookup.exe
O4 - HKCU\..\Run: [Leol] "C:\PROGRA~1\SEMBLY~1\netdde.exe" -vt ndrv
O4 - HKCU\..\Run: [5d0d0377.exe] C:\Documents and Settings\Richard\Local Settings\Application Data\5d0d0377.exe
O4 - HKCU\..\Run: [BBC News alerts] C:\Program Files\BBC News alerts\skinkers.exe
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterpr ... ll_pre.php (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - AppInit_DLLs: tracert.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
matrix151
Active Member
 
Posts: 2
Joined: August 30th, 2006, 5:52 pm

Post by Navigator » August 31st, 2006, 7:46 pm

Hello matrix151....

Ouch.

Your computer is SEVERELY infected, to the extent that I have serious doubts as to the system's security. If you use this computer for any confidential/secure transactions I would take steps to ensure the integrity of those accounts, such as immediately changing all passwords for possibly affected accounts (from a non-infected computer) coupled with close monitoring of these accounts (or notification of financial institutions that your account may be compromised). I am not saying that anything HAS happened to your accounts and/or information, just that the possibility exists based on the capabilities of the infections present.

I count at least 3 Trojan/Rbots on your system, all of which have potential backdoor capabilities which may then allow unauthorized access to your computer. The reference for one of these Rbot infections is here:

http://www3.ca.com/securityadvisor/viru ... x?id=39437

While we can try and clean the computer (which may or may not be possible), even if we get the computer 'clean' there may be hidden damage that continues to compromise the system's security. There is considerable debate among malware fighting experts as to what the proper course of action at this point would be...to either clean the computer or have the victim reformat and reinstall the OS.

There are a lot of points to consider to arrive at the proper decision such as, is the computer used for secure transactions or business? Is there personal information stored on the computer that you would not want compromised? There is a good read about this subject here: http://www.dslreports.com/faq/10063 .

Let me know what you want to do...try and clean it or reformat it and reinstall the OS.

In the meantime, it would be helpful for us to check for the presence of a rootkit and also check an uninstall list from HJT:

1. Download and Save Blacklight to your desktop:

  • Double-click on blbeta.exe.
  • Click on Scan.
  • Once the Scan is Finished, click on Next.
  • Click on Exit.
  • A new document will be produced on the desktop.
  • Open this document with Notepad.
  • Copy and Paste its contents in a reply.


Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".

2. Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back and let me know what you would like to do, along with the Blacklight log and the HJT uninstall list....
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri
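
An added example, not part of the thread and not HijackThis's or the helper's own method: a small Python triage pass over HijackThis log lines that flags autostart entries for closer review. The four heuristics (extra program after userinit.exe, unnamed BHO, Run entry with no full path, in the drive root or with a '?' in its name, non-empty AppInit_DLLs) are assumptions chosen for illustration; a hit means "look closer", not "malicious", and legitimate entries can match.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
O2 - BHO: (no name) - {A82F3E14-89F2-F605-D0EA-D30FA5E34892} - C:\WINDOWS\System32\ajkjye.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Joyyh] C:\WINDOWS\System32\n?lookup.exe
O4 - HKLM\..\Run: [REGWIN32] C:\pichx.exe
O20 - AppInit_DLLs: tracert.dll
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")             # section code, rest of line
RUN = re.compile(r"^\S+: \[[^\]]*\] (?P<cmd>.+)$")     # O4 registry Run entries
PROG = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr))(?=[\s",]|$)', re.I)

def program(cmd):
    """Program part of an autorun command line, without quotes or arguments."""
    m = PROG.match(cmd.strip())
    return m.group(1) if m else cmd.strip()

def triage(log_text):
    """Return (code, entry, reasons) for entries matching the review heuristics."""
    findings = []
    lines = (ENTRY.match(l.strip()) for l in log_text.splitlines())
    for code, body in (m.groups() for m in lines if m):
        reasons = []
        if code == "F2" and "UserInit=" in body:
            chained = [p for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            if len(chained) > 1:
                reasons.append("extra program chained after userinit.exe")
        elif code == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed browser helper object")
        elif code == "O4" and RUN.match(body):
            prog = program(RUN.match(body).group("cmd"))
            if "\\" not in prog:
                reasons.append("autorun without a full path")
            elif re.match(r"^[A-Za-z]:\\[^\\]+$", prog):
                reasons.append("autorun from the drive root")
            if "?" in prog:
                reasons.append("file name has a character the log shows as '?'")
        elif code == "O20" and body.partition(":")[2].strip():
            reasons.append("AppInit_DLLs is set")
        if reasons:
            findings.append((code, body, reasons))
    return findings
```

Calling `triage()` on the full text of a saved log returns one tuple per flagged entry, in log order.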

Post by agrarianmonk » September 15th, 2006, 1:54 pm

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am