Need help with "Manual Removal Guide for FunWebProducts"



mariner77
2009-04-09, 21:19
Hello,

My friend has got 3 entries that cannot be removed using Spybot S&D.

These are 3 FunWebProducts(PUPS) entries:

The entries are displayed in Spybot as follows:

(SBI $724750D4) Program Directory
C:\ProgramFiles\FunWebProducts\ScreenSaver

(SBI $B71E4FFD) Program Directory
C:\ProgramFiles\FunWebProducts

(SBI $B71E4FFD) Program Directory
C:\ProgramFiles\funWebProducts (NB notice lower case f !)

I tried to correct these problems with Spybot and got the message:

"Warning: Some problems couldn't be fixed; the reason could be that the associated files are still in use(in memory).
This could be fixed after a restart.
May Spybot-S&D run on your next system startup ? (YES/NO)"

To which I replied "Yes", saw Spybot S&D run again
(Not sure if it was startup or shutdown but think the latter, as only Spybot was shown on the desktop)
Anyway, I saw it find the same errors, which I tried to fix again but to no avail, with the same error message

I then thought I would(rightly or wrongly) try to restore the PC back to an earlier time,
but this did not work either (who knows if this is related.....)

Anyway I did a search for "FunWebProducts" on the forum and found the post named:

"Manual Removal Guide for FunWebProducts"
http://forums.spybot.info/showthread.php?t=40380

which seems to be what I need to do ?

However due to my lack of registry and FileAlyzer knowledge I am a bit hesitant to step right in to action.

I have checked for the files named on the above thread (turning on display hidden folders for C:\) and cannot find any of them except for:

"<$PROGRAMFILES>\FunWebProducts\ScreenSaver".
"<$PROGRAMFILES>\FunWebProducts".

Using Windows explorer, all I can see (with hidden folders ON) are the folders within:
"Program Files/FunWebproducts/Screensaver/Cache" structure
i.e. can see no other files or folders in any of these (sub)folders

(Notice too Spybot S&D also found the "funwebproducts" folder in addition to the "FunWebProducts" folder.
I can see the "FunWebProducts" folder but not the "funwebproducts" folder under /Program Files !??)

The "Manual Removal Guide for FunWebProducts" thread says:
"If FunWebProducts uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins."

Forgive my lack of knowledge - what does this mean ?
Does FunWebProducts use Rootkit technologies ?
Is that what the "SBI" in the results is referring to ?
Do I need to use FileAlyzer or something else to locate any potential rootkits ?

Can anyone advise me what to do ?
Do I need to search for these rootkits ? If so which program should I use ?
Or should I go ahead and try deleting the folders manually first ?

Many thanks in advance for any advice, much appreciated.

tashi
2009-04-09, 21:33
Hello mariner77,

At the end of Manual Removal Guide:

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,

Please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a volunteer analyst will advise you as soon as available.

If you wish to start a topic in Malware removal please read that forum's stickied faq beforehand. ;)

"Please read these instructions before requesting assistance" is here:
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Best regards.

mariner77
2009-04-09, 22:51
> Hello mariner77,
>
> At the end of Manual Removal Guide:
> If you wish to start a topic in Malware removal please read that forum's stickied faq beforehand. ;)
>
> "Please read these instructions before requesting assistance" is here:
> "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
>
> Best regards.

Many thanks for the guidance Tashi.

I did actually read the final words, but to explain, was a bit confused by:
"If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help"

since:

a) I didn't exhaustively follow the guidance on the "Manual Removal Guide" but simply wanted advice on whether I should follow it or not.
b) For some bizarre reason I thought "one on one help" meant e-mailing your support team ! :laugh:

Anyhow I see that you only want threads in the "Malware Removal" section once all other options have been exhausted so thank you for that help, I know better not to do that now !

If I may I ask here..... ?

Isn't deleting the entries manually in "Manual Removal Guide" a possible solution before asking the Malware removal team to fix a problem I may be able to fix myself ?
That's what I need advice with really - about whether and how I need to identify possible rootkit entries. I'm a novice with the registry........

If not, then just to be sure of what I am doing, I will follow the preliminary notes including disabling TeaTimer, backup my registry using ERUNT, do a "HijackThis" log etc etc then post a new thread up in the Malware removal forum with the log ?

And if/when I do do that, should I re-include all the initial details of the problem I gave in this thread again in the new thread, or just the log ?

Sorry for my lack of knowledge - maybe I'm not looking hard enough for the answers, I'm just a little confused about the correct procedure.

Many thanks for all your help, most appreciated.

Kind regards,
mariner77.

tashi
2009-04-10, 02:39
Hi there,


> I'm a novice with the registry........

Then best to leave it alone, no-one wants a PC doorstop. ;)



> If not, then just to be sure of what I am doing, I will follow the preliminary notes including disabling TeaTimer, backup my registry using ERUNT, do a "HijackThis" log etc etc then post a new thread up in the Malware removal forum with the log ?
>
> And if/when I do do that, should I re-include all the initial details of the problem I gave in this thread again in the new thread, or just the log ?


From the sticky,

Provide: The HJT log only.

<snip>

The topic's title should be the problem you believe you may have.

You could provide a link back to this topic along with the log.

By the way, :cowboy:

Did you run a Spybot-S&D scan in safe mode?
Scanning with Spybot-S&D in safe mode allows the program to try and remove items that keep reappearing after a scan, despite having been 'fixed'.

Reboot the computer into SafeMode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, begin tapping F8.
* Instead of Windows loading as normal, a menu should appear.
* Select the first option, to run Windows in Safe Mode.

Open Spybot-S&D while still in safe mode.

* Close all browsers, check for problems and fix everything found in red
* Repeat until no more items are found in red
* Close Spybot-S&D
* Reboot back into Windows


How to Start Vista in Safe Mode
Windowshelp-Microsoft (http://windowshelp.microsoft.com/Windows/en-us/help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx)

A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/kb/315222

How to Start a Windows 98-Based Computer in Safe Mode
http://support.microsoft.com/kb/180902


Best regards. :)

mariner77
2009-04-10, 03:29
Many thanks for your reply tashi,



> Then best to leave it alone, no-one wants a PC doorstop. ;)

Oh absolutely !

But to be clear, are you saying that even if I've got malware in the form of hidden rootkits then it's best to leave it be if I don't know what I'm doing ?

I did wonder (as I'm not sure whether I have them or not), if I might try just deleting these /Program Files/FunWebProducts folders and try re-scanning ?

Or is this totally pointless because I DO have them ?

If so isn't there anything I can do to fix it ?
Like either learn about the registry, try the manual removal guide or post a HJ log ?



> By the way, :cowboy:


Good one ! :laugh:
Given my awful knowledge you're probably right, I try my best(however awful that may be) to learn though.....

Maybe this is a better one ! :clown: :D:



> Did you run a Spybot-S&D scan in safe mode?
> Scanning with Spybot-S&D in safe mode allows the program to try and remove items that keep reappearing after a scan, despite having been 'fixed'.

Well, it wasn't that I fixed them and they re-appeared.
Spybot just doesn't seem to fix them.
I tried turning off the "TeaTimer" thingy (as in the preliminary steps you showed me) in the Advanced settings, but no joy.

Should I still try scanning in safe mode though to try and fix them ?
Or manually delete the folders ?
Or follow the preliminary steps and post a "Hijack this" log in a new thread of the "Malware remover" forum ?

Yes I'm ashamed to admit, I'm walking blind in the dark ! ;)
It's about time I made another donation to your site I think..... :laugh:

Kind regards and many thanks tashi.

tashi
2009-04-10, 05:49
Hello mariner77,


> I tried to correct these problems with Spybot and got the message:
>
> "Warning: Some problems couldn't be fixed; the reason could be that the associated files are still in use(in memory).
> This could be fixed after a restart.
> May Spybot-S&D run on your next system startup ? (YES/NO)"
>
> To which I replied "Yes", saw Spybot S&D run again
> (Not sure if it was startup or shutdown but think the latter, as only Spybot was shown on the desktop)
> Anyway, I saw it find the same errors, which I tried to fix again but to no avail, with the same error message




> Well, it wasn't that I fixed them and they re-appeared.
> Spybot just doesn't seem to fix them.


> Should I still try scanning in safe mode though to try and fix them ?
Yes, in safe mode you have access to only basic files and drivers. When the machine is operating in normal mode all processes are running.



> But to be clear, are you saying that even if I've got malware in the form of hidden rootkits then it's best to leave it be if I don't know what I'm doing ?

As no one has seen a log yet an analyst has not determined that there is a rootkit. ;)



> If so isn't there anything I can do to fix it ?
> Like either learn about the registry, try the manual removal guide or post a HJ log ?
>
> Or follow the preliminary steps and post a "Hijack this" log in a new thread of the "Malware remover" forum ?

If safe mode doesn't fix the problem please follow the instructions to post a HJT log yes. :)

Best regards.

mariner77
2009-04-11, 15:39
Thanks for the advice tashi, I'll give it a go and get back to you in a couple of days.

Kind regards,

Happy Easter !