For a complete listing of the registry keys, etc. for all of the malware Spybot found on the system, see Search results from Spybot - Search & Destroy 9/3/2006 6:56:08 PM.
I found a FunWebProducts folder under C:\Program Files. Within that folder were two subfolders: ScreenSaver and Shared. The ScreenSaver directory had only an Images directory beneath it and that directory was empty. The Shared directory had one file in it, 0DE1CE0C.dat, which was dated April 3, 2006 and a Cache directory. The Cache directory had the following 4 HTML files within it:
09/03/2006 06:39 PM 107,229 CursorManiaBtn.html 08/25/2006 08:52 AM 58,071 FunBuddyIconBtn.html 08/24/2006 05:08 PM 19,131 MyFunCardsIMBtn.html 02/21/2006 03:06 PM 1,407 res100.html 09/03/2006 06:39 PM 400,089 SmileyCentralBtn.html
Zip file of contents of FunWebProducts folder
The FunWebProducts directory had a creation timestamp of Tuesday, February 21, 2006, 3:01:21 PM. When I looked under Add or Remove Programs for any references to "FunWeb" or "FunWebProducts", I found none, but I did see My Web Search (Smiley Central). Spybot also reported it found MyWay.MyWebSearch and MyWebSearch. It did not have any information on those products. I did find a C:\Program Files\MyWebSearch directory. It had a creation timestamp of Tuesday, February 21, 2006, 3:01:16 PM, so apparently came along with FunWebProducts.
Zip file of contents of MyWebSearch folder
The only other items Spybot found, aside from FunWeb, FunWebProducts, MyWay.MyWebSearch, and MyWebSearch, which all seem to be related, were advertising cookies, which are relatively innocuous. It also reported "Windows Security Center.AntiVirusOverride", but I had set that registry key for Symantec AntiVirus Corporate Edition 8.0. So all of the malware on the system apparently came with FunWebProducts.
When I switched Spybot to "advanced mode" and looked for BHOs under Tools, I saw "MyWebSearch Search Assistant BHO" and "mwsBar BHO" labelled as malware (a white "X" in a red octagon). They were the only two labelled as malware (see Spybot BHO Report) The creation date for both was listed as 7/19/2006, but they may have been updated since the malware was first installed.
If you export the BHO information to a file in Spybot, you will see references to Doxdesk's parasite information page on MySearch at http://www.doxdesk.com/parasite/MySearch.html. Unfortunately, the parasite database on that website, which was an excellent source of information on malware, has been taken down. The Internet Archive, aka the "Wayback Machine", has archived copies of the Doxdesk MySearch webpage at http://web.archive.org/web/*/http://www.doxdesk.com/parasite/MySearch.html . The last time that page was archived was November 29, 2004. I've also stored an archived copy of the page at MySearch. That webpage indicates that MySearch is linked to iWon.com, which is also linked to the Aornum parasite.
The FunWebProducts adware is apparently bundled with a number of "free" products offered by iWon, including Smiley Central, PopSwatter, My Mail Signature, My Mail Stationery, My Mail Stamp, and Cursor Mania. The last product is a cursor chooser while the others are touted as enhancements for email. The user had a rose cursor on the system. Perhaps that was from Cursor Mania. When I had Spybot remove the malware it found, the cursor was back to the default one when I logged into the user's account afterwards.
I had Spybot remove all of the malware it found and the advertising cookies as well.
References:
Created: Sunday September 3, 2006