popup box for mwsbar.dll, 2nd of 4 profiles

Discussion in 'Malware Help (A Specialist Will Reply)' started by dancer1, Jul 18, 2010.

  1. dancer1

    dancer1 Private E-2

    I have been working to get a pc used primarily by my niece & nephew repaired. My brother, and a friend of my niece also use it occasionally. It is running XP svc pack 2. It has 4 different user profiles.

    It had been running slow for ages. In all profiles on start up a dialogue box appears: rundll, error loading c:\proga~1\mywebs~1\bar\1.bin\mwsbar.dll, the specified module could not be found.

    I hope that I have correctly followed all of the 7 steps for removing malware. I did each step to each user profile then moved on to the next step for each profile. Before completing all the steps the dialog box stopped appearing, but I did not think to note when that happened. I continued on completing all of the steps. I then toggled system restore.

    I then restored running teatime.exe to each profile. I then ran a scan using Spybot S&D. It reported one problem: sbi$ebeb7409 mywebsearchbar, hkey_local_machine\software\Microsoft\windows\current version\run\my websearch bar. I had Spybot remove it. The pop up dialog box began to show up again once I did that. Running regedit and deleting the line did not help. On reboot the line would reappear in the registry and the popup box kept coming back. I did a restore that stopped it from appearing. I then scanned again using Spybot. It again found the same problem. This time I did not have Spybot remove it. The pop up dialog box began to show up once again. I again did a restore, which has stopped it.

    It appeared that the pc still had malware on it. So I am here requesting assistance.

    Kestrel13! has assisted me to clean 1 profile. I am now requesting help to clean the 2nd profile.

    I have the log files from both my original attempt to clean up profile 2, and the new logs that I have after profile 1 is now clean.

    I will post the more recent ones first.

    Thank you.
     

    Attached Files:

  2. dancer1

    dancer1 Private E-2

    current log 5

    this is the last of the current logs
     

    Attached Files:

  3. dancer1

    dancer1 Private E-2

    logs 1 to 4 of the original logs

    these are the earlier logs
     

    Attached Files:

  4. dancer1

    dancer1 Private E-2

    last log of earlier ones

    this is the 5th log of the earlier logs
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are there two sets of logs here? As stated in the READ & RUN ME, scans must only be run once and then logs must be attached if any problems still exist.

    System Restore should not be toggled until your logs were verified to be clean.

    Also should not be done while you are still posting here for help since it would just get in the way of any cleaning steps and the first thing we would be telling you would be to disable Teatimer.

    A restore of what? I'm not sure why you are posting here if you are going to be doing things on your own which is exactly the opposite of what is stated in the first section of: READ & RUN ME FIRST. Malware Removal Guide

    ---Quote (Originally by dancer1)---
    I have the log files from both my original attempt to clean up profile 2, and the new logs that I have after profile 1 is now clean.
    ---End Quote---

    If you are having problems with what Spybot is reporting and not removing, you will have to attach a log from Spybot. Most of the time it is just an insignificant registry entry.


    Why do you have all of those Desktop Component entries showing in HijackThis? What is the user doing on this account?

    Why is LiveUpdate from Symantec running? Do you have any software from Symantec still installed?
     
    Last edited: Jul 18, 2010
  6. dancer1

    dancer1 Private E-2

    “Why are there two sets of logs here?”

    I apologize for not correctly following the instructions. I have tried my best and will continue to do so. The problem PC is not mine. I have taken it from my brother’s house to try and get it running properly for him and his family. Primarily my teen-age niece & nephew use it. It has 4 user profiles. All 4 profiles seemed to have the same problem.

    My knowledge of how malware removal tools work with multiple profiles is zero. I did each step one at a time to each profile. I ended up with 20 logs for posting. I started a thread with 5 log files from one of the profiles. I explained in that first post that there were 4 profiles on the PC all with the same apparent problems. Kestrel13! assisted me in cleaning up that profile.

    http://forums.majorgeeks.com/showthread.php?t=219219

    I was not sure then if the other profiles needed to be cleaned up, but I suspected that they did. Since I had made changes to the PC as requested by Kestrel13!, I was not sure if new logs had to now be generated. I thought your volunteers would want to work with new ones, but that they might still want to see the older ones. I then posted both sets of logs. I apologize for doing this incorrectly.

    Which ones should I remove, the newer ones or the original ones?

    “---Quote (Originally by dancer1)---
    I continued on completing all of the steps. I then toggled system restore.
    ---End Quote---
    System Restore should not be toggled until your logs were verified to be clean.”

    The Windows XP Cleaning Procedure says:

    * No, I’m not having any problems
    o If you are sure everything is okay and that you do not need to request any help, then jump to the next step below.

    Step 4: Toggle System Restore

    I was very undecided what to do next. The problem appeared to have gone away. I did not want to bother your volunteers needlessly so I did the Toggle System Restore. Clearly that was a mistake. I apologize for this mistake.

    “---Quote (Originally by dancer1)---
    I then restored running teatime.exe to each profile.
    ---End Quote---
    Also should not be done while you are still posting here for help since it would just get in the way of any cleaning steps and the first thing we would be telling you would be to disable Teatimer.”

    Same response as to why I toggled the restore feature. The problem appeared to have gone away. I thought the profile was clean. I apologize again.

    “---Quote (Originally by dancer1)---
    Running regedit and deleting the line did not help. On reboot the line would reappear in the registry and the popup box kept coming back. I did a restore that stopped it from appearing.
    ---End Quote---

    A restore of what?”

    I ran MS Windows System Restore.

    “I'm not sure why you are posting here if you are going to be doing things on your own which is exactly the opposite of what is stated in the first section of: READ & RUN ME FIRST. Malware Removal Guide

    ---Quote (Originally by dancer1)---
    I have the log files from both my original attempt to clean up profile 2, and the new logs that I have after profile 1 is now clean.
    ---End Quote---

    If you are having problems with what Spybot is reporting and not removing, you will have to attach a log from Spybot. Most of the time it is just an insignificant registry entry.”

    Spybot may now be fine in all profiles after cleaning profile 1. I do not know. I realized that I had made a mistake by not posting the first profile's log before I began to restore things so I am here now trying not to make that same mistake again.

    “Why do you have all of those Desktop Component entries showing in HijackThis? What is the user doing on this account?”

    As far as I know they were part of my niece's desktop background. They were thumbnail size icon images. I am not sure if they were all used or how it was created. She did not create it. A friend did it for her. They are not currently displaying, probably because they are links to a web site, and that PC is not connected to the internet right now. She does not care if they are deleted/removed, or moved.

    “Why is LiveUpdate from Symantec running? Do you have any software from Symantec still installed?”

    They used to have a Norton Suite on it. They are no longer using anything from Symantec, and would like to have Symantec LiveUpdate removed.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which is what? The rundll, error at startup related to MyWay? Is this still happening on this profile? If yes and if happening with the others, it may be due to how Spybot or something else was used to disable the startup because I see the below in your logs
    Scans should only be run once and then the first set of logs should be attached. Then additional instructions would be given if necessary.

    No problem, but it would be best in the future to check to see if problems are gone first and then decide which course to follow. ;)

    Okay but Teatimer is just not something we recommend since it has been too problematic in the past and still is troubling for many people to work around. In fact, it quite often is a hindrance to malware removal.

     
  8. dancer1

    dancer1 Private E-2

    “Quote:
    Originally Posted by dancer1
    Primarily my teen-age niece & nephew use it. It has 4 user profiles. All 4 profiles seemed to have the same problem.

    “Which is what? The rundll, error at startup related to MyWay?”

    Yes, that and the PC was running slow in all profiles.

    “Is this still happening on this profile?”

    It is not happening on start up. However, running a scan using Spybot after following the Run & Read Me Instructions along with the XP steps caused it to come back prior to receiving help from Kestrel13! for profile 1.

    I just ran a scan using Spybot while in profile 2. It was clean, and after reboot the rundll error did not reappear.

    Profile 2 appears to be running fine now.

    “Quote:
    Originally Posted by dancer1
    I ran MS Windows System Restore.

    “But you already stated that you toggled System Restore. The only restore point would be the one created after re-enabling System Restore and if you restored to this and had no problems, then you were already clean.”

    Yes, that was the point that I restored to, but I was not clean. Running a Spybot scan caused the rundll error to reappear in all profiles, not a scan and clean just a scan caused it to reappear. Kestrel13! had me do a number of things before she said I was clean for profile 1.

    Quote:
    Originally Posted by dancer1
    They used to have a Norton Suite on it. They are no longer using anything from Symantec, and would like to have Symantec LiveUpdate removed.

    "Then just uninstall it via Add/Remove Programs."

    I have now removed it.

    Am I correct that I should now start a new thread, and post the original logs only for profile number 3 to be looked at?

    Thank you very much for your help; it is greatly appreciated.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Only if you are having problems with this profile.
     
