Greetings and thanks for looking at this post! I'd like to share an interesting malware problem:

I've been assigned to fix a friend's PC which was absolutely plagued with spyware to the extent that upon startup CPU power was at 100% at all times, it took minutes just to open a folder, the machine was unusable. I cleaned it up pretty well using Spybot and HJT, removing many items in the prescribed way, HOWEVER: although it's running much better, application load times are still slow, CPU power is still too high, and there is ONE thing Spybot still recognizes for removal. It's called MyWay, located at C/Program Files/MyWay/MyWay.dll. Spybot told me it was in memory and couldn't be deleted until I reboot and run Spybot on startup, so I did that to no avail, the .dll file remained, but the file extension changed to .tobedeleted(x18)!!! I tried to delete it in Safe Mode, but as soon as I click on the file the PC freezes completely and I have to do a hard shut-down. Left click, right click, it doesn't matter, total freeze. So I do a little research and decide to unregister the file first using "regsvr32 /u file.dll" per recommendations found on forums about MyWay.dll. Here's where it gets interesting: the file extension changed to .tobedeleted x 18, right? Well there's a character limit in the Run Programs field, the length of which is "regsvr32 /u MyWay.tobedeleted(x18)" minus 1 character!!!!! Completely untouchable file (as far as I know)! Very nasty! Googling this issue barely returns anything. Does anyone have any experience with this? Thanks!!!

Hi severinarson

Please go here and follow instructions.
http://forums.spybot.info/showthread.php?t=288
Post the Hijackthis and online scan log's here in this thread.
Someone will then take a look at the system and advise you.

Logfile of HijackThis v1.99.1
Scan saved at 9:05:05 AM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SCMain.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\The Gentlings\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - Global Startup: Stardust Screen Saver Control 2003.lnk = C:\WINDOWS\SCMain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in) -
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

That log looks ok
Im not sure i understand

Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.



@echo off
del "C:\Program Files\MyWay\*.*"
rd "C:\Program Files\MyWay"
dir "C:\Program Files\MyWay" >logit.txt
notepad logit.txt


Run check.bat and post the logit.txt if any files are listed

This topic is closed.

If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.