help please - cannot remove spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by BubbleBlower, Jan 18, 2006.

  1. BubbleBlower

    BubbleBlower Private E-2

    Hi all

    Thanks in advance for your assistance.

    I have so far run all the usual procedures:-

    Ccleaner
    Microsoft Windows Malicious Software Removal Tool
    Ad-Aware SE
    Spybot Search & Destroy
    Microsoft Antispyware
    Bitdefender
    Panda ActiveScan

    I have attached the logs from the last 2 plus a HijackThis report. I have also attached a screenshot showing that my desktop appears to be a file after removing some spyware that sat in front of it.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read and follow ALL the instructions in step 7 of the READ & RUN ME again. You did not install HJT properly. You must fix this before we continue. You have multiple problems to fix.

    Also I do not know what you are referring to about your desktop being a file. All you posted was a screen snapshot showing Bitdefender running.

    Did you do step 0 from the READ ME? I see iMesh installed. Have you uninstalled it yet?

    Also it is a bad idea to go to cracking sites like below:
    :\Documents and Settings\End User\Desktop\Dave's\CrackSearcher-[by_Armisael].exe
    Infected with: Virtool.Cracksearch.A
     
    Last edited: Jan 18, 2006
  3. BubbleBlower

    BubbleBlower Private E-2

    Please find attached new HJT log.

    If you look at the screenshot, to the right of BitDefender running it shows what I get when I right-click on the desktop. Nothing like I would normally expect.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why is this HJT log so different? Was the previous one from safe mode?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
    O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
    O4 - HKLM\..\Run: [TaskControlLog] csrdeu32.exe
    O4 - HKLM\..\Run: [hyzar] C:\WINDOWS\hyzar.exe
    O4 - HKCU\..\Run: [Clal] C:\Documents and Settings\End User\Application Data\cbbo.exe
    O15 - Trusted IP range: 206.161.125.149
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0C7CD29D-B81C-41E6-948F-A0D59D36EC2B}: NameServer = 85.255.116.112,85.255.112.232
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0C7CD29D-B81C-41E6-948F-A0D59D36EC2B}: NameServer = 85.255.116.112,85.255.112.232

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\WINDOWS\system32\yaemu.exe
    C:\Program Files\Windows ControlAd <--- delete the whole folder if found
    C:\WINDOWS\system32\csrdeu32.exe
    C:\WINDOWS\hyzar.exe
    C:\Documents and Settings\End User\Application Data\cbbo.exe
    C:\Program Files\UnSpyPC <--- delete the whole folder if found

    Delete all files in your c:\windows\Prefetch folder now.
    Now empty your Recycle Bin.

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout, and the log will let us know.

    Also attach a new HijackThis log.
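As an added illustration (not part of this thread and not a MajorGeeks or HijackThis tool), the reasoning behind the fix list above can be applied mechanically to HijackThis log lines: O4 autorun entries that point to odd locations, any O15 trusted IP range, and O17 NameServer entries that are not the resolvers the machine should be using. The sample log is constructed from the lines in this post plus one benign entry (ctfmon.exe); the expected-resolver list and the fix-list names are assumptions passed in as parameters.

```python
import re

# Constructed sample: the entries chaslang asked to fix in the post above, plus one
# benign line (ctfmon.exe, constructed) so the triage has something to pass.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [TaskControlLog] csrdeu32.exe
O4 - HKLM\..\Run: [hyzar] C:\WINDOWS\hyzar.exe
O4 - HKCU\..\Run: [Clal] C:\Documents and Settings\End User\Application Data\cbbo.exe
O15 - Trusted IP range: 206.161.125.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C7CD29D-B81C-41E6-948F-A0D59D36EC2B}: NameServer = 85.255.116.112,85.255.112.232
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Lower-cased file names taken from the fix list in the post above (assumed deny list).
THREAD_FIX_LIST = frozenset({"yaemu.exe", "winctlad.exe", "csrdeu32.exe", "hyzar.exe", "cbbo.exe"})

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")


def triage_hjt(log_text, expected_dns=(), known_bad=THREAD_FIX_LIST):
    """Return (line, reason) for each entry worth fixing. expected_dns lists the
    resolvers the machine should use; any other O17 NameServer is reported."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        m = O4_RE.match(line)
        if m:
            target = m.group(1).strip()
            low = target.lower()
            if low.rsplit("\\", 1)[-1] in known_bad:
                findings.append((line, "O4: file name on the fix list"))
            elif "\\" not in target:  # bare name: Windows locates it via PATH search
                findings.append((line, "O4: bare file name resolved via PATH"))
            elif "\\documents and settings\\" in low or "\\application data\\" in low:
                findings.append((line, "O4: autorun from a user profile directory"))
            elif re.fullmatch(r"c:\\windows\\[^\\]+", low):
                findings.append((line, "O4: executable directly in the Windows root"))
        elif line.startswith("O15 - Trusted IP range:"):
            findings.append((line, "O15: IP added to the Trusted Sites zone"))
        else:
            m = O17_RE.match(line)
            if m:
                rogue = [s.strip() for s in m.group(1).split(",") if s.strip() not in expected_dns]
                if rogue:
                    findings.append((line, "O17: unexpected DNS server(s) " + ", ".join(rogue)))
    return findings
```

Calling `triage_hjt(SAMPLE_HJT_LOG, known_bad=frozenset())` shows what the path heuristics alone catch (the bare csrdeu32.exe, hyzar.exe in the Windows root, cbbo.exe in the profile) and what they miss (yaemu.exe in system32), which is why the expert's fix list still matters.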
     
  6. BubbleBlower

    BubbleBlower Private E-2

    Reason HJT log was so different 2nd time was because I re-enabled all items in msconfig startup.

    Attached
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That report from FixWareOut does not look correct. Did you post the correct log? If so, it may have had an error but it also may have partially worked.

    Run whichever of the below is appropriate for your OS:

    For Windows XP Pro: download and run XPproFix
    For Windows XP Home: download and run XPHomeFix

    Then run FixWareout again and attach the log. Just ignore the step with HJT and if it opens just close it. You have nothing in the log to fix.

    How are things working now?
     
  8. BubbleBlower

    BubbleBlower Private E-2

    Ran the fix and this time Fixware seemed to work - see attached.

    Still have a problem with the desktop. When I right click it and select properties it says it is a file protocol with the address "file://C:\WINDOWS\desktop.html". How do I fix this?
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the below steps!

    Fixing Locked Desktop
    Also you should right-click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.

    Run the steps in Using GetRunKey and attach the requested log.
     
  10. BubbleBlower

    BubbleBlower Private E-2

    Couldn't right-click but went into display properties via control panel and followed instructions.

    When runkeys log appeared it was empty but desktop is now back to normal thanks.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It should not be empty! Something is wrong! Try it again!

    Did you extract both files from the ZIP file? Did you put both of them in the same location?
     
  12. BubbleBlower

    BubbleBlower Private E-2

    Rebooted and ran it again. File is attached.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Reboot and now tell me how everything is working.
     
  14. BubbleBlower

    BubbleBlower Private E-2

    Done as requested and everything appears to be ok now.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  16. BubbleBlower

    BubbleBlower Private E-2

    All sorted - thanks very much
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
