spyware problems

In the Special Removal Procedures sticky (which is mentioned in the READ ME) there is a procedure you probably should have followed:

Look2Me VX2 Removal


After doing the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

Downloading, Installing, and Running HijackThis

.

 

We need to take care of a few issues first and then we will move on to your Virtumundo infection.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

CWShredder Service

Now exit HJT and do not reboot if it asks you to do so. We will reboot later.

Are you sure you ran Ccleaner! It should have removed something that I saw running in your HJT log.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\geede.dll <--- this is Virtumundo and will come back
O4 - HKLM\..\Run: [NI.UWFX5_0001_LP1014] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JVZ2YPM9\WinFixer2005ScannerInstall[1].exe"
O20 - Winlogon Notify: geede - C:\WINDOWS\system32\geede.dll <--- this is Virtumundo and will come back

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JVZ2YPM9\WinFixer2005ScannerInstall[1].exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

After the above we can proceed to the Vundo fix. If you would like to try to continue, before I get back then do the below. These steps must be run exactly as specfied.

1) Download this Symantec Trojan.Vundo Removal Tool to a location where you can find it later
2) Make sure you do not run anything but what is specified. DO NOT OPEN any browsers during this process below so print or save these unstructions locally so you know what to do while offline.
3) Boot into safe mode and physically unplug your cable to the internet
4) Run the fixvundo.exe tool downloaded above and save the log
5) Immediately reboot in normal mode and run the fixvundo.exe tool again. Save the log.
6) Immediately reboot again into normal mode and now reconnect your cable to the internet.
7) Now run HJT and save a new log
8) Open a browser and come back here and post your logs from running fixvundo and also the new HJT log. Also tell me how these steps went. Any problems?

 

Looks clean! How is everything working?

 

You're welcome! Now to help keep you clean work thru the below and complete all the steps not already completed:

How to Protect yourself from malware!