Posted by kriskarrera, Dec 19th, 2004

Adaware won't remove VX2 nasty

It simply asks if I would like it to remove VX2 the next time Windows starts. Trouble is, this nasty has embedded itself in the "system32" folder and I've tried removing it in safe mode and everything.

Has anyone else had this problem and if so did they fix it?

Cheers
Kris

Reply from DMR, Dec 19th, 2004:

The newest variant of the VX2 infection is extremely nasty and at the moment it seems that there is no "automatic" utility which will remove it. Read our member "crunchie"'s posts in these recent threads on the subject for a bit more insight:

http://www.daniweb.com/techtalkforum...earchid=242139


In the mean time, please download the latest version of HijackThis from the link in my sig below. Once downloaded, follow these instructions to install and run the program:

Create a new separate folder on your drive for HijackThis, move the program into this folder, and run it from there. (Don't run HJT from within any Temp or Temporary Internet folder, and don't run it directly from your desktop.) Do not have HJT fix anything yet, only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

Reply from kriskarrera, Dec 19th, 2004:

OK, this is my HijackThis log:


Logfile of HijackThis v1.99.0
Scan saved at 01:18:50, on 12/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\KM\My Documents\My Pictures\Utilities for CD\Ad-Aware SE\VX2 Cleaning add on\VX2Finder.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\KM\My Documents\My Pictures\Utilities for CD\Ad-Aware SE\VX2 Cleaning add on\DllCompare.exe
C:\WINDOWS\SYSTEM32\WrapperOuter.exe
C:\Documents and Settings\KM\My Documents\My Pictures\Utilities for CD\hijackthis v199\HijackThis.exe

O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #uto.search.msn.com
O1 - Hosts: 69.20.16.183 #earch.netscape.com
O1 - Hosts: 69.20.16.183 #eautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094843081852
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab31267.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AEA3B5F-ADCF-4D63-82F8-EB3F08A3B516}: NameServer = 195.93.48.134
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

ALSO, I've found this topic on VX2 - http://www.daniweb.com/techtalkforum...15679-vx2.html - and have downloaded and run VX2Finder and DllCompare.
Here's the log from VX2Finder:
Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
MediaContentIndex
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{73AFE2EE-ABF9-4DD7-96B4-53BDF9FB3658}

And the DllCompare log:
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\akicap32.dll Wed 15 Dec 2004 15:28:46 ..S.R 224,809 219.54 K
C:\WINDOWS\SYSTEM32\kbdfaib.dll Wed 16 Jun 2004 14:44:08 ....R 57,344 56.00 K
C:\WINDOWS\SYSTEM32\mrdemui.dll Wed 15 Dec 2004 17:33:38 ..S.R 223,108 217.88 K
C:\WINDOWS\SYSTEM32\oishel32.dll Mon 20 Dec 2004 1:01:02 ..S.R 225,816 220.52 K
C:\WINDOWS\SYSTEM32\mgpmspsv.dll Sat 11 Dec 2004 14:44:38 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\svlsrv32.dll Sat 11 Dec 2004 15:31:48 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\kfdsp.dll Mon 13 Dec 2004 14:05:48 ..S.R 226,169 220.87 K
C:\WINDOWS\SYSTEM32\oebcjt32.dll Sat 11 Dec 2004 15:53:16 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\n4p40e~1.dll Sun 19 Dec 2004 20:23:40 ..S.R 224,536 219.27 K
C:\WINDOWS\SYSTEM32\lvr609~1.dll Sat 11 Dec 2004 12:08:58 ..S.R 223,931 218.68 K
C:\WINDOWS\SYSTEM32\mzise.dll Sun 12 Dec 2004 16:13:58 ..S.R 226,169 220.87 K
C:\WINDOWS\SYSTEM32\wmwfax.dll Tue 14 Dec 2004 20:01:14 ..S.R 225,341 220.06 K
C:\WINDOWS\SYSTEM32\nscodins.dll Tue 14 Dec 2004 20:30:52 ..S.R 225,941 220.64 K
C:\WINDOWS\SYSTEM32\juau500.dll Tue 14 Dec 2004 11:52:08 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\dq16gt.dll Sat 11 Dec 2004 13:55:08 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\n6p4lg~1.dll Sat 11 Dec 2004 14:44:36 ..S.R 226,179 220.88 K
C:\WINDOWS\SYSTEM32\hrl805~1.dll Sat 11 Dec 2004 15:31:48 ..S.R 225,538 220.25 K
C:\WINDOWS\SYSTEM32\l46o0e~1.dll Tue 14 Dec 2004 17:47:44 ..S.R 225,705 220.41 K
C:\WINDOWS\SYSTEM32\m082la~1.dll Sun 19 Dec 2004 18:08:38 ..S.R 225,816 220.52 K
________________________________________________

1,438 items found: 1,438 files (18 H/S), 0 directories.
Total of file sizes: 283,571,926 bytes 270.43 M

Administrator Account = True

--------------------End log---------------------

Reply from DMR, Dec 19th, 2004:

OK- it looks like you may very well have the new VX2 variant. I haven't had much experience with that one, but crunchie seems to know how to deal with it. Let me contact him and see if he can have a look at this for you. Hang in there...

Reply from crunchie, Dec 20th, 2004:

Download
http://www.downloads.subratam.org/KillBox.exe

Stay offline when doing the following fix.

Open KillBox and paste in C:\WINDOWS\SYSTEM32\akicap32.dll

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

Click the Red X... and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files in yet).

Repeat the above for each of these:

C:\WINDOWS\SYSTEM32\kbdfaib.dll
C:\WINDOWS\SYSTEM32\mrdemui.dll
C:\WINDOWS\SYSTEM32\oishel32.dll
C:\WINDOWS\SYSTEM32\mgpmspsv.dll
C:\WINDOWS\SYSTEM32\svlsrv32.dll
C:\WINDOWS\SYSTEM32\kfdsp.dll
C:\WINDOWS\SYSTEM32\oebcjt32.dll
C:\WINDOWS\SYSTEM32\n4p40e~1.dll
C:\WINDOWS\SYSTEM32\lvr609~1.dll
C:\WINDOWS\SYSTEM32\mzise.dll
C:\WINDOWS\SYSTEM32\wmwfax.dll
C:\WINDOWS\SYSTEM32\nscodins.dll
C:\WINDOWS\SYSTEM32\juau500.dll
C:\WINDOWS\SYSTEM32\dq16gt.dll
C:\WINDOWS\SYSTEM32\n6p4lg~1.dll
C:\WINDOWS\SYSTEM32\hrl805~1.dll
C:\WINDOWS\SYSTEM32\l46o0e~1.dll
C:\WINDOWS\SYSTEM32\m082la~1.dll
C:\Windows\System32\Guard.tmp


On that last file, close all programs and Reboot your computer.

Post another log from dllcompare please.

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and double-click on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

Only reboot when I ask you to, or the file names will change! In other words, do not switch off your PC. If you have already, we need to start afresh.

Reply from kriskarrera, Dec 20th, 2004:

Yup, sorry I did switch off my computer.

Here's the VX2finder log:
Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
SharedDLLs
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{2C5065D5-07B6-48AF-A859-5D7E9CC0547A}



* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\akicap32.dll Wed 15 Dec 2004 15:28:46 ..S.R 224,809 219.54 K
C:\WINDOWS\SYSTEM32\kbdfaib.dll Wed 16 Jun 2004 14:44:08 ....R 57,344 56.00 K
C:\WINDOWS\SYSTEM32\mrdemui.dll Wed 15 Dec 2004 17:33:38 ..S.R 223,108 217.88 K
C:\WINDOWS\SYSTEM32\irmpagnt.dll Mon 20 Dec 2004 15:35:44 ..S.R 225,816 220.52 K
C:\WINDOWS\SYSTEM32\ltwfx90n.dll Mon 20 Dec 2004 1:51:18 ..S.R 225,816 220.52 K
C:\WINDOWS\SYSTEM32\fpj003~1.dll Mon 20 Dec 2004 3:10:10 ..S.R 223,223 217.99 K
C:\WINDOWS\SYSTEM32\mgpmspsv.dll Sat 11 Dec 2004 14:44:38 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\svlsrv32.dll Sat 11 Dec 2004 15:31:48 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\kfdsp.dll Mon 13 Dec 2004 14:05:48 ..S.R 226,169 220.87 K
C:\WINDOWS\SYSTEM32\oebcjt32.dll Sat 11 Dec 2004 15:53:16 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\n4p40e~1.dll Sun 19 Dec 2004 20:23:40 ..S.R 224,536 219.27 K
C:\WINDOWS\SYSTEM32\lvr609~1.dll Sat 11 Dec 2004 12:08:58 ..S.R 223,931 218.68 K
C:\WINDOWS\SYSTEM32\mzise.dll Sun 12 Dec 2004 16:13:58 ..S.R 226,169 220.87 K
C:\WINDOWS\SYSTEM32\wmwfax.dll Tue 14 Dec 2004 20:01:14 ..S.R 225,341 220.06 K
C:\WINDOWS\SYSTEM32\nscodins.dll Tue 14 Dec 2004 20:30:52 ..S.R 225,941 220.64 K
C:\WINDOWS\SYSTEM32\juau500.dll Tue 14 Dec 2004 11:52:08 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\dq16gt.dll Sat 11 Dec 2004 13:55:08 ..S.R 224,703 219.43 K
C:\WINDOWS\SYSTEM32\n6p4lg~1.dll Sat 11 Dec 2004 14:44:36 ..S.R 226,179 220.88 K
C:\WINDOWS\SYSTEM32\hrl805~1.dll Sat 11 Dec 2004 15:31:48 ..S.R 225,538 220.25 K
C:\WINDOWS\SYSTEM32\l46o0e~1.dll Tue 14 Dec 2004 17:47:44 ..S.R 225,705 220.41 K
C:\WINDOWS\SYSTEM32\enrql1~1.dll Mon 20 Dec 2004 3:01:18 ..S.R 225,816 220.52 K
________________________________________________

1,440 items found: 1,440 files (20 H/S), 0 directories.
Total of file sizes: 284,020,965 bytes 270.86 M

Administrator Account = True

--------------------End log---------------------


I'll leave my pc on now until I hear back from you, thanks.
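An added example, not code from the thread or from the DllCompare tool: a small Python parser over the DllCompare file lines posted above that flags the System+Read-only DLLs this thread is chasing and, by comparing the first log with the one taken after the unscheduled reboot, lists which vanished file matches which new ones by size and attribute signature. The "..S.R means suspect" criterion is an assumption drawn only from these two logs, and the sample lines are copied from them.

```python
from typing import NamedTuple


class Entry(NamedTuple):
    path: str
    attrs: str  # DllCompare attribute column, e.g. "..S.R" = System + Read-only
    size: int   # size in bytes


# File lines copied from the two DllCompare logs posted above: the first run,
# and the run after the unscheduled reboot. Trimmed to a few entries each.
LOG_BEFORE = r"""
C:\WINDOWS\SYSTEM32\akicap32.dll Wed 15 Dec 2004 15:28:46 ..S.R 224,809 219.54 K
C:\WINDOWS\SYSTEM32\kbdfaib.dll Wed 16 Jun 2004 14:44:08 ....R 57,344 56.00 K
C:\WINDOWS\SYSTEM32\oishel32.dll Mon 20 Dec 2004 1:01:02 ..S.R 225,816 220.52 K
C:\WINDOWS\SYSTEM32\m082la~1.dll Sun 19 Dec 2004 18:08:38 ..S.R 225,816 220.52 K
1,438 items found: 1,438 files (18 H/S), 0 directories.
"""
LOG_AFTER = r"""
C:\WINDOWS\SYSTEM32\akicap32.dll Wed 15 Dec 2004 15:28:46 ..S.R 224,809 219.54 K
C:\WINDOWS\SYSTEM32\kbdfaib.dll Wed 16 Jun 2004 14:44:08 ....R 57,344 56.00 K
C:\WINDOWS\SYSTEM32\irmpagnt.dll Mon 20 Dec 2004 15:35:44 ..S.R 225,816 220.52 K
C:\WINDOWS\SYSTEM32\ltwfx90n.dll Mon 20 Dec 2004 1:51:18 ..S.R 225,816 220.52 K
C:\WINDOWS\SYSTEM32\enrql1~1.dll Mon 20 Dec 2004 3:01:18 ..S.R 225,816 220.52 K
"""


def parse_dllcompare(text: str) -> dict:
    """Map lower-cased path -> Entry for every file line in a DllCompare log."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # File lines end "<bytes> <KB> K"; headers, rules and totals do not.
        if len(parts) < 10 or parts[-1] != "K":
            continue
        path = " ".join(parts[:-9])  # a path may itself contain spaces
        entries[path.lower()] = Entry(path, parts[-4], int(parts[-3].replace(",", "")))
    return entries


def flag_suspicious(entries: dict) -> list:
    """DLLs carrying both System and Read-only attributes (assumed marker, drawn
    from this thread: every VX2 file has ..S.R, kbdfaib.dll with ....R does not)."""
    return sorted(e.path for e in entries.values()
                  if e.path.lower().endswith(".dll") and "S" in e.attrs and "R" in e.attrs)


def rename_candidates(before: dict, after: dict) -> dict:
    """For each file that vanished between the two logs, list the new files with
    the same (size, attrs) signature: this is how the reboot renames show up."""
    gone = [e for k, e in before.items() if k not in after]
    new = [e for k, e in after.items() if k not in before]
    return {g.path: sorted(n.path for n in new if (n.size, n.attrs) == (g.size, g.attrs))
            for g in gone}
```

Run against the two full logs in the thread, the same matching shows the 225,816-byte files changing name across the reboot while akicap32.dll and kbdfaib.dll stay put.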

Reply from crunchie, Dec 20th, 2004:

Stay offline when doing the following fix.

Open KillBox and paste in C:\WINDOWS\SYSTEM32\akicap32.dll

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

Click the Red X... and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files in yet).

Repeat the above for each of these:

C:\WINDOWS\SYSTEM32\kbdfaib.dll
C:\WINDOWS\SYSTEM32\mrdemui.dll
C:\WINDOWS\SYSTEM32\irmpagnt.dll
C:\WINDOWS\SYSTEM32\ltwfx90n.dll
C:\WINDOWS\SYSTEM32\fpj003~1.dll
C:\WINDOWS\SYSTEM32\mgpmspsv.dll
C:\WINDOWS\SYSTEM32\svlsrv32.dll
C:\WINDOWS\SYSTEM32\kfdsp.dll
C:\WINDOWS\SYSTEM32\oebcjt32.dll
C:\WINDOWS\SYSTEM32\n4p40e~1.dll
C:\WINDOWS\SYSTEM32\lvr609~1.dll
C:\WINDOWS\SYSTEM32\mzise.dll
C:\WINDOWS\SYSTEM32\wmwfax.dll
C:\WINDOWS\SYSTEM32\nscodins.dll
C:\WINDOWS\SYSTEM32\juau500.dll
C:\WINDOWS\SYSTEM32\dq16gt.dll
C:\WINDOWS\SYSTEM32\n6p4lg~1.dll
C:\WINDOWS\SYSTEM32\hrl805~1.dll
C:\WINDOWS\SYSTEM32\l46o0e~1.dll
C:\WINDOWS\SYSTEM32\enrql1~1.dll
C:\Windows\System32\Guard.tmp


On that last file, close all programs and Reboot your computer.

Post another log from dllcompare please.

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and double-click on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

Reply from kriskarrera, Dec 21st, 2004:

OK, I've done the above and here's the latest DllCompare log:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\kbdfaib.dll Wed 16 Jun 2004 14:44:08 ....R 57,344 56.00 K
________________________________________________

1,441 items found: 1,441 files, 0 directories.
Total of file sizes: 279,520,529 bytes 266.57 M

Administrator Account = True

--------------------End log---------------------

By the way, that link to "FindIt.zip" doesn't seem to work.

Reply from kriskarrera, Dec 21st, 2004:

P.S. I just ran Ad-Aware and VX2 is no longer on my system!
Does anyone know what causes it?

Reply from crunchie, Dec 21st, 2004:

Try this link. http://computercops.biz/zx/Zupe/Find...20NT-2K-XP.zip

You may have caused the DLLs to change by running Ad-Aware. Please post another DllCompare log and a FindIt log. Ad-Aware cannot detect this latest infection.