quick question...

Discussion in 'Malware Help (A Specialist Will Reply)' started by masterofpuppets, Feb 6, 2005.

  1. masterofpuppets

    masterofpuppets Private E-2

    Hello all,

    I stupidly let my brother on my PC and he's installed some bad stuff (comedy-planet.exe). Anyway, I'm working through the instructions in the FAQ in order to solve the issue.

    Has anyone come across a problem where your recycle bin simply won't delete the problem files? (It's Norton protected.) It claims two files are in there, yet when opened nothing is there.

    Anyone know a way to get rid of the files?

    This is really stressing me out & any help would be gratefully received
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's a VX2 infection. You have some work cut out for you. But first the standard cleanup must be done.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. masterofpuppets

    masterofpuppets Private E-2

  5. masterofpuppets

    masterofpuppets Private E-2

    Hi Chaslang,

    I've followed your instructions to the letter and nothing was found after using all the tools in safe mode etc.

    As requested, here is my Hijack This log file.

    I await your advice.

    Thanks again.
     


  6. masterofpuppets

    masterofpuppets Private E-2

    I forgot to mention that the following have been downloaded as advised and are ready to be used on your say-so:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox
    LSP - Fix

    thanks
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please explain why you did not run the TrendMicro online scan!

    And when you said
    Do you mean no scans found any problems at all?

    First Step:

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the aklsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move aklsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Second Step:

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial). For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\wrifil32.exe
    C:\WINDOWS\system32\wowfg32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [xsEP32j] wrifil32.exe
    O4 - HKCU\..\Run: [gBxFRSH6T] wowfg32.exe
    O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
    O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
    O23 - Service: koijxwjwinrz - Unknown - C:\WINDOWS\system32\bczeptug5.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\wrifil32.exe
    C:\WINDOWS\system32\wowfg32.exe
    C:\Program Files\Internet Explorer\Toolbar <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  8. masterofpuppets

    masterofpuppets Private E-2

    Hi Chaslang,

    Sincere apologies for my stupid oversight. It was getting late last night (I'm in the UK) and I overlooked that instruction. I'm very sorry.

    I can only assume that it’s safe to carry on with your latest instruction and that my mistake does not mean I should start your instructions from scratch.

    In answer to your question about the scans: when I used CCleaner it cleared out a load of temp files. I then used Spybot, which fixed 17 problems, then Ad-Aware, which deleted just the 1 tracking cookie. I then followed point 4 of the instructions (recommending me to use all the other downloaded tools). I did this and nothing was found or fixed. For the record, I definitely used the latest versions, plugins and updates for all the tools :)

    I will follow your latest instruction when I get home from work this evening. (Unless you say otherwise)

    Thanks for your continued help and support; it’s very much appreciated!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Thanks for the additional info. It is important for us to know that information. It gives us a better understanding of what has been going on with your PC.

    Just continue with the instructions! You can run TrendMicro later as an additional safe guard. Sometimes it is surprising to see the results of these online scanners when you think you are clean.
    I had one case where a user's HJT log looked okay and his Symantec AV said everything was fine. And a scan with TrendMicro found 25 trojan files.
     
  10. masterofpuppets

    masterofpuppets Private E-2

    Hi Chaslang,

    Sorry for the late reply. I have just followed your latest instructions and have the following to report:

    Everything was going fine until I was in the ‘open process manager’ section of HJT – the two processes you instructed me to kill were not listed.

    I then carried on and fixed everything you told me to except:

    O4 – HKLM\..Run: [xsEP32j] wrifil32.exe
    O4 – HKLM\..Run: [gBxFRSH6T] wowfg32.exe

    As they were not anywhere to be seen on the list.

    After booting into safe mode I could only delete
    C:\Program Files\Internet Explorer\Toolbar, as the other two .exe files were not there. (There were other 'wow' related files, but I did not want to touch anything I wasn't told to, as my understanding of such things is limited.)

    I then completed a full system Trend Micro scan (still in safe mode) which found:

    ‘Troj Agent BT’ which was classed as non-cleanable, location – C:\Windows\system32\akrules.dll

    It gave me the option to delete the file, which I did.

    I am still unable to empty my recycle bin, and am still receiving pop-ups when browsing, so obviously something is still very wrong :s

    Is there anything I can do? Or should I give up now and buy a Mac? (wish I could afford one!)

    I have posted another HJT log if you’d be so kind as to check out for me and any further instructions will be gratefully received!

    Thanks for your time.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We'll get to everything in due time. Let's continue with the below steps!

    First Step:

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment. Make sure you wait long enough. A Notepad window should pop up when complete. Don't do anything else while this is running.

    Second Step:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Third Step:

    Come back here and post as attachments the l2mfix log and the find.bat log (normally already named output.txt). Based on those logs, we will determine the next steps. Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
    Last edited: Feb 8, 2005
  12. masterofpuppets

    masterofpuppets Private E-2

    I've followed your instructions and here are the reports you asked for.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Step 3:

    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad.

    Again, don't run any other files in the L2MFix folder.

    Okay after doing the above DO NOT REBOOT.

    Step 4:
    Get a new HJT log


    Now reconnect to the internet and come back here and attach the L2MeFix Log and the new HJT log.
     
  14. masterofpuppets

    masterofpuppets Private E-2

    Hi Chaslang,

    Here are the latest logs after following your instructions:
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
    Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\system32\regcz1.exe
    C:\Program Files\CxtPls\CxtPls.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [gBxFRSH6T] regcz1.ex

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\AutoUpdate <-- the whole folder
    C:\WINDOWS\system32\regcz1.exe
    C:\Program Files\CxtPls <-- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Let me know if you have any problems finding or deleting any of these files.

    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
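Both of chaslang's fix lists in this thread (posts 7 and 15) are HijackThis log lines, and the second list shows the same HKCU Run value name (gBxFRSH6T) re-pointed at a renamed binary after the first cleanup round. The script below is an added example written for this page; it is not part of the thread and not HijackThis code. It parses the line formats that appear here (R0, O2, O4, O9, O23), applies a few triage heuristics of my own choosing (a Run value that is a bare filename with no directory, a random-looking value name, an unnamed BHO, an IE button that launches an .hta, a service whose binary is reported missing), and reports Run value names seen with more than one command. The sample log is constructed from the lines quoted in the thread; the flag strings and the random-name heuristic are assumptions, not HJT output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the HijackThis lines quoted in posts 7 and 15 of
# the thread above, merged into one log so the same value name shows up twice.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [xsEP32j] wrifil32.exe
O4 - HKCU\..\Run: [gBxFRSH6T] wowfg32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [gBxFRSH6T] regcz1.ex
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
O23 - Service: koijxwjwinrz - Unknown - C:\WINDOWS\system32\bczeptug5.exe (file missing)
"""

KIND_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\([^:]+): \[([^\]]*)\] ?(.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# Assumed heuristic: mixed-case alphanumeric value name containing digits and no
# separators ("xsEP32j", "gBxFRSH6T"); a vendor name like "AutoUpdater" does not match.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{6,}$")


@dataclass
class Entry:
    kind: str            # HJT section id: R0, O2, O4, O9, O23, ...
    raw: str             # the original log line
    name: str = ""       # Run value name, BHO/button title or service name
    target: str = ""     # command line, DLL, HTA or service binary
    hive: str = ""       # O4 only, e.g. HKLM\..\Run
    clsid: str = ""      # O2/O9 only
    company: str = ""    # O23 only: vendor column, often "Unknown"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; returns None for blank or non-entry lines."""
    line = line.strip()
    m = KIND_RE.match(line)
    if not m:
        return None
    e = Entry(kind=m.group(1), raw=line, target=m.group(2))
    m4, m2, m9, m23 = (rx.match(line) for rx in (O4_RE, O2_RE, O9_RE, O23_RE))
    if e.kind == "O4" and m4:
        hive, key, e.name, e.target = m4.groups()
        e.hive = f"{hive}\\..\\{key}"
    elif e.kind == "O2" and m2:
        e.name, e.clsid, e.target = m2.groups()
    elif e.kind == "O9" and m9:
        e.name, e.clsid, e.target = m9.groups()
    elif e.kind == "O23" and m23:
        e.name, e.company, e.target = m23.groups()
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def is_bare_filename(target: str) -> bool:
    """True when a Run value is just 'foo.exe' with no directory, so Windows
    resolves it via the search path (the thread's wrifil32.exe/wowfg32.exe)."""
    t = target.strip().strip('"')
    return bool(t) and not any(c in t for c in "\\/%")


def entry_flags(e: Entry) -> List[str]:
    """Pure triage: the reasons (if any) an entry deserves a closer look."""
    flags: List[str] = []
    if e.kind == "O4":
        if is_bare_filename(e.target):
            flags.append("run-value-is-bare-filename")
        if RANDOM_NAME_RE.match(e.name):
            flags.append("random-looking-value-name")
    elif e.kind == "O2" and e.name == "(no name)":
        flags.append("unnamed-bho")
    elif e.kind == "O9" and e.target.lower().endswith(".hta"):
        flags.append("ie-button-runs-hta")  # HTAs run as trusted local code
    elif e.kind == "O23" and "(file missing)" in e.target:
        flags.append("service-binary-missing")
    return flags


def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    out = []
    for e in entries:
        f = entry_flags(e)
        if f:
            out.append((e, f))
    return out


def reused_names(entries: List[Entry]) -> Dict[Tuple[str, str], Set[str]]:
    """Run value names seen with more than one command: the registry value
    outlives a cleanup round while the payload file is renamed (gBxFRSH6T)."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in entries:
        if e.kind == "O4":
            seen[(e.hive, e.name)].add(e.target)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e, flags in triage(log):
        print(", ".join(flags).ljust(50), e.raw)
    for (hive, name), targets in reused_names(log).items():
        print(f"value {name} under {hive} pointed at: {sorted(targets)}")
```

The flags are leads, not verdicts: as the thread itself shows, each entry still gets confirmed against the process list and the file system before it is fixed, and a value name that survives a round with a new target is the signal that the dropper is still active and the cleanup has to continue.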
     
  16. masterofpuppets

    masterofpuppets Private E-2

    Hi Chaslang,

    I was able to follow every part of your latest instructions without a hitch! :cool:

    My recycle bin is empty! *does a dance*

    As requested, I've posted my (final?) HJT log for you to check:

    I await your instructions.
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  18. masterofpuppets

    masterofpuppets Private E-2

    I seriously can't thank you enough for all your help, time and patience.

    It's reassuring to know that there are people like you out there to counteract the scum that make these problems in the first place.

    Thanks a million Chaslang! :)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're quite welcome!
     
