Step by step, and no love. or spyware extermination.

Do not use Microsoft AntiSpyWare Beta! It has lots of problems right now and is not worth the trouble. It has False detections which results in removal of items you need and in some cases has even broken Microsofts own firewall. At this point you would be better off uninstalling it and use only what we indicate.

As Thug point out you do have a VX2 infection and also a few other problems. One is a O15 Trusted Zones hijack (I call it that for now). This Trusted Zones issue is a nightmare that about 10 people per day (maybe more) are now coming here to try and get fixed. They are a nightmare because they keep coming back.

Let's begin with the following steps.

Please download the following tools and save them where you will be able to find them. I save stuff like this to a C:\downloads\Spyware-Stuff folder and I put each in their own subfolder. It makes it easy to find. Make sure you download them from the links below:

L2MeFix Tool
Generic Detection Tool - NT/2000/XP
VX2.BetterInternet Finder XP/2k - Version Msg126
Pocket KillBox

Also please download http://ralphcaddell.com/Uploads/deldomains.zip and unzip it to your desktop. Do not run it yet.


Please make sure that Viewing of Hidden Files is Enabled as per the tutorial.

Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED and with your connection to the internet physically unplugged.

Exit Browsers now before continuing and unplug your cable.


First Step:

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINNT\system32\pxrad.exe
C:\WINNT\system32\prfcons.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [u37R37l] pxrad.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitejei32.exe
O4 - HKCU\..\Run: [f0o5RXJtO] prfcons.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINNT\isrvs\desktop.exe
C:\WINNT\isrvs\ffisearch.exe
C:\winnt\system32\pxrad.exe
C:\winnt\system32\elitejei32.exe
C:\winnt\system32\prfcons.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Then, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Second Step:

Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.


Third Step:
Reboot to Normal Windows. Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

NOTE: Please do not run any other options or files in the l2mfix Folder!

Fourth Step:

Extract all the files from the Generic Detection Tool into its own folder.
Then run find.bat. Post the log it creates back here as an attachment. Make sure you wait long enough for it to complete. A notepad window will pop up when done.

Fifth Step:

Plug your cable to the internet back in and run your browser and come back here and attach the l2mfix log, the output.txt file from find.batalong with a new HijackThis log. This will require two messages since there is a two attachment limit per message.

Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.

 

You forgot the attachment of the find.bat output.txt file. But don't worry about it now. Wait until the next steps!

 

Step 1:

Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Just be patient and let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

Again, don't run any other files in the L2MFix folder.

Step 2:

Run "find.bat" from the Generic Detection Tool again!

Okay after doing the above DO NOT REBOOT. Now reconnect to the internet and come back here and post and attach the find.bat log along with the L2MeFix Log.

 

You have files that appear to be related to an HSA hijack problem. Did you have hijack issues at a point in time.

Use Windows Explorer to locate and delete the following in the system32 folder:

C:\WINNT\SYSTEM32\
appaq32.exe Tue Jan 18 2005 1:16:56p A.SH. 11,596 11.32 K
atlds.exe Sun Jan 30 2005 6:16:36p A.SH. 11,215 10.95 K
ckqkn.txt Tue Feb 1 2005 3:55:48p A.SH. 0 0.00 K
d3aj.exe Sat Jan 15 2005 6:42:22p A.SH. 10,824 10.57 K
javask.exe Wed Jan 12 2005 4:15:34a A.SH. 11,454 11.18 K
msci32.exe Thu Feb 3 2005 2:14:10p A.SH. 10,824 10.57 K
msda.exe Tue Feb 1 2005 8:51:58p A.SH. 11,032 10.77 K
netue.exe Fri Jan 14 2005 6:15:58p A.SH. 10,824 10.57 K
winjt32.exe Thu Jan 27 2005 9:53:08p A.SH. 0

Let me know if you have problems finding or deleting any of those.

Then, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Then reboot and get a new HJT log to post so we can work on the last few problems.

 

Please post questions for your problem/issues in your own threads. This question has nothing to do with this thread either.

 

You can attempt this in normal mode. If you have problems, try safe mode. Let me know the results.

 

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINNT\isrvs <-- the whole folder

Let me know if this folder cannot be deleted.

Then, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

They are always annoying to get rid of!

Copy and paste the information in the below quote box to notepad. Save it to a file that you will have access to later when you boot into safe mode. Name it fix.reg. Then boot into safe mode, run Windows Explorer and locate the fix.reg file. Doubleclick it and grant it permission to add in the registry entries.

After that run HijackThis and fix (if still there):
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


Then reboot in safe mode and delete the folder again if it is there.

Then reboot in normal mode and post a new HJT log.

Delete those EliteBar folders you saw too.

 

Yes! They are gone. But let's check again after a few reboots and some surfing. These have been very troublesome to remove permanently. They always seem to come back.

NOTE:
I would uninstall Microsoft AntiSpyware it is only a beta and has been more trouble than it's worth. Too many false detections and it has broken some items on users PCs in many cases. It has even broken Microsoft's own firewall in multiple cases.

Use the stuff we recommend instead in the below link. In fact make sure you do all the stuff (or there equivalents) in this link too:

How to Protect yourself from malware!