Sorry, I was gone all day yesterday. So, I re-ran the scans. Still had the same problems.
1) I still could not delete the "r" named file from the system32 folder. I got the same error message when I tried to delete it: "Cannot delete. File being used by another person or program.... etc." So it's still there.
Also..
"Do not just go by size. Make sure the name corresponds with the one in that O4 entry of HJT"
I've found that as soon as I fix the entry, it changes names, so I can't go just by the name that corresponds with the entry. Searching by size is the only way I can find it expediently. It changes everything (date created, etc.).. except size and version type (something like 1.1.0.3 or whatever).
Anyhoo. I still couldn't delete it, so it's still there. Looks like the next step is necessary.
Note also that when I ran HiJackThis, the svcproc.exe line item didn't show up..
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
..I didn't see this in the list of items to delete.
Ok.. here are the log files:
Hijackthis
..............
Logfile of HijackThis v1.99.1
Scan saved at 11:17:17 AM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
c:\windows\system32\lubjwa.exe
C:\Documents and Settings\Riverstone\Desktop\michael\virus\hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nyfbqg] c:\windows\system32\lubjwa.exe r
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
.............
Ewido Scan
..............
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:05:47 AM, 8/3/2005
+ Report-Checksum: 33964380
+ Scan result:
[772] c:\windows\system32\udzsif.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Riverstone\Application Data\Mozilla\Firefox\Profiles\ntbe57fm.Liveyolife\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Riverstone\Cookies\riverstone@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Program Files\amda\uacn.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ActiveX.ocx -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\hpdbze.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\igfxtray.exe -> TrojanDropper.Paradrop.a : Cleaned with backup
C:\WINDOWS\system32\udzsif.exe -> Adware.BetterInternet : Cleaned with backup
::Report End
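As an added illustration, not part of the original post and not code from HijackThis or ewido: a small Python triage script that parses O4 Run entries and O23 Service entries in the HijackThis v1.99 log format shown above and flags the three patterns this thread turns on: a random-looking executable name in system32 (the [nyfbqg] / lubjwa.exe pair), a service reported with "Unknown owner" (svcproc.exe), and a service whose binary is "(file missing)". The sample lines are copied from the log in this post; the 5-8-lowercase-letter "random name" heuristic and the tiny system32 allowlist are my own assumptions, not rules stated in the thread. It only triages the log text; locating the renamed file on disk by size and version, as the poster does, is a separate step.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99 format; the lines are copied from
# the log in this thread so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nyfbqg] c:\windows\system32\lubjwa.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 - Service: display name (short name) - owner - command line; short name is optional
SVC_RE = re.compile(r'^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]+)\))? - (?P<owner>.+?) - (?P<cmd>.*)$')
# First token ending in .exe, with or without surrounding quotes
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
# Assumption: 5-8 lowercase letters and no digits counts as "random-looking";
# real triage would also check the file's signature and version resource.
RANDOM_NAME_RE = re.compile(r'^[a-z]{5,8}$')
# Assumption: system32 binaries that legitimately appear in Run keys.
KNOWN_SYSTEM32 = {"ctfmon.exe"}


@dataclass
class Finding:
    kind: str                      # "run" or "service"
    name: str                      # Run value name or service short name
    path: str                      # executable path as written in the log
    reasons: list = field(default_factory=list)


def split_command(cmd):
    """Return (exe_path, arguments) from a HijackThis command string."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd, ""
    return m.group("path"), cmd[m.end():].lstrip('"').strip()


def check_run_entry(name, cmd):
    path, _args = split_command(cmd)
    folder, _, exe = path.lower().rpartition("\\")
    stem = exe[:-4] if exe.endswith(".exe") else exe
    reasons = []
    if folder.endswith("system32") and exe not in KNOWN_SYSTEM32 and RANDOM_NAME_RE.match(stem):
        reasons.append("random-looking executable name in system32")
    if RANDOM_NAME_RE.match(name.lower()):
        reasons.append("random-looking Run value name")
    return Finding("run", name, path, reasons)


def check_service_entry(svc, display, owner, cmd):
    path, _args = split_command(cmd)
    reasons = []
    if owner == "Unknown owner":
        reasons.append("no company name in the binary's version info")
    if "(file missing)" in cmd:
        reasons.append("service binary not on disk (orphaned registration)")
    return Finding("service", svc or display, path, reasons)


def triage(log_text):
    """Parse O4/O23 lines and return only the entries with at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            f = check_run_entry(m.group("name"), m.group("cmd"))
        elif m := SVC_RE.match(line):
            f = check_service_entry(m.group("svc"), m.group("display"),
                                    m.group("owner"), m.group("cmd"))
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<8}{f.name:<12}{f.path}")
        for r in f.reasons:
            print(f"{'':8}- {r}")
```

The regexes tolerate the quirks visible in the log above: a service line with no short name in parentheses (ewido), a quoted path followed by arguments, and the trailing "(file missing)" marker. The heuristics are deliberately narrow so they stay explainable; a clean entry such as ctfmon.exe in system32 produces no finding.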