Win32:Trojan-gen help...

Not exactly sure when this started occurring or how I got it. I just recently installed Vista on this machine after a fresh format, got everything installed and whatnot, and put avast! on, as I had it on my XP build and I like it. Just recently two things have started happening: a) every time I scan with avast! it finds these viruses, and even if I do the boot scan it doesn't get rid of them. Here are the exact problems:

Infection: Win32: Trojan-gen (other)
Name of File: C:\RECYCLER\S-1-5-21-6697609671-7746727148-625473393-5926\TRZ942F.tmp

and there is another one with a similar name found in the same location…

Also, I noticed that it found these on my old HD in the Windows folder and is unable to scan them because access is denied. Let me know what you think:
E:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0_b03f5f7f11d50a3a

and

E:\Windows\assemble\GAC_MSIL\IEExecRemote\2.0.0.0_b03f5f7f11d50a3a

Also, just recently, whenever I restart I get a repetitive message from Vista saying that my Windows Explorer is not responding. I'll say restart or close or whatever, then it comes up again with a program saying it's not responding, and it loops like this 6-10 times. Is this all connected? It's driving me crazy.

Anyway, here's a HijackThis log. Sorry for talking so much, and I really hope someone can help me out here!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:17 PM, on 5/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Users\Ivona\Desktop\WC3 List Checker\pickup.listchecker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\helppane.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU..\Run: [Lsass Service] C:\Users\Ivona\AppData\Local\Temp\96868.exe
O4 - HKCU..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{4C568ABB-9CF6-4BED-97D3-7857A5ECBB9F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip..{951CC46D-ADC8-4899-82D2-D56603DD1B58}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe


End of file - 5607 bytes

Let me know if there's anything else I should include! Thanks again.

HijackThis log looks OK; nothing really stands out.

Did you install a real version of Vista, or a cracked one?

I only had a quick look at the log. Do you know anything about "O1 - Hosts: ::1 localhost"? To me that entry is suspicious.
Also, the entry "O4 - HKCU..\Run: [Lsass Service] C:\Users\Ivona\AppData\Local\Temp\96868.exe" would appear bad. Can you locate the file 96868.exe and send it to VirusTotal (http://www.virustotal.com/)?

It's a default entry (at least in Vista):


# Comment
127.0.0.1       localhost
::1             localhost

Download, install and update these programs (use the offline update installer if you cannot use Live Update to update them):

Malwarebytes Antimalware
    Download:        http://www.malwarebytes.org/mbam.php
    Offline updater: http://www.malwarebytes.org/mbam/database/mbam-rules.exe

SUPERAntiSpyware
    Download:        http://downloads.superantispyware.com/downloads/SUPERAntiSpyware.exe
    Offline updater: http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE

SpyBot S&D
    Download:        http://www.safer-networking.org/en/mirrors/index.html
    Offline updater: http://www.spybotupdates.biz/updates/files/spybotsd_includes.exe

Scan your computer using them; also, during installation of SpyBot S&D, disable all residents.

do you know anything about O1 - Hosts: ::1 localhost

That's the new IPv6. Any double "::" means that it's truncating zeros in the address, just FYI. Oh, and it can only be done once per IP address. For instance, if there are two sections of zeros, only one can be truncated.
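An added example, not code from anyone in this thread, that mechanises the two checks discussed above: the log review that flagged the [Lsass Service] Run entry pointing into the user's Temp folder, and the note that "::1" is just the zero-compressed spelling of the IPv6 loopback address. The script parses the O1 and O4 lines of a HijackThis log (the constructed sample is four lines copied from the log posted above), expands any IPv6 hosts entry by hand to show the compression rule (a second "::" is rejected because the expansion would be ambiguous), and applies a few heuristics to Run entries: a target under a Temp or RECYCLER directory, a purely numeric file name, or a value name that mimics a Windows system process while the target sits outside System32. The heuristics and the directory list are assumptions chosen for this illustration, not HijackThis or avast! logic, and a hit means "look closer and hash the file for VirusTotal", not a verdict.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: four lines copied from the HijackThis log posted in this thread.
# HijackThis writes the hive as HKLM\..\Run; the parser accepts that or the
# forum rendering with one backslash lost.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Lsass Service] C:\Users\Ivona\AppData\Local\Temp\96868.exe
"""

# Assumed heuristics for this illustration, not HijackThis or avast! rules.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\recycler\\", "\\$recycle.bin\\")
SYSTEM_PROCESS_NAMES = ("lsass", "csrss", "svchost", "winlogon", "smss")


def expand_ipv6(addr: str) -> str:
    """Expand an IPv6 address to eight zero-padded groups (RFC 4291 section 2.2).
    '::' stands for one or more all-zero groups and may appear only once, since a
    second one would make the expansion ambiguous. Embedded IPv4 forms such as
    ::ffff:1.2.3.4 are out of scope. Raises ValueError on malformed input."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - (len(left) + len(right))
        if missing < 1:
            raise ValueError("'::' must replace at least one group: %r" % addr)
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d: %r" % (len(groups), addr))
    expanded = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not all(c in "0123456789abcdefABCDEF" for c in g):
            raise ValueError("bad group %r in %r" % (g, addr))
        expanded.append(g.lower().zfill(4))
    return ":".join(expanded)


def valid_ipv6(addr: str) -> bool:
    """True if expand_ipv6 accepts the address."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def exe_path(cmd: str) -> str:
    """Executable named by a Run value: the quoted path, or the text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def triage_o4(name: str, cmd: str) -> List[str]:
    """Reasons an O4 autorun entry deserves a closer look (empty list if none)."""
    low = exe_path(cmd).lower()
    reasons = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("target lives in a temp or recycler directory")
    if re.fullmatch(r"\d+\.exe", low.rsplit("\\", 1)[-1]):
        reasons.append("purely numeric file name")
    if any(p in name.lower() for p in SYSTEM_PROCESS_NAMES) and "\\windows\\system32\\" not in low:
        reasons.append("value name mimics a Windows system process but target is outside System32")
    return reasons


def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Walk the O1 and O4 lines of a HijackThis log; return (verdict, line, reason) triples."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"O1 - Hosts: (\S+)\s+(\S+)", line)
        if m:
            ip, host = m.groups()
            try:
                loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:
                loopback = False
            shown = expand_ipv6(ip) if valid_ipv6(ip) else ip  # show the uncompressed form
            ok = loopback and host.lower() == "localhost"
            why = "loopback, the Vista default" if ok else "non-default hosts override"
            findings.append(("ok" if ok else "suspicious", line, "%s -> %s (%s)" % (host, shown, why)))
            continue
        m = re.match(r"O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)", line)
        if m:
            reasons = triage_o4(m["name"], m["cmd"])
            findings.append(("suspicious" if reasons else "ok", line, "; ".join(reasons) or "no heuristic hit"))
    return findings
```

Run `triage_log(SAMPLE_LOG)` and the hosts line comes back "ok" with "::1" spelled out as 0000:0000:0000:0000:0000:0000:0000:0001, the avast! and Skype entries come back "ok", and only the [Lsass Service] entry is marked "suspicious", for all three reasons at once. On a live machine the same Run values can be read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the flagged file hashed before uploading it.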