Avast is detecting Trojans but cannot remove them.

Windows XP Home. Using Avast Free as real time virus protection, and Spyware Blaster for malware protection.

Avast is detecting 2 Trojans, after Boot Scans, Quick Scan and Full Scans.

It describes them as:

C:\System Volume Information\Microsoft\services.exe
Severity:High
Status: Threat:Win32:Cycler-F [Trj]

C:\System Volume Information\Microsoft\smss.exe
Severity:High
Status: Threat:Win32:Cycler-F [Trj]

During a boot scan when it discovers these it gives me a choice of action - I’ve run the boot scan at least 3 times, and tried selecting: #3 - “Move to Chest”, after which it says “Moved to Chest”; #5 “Repair”, after which it says “Repaired”; #1 “Delete”, after which it says “Deleted”.
However, it is still there.
If I run a Quick Scan or Full Scan, it discovers them again. In those modes, when I try each of those 3 options, after each one it lets me know that it was unsuccessful.

Doing a Google search, I see posts across many of the antivirus forums describing this problem, beginning especially during June 2010.

This post describes it perfectly, as well as unsuccessful attempts to solve the problem:
http://www.bleepingcomputer.com/forums/topic326120-30.html

I’ve run scans with Malwarebytes, Spybot, a-squared and Super anti-spyware. Most of these detect the same 2 problems.
And with the same results - they cannot remove it.

Please help. Thanks.

I need some clarification…are the infections currently in your Virus Chest now while others got deleted and repaired?

While majorgeeks report it as a MBR infection, nobody seems to know how one gets infected with it.

Regardless how you got it, I need to know where it is on your machine in Avast now. Is it sitting in the Virus Chest now? First priority is to keep you/your machine safe from more harm…and don’t boot the machine.

Just ran (the 3rd or 4th) Avast Boot Scan.

Once again it found the 2 Trojans I listed. I selected “Delete” for Action, and it then said “Deleted” and continued scanning.

Just ran an Avast Quick Scan, it found the same 2 Trojans once again. When I try to Delete, it says “Error: The system cannot find the file specified (2)”.

Please do NOT do any more Boot Scans, and do NOT turn the machine off.

Please answer the question I have asked several times…is there anything in your Virus Chest?

I first posted on Avast finding 8 items in this thread - http://forum.avast.com/index.php?topic=61174.0

That post of mine explains everything that avast found.
At that time I didn’t realize the problem that those 2 Trojans cause, and how they are recently spreading thru the community.

I started this thread as my problem has changed to “I can’t eliminate these Trojans”.

Looking in the Avast Virus Chest now, there are 5 items mentioned in the thread I link to above, plus:

Name - services.exe ; Original Location: C:\System Volume Information\Microsoft
is listed 4 times (different dates from 4 different removal attempts)

and

Name - smss.exe ; Original Location: C:\Documents and Settings\Owner\Local Settings\Temp
is listed once,

and

smss.exe ; Original Location - C:\System Volume Information\Microsoft

is listed twice.

More info coming shortly - I need to check the virus chest of another antivirus I tried using to remove these Trojans.

The Trojans are on my old computer - it is currently offline. I’m typing this on my newer computer. Need to tie up this computer for a while taking care of something else urgent - then will post again.

I appreciate the responses and the concern of SafeSurf.
Back in a while, and thanks for all help.

A suggestion for the future would be to have you continue with your current problem with the thread you first created instead of starting a new thread. But since you have already started one…we will work from here.

When you say you need to check the “virus chest of another antivirus I tried using…,” do you have 2 resident AV’s or is the other AV an on-demand?

I will be signing off shortly, but others will be able to help you.

SafeSurf - “When you say you need to check the “virus chest of another antivirus I tried using…,” do you have 2 resident AV’s or is the other AV an on-demand?”

Avast free is my realtime AV (I guess that’s what “resident” refers to). I have several others I use “on-demand” when I want to run a scan by another AV.

When Avast found these problems, I ran some other scans to confirm, including a-squared free.
It came up with some stuff that the other virus programs didn’t list. I realize this is very likely because the other virus programs including avast didn’t feel these were real or important problems.
I decided to let it move to its Virus Chest the problems it found.
Much of it was tracking cookies and old files from a poker site.
But it also recognized the System Volume Information Trojans, and it has those in its virus chest as well.

I imagine I should let a-squared delete all that’s in its Virus Chest, in case that’s some of what the Avast scans are detecting at this point. But will do nothing until I get advice from this site.

Probably going to sleep, but will follow thru on any advice tomorrow.

As you also have a², they can help you remove the threat here:
http://support.emsisoft.com/forum/6-malware-removal-help/
asyn

Was there a specific thread there that has helpful info, or do you mean that you would rather me get help at that forum than at this forum?
If so, why? Avast is my resident AV, and would like help from avast.

Wouldn’t Avast want to figure out how to prevent these Trojans from getting into the computers of other Avast users?
And come up with a solution for other Avast users who come down with this problem?

Hi Bosco,
the link is for help on malware removal. (If you should need it.)
No more, no less… :wink:
asyn

Hello, I am wondering if you can help me. I cannot move a trojan to the virus chest; it’s a C32 trojan gen? What should I do?

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spywares and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then reenable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

Oops didn’t realise this thread was old

@ Essexboy, it’s (kind of) not. A new OP added to an old thread with a malware issue.