Repeated finding of same virus in same programs

I seem to have a “recurring” infection of a trojan in two files and I don’t know how to permanently get rid of them. I tried removing all past restore points (I read something in the Microsoft support area about deleting them). I have done the recommended “boot scan”; I tried starting in safe mode and they were still there; I can’t get into the folder where they seem to reoccur (System Volume Information). I am particularly concerned because I get strange error messages when I load Mozilla; when I access sites which are password-protected, I get an initial error saying the information was incorrect; I click the link again and I get in. I am concerned that something might be capturing keystrokes.

Below is the Avast Report log dating from June 2010. Yesterday I ran a scan of only the System Volume folder; the resulting report appears at the end of the Avast Report log. You will notice that it is always the same two files that are said to be infected (smss.exe and services.exe). Please let me know if you have any ideas. Thank you.

David M.

06/27/2010 22:39
Scan of all local drives

File C:\Documents and Settings\David Miron\Local Settings\Temp\loader.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\Documents and Settings\David Miron\Local Settings\Temp\smss.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\Documents and Settings\David Miron\My Documents\My Downloads\Setup.EXE|>Wise0006.bin Error 42145 {Installer archive is corrupted.}
File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\System Volume Information\Microsoft\smss.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\System Volume Information\_restore{2ECACBB6-D9AF-4EDD-9E9F-872D2F2C01F8}\RP274\A0036441.exe is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{2ECACBB6-D9AF-4EDD-9E9F-872D2F2C01F8}\RP280\A0038108.exe is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{2ECACBB6-D9AF-4EDD-9E9F-872D2F2C01F8}\RP281\A0040373.dll is infected by Win32:Trojan-gen, Deleted
File C:\System Volume Information\_restore{2ECACBB6-D9AF-4EDD-9E9F-872D2F2C01F8}\RP281\A0040374.dll is infected by Win32:Trojan-gen, Deleted
File C:\WINDOWS\system32\trz1B.tmp is infected by Win32:Trojan-gen, Deleted
Number of searched folders: 9320
Number of tested files: 994490
Number of infected files: 9


06/28/2010 20:57
Scan of all local drives

File C:\Documents and Settings\David Miron\My Documents\My Downloads\Setup.EXE|>Wise0006.bin Error 42145 {Installer archive is corrupted.}
File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\System Volume Information\Microsoft\smss.exe is infected by Win32:Cycler-F [Trj], Deleted
Number of searched folders: 9081
Number of tested files: 952680
Number of infected files: 2


02/19/2011 13:52
Scan of all local drives

File C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir_ is infected by Win32:Alureon-FZ, Deleted
File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted
Number of searched folders: 9562
Number of tested files: 1073816
Number of infected files: 2


03/16/2011 06:50
Scan of all local drives

File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted

Scanning aborted
Number of searched folders: 7153
Number of tested files: 531779
Number of infected files: 1


03/17/2011 18:52
Scan of all local drives

File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\System Volume Information\Microsoft\smss.exe is infected by Win32:Cycler-F [Trj], Deleted
Number of searched folders: 10007
Number of tested files: 1131939
Number of infected files: 2


03/25/2011 08:59
Scan of all local drives

File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\System Volume Information\Microsoft\smss.exe is infected by Win32:Cycler-F [Trj], Deleted
Number of searched folders: 9981
Number of tested files: 1108039
Number of infected files: 2


03/27/2011 11:35
Scan of all local drives

File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\System Volume Information\Microsoft\smss.exe is infected by Win32:Cycler-F [Trj], Deleted
Number of searched folders: 9961
Number of tested files: 1106959
Number of infected files: 2


03/30/2011 02:50
Scan of all local drives

File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted
Number of searched folders: 9820
Number of tested files: 1061152
Number of infected files: 1

  • avast! Scan Report
  • This file is generated automatically
  • Scan name: Quick scan
  • Started on: Monday, April 04, 2011 4:18:28 PM
  • VPS: 110404-1, 04/04/2011

C:\System Volume Information\Microsoft\services.exe [L] Win32:Cycler-F [Trj] (0)
File will be deleted during the next system start…
C:\System Volume Information\Microsoft\smss.exe [L] Win32:Cycler-F [Trj] (0)
File was successfully deleted…
Infected files: 2
Total files: 16354
Total folders: 7353
Total size: 4.8 GB

  • Scan stopped: Monday, April 04, 2011 4:33:43 PM
  • Run-time was 15 minute(s), 15 second(s)
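The pattern the poster describes (the same two paths deleted on every scan, then back again) is exactly what a log-recurrence check makes visible. The script below is an added example, not part of the post or of avast; it parses the avast log format shown above (a constructed, trimmed copy is embedded as sample input) and reports every path that was "Deleted" in more than one scan session. A path that keeps being deleted and keeps coming back is being recreated by something the scanner has not caught, which is the conclusion the reply draws.

```python
import re
from collections import defaultdict

# Constructed sample in the avast log format from the post (trimmed, three sessions).
SAMPLE_LOG = r"""06/27/2010 22:39
Scan of all local drives

File C:\Documents and Settings\David Miron\Local Settings\Temp\smss.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\System Volume Information\Microsoft\smss.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\WINDOWS\system32\trz1B.tmp is infected by Win32:Trojan-gen, Deleted
Number of infected files: 4

06/28/2010 20:57
Scan of all local drives

File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\System Volume Information\Microsoft\smss.exe is infected by Win32:Cycler-F [Trj], Deleted
Number of infected files: 2

03/17/2011 18:52
Scan of all local drives

File C:\System Volume Information\Microsoft\services.exe is infected by Win32:Cycler-F [Trj], Deleted
Number of infected files: 1
"""

# A session starts with a "MM/DD/YYYY HH:MM" line; detections are "File <path> is infected by <name>, <action>".
SESSION_HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2})$")
DETECTION = re.compile(r"^File (.+?) is infected by (.+?), (\w+)$")


def parse_sessions(text):
    """Return a list of sessions: {'date', 'time', 'detections': [(path, threat, action), ...]}."""
    sessions = []
    current = None
    for line in text.splitlines():
        header = SESSION_HEADER.match(line.strip())
        if header:
            current = {"date": header.group(1), "time": header.group(2), "detections": []}
            sessions.append(current)
            continue
        hit = DETECTION.match(line.strip())
        if hit and current is not None:
            current["detections"].append((hit.group(1), hit.group(2), hit.group(3)))
    return sessions


def recurring_paths(sessions, min_sessions=2):
    """Map each path (case-folded, since NTFS is case-insensitive) to the dates it was
    detected in, keeping only paths seen in at least min_sessions distinct sessions."""
    seen = defaultdict(list)
    for session in sessions:
        for path, _threat, _action in session["detections"]:
            key = path.lower()
            if session["date"] not in seen[key]:
                seen[key].append(session["date"])
    return {p: dates for p, dates in seen.items() if len(dates) >= min_sessions}


def in_restore_area(path):
    """True for paths under System Volume Information: the scanner deletes them, but
    a live process elsewhere is what recreates them, so cleaning only here cannot work."""
    return "\\system volume information\\" in path.lower()


def analyse(text, min_sessions=2):
    """Return (recurring, restore_area_recurring) for a log in the post's format."""
    recurring = recurring_paths(parse_sessions(text), min_sessions)
    restore_area = {p: d for p, d in recurring.items() if in_restore_area(p)}
    return recurring, restore_area


if __name__ == "__main__":
    recurring, restore_area = analyse(SAMPLE_LOG)
    for path, dates in sorted(recurring.items()):
        tag = " (restore area; the dropper lives elsewhere)" if path in restore_area else ""
        print(f"{path}: deleted in {len(dates)} sessions {dates}{tag}")
```

Run against the full log in the post, the output shows that only the two System Volume Information files recur; the Temp copies and the .tmp file were one-off detections. A path that appears in every session after being "Deleted" should be read as a symptom of an undetected persistence mechanism, not as a scanner bug.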

I assume that after these detections avast also suggested that you do a boot-time scan?

If so, did you schedule a boot-time scan?

This one:
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir_ is infected by Win32:Alureon-FZ

You have had a previous infection and have used combofix, as this is the combofix quarantine area. Once you have done with combofix, it isn’t something to keep installed, as it is constantly updated, so it should have been removed along with its quarantine folder/files.

Alureon is a rootkit and, if not fully removed, could still be hiding some other malware, possibly a trojan downloader. The constant recurrence of these is an indication that there is a hidden or undetected piece of malware (probably a downloader) left on your system.

File C:\Documents and Settings\David Miron\Local Settings\Temp\loader.exe is infected by Win32:Cycler-F [Trj], Deleted
File C:\Documents and Settings\David Miron\Local Settings\Temp\smss.exe is infected by Win32:Cycler-F [Trj], Deleted

So the first thing that I would suggest is that you schedule a boot-time scan: avastUI, Scan Computer, Boot-time scan. Don’t go deleting things as your first option (you have none left); select Send to Chest.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.
Also available is a portable version of SAS, http://www.superantispyware.com/portablescanner.html, with no installation required.