Win32:Cycler-l[trj] Found but can not remove

avast finds this file (actually it lists it four times but only two different file locations)

c:\System Volume Information\Microsoft\services.exe
c:\System Volume Information\Microsoft\smss.exe
c:\System Volume Information\Microsoft\services.exe
c:\System Volume Information\Microsoft\smss.exe

When I try to remove it I get an error telling me that it can not find the file specified. Which honestly I find odd since it told me about it in the first place.

I tried booting into safe mode and running the scan and it finds the same files but instead of telling me that it can not find the file it tells me it does not have permission to access the file.

It appears to be opening up multiple instances of IE running hidden. They show up under processes but you do not see them otherwise.

I did some searches online but did not find anything. Right now I have the computer in question unhooked from the internet.

Malwarebytes did not appear to even see it.

Any help would be great

Thanks

Until you get more specialized help, I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then reenable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

Those files appear to be in System Restore and because of that, they would be protected.

You can try this. It will destroy all system restore points but should get rid of the problem.
Disable system restore, reboot the computer, and then activate system restore again.
I would give more detailed instructions but you neglected to mention the OS.

It will not hurt (and might help) to also do the other things that Tech suggested above.


XPHome SP3

I had already tried disabling the system restore. I have not turned it back on yet; I will try that.
Already tried deleting the temp files. Did this when I was in safe mode. No joy on that either.

avast sees the problem, it just does not seem to be able to do anything about it.

Ran MBAM again; it still does not see it, though when it started avast gave me a little pop-up at the bottom right telling me it blocked the trojan.

Running CureIT right now we will see how it goes.

Thanks

Disabling system restore and re-enabling it did not clear up the problem.

avast is now only showing one of each instead of two so now I am only getting

c:\System Volume Information\Microsoft\services.exe
c:\System Volume Information\Microsoft\smss.exe

CureIT did not see the trojan at all

I will try the rest of the list.

Thanks

Found some file info…

ThreatExpert’s awareness of the file “services.exe”:
http://www.threatexpert.com/files/services.exe.html

Prevx - SERVICES.EXE
http://www.prevx.com/filenames/476339565022733292-X1/SERVICES.EXE.html

ThreatExpert’s awareness of the file “smss.exe”:
http://www.threatexpert.com/files/smss.exe.html

Prevx - SMSS.EXE
http://www.prevx.com/filenames/4065244556232787144-X1/SMSS.EXE.html

Have you tried

Malwarebytes > More tools > FileASSASSIN

No joy on the file assassin; it sees the files but can not delete them. All the other programs as well, they either do not see the two files or see them and are not able to do anything to them.

I went in and gave the administrator extra privileges for the folder and it let me in to delete them but then would not let me because they were in use.

Tried shutting them down in the task manager but it will not let me do that.

Tried booting up in safe mode to the command prompt and tried deleting them from there but it will not let me because they are in use.

So it seems like I have found a way to get to the two files but because they are loading up as soon as windows does I can not delete them.

I guess I need a way to terminate them and that should let me delete them.

Any ideas?

Thanks.
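Added example (not part of the original thread): the two detections above use the names of real Windows system processes but sit outside the System32 folder, and that mismatch can be checked mechanically. The sketch below flags core system process names whose image path is not under `C:\WINDOWS\System32`; the process listing, the PIDs and the extra names beyond services.exe and smss.exe are constructed for illustration.

```python
import csv
import io
import ntpath

# Core Windows processes that should only ever run from %SystemRoot%\System32.
# services.exe and smss.exe come from the thread; the other names are added here.
PROTECTED_NAMES = {"services.exe", "smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}

# Constructed sample listing (name,pid,path); PIDs are made up for illustration.
SAMPLE = r"""name,pid,path
System,4,
smss.exe,540,\SystemRoot\System32\smss.exe
csrss.exe,604,\??\C:\WINDOWS\system32\csrss.exe
services.exe,672,C:\WINDOWS\system32\services.exe
services.exe,1812,c:\System Volume Information\Microsoft\services.exe
smss.exe,1840,c:\System Volume Information\Microsoft\smss.exe
iexplore.exe,2104,C:\Program Files\Internet Explorer\iexplore.exe
"""


def normalize(path, system_root=r"C:\WINDOWS"):
    """Turn the NT-style spellings Windows reports into one comparable form."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):                    # \??\C:\WINDOWS\... -> C:\WINDOWS\...
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):    # \SystemRoot\System32\... -> C:\WINDOWS\System32\...
        p = system_root + p[len("\\systemroot"):]
    return ntpath.normcase(ntpath.normpath(p))


def find_masquerading(listing, system_root=r"C:\WINDOWS"):
    """Return (pid, name, path) for protected names running outside System32."""
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    hits = []
    for row in csv.DictReader(io.StringIO(listing)):
        name = row["name"].strip().lower()
        raw = (row["path"] or "").strip()
        if name not in PROTECTED_NAMES or not raw:
            continue  # not a watched name, or the lister could not read the path
        if ntpath.dirname(normalize(raw, system_root)) != expected:
            hits.append((int(row["pid"]), name, raw))
    return hits


if __name__ == "__main__":
    for pid, name, path in find_masquerading(SAMPLE):
        print(f"SUSPICIOUS pid={pid} {name} -> {path}")
```

The legitimate copies in the sample pass even though Windows reports their paths in three different spellings, which is why the paths are normalized before comparing.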

Any ideas?
Nope......but I know one that might have.....Essexboy

Follow this guide from Essexboy and post the logs in your next reply here as attachments
http://forum.avast.com/index.php?topic=53253.0

down left corner > additional options > attach (OTL.Txt / Extras.Txt. / MBAM log )

+1

Essexboy is the number 1 qualified malware eliminator here, and we also have oldman, but I haven’t seen much of that user lately, I hope he is fine, also top class for ye, and we have others in the pipeline coming out of the Hogwart Anti-Malware Online Academies,

polonus

Hi there, this is a new kid on the block - and will require specialised tools.

A few questions first:

What is the make of your computer i.e. Dell, HP

What is your Operating system Vista or XP ?

Do you have your windows disc ?

Download Bootkit remover to your desktop
This is a rar file; if you do not have a programme to open it then download and install Peazip

Extract Remover.exe to your desktop
Right click Remover.exe and select Run as Administrator (if on Vista/7)
It will show a Black screen with some data on it
Right click on the screen and select > Select All
Press Control+C
Open a notepad and press Control+V

Post the resultant log here please

Hogwart Anti-Malware Online Academies,
Hogwart ......is that the same school Harry Potter went to ;D

Hi Pondus,

It is called after some of the tools they use there at geek2go, all in good humor of course, first there was hjt now they have ComboScript and various other specific script driven cleansing tools, essexboy is the expert there you should ask him,

polonus