C:\WINDOWS\Installer - In Virus Chest, Now What?

Hey guys! I’ve been using Avast! for about three months, and over the past two days, I’ve seen two files that are located in “C:\WINDOWS\Installer” pop up in my Virus Chest over and over again. I haven’t been receiving alerts about this - I just happened to look in the Virus Chest and notice the high level of activity. The files are named “80000000.@” and “800000cb.@”. I tried doing a System Restore for July 6 (the first time these files were transferred was on the 7th), but Avast! is still picking up these two files. I’m not tech-savvy, so I have no idea what to do at this point, or if it’s even a problem, since they’re in the Virus Chest. I’m running Windows XP, if that matters.

welcome to the forum. the files can’t do anything to your system when they are in the avast chest.

but to be on the safe side, use this guide and attach the recommended scans.

http://forum.avast.com/index.php?topic=53253.0

good luck

If they are still in the Virus Chest (VC), have you rescanned them from the VC to see if they are still infected?

Thanks, I’ll do that as soon as I can. OTL’s server seems to be busy, so I can’t download it.

How do I re-scan them from the Virus Chest?

http://forum.avast.com/index.php?topic=53253.0 - scroll down the page for instructions

> How do I re-scan them from the Virus Chest?
Right-click and you will see options, one of them is to rescan the file. If it is clean you can delete it if it is a restore or temporary Internet file. If it is a system file, you can try to restore it.

SafeSurf, I can’t download OTL. It says, “503 Service Unavailable”: http://oldtimer.geekstogo.com/OTL.exe

Also, I only see “Scan,” not “Rescan.” It looks like there’s an option “Delete,” too, so should I go ahead and select that?

Here’s the log from Malwarebytes:


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.09.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Robin :: ROBIN-S [administrator]

7/8/2012 11:11:02 PM
mbam-log-2012-07-08 (23-11-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 223035
Time elapsed: 16 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\All Users\Application Data\TheBflix (PUP.BFlix) → Quarantined and deleted successfully.

Files Detected: 8
C:\Documents and Settings\All Users\Application Data\TheBflix\bhoclass.dll (PUP.DownloadnSave) → Quarantined and deleted successfully.
C:\Documents and Settings\Robin\My Documents\Downloads\DownloadSetup.exe (Affiliate.Downloader) → Quarantined and deleted successfully.
C:\WINDOWS\Installer\{fca29a0e-e1db-a0f1-3e89-719e09029518}\n (Trojan.Dropper.PE4) → Quarantined and deleted successfully.
c:\windows\installer\{fca29a0e-e1db-a0f1-3e89-719e09029518}\u\800000cb.@ (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\TheBflix\background.html (PUP.BFlix) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\TheBflix\content.js (PUP.BFlix) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\TheBflix\gfmndcojhdapjcgchebmbojbkijdomhp.crx (PUP.BFlix) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\TheBflix\settings.ini (PUP.BFlix) → Quarantined and deleted successfully.

(end)
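The two Malwarebytes hits above show the on-disk pattern that matters in this thread: a GUID-named directory under C:\WINDOWS\Installer holding a loader file called `n` and a `u` subdirectory with `800000cb.@`-style module files. The following is an added example, not part of the original thread or of any Avast/Malwarebytes tooling: a small Python triage script that walks an Installer directory and reports exactly those indicators. It builds its own throw-away directory tree to run against (the clean `{0f3b…}` directory and its `ARPPRODUCTICON.exe` are constructed for the demo; the `{fca29a0e…}` layout is copied from the log). Note the caveat built into it: Windows Installer legitimately caches files in `{GUID}` directories too, so a GUID directory by itself is never reported.

```python
import os
import re
import tempfile

# Indicators taken from the MBAM log above: a {GUID} directory under
# C:\WINDOWS\Installer containing a file named "n" and a "u" (or "l")
# subdirectory with files named like 800000cb.@ (eight hex digits + ".@").
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
AT_FILE = re.compile(r"^[0-9a-f]{8}\.@$", re.I)


def find_zeroaccess_artifacts(installer_dir):
    """Return a list of (path, reason) tuples for suspicious entries.

    Legitimate Windows Installer caches also live in {GUID} directories, so
    the GUID directory alone is never reported; only the 'n' loader file,
    the 'u'/'l' subdirectories and the *.@ module names are.
    """
    findings = []
    if not os.path.isdir(installer_dir):
        return findings
    for entry in sorted(os.listdir(installer_dir)):
        guid_path = os.path.join(installer_dir, entry)
        if not (os.path.isdir(guid_path) and GUID_DIR.match(entry)):
            continue
        for child in sorted(os.listdir(guid_path)):
            child_path = os.path.join(guid_path, child)
            if child.lower() == "n" and os.path.isfile(child_path):
                findings.append((child_path, "loader file 'n' in GUID dir"))
            elif child.lower() in ("u", "l") and os.path.isdir(child_path):
                findings.append((child_path, "hidden module dir '%s'" % child))
                for name in sorted(os.listdir(child_path)):
                    if AT_FILE.match(name):
                        findings.append((os.path.join(child_path, name),
                                         "*.@ module file"))
    return findings


def build_sample_tree():
    """Construct a temporary directory imitating the layout in the log above.

    The first GUID directory is a constructed, benign Installer cache entry;
    the second reproduces the paths Malwarebytes reported.
    """
    root = tempfile.mkdtemp(prefix="installer_")
    clean = os.path.join(root, "{0f3b2e1a-1111-2222-3333-444455556666}")
    os.makedirs(clean)
    open(os.path.join(clean, "ARPPRODUCTICON.exe"), "w").close()
    bad = os.path.join(root, "{fca29a0e-e1db-a0f1-3e89-719e09029518}")
    os.makedirs(os.path.join(bad, "u"))
    open(os.path.join(bad, "n"), "w").close()
    open(os.path.join(bad, "u", "800000cb.@"), "w").close()
    open(os.path.join(bad, "u", "80000000.@"), "w").close()
    return root


if __name__ == "__main__":
    # On a real XP box you would pass r"C:\WINDOWS\Installer" instead.
    for path, reason in find_zeroaccess_artifacts(build_sample_tree()):
        print(reason, "->", path)
```

On a live system this only tells you something was dropped there; as the later posts say, the file names alone do not say whether the hooked `services.exe` is still patched, so a listing like this is a starting point for the OTL/aswMBR logs, not a replacement for them.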

MBAM did its job, but it’s not complete.

You did not go to the link I gave you and that is why you cannot get in correctly. Go here: https://forum.avast.com/index.php?topic=53253.0. READ the instructions on the logs you need to obtain and ATTACH to your next post.

You still need to get:

  1. OTL logs (save them as ANSI)
  2. aswMBR log
    Post the logs as an attachment (Additional Options > Attach > Post).

I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time (6 - 8 PM). He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to do malware removal steps on it; use a different machine to check email, sync your phone or other devices.

Let me know if you have any questions. Thank you.

Essexboy has been notified.

SafeSurf, I don’t mean to tick you off, but I DID go to that thread, and I clicked on the link where it says, “THEN Download OTL to your Desktop.” The link took me to a page that says, “503 Service Unavailable.” I don’t know what other link you could be talking about. I will gladly post the other two logs once I can actually download the program.

You didn’t tick me off, so don’t worry, I’m here to help you. I suspect that a lot of people are getting malware and the site is busy. Why don’t you get the other logs and attach them to your next post so we have something. Then try accessing the site later when hopefully less people are online or went to work or are asleep.

I have already notified Essexboy, our malware removal specialist to assist you. In the meantime, perhaps later before he arrives on the forum try to get the OTL logs after your other logs. Otherwise we’ll see what we can do, but the OTL logs give us a LOT of important information. Thank you.

Try downloading from here

http://majorgeeks.com/OTL_OldTimers_List-It_d7074.html

Thanks Pondus.

Okay, let’s see if I did this right… here are the other logs.

The logs show the remains of the loading point for ZeroAccess rootkit.

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Post log reports ( ComboFix.txt) back to topic.

Thank you RobinSaysHi, and thank you Magna86.

CF automatically changes the infected services.exe and deletes the ZeroAccess orphans. No need for the OTL tool.

Okay, here’s the ComboFix log…

Step 1

Open notepad and copy/paste the text present inside the code box below:

ClearJavaCache:: 

DDS::
uStart Page = hxxp://search.babylon.com/?affID=112463&babsrc=HP_ss&mntrId=e0d9c9e8000000000000001b7752c556

Firefox::
FF - ProfilePath - c:\documents and settings\Robin\Application Data\Mozilla\Firefox\Profiles\3eavm3ir.default\
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=112463&babsrc=KW_ss&mntrId=e0d9c9e8000000000000001b7752c556&q=
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=112463
FF - user.js: extensions.BabylonToolbar_i.babExt - 
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - e0d9c9e8000000000000001b7752c556
FF - user.js: extensions.BabylonToolbar_i.hardId - e0d9c9e8000000000000001b7752c556
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15457
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.170:46
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

Save this as CFScript.

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

Step 2

Check USB storage devices / removable drives

Download MCShield.
Official site

  * Double click MCShield-Setup to install the application.
  * Wait a few seconds for MCShield to finish its initial scan.
    It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
  * Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has made.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
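The Firefox:: section of the CFScript above lists the preferences the Babylon toolbar left behind: `keyword.URL` redirected to search.babylon.com and a block of `extensions.BabylonToolbar_i.*` entries in user.js. The following is an added example, not part of the original thread and not how ComboFix itself processes a CFScript: a Python parser for Firefox `prefs.js`/`user.js` lines that flags navigation preferences pointing at a known hijack host and any preference under a hijacker's prefix, then writes out the file with those lines removed. The sample `user.js` is constructed for the demo (its Babylon values are the ones from the CFScript; the two benign lines are made up), and the hijack host and prefix lists are assumptions an analyst would extend from their own logs.

```python
import re

# A prefs.js / user.js line looks like:  user_pref("keyword.URL", "http://...");
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Preferences that decide where the browser goes by default; an affiliate
# host in any of them is the classic search-hijack symptom.
NAVIGATION_KEYS = ("browser.startup.homepage", "keyword.URL",
                   "browser.search.defaultenginename")
# Host and preference prefix taken from the CFScript above (assumed lists;
# extend with whatever your own logs show).
HIJACK_HOSTS = ("search.babylon.com",)
HIJACK_PREF_PREFIXES = ("extensions.BabylonToolbar_i.",)


def parse_prefs(text):
    """Yield (key, raw_value) for every user_pref line; comments and junk are skipped."""
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            yield m.group(1), m.group(2).strip()


def _host_of(raw_value):
    # Accept both real URLs and the hxxp:// defanged form used in the logs.
    m = re.match(r'"(?:hxxp|http)s?://([^/"]+)', raw_value, re.I)
    return m.group(1).lower() if m else None


def find_hijacked_prefs(text):
    """Return [(key, value, reason)] for preferences that look hijacked."""
    findings = []
    for key, value in parse_prefs(text):
        host = _host_of(value)
        if key in NAVIGATION_KEYS and host in HIJACK_HOSTS:
            findings.append((key, value, "navigation pref points at %s" % host))
        elif key.startswith(HIJACK_PREF_PREFIXES):
            findings.append((key, value, "toolbar preference left behind"))
    return findings


def clean_prefs(text):
    """Return the prefs file text with every flagged user_pref line removed."""
    bad = {key for key, _, _ in find_hijacked_prefs(text)}
    kept = []
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) in bad:
            continue
        kept.append(line)
    return "\n".join(kept)


# Constructed sample: the Babylon values mirror the CFScript above, the last
# two lines are benign preferences made up for the demo.
SAMPLE_USER_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.babylon.com/?affID=112463&babsrc=HP_ss&mntrId=e0d9c9e8000000000000001b7752c556");
user_pref("keyword.URL", "http://search.babylon.com/?affID=112463&babsrc=KW_ss&mntrId=e0d9c9e8000000000000001b7752c556&q=");
user_pref("extensions.BabylonToolbar_i.babTrack", "affID=112463");
user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
user_pref("browser.tabs.warnOnClose", false);
user_pref("network.cookie.cookieBehavior", 1);
'''

if __name__ == "__main__":
    for key, value, reason in find_hijacked_prefs(SAMPLE_USER_JS):
        print("%-45s %s" % (key, reason))
    print("--- cleaned user.js ---")
    print(clean_prefs(SAMPLE_USER_JS))
```

Firefox must be closed while prefs.js is edited, because it rewrites the file on exit and would undo the change; that is the reason the post asks for all browser windows to be closed before ComboFix is re-run.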

Here you go…

Logs are clean and no signs of active malware.

It is necessary to uninstall Combofix

Start >> Run

Combofix /Uninstall

Enter

I recommend you keep MCShield.
This light program will protect your system from any malware that can spread via USB devices.

ComboFix has been uninstalled, and I’ve kept MCShield.

Thank you so much to everyone on this thread who helped me out! I like the Avast! program, but it’s especially comforting to know that there are people in the Avast! forum who go the extra mile to help solve problems like these!