Author Topic: C:\WINDOWS\Installer - In Virus Chest, Now What?  (Read 11920 times)


RobinSaysHi

  • Guest
C:\WINDOWS\Installer - In Virus Chest, Now What?
« on: July 09, 2012, 07:12:05 AM »
Hey guys! I've been using Avast! for about three months, and over the past two days, I've seen two files that are located in "C:\WINDOWS\Installer" pop up in my Virus Chest over and over again. I haven't been receiving alerts about this - I just happened to look in the Virus Chest and notice the high level of activity. The files are named "80000000.@" and "800000cb.@". I tried doing a System Restore for July 6 (the first time these files were transferred was on the 7th), but Avast! is still picking up these two files. I'm not tech-savvy, so I have no idea what to do at this point, or if it's even a problem, since they're in the Virus Chest. I'm running Windows XP, if that matters.

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #1 on: July 09, 2012, 07:51:19 AM »
welcome to the forum. the files can't do anything to your system when they are in the avast chest.

but to be on the safe side use this guide and attach the recommended scans.

http://forum.avast.com/index.php?topic=53253.0

good luck
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

SafeSurf

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #2 on: July 09, 2012, 07:57:22 AM »
If they are still in the Virus Chest (VC), have you rescanned them from the VC to see if they are still infected?

RobinSaysHi

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #3 on: July 09, 2012, 08:07:10 AM »
welcome to the forum. the files can't do anything to your system when they are in the avast chest.

but to be on the safe side use this guide and attach the recommended scans.

http://forum.avast.com/index.php?topic=53253.0

good luck

Thanks, I'll do that as soon as I can. OTL's server seems to be busy, so I can't download it.

If they are still in the Virus Chest (VC), have you rescanned them from the VC to see if they are still infected?

How do I re-scan them from the Virus Chest?

SafeSurf

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #4 on: July 09, 2012, 08:22:42 AM »
Thanks, I'll do that as soon as I can. OTL's server seems to be busy, so I can't download it.
http://forum.avast.com/index.php?topic=53253.0 - scroll down the page for instructions

If they are still in the Virus Chest (VC), have you rescanned them from the VC to see if they are still infected?
How do I re-scan them from the Virus Chest?
Right click and you will see options, one of them is to rescan the file.  If it is clean you can delete it if it is a restore or temporary Internet file.  If it is a system file, you can try to restore it.

RobinSaysHi

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #5 on: July 09, 2012, 08:50:49 AM »
SafeSurf, I can't download OTL. It says, "503 Service Unavailable": http://oldtimer.geekstogo.com/OTL.exe

Also, I only see "Scan," not "Rescan." It looks like there's an option "Delete," too, so should I go ahead and select that?

Here's the log from Malwarebytes:

---

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.09.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Robin :: ROBIN-S [administrator]

7/8/2012 11:11:02 PM
mbam-log-2012-07-08 (23-11-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 223035
Time elapsed: 16 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\All Users\Application Data\TheBflix (PUP.BFlix) -> Quarantined and deleted successfully.

Files Detected: 8
C:\Documents and Settings\All Users\Application Data\TheBflix\bhoclass.dll (PUP.DownloadnSave) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robin\My Documents\Downloads\DownloadSetup.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Installer\{fca29a0e-e1db-a0f1-3e89-719e09029518}\n (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
c:\windows\installer\{fca29a0e-e1db-a0f1-3e89-719e09029518}\u\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\TheBflix\background.html (PUP.BFlix) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\TheBflix\content.js (PUP.BFlix) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\TheBflix\gfmndcojhdapjcgchebmbojbkijdomhp.crx (PUP.BFlix) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\TheBflix\settings.ini (PUP.BFlix) -> Quarantined and deleted successfully.

(end)
« Last Edit: July 09, 2012, 08:54:13 AM by RobinSaysHi »

SafeSurf

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #6 on: July 09, 2012, 09:04:12 AM »
MBAM did its job, but it's not complete.

You did not go to the link I gave you and that is why you cannot get in correctly.  Go here: https://forum.avast.com/index.php?topic=53253.0.  READ the instructions on the logs you need to obtain and ATTACH to your next post. 

You still need to get:
1. OTL logs (save them as ANSI)
2. aswMBR log 
Post the logs as an attachment (Additional Options > Attach > Post). 

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time (6 - 8 PM).  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Essexboy instructs you to, to carry out malware removal instructions; use a different machine to check email, sync your phone or other devices.

Let me know if you have any questions.  Thank you.

Essexboy has been notified.
« Last Edit: July 09, 2012, 09:10:19 AM by SafeSurf »

RobinSaysHi

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #7 on: July 09, 2012, 09:12:23 AM »
SafeSurf, I don't mean to tick you off, but I DID go to that thread, and I clicked on the link where it says, "THEN Download OTL to your Desktop." The link took me to a page that says, "503 Service Unavailable." I don't know what other link you could be talking about. I will gladly post the other two logs once I can actually download the program.

SafeSurf

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #8 on: July 09, 2012, 09:21:04 AM »
You didn't tick me off, so don't worry, I'm here to help you.  I suspect that a lot of people are getting malware and the site is busy.  Why don't you get the other logs and attach them to your next post so we have something.  Then try accessing the site later when hopefully less people are online or went to work or are asleep.

I have already notified Essexboy, our malware removal specialist to assist you.  In the meantime, perhaps later before he arrives on the forum try to get the OTL logs after your other logs.  Otherwise we'll see what we can do, but the OTL logs give us a LOT of important information.  Thank you.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #9 on: July 09, 2012, 09:22:11 AM »

SafeSurf

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #10 on: July 09, 2012, 09:24:18 AM »
Thanks Pondus.  ;)

RobinSaysHi

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #11 on: July 09, 2012, 10:34:06 AM »
Okay, let's see if I did this right... here are the other logs.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #12 on: July 09, 2012, 10:45:47 AM »
The logs show the remains of the loading point for ZeroAccess rootkit.


> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Post log reports ( ComboFix.txt) back to topic.
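As an added illustration (not part of this thread, nor code from Avast, MBAM or ComboFix), here is a small Python 3 script that checks an Installer directory for the ZeroAccess loading-point layout shown in the MBAM log above: a {GUID} folder holding a file named "n" and a "u" subfolder containing 8-hex-digit ".@" files. The sample tree it builds is constructed (empty placeholder files); the benign GUID folder is an assumption added for contrast.

```python
import re
import tempfile
from pathlib import Path

# Layout recorded in the MBAM log in this thread (a loading point for ZeroAccess):
#   C:\WINDOWS\Installer\{fca29a0e-e1db-a0f1-3e89-719e09029518}\n
#   c:\windows\installer\{fca29a0e-e1db-a0f1-3e89-719e09029518}\u\800000cb.@
# Genuine {GUID} folders (MSI caches) also live in Installer, so only this
# n / u / xxxxxxxx.@ combination is flagged, not GUID folders in general.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
AT_FILE = re.compile(r"^[0-9a-f]{8}\.@$", re.I)


def find_zeroaccess_remnants(installer_dir):
    """Return a sorted list of paths matching the ZeroAccess remnant layout."""
    hits = []
    root = Path(installer_dir)
    if not root.is_dir():
        return hits
    for entry in root.iterdir():
        if not (entry.is_dir() and GUID_DIR.match(entry.name)):
            continue
        n_file = entry / "n"          # the dropped loader ("Trojan.Dropper" in the log)
        if n_file.is_file():
            hits.append(str(n_file))
        u_dir = entry / "u"           # the "u" folder holding the .@ payload files
        if u_dir.is_dir():
            hits.extend(str(f) for f in u_dir.iterdir()
                        if f.is_file() and AT_FILE.match(f.name))
    return sorted(hits)


def build_sample_tree(base=None):
    """Create a constructed sample Installer tree (empty placeholder files only)
    and return its path. The bad GUID is the one from the thread's log."""
    base = Path(base or tempfile.mkdtemp())
    installer = base / "WINDOWS" / "Installer"
    bad = installer / "{fca29a0e-e1db-a0f1-3e89-719e09029518}"
    (bad / "u").mkdir(parents=True)
    (bad / "n").touch()
    (bad / "u" / "80000000.@").touch()
    (bad / "u" / "800000cb.@").touch()
    # A benign-looking MSI cache folder that must not be flagged (assumed GUID).
    good = installer / "{11111111-2222-3333-4444-555555555555}"
    good.mkdir()
    (good / "setup.msi").touch()
    return installer


if __name__ == "__main__":
    for path in find_zeroaccess_remnants(build_sample_tree()):
        print("suspicious:", path)
```

Point it at a real C:\WINDOWS\Installer only to list candidates for the helpers in this thread to review; it does not delete or modify anything.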

SafeSurf

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #13 on: July 09, 2012, 10:48:40 AM »
Thank you RobinSaysHi, and thank you Magna86.

argus

  • Guest
Re: C:\WINDOWS\Installer - In Virus Chest, Now What?
« Reply #14 on: July 09, 2012, 11:35:54 AM »
CF automatically changes the infected services.exe and deletes the ZA orphans. No need for the OTL tool.