Hi Folks - I switched from McAfee to Norton in early July, partly due to McAfee acting strangely. When I did, I discovered multiple infections, one of which was exactly as described in this thread - an infected services.exe file and an 800000xx.@ trojan in a directory of Windows Installer I couldn't access. After lots of effort over a few days, I thought I'd cleaned everything (Norton and Malwarebytes scans came up clean) until Norton gave me a realtime warning about a trojan. Here's the warning:
*******
Full Path: c:\windows\installer\{10219958-271e-31d2-73cf-780f6504c73e}\u\80000032.@
Threat: Trojan.Gen
____________________________
On computers as of Not Available
Last Used 7/11/2012 at 12:57:09 AM
Startup Item No
Launched No
____________________________
Unknown
Number of users in the Norton Community that have used this file: Unknown
____________________________
Unknown
This file release is currently not known.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________
File Actions
File: c:\windows\installer\{10219958-271e-31d2-73cf-780f6504c73e}\u\80000032.@
Removed
____________________________
File Thumbprint - SHA:
7cd14a8950762755a97b92d48472d3cfcbbbc86288ea0e9a0db0e1bce42eeec3
____________________________
File Thumbprint - MD5:
084d88af194644b8f8f62da894b00d5f
**********
I went to the c:\windows\installer\{10219958-271e-31d2-73cf-780f6504c73e}\u\ directory, which I could now access, and found another file of the form 800000xx.@, which I deleted. (directory modified on 7/11/2012 - the day I deleted the file)
I've been running daily Malwarebytes quick scans, and the occasional Norton full scan since then. I've also been monitoring the c:\windows\installer\{10219958-271e-31d2-73cf-780f6504c73e}\u\ directory, which has remained empty. But yesterday for some reason I decided to look at the c:\windows\installer\{10219958-271e-31d2-73cf-780f6504c73e}\ directory and discovered that there was a @ file in it, as well as an L subdirectory.
@ is described as a 2KB system file created Sunday, January 15, 2012 and modified Thursday, Nov 14 2011.
In the L directory (modified on 7/7/2012) are three files:
1afb2d56 created on 7/6/2012 at 3:35 pm 1KB
00000004.@ created on 7/6/2012 at 3:44 pm 1KB
201d3dde created on 7/6/2012 at 3:44 pm 1KB
Under properties, 1afb2d56 and 201d3dde are described as files, 00000004.@ is described as a @ file, which opens with Windows Shell Common Dll.
7/6 was the day I first installed Norton 360.
I've scanned all files mentioned above with both Norton and Malwarebytes, and they come up clean, but both of them missed the 800000xx.@ files during earlier scans. I couldn't find any reference to .@ files when I searched or to a @ system file, and I am disturbed that the 00000004.@ has the same sort of name as the trojans had.
So what do people think? Am I infected, or clean?
[edit: Clarified subject.]