This is getting a bit interesting.. (for me anyway, mainly because I'm not sure what I'm doing)
Searching from Windows Explorer, that directory does not exist.
I ran "unhide.exe" and it still does not exist.
From the command prompt, I found it! using "dir /A"
The only file in it is the @ file that I guess was found before?
Avast found 8000000cb.@ and 800000000.@ before in the U sub-dir, and recently 00000001.@ in the same U dir.
I'll try deleting it from the command prompt, reboot and see if I can find it again.
Another random thing I found (from Process Explorer): the spoolsv.exe process had a *Crypt* thread associated with it (I didn't write down the full name). Is that normal?
Image of dir structure here:
http://i301.photobucket.com/albums/nn77/oldcorollas/99d6dir.jpg

Deleted the @ file ("del /A /S"),
then removed the [99d6c928-147d-54d5-377f-bd821ed462e7] dir and sub-dir ("rmdir /s {99 etc}") (in the command prompt, it had {..} instead of [..] for brackets...)
Rebooting now to see if it's gone.
Edit: ok, that dir stayed gone.
So I went back to Avast to see what other files were detected, and there was one with the name
c:\windows\installer\{99d6c928-147d-54d5-377f-bd821ed462e7}\U
Checked in the command prompt, and there is a hidden dir of that name..... (from 20/5/2012, 3 days after detection in that folder)
In that folder there is also a hidden file called @, along with 00000001.@ from 16/5/2012 (date of infection!)
Then rmdir'd that folder and sub-dir as well....
Image of that dir structure here:
http://i301.photobucket.com/albums/nn77/oldcorollas/installer-99d6dir.jpg

From c:\ "dir /S /A *.@" found nothing.
From c:\ "dir /S /A 800*.*" and "800*" found nothing sinister.
New Avast boot-time scan, still nothing.
AVP from normal mode found three vulnerabilities (old VLC, Shockwave 11, and Norton remnants from 2005)
but no nasties. Have updated VLC and Shockwave.
System is running good atm, nothing else to report.
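The manual "dir /A" / "dir /S /A *.@" sweep from the post, written up as a PowerShell script so it can be re-run after reboot. This is an added example, not the poster's commands: it walks the roots the post mentions (Windows\Installer and the system drive; both are assumptions you can change), lists hidden "*.@" or bare "@" files and any {GUID}-named folder that has a "U" sub-directory, and only deletes files when -Remove is passed. The GUID pattern and the report-only default are my choices for illustration.

```powershell
# Added example (not the poster's commands): sweep for the hidden artifacts the
# post describes - "*.@" files and {GUID} folders containing a "U" sub-dir -
# and report them without deleting anything unless -Remove is given.
# Roots and the GUID pattern are assumptions for illustration.

param(
    [string[]]$Roots = @("$env:SystemRoot\Installer", "$env:SystemDrive\"),
    [switch]$Remove   # off by default: report only
)

# GUID-in-braces folder names, e.g. {99d6c928-147d-54d5-377f-bd821ed462e7}
$guidDir = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'

$findings = foreach ($root in $Roots) {
    # -Force is the PowerShell equivalent of "dir /A": include hidden/system items
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # any *.@ file, or a bare "@" file, wherever it sits
            (-not $_.PSIsContainer -and ($_.Name -like '*.@' -or $_.Name -eq '@')) -or
            # a {GUID} directory that has a "U" sub-dir, as seen in the post
            ($_.PSIsContainer -and $_.Name -match $guidDir -and
             (Test-Path -LiteralPath (Join-Path $_.FullName 'U')))
        } |
        Select-Object FullName, Attributes, CreationTime, LastWriteTime
}

if (-not $findings) {
    Write-Output "No *.@ files or {GUID}\U directories found under: $($Roots -join ', ')"
    return
}

# CreationTime is worth reading: the post's hidden dirs dated to the infection day
$findings | Format-Table -AutoSize

if ($Remove) {
    # only files are removed here; review the directories by hand first.
    # -LiteralPath matters because "[" and "]" in a path are wildcards to -Path
    $findings | Where-Object { $_.Attributes -notmatch 'Directory' } |
        ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force -Verbose }
}
```

Run it as `.\sweep.ps1` from an elevated prompt to get the report, then `.\sweep.ps1 -Remove` once you have looked at the list. Deleting via -LiteralPath sidesteps the bracket confusion the post ran into, and keeping the timestamps in the output lets you tie a find back to the detection date the way the post did.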