Help me locate a trojan spamming virus (I know my way around the OS - not noob)

Discussion in 'Malware Help (A Specialist Will Reply)' started by polymorpher, Oct 17, 2010.

Thread Status:
Not open for further replies.
  1. polymorpher

    polymorpher Private E-2

    I have an old Kaspersky.
    By being old I mean I have Kaspersky v8.
    It is quite legal and quite updated.

    However I've got some sort of virus running loose that the AV can't seem to catch.

    This virus is constantly trying to create trojan executables. Luckily Kaspersky does not let that happen and nails each and every file it tries to make.
    The problem is - it's getting very annoying - I've had it for three days and it's already attempted to create over 2000 files. Even without any notifications Kaspersky is slowing the machine while dealing with this every couple of hours.

    Just in case someone recognizes the bugger here is a behavior pattern.
    All the files it tries to create are located "C:\Documents and Settings\All Users\Documents\*in every available folder in there*"

    Files are named in relation to folder and contents. So if you have "C:\Documents and Settings\All Users\Documents\*Family Pictures*"
    in there it's going to try to create stuff like Family.exe, .scr, .bat etc.

    Kaspersky identifies the nasty files as what you can see on this link:
    http://www.securelist.com/en/descriptions/Backdoor.Win32.Zepfod.an
    And also this.
    http://www.securelist.com/en/descriptions/Backdoor.Win32.Zepfod.v


    Now I'd rather hunt down the thing my self.
    Anyone know a good software to manage processes and disk writing permissions? With that I can at least locate the process that's making these files. I have seen software that completely locks down the machine and nothing runs without manual permission (you know, except for the software and its needed components which are protected)

    That might not cut it but at least I'll have a better lead ...
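The drop pattern described above (an executable-type file placed in a shared Documents subfolder and named after that folder) can be checked for with a directory walk. The following is added example code, not from the thread or from any of the tools mentioned in it: it builds a small constructed tree in a temp directory and flags files whose base name matches a word of the containing folder's name and whose extension is directly executable. The post lists .exe, .scr and .bat; .cmd, .com and .pif are included here as an assumption, since Windows runs those directly as well.

```python
"""Flag files matching the drop pattern from the thread: an executable-type
file inside a shared Documents subfolder, named after that folder
(e.g. "Family Pictures\\Family.exe"). Added example code; the tree it
scans is constructed in a temp directory so the script runs anywhere."""
import os
import re
import tempfile
from pathlib import Path

# .exe/.scr/.bat come from the post; the rest are an assumption about other
# directly executable extensions a dropper might use.
EXEC_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif"}


def folder_words(folder_name):
    """Split 'Family Pictures' into {'family', 'pictures'}."""
    return {w.lower() for w in re.findall(r"[A-Za-z0-9]+", folder_name)}


def find_suspect_drops(root):
    """Return sorted, slash-separated relative paths of executable files
    whose base name equals one word of their parent folder's name."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parent = Path(dirpath)
        if parent == root:
            continue  # the pattern lives in subfolders, not the root itself
        words = folder_words(parent.name)
        for name in files:
            p = Path(name)
            if p.suffix.lower() in EXEC_EXTS and p.stem.lower() in words:
                rel = (parent / name).relative_to(root)
                hits.append(str(rel).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree: benign documents plus two drop-style files
    and one executable that does NOT match the naming pattern."""
    root = Path(tempfile.mkdtemp(prefix="drops_"))
    (root / "Family Pictures").mkdir()
    (root / "Family Pictures" / "beach.jpg").write_bytes(b"\xff\xd8")
    (root / "Family Pictures" / "Family.exe").write_bytes(b"MZ")   # matches
    (root / "Tax Records").mkdir()
    (root / "Tax Records" / "tax2009.xls").write_bytes(b"\xd0\xcf")
    (root / "Tax Records" / "records.scr").write_bytes(b"MZ")      # matches
    (root / "Music").mkdir()
    (root / "Music" / "setup.exe").write_bytes(b"MZ")              # not folder-named
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in find_suspect_drops(sample):
        print("suspect drop:", hit)
```

On a real machine you would point `find_suspect_drops` at the All Users\Documents path from the post; the point of the check is triage, listing candidates for the AV or a manual review rather than deleting anything.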
     
  2. polymorpher

    polymorpher Private E-2

    Sorry for double posting ... 10 minutes passed - can't edit my main.

    ... I am open to other suggestions of course. I have run Ad-Aware free in order to try and deal with it but all it did was delete files without asking me, so I had to go to their forums and ask the stupid developers "How do I track down the havoc that your program is causing". Seriously, haven't these people ever heard of "ASK before you delete".
    All it did was delete 6 no-CD executables for old games I have. At least they had the decency to produce an ambiguously named log file, which they told me how to find.

    If you are going to suggest some Trojan cleaning software - I'm not running anything that does things without asking or reporting for that matter.

    I've had a PC for 8 years now. My OS is reinstalled only once. It only crashed because I was messing with it on purpose. 4 years now, there hasn't been anything that I didn't handle with a few Google searches and some snooping around, so you won't have to hold my hand through this. I just need some pointers.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  4. polymorpher

    polymorpher Private E-2

    Very well... I did read your instructions before I posted the thread...

    Now I've played with your toys and I've jumped through your hoops.

    These are MB,Sas and MG logs.

    All you will find in the first two is that you left some of my games without no-CD cracks that have been on the machine long, long before I had the problem I started the thread for. They were even kind enough to disclose to me the important information that my Windows auto-update option is not on.

    Now, if you've bothered to read what I've said you might get an idea of why I can't turn my AV off and run RootRepeal and ComboFix. Though I am reluctant to run ComboFix at all, in my experience it's just a piece of underdeveloped software, doesn't matter if it has any usefulness. Often does more damage than help. (Don't think I haven't read the instructions on it.)

    While I've run your standard procedure my AV has been constantly taking out additional spawned files of the same type I described.

    Now is this sufficient for you to actually read my post or need I do more?

    As far as leads... I can relate the infection to one of two possible sources.
    Saints Row 2 - of razor1911, which is highly unlikely. CCproxy, which I removed already. Ad-Aware chose to dispatch of it in a hurry. Though it's surprising to download an infected piece of software from its own homepage. It might not be both, but I haven't put anything else on the machine so far as I can tell.

    Infection is not more than 7 days old. Current count of deleted files is 1951.

    Also. Best copy any of your "HOW TO" guides that are on bleepingcomputer.com because it's dead most of the time and your average user won't know how to use Google's cache.



    View attachment BM log.txt

    View attachment SAS.log

    View attachment MGlogs.zip
     
    Last edited: Oct 19, 2010
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs that hasn't been removed by either SAS or MBAM. Perhaps it is time for you to run ComboFix and let me see that log.

    The other thing I suggest is that you run an eSet online scan and attach that log:
    eSet Online Scan.
     
  6. polymorpher

    polymorpher Private E-2

    Since you're obviously not going to bother and read my two primary posts I'm going to spell it out for you.

    The moment I turn Kaspersky off - I am going to get more infected than I already am and ComboFix can't do squat about that... I won't repeat it all because it's explained in clear detail the first time.

    You probably wasted 3 times the time going through logs that you would have spent if you simply read my primary posts and given an answer off the top of your mind.

    I do want to thank you for your time despite the fact you completely ignored what I said and just copy paste things to me.

    Have a good one.
    Obviously I'd better take this elsewhere.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I read your post quite thoroughly. You came asking for help and I have tried to steer you with what we need to be able to see what is happening in your system. Combo is part of that information gathering. If you don't want to help me help you, that is your choice. Though if you go somewhere else, I would suggest that you drop the attitude as most people who volunteer their time to help people will not find it worth their while to deal with the attitude.
     
  8. polymorpher

    polymorpher Private E-2

    Here is the bottom line.

    What I suggested worked.

    Few hours ago, I installed online armor, a process manager and some other things.

    With those I got a full list of what is running on the machine. When the virus started spawning executables there were only a few processes active at that time. I tracked and identified all of them - found the problem and found a manual removal guide. Deleted a couple of archives, executables, a few registry fixes and amazingly the virus is no more.

    And I did recall thanking you for your time.
    I will tell you why your method is ineffective. I know every file on this machine. By the time you know what's going on, I would have done the job myself, if you had just said whether you know or don't know the kind of software I was looking for... Besides, who knows - you might have seen the virus - it won't be the first time I've seen some virus that another person has a problem with, or the other way around, and we point each other to the removal manual...

    And if the thank you kinda slips through your mind again - THANK YOU AGAIN!

    Thread - Resolved.
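The method that resolved the thread, watching which processes were active while the files were being spawned, can be done offline against a Process Monitor CSV export instead of eyeballing a process list. The following is added example code, not the poster's or any tool's own: it reads a constructed CSV in ProcMon's column layout ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"; the layout is an assumption about the export format), keeps only successful `WriteFile` operations that land on executable-type files under the All Users\Documents path from the first post, and counts them per process so the writer stands out. The process names and PIDs in the sample are constructed, not real indicators from the thread.

```python
"""Attribute executable drops under a watched folder to the writing process,
from a Process Monitor-style CSV export. Added example; the CSV below is
constructed in ProcMon's column layout (assumed) with made-up processes."""
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Folder named in the first post; the extension set extends its .exe/.scr/.bat
# list with other directly executable types (an assumption).
WATCH_ROOT = PureWindowsPath(r"C:\Documents and Settings\All Users\Documents")
EXEC_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif"}

# Constructed sample export: one unrelated write, three drops from one
# process, one benign image write, and an AV process deleting a drop.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","svchost.exe","912","WriteFile","C:\\Windows\\Prefetch\\NOTEPAD.EXE-1234.pf","SUCCESS","Offset: 0, Length: 4096"
"10:01:03.500","updmgr.exe","2044","WriteFile","C:\\Documents and Settings\\All Users\\Documents\\Family Pictures\\Family.exe","SUCCESS","Offset: 0, Length: 61440"
"10:01:03.900","updmgr.exe","2044","WriteFile","C:\\Documents and Settings\\All Users\\Documents\\Family Pictures\\Family.scr","SUCCESS","Offset: 0, Length: 61440"
"10:01:04.200","explorer.exe","1480","WriteFile","C:\\Documents and Settings\\All Users\\Documents\\Family Pictures\\beach.jpg","SUCCESS","Offset: 0, Length: 8192"
"10:01:05.000","updmgr.exe","2044","WriteFile","C:\\Documents and Settings\\All Users\\Documents\\Tax Records\\Tax.bat","SUCCESS","Offset: 0, Length: 512"
"10:01:05.300","avscan.exe","1320","CreateFile","C:\\Documents and Settings\\All Users\\Documents\\Tax Records\\Tax.bat","SUCCESS","Desired Access: Delete"
"""


def is_exec_drop(path_str):
    """True if the path is under WATCH_ROOT and has an executable extension."""
    p = PureWindowsPath(path_str)
    try:
        p.relative_to(WATCH_ROOT)
    except ValueError:
        return False
    return p.suffix.lower() in EXEC_EXTS


def attribute_drops(csv_text):
    """Return {(process_name, pid): count} of successful WriteFile operations
    that wrote executable-type files under WATCH_ROOT."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "WriteFile" or row["Result"] != "SUCCESS":
            continue
        if not is_exec_drop(row["Path"]):
            continue
        counts[(row["Process Name"], int(row["PID"]))] += 1
    return dict(counts)


def top_writer(csv_text):
    """The (process_name, pid) responsible for the most drops, or None."""
    counts = attribute_drops(csv_text)
    if not counts:
        return None
    return max(counts.items(), key=lambda kv: kv[1])[0]


if __name__ == "__main__":
    for (name, pid), n in sorted(attribute_drops(SAMPLE_CSV).items()):
        print(f"{name} (PID {pid}) wrote {n} executable file(s) under the watched folder")
    print("most likely dropper process:", top_writer(SAMPLE_CSV))
```

The filter deliberately ignores the AV's own `CreateFile` with delete access and the image write by explorer.exe, which is why a per-process count over a few minutes of capture isolates the dropper even on a machine where the AV is busy in the same folder. Identifying the process is the lead; what it is and how it persists still has to be confirmed before anything is removed.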
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Your attitude is out of place! You came here requesting FREE help. If you don't want to "JUMP through our hoops and play our silly games" then go and pay a technician to do the job or do it yourself, considering you are so confident and know every file on your machine. Tim has had a lot of patience. I personally would have probably dropped you and moved on to some other person who needs our help.
     