hmm interesting...

While I have checked for the Gaobot family, the automated scan showed nothing and a visual check of the registry has drawn a blank.. I just had an interesting event..

I had also run another check for CoolWebSearch.. yep, now I have found the msconfig variant.. missed on HJT/cwshredder and visual scans.. earlier..

While switching users on the machine, Regprot popped up telling me that a startup registry item was being added, a program called "eamnfed.exe". Strange, I had removed it from startup as well as from the Windows folder, but it seems that I didn't clear the prefetch..
/Note to self: Clear the prefetch folder on future virus removals

Also interesting..
Used Spybot S&D to clear out the trash.. a series of DSO exploits, 5 in total.. the little buggers came back.. just edited them manually out of the registry and restarted the machine.... yep, gone.. for now..

Adaware is also coming up clean..

Found a Reg key..
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update ... and the value "eamnfed.exe"
While this key seems to be a listing for the disabled startup items, and would be mostly harmless, it is now a deleted entry..


BTW no reply yet from any of the AV co's I submitted the sample file to...


Cheers


For those who wish to look and play.. the zipped file is the file in question.. The password is "und3rtak3r" without the quotes.. ONLY D/L IF YOU ARE AWARE OF THE DANGERS. Do so at your own risk (pity I got rid of the original eamnfed.exe, would have been interesting to look at)