Hi again,

Just a little post. The file that I couldn't find to delete? I found it... sort of...

Turns out, it's being loaded as a hidden device driver. I found it in Device Manager under Hidden Devices. Very tricky, because that means it was getting loaded under all circumstances, and wasn't a running process, and wasn't starting with "startup processes" under Windows XP.

I've disabled it tonight. I'll attempt to delete it tomorrow with Recovery Console.

BUT: Word of warning to those out there: This process was running as a spamming generator! It's just spamming and spamming. The only reason I knew it was even there was because my client got listed on about 6 spam blockers, and all their emails were getting rejected.

I haven't found this malware with any tool around. Spybot, Ad-Aware, HijackThis, CWShredder, SmitFraudFix. Nothing.

We're running Trend Micro Client Server Messaging Suite. That didn't find it.

I have scanned this machine about 30 times. I've done a System Restore. I've deleted all files that came onto the machine the day it got infected.

I ran Wireshark and that didn't see any SMTP requests. The firewall didn't block it, even though I explicitly blocked port 25, and it was blocking my attempts to telnet into mail servers. Then I blocked all network activity, and it was still occurring.

netstat -oa didn't show any open or listening SMTP ports.

It's a really tricky one. I've been pulling my hair out for weeks! (I know most of you are wondering why I haven't reinstalled Windows yet... my client just doesn't want me to do that right now... And I really wanted to find it!!!)

So, in closing! Thanks to RootAlyzer. It's the only clue I had.

Cateyed
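The post above describes malware that ran as a kernel driver rather than a process, so process lists and startup entries never showed it. As an added example (not from the poster or any tool the post names), this PowerShell script enumerates every registered kernel driver, resolves the on-disk path, and flags the ones that are running but whose image file is missing or unsigned; the suspicious-driver sample name in the comment is hypothetical and the path-normalisation rules are assumptions about the common prefixes Windows uses.

```powershell
# Enumerate kernel/system drivers and flag those a defender should look at:
# running drivers whose image file cannot be found, or whose file is unsigned.
# Run from an elevated PowerShell prompt; read-only, it changes nothing.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Assumed prefixes seen in driver ImagePath values (NT-style paths).
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDriver {
    $results = foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path   = Resolve-DriverPath $d.PathName
        $exists = $path -and (Test-Path -LiteralPath $path)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Name      = $d.Name          # e.g. a hypothetical "xyzdrv"
            State     = $d.State         # Running / Stopped
            StartMode = $d.StartMode     # Boot / System / Auto / Manual
            Path      = $path
            Signature = $sig             # Valid / NotSigned / FileMissing / ...
        }
    }
    # A driver that is Running yet has no file on disk, or is unsigned, matches
    # the pattern in the post: loaded on every boot, invisible to process tools.
    $results | Where-Object { $_.State -eq 'Running' -and $_.Signature -ne 'Valid' }
}

Get-SuspiciousDriver | Sort-Object Signature, Name | Format-Table -AutoSize
```

Cross-check the output against `driverquery /v` and the Hidden Devices view in Device Manager; a rootkit that hooks the WMI or file-system view can hide from one enumeration method while still showing in another.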