Tekforums.net - The improved home of Tekforums! :D

ass biscuits...

Started by M3ta7h3ad, November 27, 2007, 00:08:14 AM

M3ta7h3ad

Quote from: Tongy
Hey fella,

This is a big download so do it if you like...

Bitdefender have a rescue boot CD you can cut onto a disk (if you can access another machine).

http://download.bitdefender.com/rescue_cd/bitdefender_2008_RescueCD_v2.iso

Cheers,
Tongy

This looks like it could do the job. Fired up its malware scanner automatically, and is already scanning away here. :) Hopefully it'll clear up any issues left on here :)

bear

How is it coming along?

Well, depending on space in your CentOS partition, a virtual machine in Linux to install XP to build a bootable XP CD could maybe be a way to go.

M3ta7h3ad

Not good.

Somehow my computer is now spankingly clean according to the following.

F-Prot
NOD32
AVG Spyware
HijackThis (can't see a thing that's odd there...)
Bit Defender.
Stinger

All with the latest defs.

Yet if I start up in normal mode, NOD32's firewall takes up 100% CPU as it's blocking all the SMTP requests from the "system" process.

Seriously... my system is totally clean according to all that.

Only thing left to try is housecall online.

bear

Well, AVG rootkit revealer, have you tried that?

Also install something other than NOD32, check your PM

M3ta7h3ad

Install something else other than nod32?

I have AVG, Spybot, F-Prot, think I already scanned it with Alwil, and ANTIVIR, Stinger.

Whatever I have, I think nothing can find it.

NOD32's firewall is the only thing stopping my computer sending out several million emails a minute.

bear

What is sending out all those emails? Is it through Outlook?

Remove Outlook and get another mail program like
Foxmail, Thunderbird or the like.

and you got a new PM :D

M3ta7h3ad

Quote from: bear
What is sending out all those emails? Is it through Outlook?

Remove Outlook and get another mail program like
Foxmail, Thunderbird or the like.

and you got a new PM :D

Nope :) It's going as the system process according to netstat -b.

Serious

I don't suppose it would be quicker to reinstall?

Check the number of active users, some set up their own account and hide that way.

bear

Quote from: M3ta7h3ad
Quote from: bear
What is sending out all those emails? Is it through Outlook?

Remove Outlook and get another mail program like
Foxmail, Thunderbird or the like.

and you got a new PM :D

Nope :) It's going as the system process according to netstat -b.

Is it through an instance of svchost? Check if it is located somewhere else than in \system32. XP uses svchost, but there can be false ones; one can try turning them off one at a time to see if the emailing stops.

M3ta7h3ad

Not SVChost, but actually the system process.

It's the hardest core thing I've ever had to deal with, the little bastard appears to have added its own code to a system dll or something, hooked into the system process and blammo... despite all other trails of it being removed, this one last thing is screwing it all up.

A reinstall would be faster, yes, but ugh... I just didn't want to hose this installation. Guess the only path left is the hosage way really.
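
Added example (not part of any post in this thread): the triage discussed above, attributing outbound SMTP connections to their owning process and separating a svchost.exe outside \system32 from traffic owned by the System process itself. The `netstat -ano` sample, the PID-to-path table and all function names are constructed for illustration; it assumes Windows XP or later, where System is PID 4.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (documentation address ranges).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.25:25        SYN_SENT        4
  TCP    192.168.1.10:1046      198.51.100.7:25        SYN_SENT        4
  TCP    192.168.1.10:1047      203.0.113.80:25        ESTABLISHED     4
  TCP    192.168.1.10:1102      198.51.100.9:25        SYN_SENT        1888
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
"""

# Constructed PID -> image path table, as a process lister would report it.
PROCESSES = {
    4: "System",
    980: r"C:\WINDOWS\system32\svchost.exe",
    1888: r"C:\WINDOWS\Temp\svchost.exe",
}

ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def smtp_senders(netstat_text, port=25):
    """Count outbound TCP connections to `port` per owning PID."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) == port and m.group(3) != "LISTENING":
            counts[int(m.group(4))] += 1
    return counts

def classify(pid, processes):
    """Label the owner of a PID for triage."""
    image = processes.get(pid, "")
    if pid == 4 and image == "System":
        return "kernel"  # kernel-mode code (e.g. a driver); no user process to kill
    name = image.rsplit("\\", 1)[-1].lower()
    folder = image.rsplit("\\", 1)[0].lower() if "\\" in image else ""
    if name == "svchost.exe" and not folder.endswith(r"\system32"):
        return "fake-svchost"  # svchost.exe running from outside \system32
    return "user-process"

def triage(netstat_text, processes):
    return {pid: (n, classify(pid, processes))
            for pid, n in smtp_senders(netstat_text).items()}

if __name__ == "__main__":
    for pid, (n, kind) in sorted(triage(NETSTAT, PROCESSES).items()):
        print(f"PID {pid}: {n} SMTP connection(s), owner type: {kind}")
```
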

bear

Hard work, but you could replace all *.dll with fresh ones.

Have you downloaded all security updates?

Try windizupdate.com

M3ta7h3ad

If I remember rightly I think there's an SFV check I can do that will do the same from a CD. May try that first before a wipe :)

Beaker

Run Webroot System Analyser to see what it's got in there. It'll usually give you a pretty good report. Then run Spysweeper. Use the "Masters" files from System Analyser rather than the ones in Spysweeper and it'll normally pick things up better. After that, if it still won't shift then you may need to try Counterspy. This is provided you have managed to get it booting.

M3ta7h3ad

Quote from: Beaker
Run Webroot System Analyser to see what it's got in there. It'll usually give you a pretty good report. Then run Spysweeper. Use the "Masters" files from System Analyser rather than the ones in Spysweeper and it'll normally pick things up better. After that, if it still won't shift then you may need to try Counterspy. This is provided you have managed to get it booting.

Decided to wipe it after all. Now just to get pxeboot working.

Got it as far as mounting a network share, just need to get the installer working.