Hidden Mass Mailing Help Needed!!

  • TheRic
    Veteran Member
    • Jun 2004
    • 1912
    • West Central Ohio
    • bt3100

    #16
    Rob, sent you a mail message; PM box was full.
    Ric

    Plan for the worst, hope for the best!


    • sparkeyjames
      Veteran Member
      • Jan 2007
      • 1087
      • Redford MI.
      • Craftsman 21829

      #17
      If you cannot find it, then nuke the system and reinstall. Use Firefox (free) for Internet surfing. Using Internet Explorer is a surefire way to get infected again. Also use Thunderbird (free) for your e-mail. Outlook Express and its big brother Outlook (part of Microsoft Office) SHOULD NOT BE USED IF YOU OPEN ATTACHMENTS. While I'm on Microsoft Office, there are a number of exploits that can be used against it as well: Word macros and Excel macros. Update your Microsoft Office with all the latest security fixes. Do NOT disable automatic updates once the box is fixed. DO buy and use a hardware router between your computer and the cable/DSL modem that is connected to the Internet. Change that router box's password and disable remote (i.e. Internet) admin/updating.

      If you are already using a router, is it a wired or wireless router? Wireless routers can be compromised. 128-bit WEP has been compromised and is no longer safe. WPA with TKIP authentication/encryption is the only way to go now. Do not use AES, as it also has been compromised.

      I myself recently had to fend off a series of downloaders that kept showing up and came in through IE due to a momentary lapse into stupidity on my part. After trying all the things you used and not getting it removed, I went into the Windows and 'Documents and Settings' directories and NUKED (from a Linux system) any file that appeared after the date I knew for a fact the infection happened on. I then used safe mode to edit the registry and took out a few suspicious entries. Long story short, I nailed it and it is no longer a problem.

      I feel your pain.

      sparkeyjames
      Last edited by sparkeyjames; 04-20-2007, 05:05 PM.
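The "find everything that appeared after the infection date" triage from the post above, done from a clean Windows machine with the suspect disk attached as a second drive (the offline approach also suggested further down the thread). This is an added example, not code from the thread or from any poster. It assumes the slaved drive is mounted as `E:` and that the infection date is `2007-04-15`; both are hypothetical placeholders. It lists candidates to a CSV and checks the Authenticode signature of any executable it finds, rather than deleting anything, so a reviewer can decide what to remove. Note that modification and creation timestamps can be forged by the malware, so a clean result here is not proof of a clean disk.

```powershell
# Added example (not from the thread). Run on a CLEAN machine with the suspect
# disk attached as a second drive. $SuspectRoot and $InfectionDate are hypothetical.
$SuspectRoot   = 'E:\'                     # assumed mount point of the slaved drive
$InfectionDate = Get-Date '2007-04-15'     # assumed date the owner knows it started

# The two directory trees the post singles out on a Windows XP-era install.
$Targets = @(
    (Join-Path $SuspectRoot 'WINDOWS'),
    (Join-Path $SuspectRoot 'Documents and Settings')
)

# Everything written or created on/after the date, under the given trees.
function Get-FilesNewerThan {
    param([string[]]$Paths, [datetime]$Since)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Get-ChildItem -LiteralPath $p -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since }
    }
}

# Extensions that carry code get an Authenticode check; a recently written
# binary that is unsigned or whose hash does not match is the first thing to look at.
$PeExtensions = '.exe', '.dll', '.sys', '.scr', '.ocx', '.cpl'

$candidates = Get-FilesNewerThan -Paths $Targets -Since $InfectionDate
$report = foreach ($f in $candidates) {
    $sig = if ($PeExtensions -contains $f.Extension.ToLower()) {
        (Get-AuthenticodeSignature -FilePath $f.FullName).Status   # Valid, NotSigned, HashMismatch, ...
    } else {
        'n/a'
    }
    [pscustomobject]@{
        Path      = $f.FullName
        Written   = $f.LastWriteTime
        Created   = $f.CreationTime
        Size      = $f.Length
        Signature = $sig
    }
}

# Unsigned/invalid binaries sort to the top; the full list goes to a CSV for review.
$report |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Written |
    Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\suspect-files.csv"

$report |
    Where-Object { $_.Signature -in 'NotSigned', 'HashMismatch', 'NotTrusted', 'UnknownError' } |
    Format-Table Path, Written, Signature -AutoSize
```

Review the CSV before deleting anything: legitimate updates and browser caches also land in these trees after any given date, and removing a signed system file that happened to be updated that week does more harm than good.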


      • cgallery
        Veteran Member
        • Sep 2004
        • 4503
        • Milwaukee, WI
        • BT3K

        #18
        Try RootkitRevealer to see if someone has installed a "root kit" (a root kit is software that loads at such a low level that it is capable of hiding its files from the Windows API):

        Sysinternals RootkitRevealer located here, I believe:
        http://www.microsoft.com/technet/sys...tRevealer.mspx

        Next idea would be to remove the hard drive and put it in another machine as a slave. Then use anti-virus software to scan it. That way, none of the software has a chance to actually run and hide or "protect" itself from subsequent scans.

        If you have the facts right (that is, it IS sending E-Mail, it DID stop for two nights, it HAS started again), then I would imagine that there is a back door installed on it and I would be hesitant to allow the machine to be on a corporate network w/ any sensitive data.

        Finally, www.portablefreeware.com has a lot of good utilities for removing back doors/trojans/root kits. I would try pretty much all of them and see if they find anything.

        Oh, and one more thing. I'd find a copy of Sysinternals procexp.exe. This is like Task Manager, but it also displays signatures. Processes signed by the big guys ("Microsoft," "Symantec," "Adobe," etc.) are usually safe. Unsigned processes and those with dubious signatures are suspect and may give you a starting point to do a little Google research.
        Last edited by cgallery; 04-20-2007, 07:55 PM.
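The live-machine check the post above describes with Process Explorer, as an added example rather than anything from the thread or from any poster: join the machine's established TCP connections to the owning processes, flag the ones talking to remote mail ports (the symptom the original poster is chasing), and apply the "unsigned or dubious signature" rule to every running image. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later, since `Get-NetTCPConnection` does not exist on the XP-era system the thread is about (there, `netstat -ano` gives the same PID-to-connection mapping by hand). The mail port list is an assumption.

```powershell
# Added example (not from the thread). Run elevated on the suspect machine.
# Requires Get-NetTCPConnection (Windows 8 / Server 2012 or later).

# Ports a mail-sending bot would use; 25 for direct-to-MX delivery. Assumed list.
$MailPorts = 25, 465, 587

# Processes that currently have a connection open to a remote mail port,
# with the Authenticode status and signer of their on-disk image.
function Get-MailTalkers {
    param([int[]]$Ports = $MailPorts)
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.RemotePort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path                      # null for protected/system processes
            $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path }
            [pscustomobject]@{
                Pid       = $_.OwningProcess
                Process   = $proc.ProcessName
                Path      = $path
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                Signature = if ($sig) { $sig.Status } else { 'unknown' }
                Signer    = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# The post's procexp rule applied to every running process: anything whose image
# is not validly signed is a starting point for research, not proof of infection.
function Get-UnsignedProcesses {
    Get-Process |
        Where-Object Path |
        Sort-Object Path -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process = $_.ProcessName
                    Path    = $_.Path
                    Status  = $sig.Status          # NotSigned, HashMismatch, NotTrusted, ...
                }
            }
        }
}

Get-MailTalkers       | Format-Table -AutoSize
Get-UnsignedProcesses | Format-Table -AutoSize
```

Two caveats the post itself hints at: a kernel-level rootkit can hide a process or connection from exactly these APIs, which is why the offline scan of the slaved drive is the fallback, and a valid signature means the file is unmodified vendor code, not that it is harmless (a signed mail client driven by a script is still sending the spam). Treat the output as a worklist, and check which of the listed processes survive a reboot via the usual Run keys and services.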
