Infected emails automatically sending

I 'acquired' SpySherrif which seems to have brought some friends with it. I believe I have gotten rid of SpySherrif, but Norton AntiVirus is catching a lot of outbound emails from me that are timing out or rejected by the host servers as spam. I'm not sending anything, so I have to assume this is malware...

I have looked at the FAQ, and attempted to run the recommended procedures.

I booted into safe mode.
CCleaner found nothing.
S+D found registry keys for smitfraud.c and activedesktop, and removed them.
MS Antispyware found a powerreg scheduler and quarantined it.
The computer reccomended a reboot after this, so I did, remaining in safe mode.
CWShredder found cws.msconfig, but said that none were infected.
kill2me did its thing, but didn't tell me if there were results.

I rebooted into safe mode with networking available.

BitDefender ran the online scan with no viruses found. But it became stuck checkin 42370 out of 42349 (more than I had, apparently), with a runtime remaining of 28:09:23 that did not increment. It did not finish, and I had to end it with Task Manager, so I don't have a log file.

Panda ActiveScan detected viruses, spyware and a dialer. The log should be attached.

Any help would be greatly appreciated.

 

Hijackthis log attached.

This was actually the second run-through of the procedures that I had done. I didn't follow the steps very closely the first time through and had not taken notes. Trying to make up for it now...

 

I didn't forget, but I ran into some problems uploading the file. Let's see if this works now...

I removed the files you said, except

C:\WINDOWS\system32\msctl32.dll
C:\WINDOWS\system32\msupdate32.dll

which I was told were write protected or in use. I think ewido got them when I ran it later.

Logs for ewido and hijackthis (ran after the other steps) included.

 

I'm still having problems attaching the hijackthis log. I'm unsure why.

I'll try again later.

(I don't seem to be experiencing the problem with the emailing any more; I reenabled Norton's automatic checks of outgoing email, and haven't gotten any more warnings since the other steps you reccomended.)

 

I was mistaken about the emails, they are still being sent out.

I keep timing out while trying to upload the hijackthis log. I'm not sure why.

Out of desperation, I'm posting it inline:

Edit by chaslang: Inline log attached.

 

I don't know why cmd.exe was running. I didn't see any command prompts open on my desktop.
I'm not sure how to fix it so msconfig isn't running start ups. I'm using msconfig to restart the computer in Safe and Normal mode, but when I click "Normal Startup" under the General tab of the System Configuration Utility, it automatically selects "/SAFEBOOT" under BOOT.INI and will reboot me into Safe mode. When I unselect "/SAFEBOOT", it automatically changes my selection under the General Tab to "Selective Startup".
Ran hijackthis and fixed the four items. When I rebooted into Safe Mode, I could not find msctl32.dll, but was able to find and delete msupdate32.dll
I deleted all files in the Prefetch folder (I am running XP).
I ran Ccleaner.
I selected Normal, unselected /SAFEBOOT (which switched it to Selective Startup) and rebooted.

*****

That was this morning. I've gone further than this, now. I did not have an updated Norton Antivirus, nor was Windows completely updated. I realize that having that done already would probably have alleviated many of the problems I've had. Now, I've done both of those things... Norton found and eradicated a worm, W32.SOBER.X, which seemed to be running my email for me. I rebooted into safe mode and ran a special removal tool to check on the worm: it was no longer present.

I again looked for those files, and they're still gone. I ran CCleaner. I still can't reboot into Normal mode...

 

hijackthis log attached. Command prompt issue is still there, because I'm still booting in Selective Start mode (and can't figure out how to get back to Normal).

 

Downloaded, unzipped, and ran getrunkeys.bat

Log attached.

 

hijackthis startuplog attached.

I've picked up some pieces of CoolWeb on my system. I need to redo the cleaning again, I think.

 

C:/WINDOWS/RMAgentOutput.dll <-- no Version tab
C:/WINDOWS/System32/a3wmme.u32 <-- no Version tab. Also found in \ASC\ASCOBJECT and \MACROMED\...
C:/WINDOWS/System32/asccom2.dll <-- not present
C:/WINDOWS/System32/ascutil.dll <-- not present
C:/WINDOWS/System32/cloak2.exe <-- no Version tab. Also found in \ASC
C:/WINDOWS/System32/listen.exe <-- no Version tab. Also found in \ASC
C:/WINDOWS/System32/listen1.exe <-- no Version tab


I applied the registry tab, and msconfig looks like it should allow me to start in Normal mode. Normal mode is selected, but /SAFEBOOT is not selected. However, I still wind up starting in Selective Startup. I'm going to try a few things, including going into Safe Mode to clean...

 

I ran in safe mode. Did the cleaning... was mostly clean.

Ccleaner - run
MS Anti Malware - nothing found
Ad-Aware - found cookies, removed
Spybot - found three registration keys, removed
MS Antispyware - nothing
Rebooted into safe with networking.
Bitdefender - nothing
Panda Activescan - found c:\WINDOWS\help_ecc.dll - AdClicker, maually removed

I still wind up booting into Selective Start, even though MSCONFIG lists me as Normal without Safe. I'm utterly confused about this... what it's showing me it will do and what it is doing are two different things.

I'll try renaming those files tonight...

 

Full path of ASC is:
C:\WINDOWS\system32\asc

Since there's an ASC folder in a folder marked Academics, I think these might be from some software that came with the computer. I'll check that out, too.