Hello, This is my first post to this forum. I bought a roving license for TDS3 last week while trying to clean a friend's system. It's a wonderful tool... but I think I have run into a problem it can't solve (at least with my current level of expertise). My friend asked me to look at his system because it was "out of control". Indeed it was... his virus protection had been disabled, IE would launch itself without warning every couple of minutes, and huge popup windows would announce "YOU HAVE SPYWARE IN YOUR COMPUTER!". Using Pest Patrol, Spybot, Ad-aware, HJT, NAV, and finally TDS3, I was able to get rid of > 100 different viruses, trjoans, BHO's, etc. I finally got down to one problem, and that's what I'd like to ask for help with. The file is called ST.EXE. TDS3 identifies it as "TrojanDownloader.Win32.Small.oc". It disables Norton Personal Firewall. I have turned system restore off, killed the process in memory, and located and deleted the EXE file that launched it. TDS3 found two other encrypted copies in other files, and I deleted those as well. However, with every reboot, ST.EXE is back, and NPF is again disabled. Additionally the registry entry HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell is being changed to attempt to run C:\windows\system32\netdc.exe after every reboot, which may or may not be the same problem. (I earlier found and deleted the netdc.exe file that's being called for.) I have a zipped copy of the ST.EXE file. Any thoughts?