My hard drive kept clicking away all the time unless I unhooked from LAN. Running AVG as firewall. Did a weekly run of Superantispyware for a cookie burn; Spybot Search and Destroy, and AVG got its turn too. (Oh, Windows XP Pro with service packs and using Mozilla Firefox for browser.)

Started getting notices my messages couldn't be delivered to mostly .ru addresses from postmaster at some URL with .ru ... a few a week. Started digging.

THEN started having Google redirect, and with a vengeance. As in try to type in www.microsoft.com, it would start to connect (loading and the circle going around) then show up with 'your system is infected let us scan it and fix it for you' the great majority of the time. Type in www.microsoft.com again, and... once in a while it offered to let me download some antivirus program, even Norton on occasion. It might take five times to get to Microsoft. And trying to navigate once AT Microsoft, there I could be hijacked again.

googlead.sgdoubleclick.net, CPAdominator.com, 113594url.cputgt.com, PCspeedmaximizerdownload.sg.amazonaws.com ... recognize any of these? A few would fire in a row before you got to the 'let us scan your computer and fix it for you'.

Repeated manual cookie burns; temp file purges, tell browser history to 'forget about this site' and run software to clean stuff up until I was blue in the face. Update everything, UNPLUG from LAN and run stuff until it all said nothing found... plug in and it kept right on going.

Noticed my AVG firewall was disabled for over a minute at startup, so would start up with LAN unplugged and that screen up; when it turned green, plug in LAN. Still not getting anywhere.

Uploaded Malwarebytes; it found five things in files and a Hijacker and a Trojan in the HKEY files. Let it do its magic.
Rogue installer, file:
c:\Documents and Settings\(me)\mydocuments\downloads\setup.exe
c:\Documents and Settings\(me)\mydocuments\downloads\setupxv.exe
c:\Documents and Settings\(me)\mydocuments\downloads\setupxv[2].exe
c:\systemvolumeinformation\_restore{63e7c4e9-6da2-4dd4-a055-c8lafba893be}\RP156\a0028346.exe

Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WindowsNT\CurrentVersion\imagefileexecutionoptions\setup.exe

Trojan Hiloti.gen
c:\windows\henige.dll

PUM.Hijack.Startmenu
Registry Data HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\currentversion\explorer\advanced\start_showsearch

[handwritten notes for above, did best I could on decipher]

Went right around the merry-go-round again. Loaded IE8 and let them have a crack at cleaning as well. Went right around the circle again. Paid Malwarebytes for full functionality... It is saying I'm clean, but something is still trying to call out.

Wrote down several IP addresses or address blocks; looked them up in a physical IP locator and most are in Russia, a few in Switzerland, one in Pennsylvania, etc... and it still is trying to call home and Malwarebytes is blocking it; sometimes it gets in a tantrum and tolls a different one every minute for fifteen or twenty minutes.

206.161.121.100 208.94.233.34 68.169.64.131 68.169.92.41 66.230.188.67 68.169.92.54 68.169.92.39 64.15.72.154 64.15.72.104 66.230.188.67 64.111.196.118 78.140.143.83 173.236.56.93 65.79.193.14 64.15.72.46

91.200.240.32 < Switzerland address
91.212.226.6 < Server.Lu A(name) Z(name) A(name) eastern Russian area
62.122.75.136 < Leksim LTD, Switzerland (very popular, comes up a lot, also from same block, .138)
94.60.205.232 < Baltic Center of Innovations/TechPROMinvest Ltd Russia

Why is Malwarebytes missing what's sending this?

Oh, Combofix. I had something doing keylogger about a year ago; trying to fix it I ended up having to try Combofix and ended up zorching everything. Three years of work gone off that drive; yes, I did try to retrieve it.
My other option is to say bleep with it, I can still get to my graphics and text files, write off some software licenses I bought and move to Windows 7.

Suggestions while I save files to backup media and squeeze my budget for Windows 7?