Check for msrtwd.exe running. We had an infestation of a spybot variant that would also leave a complete attack log as c:\debug.crf. Stinger cleaned the systems and we even had fully updated NortonAV!! Obviously the systems were lacking on a few patches, SUS took care of that.