I love the fact that people at my workplace come and ask *me* when their computers screw themselves up. Of course, we have an MIS department (of which I am *not* an employee), but waiting for them can sometime take an eternity.
So, when a co-worker asks me, "Have you ever heard of Vundo-1?" my interest was piqued. Quick Google, looks like a typical spyware, and of course I volunteered to see if I could help him get rid of it. Not like I had much better to do, considering that my project is at least two weeks behind due to a production backlog.
The antivirus suite knew that gebbywt.dll was the guilty party. Tried a Vundo remover utility - cannot delete. Cannot delete after reboot. Lovely.
Can we just delete it? Nope, locked. Who's using it? Fire up Process Explorer. Hmm, hooked Explorer twice, and Winlogon. Winlogon? Ohboy.
Fire up Autoruns and Regedit, try to delete all obvious references to it and reboot. Still there.
Try to boot into Recovery Console. Recovery Console is not installed, and cannot be installed since we only have XPSP1 CDs and the machines are all up to XPSP2 now. Great.
Safe mode - pointless, since the user cannot remember his local password (and Winlogon is loaded anyway).
Googled some more, found a CLI-based utility called 'Trinity Rescue CD'. Grabbed the ISO, burned it, booted up the infected PC with it. OK, how to mount the NTFS drives?
Bingo. Browse to \Windows\SYSTEM32 and nuke the offending gebbywt.dll. Reboot, and all is blissful.
I'm now seriously considering getting a small pen drive just to keep this disk close to me. It's great for this sort of work. Highly recommended.