Very often the victim will appear to have a clean HJT log and no pnpsvc service running, but will be complaining about being redirected to
Invariably this entry will be present:


F2 - REG:system.ini: UserInit=Userinit.exe, 


If you want to confirm infection, checking the modules loaded in Winlogon with Shadowwar's pv tool will reveal something like this near the bottom of the log:

TGBRFV_5.dll 1380000 229376 C:\WINDOWS\System32\TGBRFV_5.dll  
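An added PowerShell check, not part of the original post, that performs both confirmations above on the live machine: it compares the Winlogon Userinit value with the Windows default (the reason HijackThis shows the F2 entry) and lists modules loaded into winlogon.exe that look out of place. It assumes an elevated session; the only page-specific name is TGBRFV_5.dll.

```powershell
# Added example, not part of the original post: confirm the two indicators above
# on the live machine. Assumes an elevated PowerShell session (reading winlogon's
# module list fails without it). Only TGBRFV_5.dll comes from the post; everything
# else is a standard Windows location or cmdlet.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Windows sets Userinit to "<SystemRoot>\system32\userinit.exe," (trailing comma
# included). HijackThis reports any other value as an F2 REG:system.ini entry.
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
$knownBadDll = 'TGBRFV_5.dll'   # the DLL named in the post

# 1. Userinit value check
$userinit = (Get-ItemProperty -Path $winlogonKey -Name Userinit).Userinit
if ($userinit -ine $expectedUserinit) {
    Write-Warning "Userinit is '$userinit'; default is '$expectedUserinit'"
} else {
    Write-Host 'Userinit value is the Windows default.'
}

# 2. Modules loaded into winlogon.exe (what the pv listing in the post shows).
#    Flag the named DLL, anything outside System32, and anything not Microsoft-signed.
#    Note: on old systems many Windows DLLs are catalog-signed rather than embedded-
#    signed, so a 'NotSigned' status on a known Windows file is a lead, not proof.
$system32 = Join-Path $env:SystemRoot 'system32'
foreach ($proc in Get-Process -Name winlogon) {
    foreach ($m in $proc.Modules) {
        $path = $m.FileName
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        $reasons = @()
        if ($m.ModuleName -ieq $knownBadDll) { $reasons += 'named in the post' }
        if (-not $path.StartsWith($system32, 'OrdinalIgnoreCase')) { $reasons += 'outside System32' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            $reasons += "signature: $($sig.Status), signer: $signer"
        }
        if ($reasons.Count -gt 0) {
            Write-Warning ('winlogon PID {0}: {1} ({2} bytes) - {3}' -f $proc.Id, $path, $m.ModuleMemorySize, ($reasons -join '; '))
        }
    }
}
```

Any module reported here should be checked against the pv listing before it is treated as the infection; the post's indicator is the DLL loaded into winlogon, not every warning the script prints.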

Alternatively, use DllCompare to identify it.

Removal Instructions:


Download Pocket Killbox by Option^Explicit. Extract it from the zip file, then double-click on Killbox.exe to run it.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:


It will prompt you to reboot; press the NO button. Instead, copy and paste the following and click the 'Delete File' button again:


When it prompts you to reboot this time, press the YES button.

After restarting, with only HijackThis running, run a scan and, when it completes, remove the following entry by checking the box to its left and clicking 'Fix checked':

F2 - REG:system.ini: UserInit=Userinit.exe,

When done, reboot again, rescan with HJT and post a new log here for a final check.