EDIT-> ALL OF THIS APPLIES TO XP. I HAVEN'T YET HAD TO CLEAN UP WIN 7, SO I DON'T HAVE ANY ADVICE THERE.
It sounds like one of the spamware programs that binds itself into winlogon or as a GINA. Unfortunately, the first thing that most of this crapware does is damage the AV software so it can't work anymore. And once it's damaged the AV, you're toast. For about the last 18 months, what I've been seeing is crapware that loads several components simultaneously, each of which is constantly checking to make sure that the others are running. As soon as it detects that one of the other processes is not running, it reinstalls that process. I think the check runs with each timer tick, and you can't possibly kill both or all 3 processes fast enough that they aren't reinstalled, unless you use a tool like Process Explorer and "suspend" each and every process relating to it first, and then kill them off one at a time. And then, you have to clear the registry BEFORE you remove the files related to the infection, or you risk Windows failing to boot.
Unfortunately, having messed it up - probably by removing the infected file but not the registry entries - you might be toast unless you are capable of dealing with an offline registry editor, like the one that comes with chntpw (from http://pogostick.net/~pnh/ntpasswd/).
What I'd try if you don't think you know how to clean up winlogon via an offline registry editor (which sounds likely to be the case) is to try to boot into safe mode. I honestly doubt it will, but if it does, run MSCONFIG, and select the "Diagnostic Startup" option. You can then reboot Windows in the normal mode, but it won't load ANYTHING that's not absolutely required. The problem is that winlogon processes and GINA entries are considered necessary, so a) you might not be able to get into safe mode in the first place, and b) you might still not boot Windows in standard mode even if you do. Then, you can start cleaning up and scanning.
EDIT -> Sometimes you can use the system restore feature to recover the registry and system files to a point in time before when you were infected, but generally not. Most often, along with killing any of the well-known AVs, the crapware destroys the system restore points previous to when it installed, so that you can't use them to recover. I've had some successes in the past by finding copies of the registry in the hidden "System Volume Information" folder where system restore points are kept, but fixing Windows that way requires really knowing what you are doing.
Honestly though, unless you are very good at dealing with infections and WILLING TO RISK THAT IT MIGHT NOT EVER BE REALLY AND TRULY REMOVED - I'd suggest:
a) Remove the now infected drive, get a new drive, install that in the system.
b) Reinstall Windows (and eventually your applications).
c) MAKE SURE YOUR AV IS INSTALLED AND UP TO DATE!
d) Reattach your old drive as a second drive.
e) AV scan it, ThreatFire scan it, Malwarebytes scan it, Ad-Aware (Lavasoft) scan it, THEN
f) Move your documents and any special folders and files (like AH settings) to the new drive.
Sorry dude. Malware sucks. Those who write it suck more. May their 8@115 be roasted over an eternal flame in the next life...
(3 replies while I was typing, maybe others have some good advice too)
<S>
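The post above says the Winlogon registry entries have to be fixed before the infected files are deleted. As an added example (not part of the original post), this Python script audits the text of a .reg export of the Winlogon key against stock XP values; the defaults assume Windows is installed in C:\WINDOWS, and the sample export with its extra file names is constructed.

```python
import re

# Stock Windows XP values for the Winlogon key (assumes Windows in C:\WINDOWS).
# GinaDLL is normally absent; Windows then loads its built-in msgina.dll.
XP_DEFAULTS = {
    "shell": ["explorer.exe"],
    "userinit": [r"c:\windows\system32\userinit.exe"],
    "ginadll": [],
}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg_export(text):
    """Map lowercased value names to string data from .reg export text."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:  # only REG_SZ lines; hex(...) and dword values are skipped
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            values[m.group("name").lower()] = data
    return values

def audit_winlogon(text):
    """Return (value, status, entry) tuples for deviations from XP_DEFAULTS."""
    values = parse_reg_export(text)
    findings = []
    for name, expected in XP_DEFAULTS.items():
        # Shell and Userinit may hold a comma-separated list of programs
        entries = [p.strip().lower() for p in values.get(name, "").split(",") if p.strip()]
        for entry in entries:
            if entry not in expected:
                # Not proof of infection: some VPN/network clients ship a GINA
                findings.append((name, "review", entry))
        for entry in expected:
            if entry not in entries:
                # With the stock entry gone, logon can fail once files are deleted
                findings.append((name, "default-missing", entry))
    return findings

# Constructed sample export; the extra file names are made up for illustration.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\example-dropper.exe,"
"GinaDLL"="example-gina.dll"
'''

if __name__ == "__main__":
    for name, status, entry in audit_winlogon(SAMPLE):
        print(f"{name:10} {status:16} {entry}")
```

Version 5.00 exports from regedit are saved as UTF-16, so decode the file before passing its text to `audit_winlogon`.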