06-02-2012 05:41 PM
I didn't delete the key you mentioned in HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. I did delete the key that's in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run.
To be honest, if I didn't stop it, it would have encrypted all of my files. When I stopped it, I saved about half of them. But it still got around 200,000 files screwed up (mostly documents and installation files).
The virus encrypts all (.asm, .asmx, .jpg, .pdf, .txt, .rtf, .doc, .docx, .ppt, .pptx, .xls, .xlsx, .htm, .html, .js, .css, .vbproj, .djvu, .frm, .cdr, .cdx, .php, .phpr, .phprt, .phpyt, .phpyyt, .cer, .chm, .dfm, .dpr, .key, .pas, .vbp, .wri and .xfm) files.
Did the VirusTotal scan help?
06-02-2012 05:48 PM
Don't use the tool just above to do with PhotoRec etc.
We need an exported Winlogon key to see the ID etc.
I will also PM you with instructions for the file.
As for the "If I didn't stop it...", all you have to do is shift the files to another location to make them dormant, but not delete them from the PC, and don't alter the registry.
Quads
06-02-2012 07:05 PM
Thanks, I have the files I will have to unpack and repack. The guy who will try the work for free has gone to bed; we are also trying to get the files from Bleeping Computer's thread to help with this and to compare.
Quads
06-02-2012 07:13 PM
Where would I find it in my computer? I used Norton to clean my computer after I was infected. That's all I did. I did not go to my registry or anything like that. So how do I proceed?
06-02-2012 07:20 PM
I think wpbt0.dll was in C:\windows\system32 or syswow64. It might have been deleted. Look for it!
06-02-2012 08:03 PM
06-02-2012 08:38 PM
I also have had this virus infect my computer. Most of my files are backed up but not the most recent one. I would like to save the encrypted .jpg if possible. I have not deleted anything. Is there anything I can add to help?
06-02-2012 08:46 PM
Guys on this thread, for a minute just please slow down. I would rather do that as this involves personal files, OK.
Can you find the registry key I mentioned previously, very slowly, as I DON'T want it deleted but exported. DON'T DELETE!!!!!
Quads
06-02-2012 09:07 PM
Looking at HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon there is a registry setting for 'id' but not 'bdgid'.
06-02-2012 09:10 PM
Export that key
Quads
