The checker, AVG from GriSoft, only detected some of the files: various names of DLL in C:\Windows\System32 and also in a few personal folders. It didn’t detect OSA.EXE, which is part of MS-Office, but which I think is also part of the virus. Don’t quote me on that.

Anyway, here’s the useful bit: the most stubborn element was nnnoonm.dll in C:\Windows\System32. I had been warned about this file by the fellow-sufferer at the other end of the offending conversation: in addition, it’s date and time was the time of attack. When I tried to delete it, I got the usual message about “being used by another process” (Why can’t Windows tell you what process is using it?). I couldn’t find any mention of this on the internet.

So I hunted down Unlocker from http://ccollomb.free.fr/unlocker/ (other similar apps are available). This let me see that the process winlogon.exe had two connections to nnnoonm.dll. As far as I could see, this was the legitimate winlogon.exe and not a fraud. Unlocker let me rename the dll to nnjunk.dll, although the computer instantly rebooted as my punishment. Happily, once the computer came alive again, I could see that the rename had worked, and this had cleared the lock. I immediately deleted the file and breathed more easily.