virus / malware nightmare

My wife recently infected a drive on my pc whilst using facebook, the message read windows security alert, stating that files are being copied and you need to click yes to remove the problem (Luckily she did not press yes) but i still have an advanced version of different maleware / virus contolling my drive.

I am fairly expierienced with removal but this case has me stumped and i need some expertise or i guess i reinstall may be needed.

Infection found Trojan.dropper/svhost-fake
\\globalroot\device\svhost.exe\svhost.exe, there are 2 files one in the memory and one in the windows system 32 file.
This program is very smart is has disabled my antivirus (webroot antivirus & spysweeper), it has disabled malewarebytes, superantivirus, all online scanners, spybot and hijackthis. RKILL stops the process running but it restarts immediatley.
It has disabled my disk drive.
I have no restore points.
It will not recognise and external drive or usb
it has now started a message due to significant changes in software windows needs to be reactivated in 3 days.
I ran cmd.exe using cacls.exe and tried resseting all users to full rights (cals/geveryone:f)- the message reads access denied.
I can only start the drive with a diagnostic start up or safe mode, in full start the system freezes.
I have also tried policy fix to restore registy and command details with no joy.
Any scanning program is shut down and the path is then changed.

I have identified antivirus 2010- and the trojan dropper but there may be others, this is now beyond my expertise as the combination of virus / maleware has left with no options for removal. With the current issues i have i am unsure how to post a log of my system as it has yet to let me record any file.

The drive infected is windows xp, i have a working drive using windows vista 64 bit.

I would be very impressed if this can be ressolved without wiping / reinstalling windows.

 

Is there any start up mode you recommend that will allow the system to operate and give me access to the internet?
As i have put this version is a pain as i can only use a diagnostic start up which does not give me internet access, any start up i seem to ue other than this the drive will not load.
As it has disabled my cdc room and will not detect my usb ports with dianostic start ups i am not sure how to get the suggested items onto the drive for scanning?

When the virus was first found i did have some access to the internet but i found eset was the only online scanner that was not shut down, this found and quarantined 2 of 4 threats but 2 could not be cleaned. After the clean i could no longer start the drive outside of diagnostic mode

 

Got in although very slow, did what you suggested and this is what i found (attached).
I did get a message that the orinal 1108 could not be located in the dynamic link wsock32.dll

Trying online scan now

 

I have tried the superantispyware again, i also tried housecall by microtrend, both are disablled as is every other program ive tried as soon as they start to scan.

 

Hi thankyou for the time spent looking at the issue, i have carried out what you have suggested where it was possible.

Spybot was unistalled completly.
3x runtime and java 6 update 7 removed.
I can not unistall antivirus 2010 as it no longer appears in the Add remove program files or anywhere else using uninstaller.
AV system is webroot antivirus with spysweeper, this was shutdown last time i ran the logs as the pc was running so slow.
The regedit file 4 succesfully merged with the registry.

The virus removal tool was a kaspersky tool i used. it has now been deleted.
H:\Documents and Settings\All Users\Application Data\.wtav-Removed
H:\Documents and Settings\colin mackenzie\Local Settings\Temp\7zS1.tmp-not present.

H:\Documents and Settings\colin mackenzie\Local Settings\Temp\divA.tmp- Unable to delete as being used by another program (nothing was running in task manager and i will try to delete in safe mode.
Log Mglogs attached
I can find no offer to run HJT.

I managed to fix the cd rom but it dissapeared again after a reboot.
Antivirus, malwarebytes and other scans are stilldisabelled or disabelled once installed.

Kind regards

 

Spybot was uninstalled
Webroot AV software is on this system but turned off last time i collected data

Use add/remove programs to uninstall:
Antivirus 2010-Not shown to removeJ2SE Runtime Environment 5.0 Update 1-Removed
J2SE Runtime Environment 5.0 Update 10-Removed
J2SE Runtime Environment 5.0 Update 11-Removed
Java(TM) 6 Update 7-Removed

What is this:
H:\Documents and Settings\colin mackenzie\Desktop\Virus Removal Tool-Was a Kasperstky removal tool (deleted)

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqonOFW]-Successfully merged

Now use windows explorer to find and delete:
H:\Documents and Settings\All Users\Application Data\.wtav-Removed
H:\Documents and Settings\colin mackenzie\Local Settings\Temp\7zS1.tmp-Not found
H:\Documents and Settings\colin mackenzie\Local Settings\Temp\divA.tmp-In use could not be deleted trying safe modeIt appears as though you did not make the agreement to run HJT when you ran MGTools. Please do so the next time you run it. No agreement offered for HJT?
Now run the C:\MGtools\GetLogs.bat file Then attach the below logs:
* C:\MGlogs.zip-Log attatched


Still can not run any antivirus or scanning program.

Kind regards

 

The antivirus does load up but is disabled, i tried a scan with eset before and it cound not remove the virus.

New problem
Since performing the last suggestions the drive no longer reboots, as soon as the xp screen load boots it blue screens. This happens on all start modes from mlast know good configerationand safe mode.
I am now using my vista drive and have lost the will to live.
System restore is turned off and i can no longer get to the desk top

 

yes i found this myself (my first mail line 5) but could not find how to contain it.
Just incast it helps you for future problems one of the files you asked me to dlete (H:\Documents and Settings\colin mackenzie\Local Settings\Temp\divA.tmp) was protected and i had to use file shredder in safe mode to remove it. It eventually was removed and this is when the pc blue screened.
I will now run a clean install again.

Thanks for your help