Virus and Registry help

RMB

I have this virus which shuts down Norton antivirus and
firewall. I have 6 corrupted files: windows\winlogon.exe,
windows\system\service.exe, windows\system32\fservice.exe,
wincom.exe, wininv.dll and winkey.dll. I cannot delete
the .dll files, even in safe mode, as I am denied access.
I am told that the virus exists in the winkey.dll file.
I can delete the fservice and sservice, but they are
regenerated immediately (not so under safe mode, but once
I reboot normally they are there again). Registry changes
noted by Norton and Sophos I have found and deleted, but
they too are immediately replaced upon exiting the registry,
again even under safe mode. I have noted no infestation (or
odd changes) of the win.ini or system.ini files. In the
registry I notice that the HK
Root\htafile\shell\open\command is modified with a
mshta.exe file, as is the
HKLM\software\classes\htafile\shell\open\command key, and I
have read that these are 2 common places for virus
startup.

My questions are (and excuse the small list):

How do I delete the .dll files?
What is the mshta.exe file that exists in the WIN system
32 file and would deleting its reference from the registry
hurt?
How can this virus monitor reg changes and fix them
immediately, even in safe mode, and can I overcome it?

I have Windows XP Pro with all updates. I appreciate
anyone's assistance on this as Norton to date has not been
any help.
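
Added example (editorial, not from any poster in this thread): a Python check over a `.reg` export of the `shell\open\command` keys named in the post above, reporting any default value whose program differs from an assumed stock Windows XP baseline. It goes slightly beyond the post by also covering `exefile`; the `EXPECTED` baseline, the sample export and `example.exe` are constructed assumptions, so confirm the baseline against a known-clean machine.

```python
import re

# Assumed baseline: the program each class's open command should start with
# on a stock Windows XP install. Verify against a known-clean machine.
EXPECTED = {"htafile": r"c:\windows\system32\mshta.exe", "exefile": "%1"}

KEY_RE = re.compile(
    r"^\[((?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes)"
    r"\\([^\\\]]+)\\shell\\open\\command)\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def program_of(command):
    """Return the lower-cased program a command line starts with."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(" ", 1)[0].lower()

def audit(reg_text):
    """Return (key, command) pairs whose program differs from EXPECTED."""
    findings, key, cls = [], None, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key, cls = m.group(1), m.group(2).lower()
            continue
        if line.startswith("["):
            key = cls = None          # some other key: ignore its values
            continue
        v = DEFAULT_RE.match(line)
        if v and cls in EXPECTED:
            # .reg files escape backslashes and quotes inside string data
            command = re.sub(r"\\(.)", r"\1", v.group(1))
            if program_of(command) != EXPECTED[cls]:
                findings.append((key, command))
    return findings

# Constructed sample export, not taken from the poster's machine.
SAMPLE = r'''
[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\example.exe \"%1\" %*"
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result only means the audited keys match the assumed baseline; it says nothing about other startup locations.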

MAP

And the name of the virus is?
 

Guest

It is a new version of the backdoor.prorat. I believe it
is backdoor.proratD. Norton's instructions to remove it do
not work, as they are predicated upon being able to delete
the files using their software, which is disabled.
 

Guest

-----Original Message-----
You must disable System Restore before doing any
system changes such as deleting files, etc.
If you can't delete the .dll files, boot your machine with ERD
Commander or some 3rd-party software from CD. Then you will be
able to delete the .dll files.
.
Thanks Bill. I have disabled Sys Restore. ERD
Commander? Is this freeware? Never heard of it.
 
