AudioMasters
Topic: the horse is in the city (Read 371 times)
Posted by AndyH (Member, Posts: 1769) on August 27, 2011, 06:40:55 AM
I'm trying to help a friend who is running a WinXP system (Service Pack 3), AVG free anti-virus, and Comodo free firewall. The internet connection is a cable modem, and the browser is Mozilla Firefox. I'm trying, not because I know very much, but because he is totally clueless.
The basic question is: is there some on-line service that might have a good chance of interactively scanning and fixing his system, without causing more problems in the process? Just getting to that service will require letting something(s) on the computer out through the firewall.
HISTORY
Last week he was suddenly blocked from doing almost anything by a nasty program that put up a screen screaming that his system was infected with various malware, and demanding $79 paid to somewhere online to clear the problems. Almost nothing on his system could start, not the firewall, the browser, the anti-virus, or most other programs.
I followed the breadcrumbs and found a recently dated application in his download folder. Once I deleted that and rebooted, their front-end interference was gone. I updated the anti-virus, firewall, and browser. The (latest) AVG scan said it found a trojan and took care of it. Everything seemed good for a week.
CURRENT
Now suddenly something from the AVG start up process put up a screen saying it found four instances of a different trojan, each instance associated with some Windows service. Attempts to deal with it were unsuccessful -- access denied.
A regular AVG scan of the computer system failed to locate that or anything else, either in user mode or admin mode, and restarting the system does not bring up the messages again. However, according to the firewall, attempts to get on-line with the browser, the AVG program, or the firewall itself, find all sorts of services that are "new" and need permission to communicate. These are mostly, or entirely, modules that were fine the day before, so either the firewall itself, or who knows how many other programs, have been modified by whatever is causing the problem.
Of course this trojan may be communicating with the outside just fine, but making it difficult for anything else to be done with the system. Regardless, the options seem to be
try to give permission to the firewall to get out and get somewhere that may be able to help, if I knew where to go once on-line
or
download something on another system that can be installed on a USB flash drive or (preferably) a CD-R, perhaps that can boot independently of the Windows OS, and might have a good chance of cleaning and repairing the system.
or
(a very distant third) throw out the two hard drives and start over. This will still require doing something useful about the problem because he has years of data that would be hard to give up. Maybe the experience will get him to finally make the effort to do backups, but that is definitely a side issue at the moment.
Some of you probably have experience that could be helpful. Any suggestions?
Reply #1 by emmrecs (Member, Posts: 47) on August 27, 2011, 09:56:36 AM
This sounds very suspiciously like something that happened to my Brother-in-Law. He suddenly found he could not access any programs or the net; he'd become infected by a "program" called "MS Removal Tool", yes, it did claim to be from Microsoft.
Since he lives on the other side of the country to me, and despite my best attempts to help him via the telephone (he's also not very computer-literate), he eventually had to take his computer to a local shop and have them sort it out for him!
However, on the positive side for you: if your friend's computer has become infected by that particular nasty (and it appears it may well have "left its calling card behind" despite your attempts to remove it), then if you Google "MS Removal Tool" you will find there are a number of web sites, many at least apparently genuine, which give detailed instructions on how to remove the infection.
My commiserations to you and your Friend!
Reply #2 by AndyH (Member, Posts: 1769) on August 27, 2011, 11:02:07 AM
I don't know if the current problem is a leftover from the original problem of a week ago or he just has a tendency to blunder into the wrong places. The current symptoms are rather different from last week's problem.
I'm pretty sure last week's nasty program that dominated the screen, and prevented almost anything else from loading, was Defender.exe. The trojan that AVG reported found and eliminated, after I updated everything, had some other name, involving the word trojan, some number, and possibly some alpha prefix or suffix.
The current symptoms don't prevent anything from running locally, but any attempt to reach any web page is blocked by the firewall, pending the user's approval of a "new" application or service "attempting to communicate with the internet." Most, or all, of these "new" things have the same name as legitimate parts of the anti-virus program, the browser, the firewall program, the Windows OS, etc.
That makes fighting the thing from his system difficult. If we allow these components to communicate, in order to access the internet and seek help, do we really just increase the problem by allowing the trojan to have greater access?
In the meantime, I might as well see what the "MS Removal Tool" removal instructions say. Maybe there will be something useful there.
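An added example, not from the thread: the "new component" prompts AndyH describes are what a firewall raises when the hash it stored for an executable no longer matches the file on disk. The Python script below (file names and contents are constructed for the demonstration, nothing from the poster's machine) builds such a baseline and reports exactly which binaries were altered or added, so the change set can be reviewed instead of being waved through one prompt at a time.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so big binaries need little memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root: Path, suffixes=(".exe", ".dll", ".sys")) -> dict:
    """Map each program file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }

def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as modified, added or missing relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: snapshot a tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "firewall").mkdir()
        (root / "firewall" / "cfp.exe").write_bytes(b"MZ legit firewall binary")
        (root / "firewall" / "guard.dll").write_bytes(b"MZ legit helper dll")
        (root / "readme.txt").write_bytes(b"not a program file, ignored")
        baseline_file = root / "baseline.json"  # the role a firewall's component store plays
        baseline_file.write_text(json.dumps(build_baseline(root), indent=1))
        # Simulate the symptom in the thread: a known component is patched in
        # place and an extra binary appears beside it.
        (root / "firewall" / "guard.dll").write_bytes(b"MZ legit helper dll + stub")
        (root / "firewall" / "update.exe").write_bytes(b"MZ unknown dropper")
        return compare(json.loads(baseline_file.read_text()), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the baseline step on a clean machine (or right after a fresh install) and keep the JSON off the box; a later comparison then separates legitimate updates from files that changed when nothing was supposed to.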
Reply #3 by ryclark (Member, Posts: 650) on August 27, 2011, 11:10:49 AM
Malwarebytes has a free version that is excellent at sorting out these sorts of problems:
http://www.malwarebytes.org/products/malwarebytes_free
Reply #4 by YogiBoar (Member, Posts: 10) on August 27, 2011, 11:25:53 AM
Have you tried booting in safe mode and then running the AV programs?
That often solves the problem of access denied.
Thunder Bolt
Strikes where least expected!
Reply #5 by runaway (Member, Posts: 655) on August 27, 2011, 05:19:03 PM
Malwarebytes, as ryclark suggests, as well as YogiBoar's safe-mode suggestion, are certainly worth a try.
I would suggest getting hold of an 'Avira rescue disk':
http://www.avira.com/en/support-download-avira-antivir-rescue-system
I would also suggest that your friend uses Avira rather than AVG.
I have the Premium version (I was so impressed with the free one that I bought 5 licences) and I have found Avira to be the best free AV going around.
www.aatranslator.com.au
www.mediasweeper.com.au
Reply #6 by AndyH (Member, Posts: 1769) on August 27, 2011, 08:32:18 PM
Thanks. Now I'm going to have to try to get access to some other broadband connection to download these tools before I visit him again. Downloading here would tie up my phone line for days, but at least I now have a starting point.
Reply #7 by djwayne (Member, Posts: 1273) on August 27, 2011, 09:14:33 PM
I've had excellent luck with Microsoft's Security Essentials. It's free and does work with XP.
Not one virus have I had since installing it.
http://www.microsoft.com/en-us/security_essentials/Default.aspx
Reply #8 by Havoc (Member, Posts: 1209) on August 28, 2011, 12:05:56 PM
While I feel like I'm collaborating with the enemy, I too found Microsoft Security Essentials a better alternative to AVG. I have always used AVG on PCs for family members, but beyond version 7.something it used so much CPU/HD that it became a nuisance.
Another thing you could do is run msconfig.exe. It will give you a list of what starts at boot time. You might find something that looks suspicious and it may give you a direction to search further. Also take a look in the registry at what is listed under the Run and RunOnce keys. A lot of malware sits there. Always take a look and use Google (and read several responses) before taking any action.
Expert in non-working solutions.
Reply #9 by runaway (Member, Posts: 655) on August 29, 2011, 11:17:37 AM
Malware/viruses also lurk in the 'restore' points, so turning off System Restore for a while also helps.
There is usually no one cure but rather a number of steps many of which have been suggested.
Reply #10 by MarkT (Guest) on August 29, 2011, 01:15:49 PM
Sorry, I only just saw this post, but I recommend you follow something like the script here:
http://www.dslreports.com/faq/8428
I know it seems like a lot of steps, but this is the only way to be sure you have gotten rid of everything. A lot of malware plants software deep in your system and prevents normal AV software from getting rid of it.
If this doesn't help, follow the link on the page for getting help. It isn't easy and it isn't fun, but it is worth it. The alternative is to reformat your friend's hard disk and reinstall the OS and software. Which is easier?
Good Luck!