NETHKUXTM.DLL Win32:Malware-gen

Avast found this infected file which was moved to the virus chest. But now, anytime ANY .exe file tries to run I get " *.exe - Unable To Locate Component - This application has failed to start because nethkuxtm.dll was not found. Re-installing the application may fix this problem." This error pops up multiple times even before the login on a restart. Uninstalling and Re-installing the programs don’t even help. Even new programs installed have this popup error. Some programs will start if I keep pressing the " OK " button on the above error popup, but some won’t start at all.

The above error even pops up in the SAFE MODE.

I’ve tried all the checkmarks in the Trouble Shooting section of the Settings, no good.

I have tried restoring the above file and pressing No Action when Avast finds the file again, which keeps the popup error from coming up on some of the programs, but some of my major programs won’t even start, or giving an error that “*.exe - Application Error - The application failed to initialize properly (0xc0000022). Click on OK to terminate the application” or “(program) not installed correctly. Please reinstall (program)” which will be a pain since some of these programs are a pain to install then get all the upgrades.

This file has no Properties when you right click on it and it was apparently installed or changed on 2/9/09. This was after Avast had been installed on 1/19/09.

Any help or suggestions would be appreciated.

Extract the file out of the virus chest and upload it to VirusTotal or VirSCAN and post the results.

Was the file called desote.exe by any chance ?

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says “Error deleting file”, please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Then

To ensure that I get all the information this log will need to be uploaded to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]Reg - Shell Spawning
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Thanks for the quick reply. I will try the other reply info shortly.

From VirusTotal.

File nethkuxtmold.dll.vir received on 2009.10.18 21:28:39 (UTC)

Result: 8/41 (19.52%)

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.18 -
AhnLab-V3 5.0.0.2 2009.10.17 -
AntiVir 7.9.1.35 2009.10.18 -
Antiy-AVL 2.0.3.7 2009.10.16 -
Authentium 5.1.2.4 2009.10.18 -
Avast 4.8.1351.0 2009.10.18 Win32:Malware-gen
AVG 8.5.0.420 2009.10.18 -
BitDefender 7.2 2009.10.18 Trojan.Agent.ANQR
CAT-QuickHeal 10.00 2009.10.18 -
ClamAV 0.94.1 2009.10.17 -
Comodo 2648 2009.10.18 -
DrWeb 5.0.0.12182 2009.10.18 -
eSafe 7.0.17.0 2009.10.18 Suspicious File
eTrust-Vet 35.1.7072 2009.10.16 -
F-Prot 4.5.1.85 2009.10.18 -
F-Secure 9.0.15300.0 2009.10.16 Trojan.Agent.ANQR
Fortinet 3.120.0.0 2009.10.16 -
GData 19 2009.10.18 Trojan.Agent.ANQR
Ikarus T3.1.1.72.0 2009.10.18 -
Jiangmin 11.0.800 2009.10.18 -
K7AntiVirus 7.10.872 2009.10.16 -
Kaspersky 7.0.0.125 2009.10.18 -
McAfee 5775 2009.10.18 -
McAfee+Artemis 5775 2009.10.18 -
McAfee-GW-Edition 6.8.5 2009.10.18 Heuristic.LooksLike.Win32.NewMalware.C
Microsoft 1.5101 2009.10.18 -
NOD32 4520 2009.10.18 -
Norman 6.03.02 2009.10.17 -
nProtect 2009.1.8.0 2009.10.18 Trojan/W32.Agent.144948
Panda 10.0.2.2 2009.10.18 -
PCTools 4.4.2.0 2009.10.18 -
Prevx 3.0 2009.10.18 -
Rising 21.51.62.00 2009.10.18 -
Sophos 4.46.0 2009.10.18 -
Sunbelt 3.2.1858.2 2009.10.18 -
Symantec 1.4.4.12 2009.10.18 -
TheHacker 6.5.0.2.045 2009.10.17 -
TrendMicro 8.950.0.1094 2009.10.18 PAK_Generic.001
VBA32 3.12.10.11 2009.10.18 -
ViRobot 2009.10.17.1990 2009.10.17 -
VirusBuster 4.6.5.0 2009.10.18 -

Additional information
File size: 144948 bytes
MD5…: 60a198cbfe1c5406cfe71403f272cebd
SHA1…: fed542000f0c904e9b09a7ef0eb9f5a70e9ec416
SHA256: 1c80ed9e013a61857116cc3ad0cf476c483aa38cd2f02b5ab3bd282d821a8e07
ssdeep: 3072:b8Fy73Fh/E1Hu2RJQZ1tz/PR1sHbLiolw76fhVQDHFDNV7/r9/WA9Ym:/FK
Hu2LWzpK7Liol1fhejFpVDr9uA9j

PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x37001
timedatestamp…: 0x4aba6e91 (Wed Sep 23 18:53:05 2009)
machinetype…: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x30000 0x1fa00 8.00 b82211e49bdfa2316abe00cd006b9c10
.bss 0x31000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x32000 0x1000 0x800 3.97 3f74054dc03b528df6d08ce5cf0fc6c9
.data 0x33000 0x2000 0xc00 7.89 e2b99d36ccd0d01784bc7a0c51a45bcb
.reloc 0x35000 0x2000 0x1200 7.67 afd92ecacad8227b098137b27e698c02
.aspack 0x37000 0x2000 0x1200 5.63 3048c78b07c99e0f140a5349a422d9f6
.adata 0x39000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 2 imports )

kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
msvcrt.dll: __3@YAXPAX@Z

( 1 exports )
fmvaoks

RDS…: NSRL Reference Data Set

pdfid.: -
trid…: Win32 Executable Generic (38.5%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
packers (Kaspersky): ASPack
sigcheck:
publisher…: n/a
copyright…: n/a
product…: n/a
description…: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned

packers (F-Prot): Aspack

This is from exeHelper.com. I will run the OTS shortly and post. Thanks.

exeHelper by Raktor
Build 20091018
Run at 17:40:27 on 10/18/09
Now searching…
Checking for numerical processes…
Checking for bad processes…
Checking for bad files…
Checking for bad registry entries…
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values…
Resetting policies…
–Finished–

OTS results link:

http://www.mediafire.com/?zizmv53jmwz

Edit:

I don’t recall seeing that file anywhere.

Hi maxvtol,

Continue the removal routines that essexboy is guiding you through to the dot.
Just additionally there are some disinfection removal tools for this specific malware to be found here (with instructions how to use):
http://www.sophos.com/support/disinfection/agentl.html
If needed run at the end of the removal routine,

polonus

OK you also have the AWF trojan, there are two ways to clean this - easy and hard. Let’s do easy

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-482890860-3427977408-3116954019-1005\] > -> HKEY_USERS\S-1-5-21-482890860-3427977408-3116954019-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> doginhispen.com .[*] -> Trusted sites
YN -> whataboutadog.com .[*] -> Trusted sites
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> Winlogon -> C:\WINDOWS\System32\winmm64.dll
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EAD8F454-EC03-4B47-A5B7-6534DA513FA5}" [HKLM] -> C:\WINDOWS\System32\winmm64.dll [WinCheck]
[Files/Folders - Modified Within 30 Days]
NY -> nethkuxtmold.dll.vir -> C:\Documents and Settings\Joe\Desktop\nethkuxtmold.dll.vir
NY -> NETHKUXTM.DLL -> C:\Documents and Settings\Joe\Desktop\NETHKUXTM.DLL
[Files - No Company Name]
NY -> nethkuxtmold.dll.vir -> C:\Documents and Settings\Joe\Desktop\nethkuxtmold.dll.vir
NY -> NETHKUXTM.DLL -> C:\Documents and Settings\Joe\Desktop\NETHKUXTM.DLL
NY -> winmm64.dll -> C:\WINDOWS\System32\winmm64.dll
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

Download ComboFix from here:

Link

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Thanks so much for the help. I will run the ComboFix next.

Here are the results of the OTS Run Fix:

All Processes Killed
[Registry - Safe List]
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doginhispen.com not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID*\ not found.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\whataboutadog.com not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID*\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winlogon\ deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\winmm64.dll
C:\WINDOWS\System32\winmm64.dll NOT unregistered.
C:\WINDOWS\System32\winmm64.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WinCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EAD8F454-EC03-4B47-A5B7-6534DA513FA5}\ deleted successfully.
File C:\WINDOWS\System32\winmm64.dll not found.
[Files/Folders - Modified Within 30 Days]
File C:\Documents and Settings\Joe\Desktop\nethkuxtmold.dll.vir not found!
File C:\Documents and Settings\Joe\Desktop\NETHKUXTM.DLL not found!
[Files - No Company Name]
File C:\Documents and Settings\Joe\Desktop\nethkuxtmold.dll.vir not found!
File C:\Documents and Settings\Joe\Desktop\NETHKUXTM.DLL not found!
File C:\WINDOWS\System32\winmm64.dll not found!
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 150183 bytes
->FireFox cache emptied: 2494460 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Guest
->Temp folder emptied: 1119497683 bytes
->Temporary Internet Files folder emptied: 2000381 bytes
->Java cache emptied: 379697 bytes
->FireFox cache emptied: 20309210 bytes

User: Joe
->Temp folder emptied: 129532759 bytes
->Temporary Internet Files folder emptied: 79869624 bytes
->Java cache emptied: 147716862 bytes
->FireFox cache emptied: 161805299 bytes
->Apple Safari cache emptied: 254522915 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 246162 bytes

User: NetworkService
->Temp folder emptied: 1004790 bytes
->Temporary Internet Files folder emptied: 337385101 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 2169587 bytes
%systemroot%\System32 .tmp files removed: 2675729 bytes
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_608.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 65600578 bytes
RecycleBin emptied: 50208 bytes

Total Files Cleaned = -1876.31 mb

< End of fix log >
OTS by OldTimer - Version 3.0.22.0 fix logfile created on 10192009_173318

Files\Folders moved on Reboot…
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_608.dat moved successfully.

Registry entries deleted on Reboot…

Hallelujah!!! :slight_smile: :smiley: ;D

Only problems I had running the ComboFix was because I had to keep pressing “OK” button from the " *.exe - Unable To Locate Component - This application has failed to start because nethkuxtm.dll was not found. Re-installing the application may fix this problem." error pop up dozens if not a 100 or more times. But everything went smoothly. Avast came back up after the reboot, even though I turned it off before running the fix, but didn’t seem to cause any problems.

All my programs seem to be running fine, no need for re-installation of them.

You guys are AWESOME, thank you ever so much.

Results of ComboFix log were too long to post here, posted to MediaFire:

http://www.mediafire.com/?ttdgtnbdyuq

Please let me know if you need any more information. And thank you, again.

Infected copy of c:\windows\system32\imm32.dll was found and disinfected
That was the main problem, so let’s clear the remnants of AWF
  1. Please open Notepad
    [*]Click Start, then Run
    [*]Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


AWF::
c:\program files\NovaNet-WEB Backup\bak\TrayControl.exe
c:\program files\QuickTime\bak\qttask.exe
c:\windows\SYSTEM32\bak\ctfmon.exe
c:\program files\iTunes\bak\iTunesHelper.exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt
    [*]A new OTListit log.

I assume you mean another OTS log, no other log showed up from the ComboFix. If not please let me know.

I ran OTS scan with settings from previous post. Both ComboFix and OTS logs are here:

http://www.mediafire.com/?sharekey=a85b8a206a98c44faf924764f9977b1dbe2335de59b8ba3a9b20786b9a6e1ed0

My error, I meant OTS

Just a tidying up exercise now

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Driver Services - Safe List]
YY -> (catchme) catchme [Kernel | On_Demand | Running] -> 
[Custom Items]
:files
c:\program files\Ahead\Nero BackItUp\bak
c:\program files\ATI Technologies\ATI Control Panel\bak
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\Common Files\Sonic\Update Manager\bak
c:\program files\CyberLink\PowerDVD\bak
c:\program files\Java\jre1.6.0_02\bin\bak
c:\program files\NovaNet-WEB Backup\bak
c:\program files\QuickTime\bak
c:\windows\SYSTEM32\bak
c:\windows\SYSTEM32\dla\bak
:end

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE

You now have a clean restore point, to get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The System will do some calculation and then display a dialogue box with TABS
[*]Select the More Options Tab.
[*]At the bottom will be a system restore box with a CLEANUP button click this
[*]Accept the Warning and select OK again, the program will close and you are done

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job
[*]Once it’s finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
[*]SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

;D

I guess you are happy - keep safe ;D

Hi Essexboy !

I could read your valuable info/advice regarding Win32:Malware-gen.

I got also infected by “Win32:Malware-gen” and had then troubles when running some programs.
So I did restore my system to 15 Dec. (before the presumed date of infection).
I then made a bootscan of avast 4.8 pro and got the following report:


01/09/2010 20:20
Scan of all local drives

File C:\Documents and Settings\Richard\Application Data\ESTsoft\ALUpdate\ALZIP\newfile\TEMP\ALZip.exe$INSTDIR$PLUGINSDIR\Alupdate\ALUpdateSetup_en-US.exe\Inno0001.bin Error 42146 {Installer archive is corrupted.}
File C:\Documents and Settings\Richard\Application Data\ESTsoft\ALUpdate\ALZIP\newfile\TEMP\ALZip.exe$INSTDIR$PLUGINSDIR\Alupdate\ALUpdateSetup_en-US.exe\Inno0002.bin Error 42146 {Installer archive is corrupted.}
File C:\System Volume Information\_restore{0C32D206-01C6-47E7-93B1-FBFE835B4ABF}\RP460\A0094012.exe$INSTDIR$PLUGINSDIR\Alupdate\ALUpdateSetup_en-US.exe\Inno0001.bin Error 42146 {Installer archive is corrupted.}
File C:\System Volume Information\_restore{0C32D206-01C6-47E7-93B1-FBFE835B4ABF}\RP460\A0094012.exe$INSTDIR$PLUGINSDIR\Alupdate\ALUpdateSetup_en-US.exe\Inno0002.bin Error 42146 {Installer archive is corrupted.}
File C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\cscript.exe is infected by Win32:Malware-gen, Moved to chest
File C:\WINDOWS\system32\cscript.exe is infected by Win32:Malware-gen, Moved to chest
File C:\WINDOWS\system32\dllcache\cscript.exe is infected by Win32:Malware-gen, Moved to chest
Number of searched folders: 11265
Number of tested files: 989543
Number of infected files: 3

Although the system seems to work OK so far, do you think that I should do something more ?
What to do with the infected files in the chest ?

Many thanks in advance for your help.

The restore would have reset registry entries so that the malware was no longer run but some files may still be dormant on your system. Removal from the system restore actually breaks the chain so restore may not work now - let’s cure that first

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE

You now have a clean restore point, to get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The System will do some calculation and then display a dialogue box with TABS
[*]Select the More Options Tab.
[*]At the bottom will be a system restore box with a CLEANUP button click this
[*]Accept the Warning and select OK again, the program will close and you are done

VISTA
To manually create a new Restore Point
[*]Go to Control Panel and select System and Maintenance
[*]Select System
[*]On the left select Advanced System Settings and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create
Now we can purge the infected ones

[*]Go back to the System and Maintenance page
[*]Select Performance Information and Tools
[*]On the left select Open Disk Cleanup
[*]Select Files from all users and accept the warning if you get one
[*]In the drop down box select your main drive i.e. C
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete
You are now done

THEN

To ensure there is no residue

http://www.geekstogo.com/misc/guide_icons/OTLI.gif
OTL

[*]Download OTL to your Desktop
[*]Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Under the Custom Scan box paste this in:
netsvcs
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
c:\windows\system32\*.dll /lockedfiles
c:\windows\system32\drivers\*.sys /lockedfiles
%systemroot%\*. /mp /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and attach them into your reply.