So, I basically did what Sick Willie said, but I added some stuff in between and stuff. Briefly, here's what I did with or without results (remember, I'm trying to be as "brief" as possible):
First, all below was done OFFLINE for now:
1. ran TweakNow RegCleaner, cleaned the registry up a bit
2. deleted some of the strange things in 9. above in post #5
3. ran Process Explorer (friend advised me on this), didn't see anything strange
4. ran RKill, then TDSSKiller, rebooted, ran RKill again, then TDSSKiller again (when you check all the items except verify sigs, you'll know what I'm talking about), nothing detected
5. ran TFC, but not much left to get rid of
6. ran MBAM, MBAR and SASW (MBAM still run with different subd name and different exe file name)
7. ran ComboFix (it thinks Avira Desktop is still running, so stopped it)
8. can't uninstall, so I deleted all of Avira AntiVir stuff in directories, subdirectories and registry
9. ran ComboFix again (still thinks Avira Desktop is running), even though a warning, I ran anyway (what choice did I have?), it got rid of some stuff that didn't look good
10. ran Adwcleaner and it didn't detect anything (I would hope at this point all spyware/adware is gone)
11. ran MBAM, MBAR and SASW one more time to make sure and detected nothing
12. Since MBAM and Avira AntiVir are now renamed to get them to run, I tried naming them back and the software policy restriction still remains. They do not show up in Add/Remove Programs either. I decided to delete all references to MBAM in subdirectories and registry also.
Second, this was a scan of HD from another computer:
13. At this point, at the advice of Sick Willie, I removed the HD from the WinXP computer and installed it as a data drive in a Win7 computer and ran an updated MS Security Essentials on it. It detected 8 items (7 severe alert, but 3 were false positives (decided to delete 7 of them anyway; last one was TDSSKiller that Quarantined "Virus: DOS/Rovnix.W", I'll delete this later if I can)). The legitimate 5 were (exact names left out):
VirTool: Win32
Backdoor: Win32
Trojan Downloader: Win32
Backdoor: Win32
Trojan: Win32
Third, all below was done ONLINE:
14. ran TFC and Process Explorer and nothing strange
15. ran ComboFix (still thinks Avira is running for some odd reason), continued after warning; deleted a lot less than last time.
16. ran Adwcleaner and nothing detected, but after it ran got an almost infinite loop of Windows Installer window switching with Logitech QuickCam detection over and over again (I stopped it by killing processes until it went away).
17. ran RKill, TDSSKiller, RKill, TDSSKiller again and detected nothing
18. ran MBAM and detected same Trojan Downloader as MS Security Essentials, so deleted again.
19. ran MBAR and SASW again with no detections
20. made a DriveImage backup of the C: drive
21. tried to reinstall the new version of Avira AntiVir, but got problems with Chrome and IE and which one was default; didn't like the way this new version was installing, so I decided not to use Avira this time around.
22. installed the newest version of Avast without the software updating crap and am running that now.
23. decided not to bother with HitManPro, Eset Online Scanner, Emsisoft Emergency Kit, or some of the others in links I haven't mentioned yet for now.
Also, I may try applying the WinXP security update fix at a later date (probably next weekend). Thank you everyone that helped (esp. Sick Willie)!!