So have you had any luck with this yet? I am experiencing the same thing right now. I have noticed it deals with user32.dll and nvtpm32.dll. I have tried combofix, which doesnt detect either of those as suspicious. Malware Anitbytes was able to detect nvtpm32.dll as a virus and would state it needed to delete on reboot, which it would.. but about 15-20 seconds after system has loaded up the file reappears and the user32.dll file ends up having the same timestamp.
I also did a full reformat, with 2 quick formats, and low and behold the virus is still here. I have not restored any of the data at all, unless it can affect a computer by being part of an acronis true image file by being listed in a dir.
So im thinking bios based?
this is on a compaq presario r3000