Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Zip the log, and attach zipped file to your next reply.

1. Please download The Avenger to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the Avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:

Begin copying here:
Files to move:
C:\WINDOWS\system32\ReinstallBackups\0083\DriverFiles\nvata.sys | C:\WINDOWS\system32\drivers\nvata.sys

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command windowon your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also back up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

5. Please copy/paste the content of c:\avenger.txt into your reply

No, you don't have to disable anything.

I want you to re-run OTL...

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

Still not good

Please download Sophos Anti-rootkit & save it to your desktop.

IMPORTANT!

• Disconnect from the Internet or physically unplug you Internet cable connection.
• Clean out your temporary files.
• Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
• Temporarily disable your anti-virus and real-time anti-spyware protection.
• After starting the scan, do not use the computer until the scan has completed.
• When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

• Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
• Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
• A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
• Make sure the following are checked:
  
  • Running processes
  • Windows Registry
  • Local Hard Drives
  
  
• Click Start scan.
• Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
• When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
• Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
  
  • Files tagged as Removable: No are not marked for removal and cannot be removed.
  • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
  • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  
  
• Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
• A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
• After reboot, a dialog box displays the files you selected for removal and the action taken.
• Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
• When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
• This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\

What about running Sophos?

Means?