Infected with MBR Rootkit, avast doesn't remove

Hi everybody. I'm infected with an MBR Rootkit, Avast detect it but, when I program a scan on startup, it scans everything but it doesn't remove it. It seems to have no effect on my system but some spam messages "I" sent to my contacts (all of them! professors too!). Well, down here there's DDS log file. Thank you to everybody in advance.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by BiagioP at 17.19.24,21 on 26/03/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1241 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
C:\windows\Explorer.EXE
C:\Programmi\Alwil Software\Avast5\avastUI.exe
C:\Programmi\3 Internet\3 Internet.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe -k imgsvc
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Mozilla Firefox\plugin-container.exe
C:\Programmi\Mozilla Firefox\plugin-container.exe
C:\DOCUME~1\BiagioP.BIAGIO\Impostazioni locali\Temp\Rar$EX00.735\gmer.exe
C:\Documents and Settings\BiagioP.BIAGIO\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Mobile Partner] "c:\programmi\3 internet\3 Internet.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast5] "c:\programmi\alwil software\avast5\avastUI.exe" /nogui
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {C761BC1F-8450-40C5-8B43-BBA9CDC0372F} = 62.13.173.93 62.13.173.92
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\biagiop.biagio\dati applicazioni\mozilla\firefox\profiles\1ujh3nvf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - plugin: c:\programmi\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\programmi\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\programmi\mozilla firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\programmi\mozilla firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\programmi\mozilla firefox\plugins\nplv85win32.dll
FF - plugin: c:\programmi\quicktime\plugins\npqtplugin8.dll
FF - plugin: d:\vlc\npvlc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2007-7-10 15448]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-5-11 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-11 17744]
R2 avast! Antivirus;avast! Antivirus;c:\programmi\alwil software\avast5\AvastSvc.exe [2010-4-16 40384]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2007-2-22 11552]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2007-7-19 11360]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-1-27 1390976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [2007-1-11 20256]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2007-2-22 25888]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2007-2-22 11552]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2007-5-25 22360]
S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [2007-2-26 16672]
S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [2007-7-15 11352]
S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2007-7-12 11360]
S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2007-7-13 11336]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2007-7-19 11344]
S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2007-7-24 11336]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2007-7-24 11336]
S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [2007-7-15 11352]
S3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [2007-7-24 11360]
S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2007-7-18 11392]
S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2007-6-21 14464]
S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2007-6-21 151683]
S3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2007-7-13 11360]
S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2007-7-13 11368]
S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2007-7-19 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2007-7-18 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2007-7-18 11896]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2007-2-22 20768]
S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [2007-7-19 11376]
S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2007-7-17 11352]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2007-7-16 11344]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [2007-7-19 11376]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2007-7-24 11336]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [2007-7-15 11312]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2007-7-15 11360]
S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [2007-7-17 11336]
S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2007-7-18 11360]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2007-7-19 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2007-7-19 11360]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2007-7-24 11336]
S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2007-7-24 11336]
S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]
S3 vvftav211;vvftav211;c:\windows\system32\drivers\vvftav211.sys [2010-4-14 480128]
S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\ZS211.sys [2010-4-14 1537024]
S4 CTUPnPSv;Creative Centrale Media Server;c:\programmi\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S4 MSSQLServerADHelper100;Servizio SQL Server Active Directory Helper;c:\programmi\microsoft sql server\100\shared\sqladhlp.exe [2009-7-21 47128]
S4 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2007-2-16 12696]
S4 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2007-2-16 12696]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\programmi\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-26 12:54:51 89088 ----a-w- C:\mbr.exe
2011-03-21 22:15:48 -------- d-----w- c:\programmi\uTorrent
2011-02-27 21:15:30 151552 ----a-w- c:\windows\system32\nvRegDev.dll
2011-02-27 21:12:28 -------- d-----w- c:\programmi\NVIDIA GPU Computing Toolkit
2011-02-27 19:35:35 -------- d-----w- c:\docume~1\biagiop.biagio\dati applicazioni\NVIDIA
.
==================== Find3M ====================
.
2011-02-18 20:24:57 242268 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-02-18 20:24:57 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-02-18 20:24:23 242268 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-01-13 18:36:41 716153 ----a-w- c:\windows\system32\unins000.exe
2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
2008-03-09 06:25:10 236 ----a-w- c:\programmi\file comuni\dx.reg
.
============= FINISH: 17.19.44,40 ===============

Attached File(s)

Attach.txt (16.86K)
Number of downloads: 0
ark.txt (94.88K)
Number of downloads: 0

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

DeFogger

desktop

DeFogger

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK

Do not

Download DDS:

DDS by sUBs

Link1

Link2

Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:
- DDS.txt
- Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

Please Download Rootkit Unhooker Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

In your next post I need the following

.logs from DDS
log from RKUnHooker
let me know of any problems you may have had

Gringo

BleepingComputer.com: Infected with MBR Rootkit, avast doesn't remove

Forum Guidelines