Hi, I have difficulty with a tricky rootkit. I am saying rootkit because I can't even detect it with an offline scan of Defender/Security Essentials.

A few telltales:

1. I can't install updates/CheckSUR.
2. Event Viewer shows that shutdown.exe is called periodically to restart my system. I have subsequently deleted shutdown.exe to sabotage the restart process.
3. After the restart, the OS partition is switched to hidden, so that Windows doesn't boot all the that. I have to manually switch it to 0x07 offline.

I ran GMER but didn't find anything. The only way that I'm thinking is to trace the processes and see when and how the partition is switched to hidden.

Do you guys want an offline dump of my MBR and boot sector? I don't actually know the best tool to do it. I have already done both bootrec /fixmbr and /fixboot. No go.
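For readers triaging the same symptom, here is an added example (not part of the original post) that reads the partition table from a raw 512-byte dump of sector 0 and reports type-byte changes between two dumps, such as 0x07 becoming its hidden counterpart 0x17. It assumes an MBR-partitioned disk rather than GPT; the function names and the sample sectors are constructed for illustration.

```python
import struct

# Hidden FAT/NTFS partition types are the visible type with bit 0x10 set.
HIDDEN_TO_VISIBLE = {0x11: 0x01, 0x14: 0x04, 0x16: 0x06, 0x17: 0x07,
                     0x1B: 0x0B, 0x1C: 0x0C, 0x1E: 0x0E}

def parse_mbr(sector: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        raw = sector[446 + 16 * index: 462 + 16 * index]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype == 0x00:          # unused slot
            continue
        entries.append({"index": index, "active": status == 0x80,
                        "type": ptype, "hidden": ptype in HIDDEN_TO_VISIBLE,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def type_changes(before: bytes, after: bytes) -> list:
    """List (slot, old_type, new_type) for slots whose type byte differs."""
    old = {e["index"]: e["type"] for e in parse_mbr(before)}
    new = {e["index"]: e["type"] for e in parse_mbr(after)}
    slots = sorted(old.keys() | new.keys())
    return [(i, old.get(i, 0), new.get(i, 0)) for i in slots
            if old.get(i, 0) != new.get(i, 0)]

def make_sample(ptype: int) -> bytes:
    """Constructed test sector: one active partition at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, ptype, 2048, 204800)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    good, bad = make_sample(0x07), make_sample(0x17)   # constructed dumps
    for slot, old_t, new_t in type_changes(good, bad):
        note = " (hidden variant)" if new_t in HIDDEN_TO_VISIBLE else ""
        print(f"slot {slot}: 0x{old_t:02X} -> 0x{new_t:02X}{note}")
```

Taking one dump while the system boots normally and another after a failed boot, then comparing them, shows whether only the type byte changed or whether the entry's start LBA and size were altered as well.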