MBRoot virus + others? not able to remove

Good morning,

I just discovered that I have several rootkits on my computer. One of them is the MBROOT. I’ve run aswMBR successfully. Now it still says the virus is there, it just isn’t highlighted in red anymore. It also does not seem to be the only problem - and aswroot doesn’t seem to be able to fix any of them. Both AVG and Malwarebytes scanner cannot find anything. Screenshot below - can anyone please help?

regards,
Wouter

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here and not in the guide)

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTL log / aswMBR log ) save OTL log as ANSI

Essexboy will look at the logs when he arrives here later today…

Both AVG and Malwarebytes scanner cannot find anything
Do you have AVG and avast installed?

Having multiple AVs installed can/will create all kinds of Windows errors and false positive detections…

Never install two antivirus programs (see reply from quietman7)
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638

Good afternoon,

I only have AVG installed - I’m aware of the issues involved with multiple virus scanners ;)

Attached the log files requested… really hope you guys can help me!

regs,
Wouter

Lucky you…running AVG and getting help in avast forum :wink:

essexboy is notified…

I reviewed your OTL log but I am not familiarized with OTL. I would like to ask if you are getting Google redirects as well?
Btw, your hosts file is heavily infected
O1 - Hosts: 15032 more lines… LOL :o
Poor Essex, hehehe ;D

You may have had a double MBR infection. I can see the old mebroot remains (harmless now), but I would like to investigate the unknown a little deeper. The Hosts file has the MVPS Hosts entries; they all loop back to the host system.

What are your current problems ?

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillermain.png

  • If an infected file is detected, the default action will be Cure, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillerMal-1.png

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillerSuspicious.png

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillerCompleted.png

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

The HOSTS file isn’t infected, it is being used to actually block these sites.

e.g. http://www.mywot.com/en/scorecard/007guard.com

So I would certainly leave this to essexboy and watch.
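To show the distinction the reply above draws, here is an added triage script (not part of the original thread): loopback or 0.0.0.0 entries such as the MVPS ones are blocklisting, whereas an entry that sends a real domain to a routable address is what a hijacked hosts file looks like. The sample lines, the example-bank hostname and the 203.0.113.5 address are constructed for the demonstration.

```python
import ipaddress

# Constructed sample: a mix of OTL "O1 - Hosts:" report lines and raw hosts lines.
SAMPLE = """\
O1 - Hosts: 127.0.0.1 ww.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
127.0.0.1 localhost
0.0.0.0 008i.com
# a comment line, ignored
203.0.113.5 www.example-bank.test
::1 localhost
"""

STANDARD_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, accepting both raw hosts lines and OTL 'O1 - Hosts:' lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith("O1 - Hosts:"):
            line = line[len("O1 - Hosts:"):].strip()  # strip the OTL report prefix
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:                        # one IP may map several names
            yield parts[0], host.lower()


def classify(ip, host):
    """blocklist: name sent to loopback/unspecified; redirect: name sent to a routable address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        return "standard" if host in STANDARD_HOSTS else "blocklist"
    return "redirect"


def triage(text):
    """Count benign entries and collect the redirect entries that deserve a closer look."""
    summary = {"blocklist": 0, "standard": 0, "malformed": 0, "redirects": []}
    for ip, host in parse_hosts(text):
        kind = classify(ip, host)
        if kind == "redirect":
            summary["redirects"].append((host, ip))
        else:
            summary[kind] += 1
    return summary
```

Run `triage(SAMPLE)` on the constructed input: the 007guard/008i lines count as blocklist entries, and only the bank hostname pointed at 203.0.113.5 is reported as a redirect.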

log attached, no infections found
I’ve also run the Kaspersky trojan killer… it found a few things, but none the aswMBR reports.

The isolation of mebroot has helped a little. What I notice is:

  • sudden deterioration in performance where the task manager shows nothing
  • When I start up IE it takes VERY long
  • www.google.com freezes IE for a longer time
    Most issues are IE related, although Firefox is slower than it used to be.

Oh, and my bank cut off access to internet banking, due to a virus that I apparently have, that records usernames and passwords (an MBR virus) :confused: That is actually what triggered me.

Suspicious service (NoAccess): 053ABD10B32BD920 053ABD10B32BD920 - detected LockedService.Multi.Generic (1)
This deserves further investigation as it is not a known service

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

I ran Combofix - attached is the logfile. Computer runs better now - at least, I haven’t noticed a slowdown so far :D Would it be safe to access internet banking again, or still too early?

Anyone here know what the process C:\WINDOWS\system32\Drivers\sptd.sys does?

Probably that’s the only way to affect hosts, that’s why I said infected.

http://www.bleepingcomputer.com/startups/sptd.sys-13477.html

OK, let’s remove what remains. Once done, let me know how the computer is behaving. And then we will revisit the internet banking advice.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\MUPO.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\OJB.exe

Folder::
c:\documents and settings\standaard\Bureaublad\053ABD10B32BD920

Registry::
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“3389:TCP”=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“klsgczppbczcdummsndxTaskMgr”=-

Driver::
053ABD10B32BD920
MUPO
OJB

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

done -attached the logfile.

Looks much better, any remaining problems ?

Nope, everything seems to work fine… I’ll reactivate internet banking and see what happens… The bank takes a couple of days to reactivate… old school “mail” (i.e. post)

Thanks a million!

So now you need to uninstall AVG… and install avast!… if not, essexboy will put the virus back ;D

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the “x” and “/”)
    then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave: