Need help removing this virus.

The Entire Country Of Russia

New Member
Thread author
Dec 16, 2012
8
I'm trying to get rid of this Windows Security Center virus and any other things I might have on here.
Windows Security Center seems completely disabled.
Please help. Went crazy trying to figure this out. :crazy:
 

Attachments

  • bandicam 2012-12-16 09-39-56-629.jpg (97 KB)
  • bandicam 2012-12-16 09-40-08-926.jpg (26.5 KB)
  • bandicam 2012-12-16 09-41-08-773.jpg (215.7 KB)
  • aswMBR.txt (1.9 KB)
  • otl.txt (105.8 KB)

Fiery

Level 1
Jan 11, 2011
2,007
Hello, welcome to MT!

I'm Fiery and I will help you with your issue.

WARNING: Please note that your computer may have been infected with a malware that steals personal information. I would advise you to change your banking information on a CLEAN computer and any other passwords that you may have entered on this computer.

Step 1: Open OTL and, under Custom Scans/Fixes, copy and paste the following:

Code:
:OTL

IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - No CLSID value found
O2 - BHO: (JollyWallet) - {11111111-1111-1111-1111-110111251155} - C:\Program Files (x86)\JollyWallet\JollyWallet.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0B7C6A63-F272-49C7-9582-E9E210BD1530}: NameServer = 8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1


:Files
ipconfig /flushdns /c

:Commands
[EMPTYJAVA]
[EMPTYFLASH]

Then hit "Run fix"

Next,

Step 2: Please download Combofix

* make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
 
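The O2/O3 lines in the OTL fix above are all the same kind of finding: a browser-extension registration (a BHO, a URLSearchHook or a toolbar) whose CLSID no longer resolves to a DLL, or resolves to a DLL that is gone. The script below is an added example written for this page, not code from the thread, from OTL or from MalwareTips. It walks the standard IE registration keys, resolves each CLSID through HKCR\CLSID (and the Wow6432Node copy on 64-bit Windows) to its InprocServer32 path, and reports the same two orphan states OTL prints. It assumes 64-bit Windows with Internet Explorer installed and an elevated PowerShell session.

```powershell
# Added example, not from the original thread. Resolves Internet Explorer
# extension registrations (BHOs, URLSearchHooks, WebBrowser toolbars) to the
# DLL each CLSID points at and reports the two orphan states OTL labels
# "No CLSID value found" and "File not found". Assumes 64-bit Windows with IE;
# run from an elevated PowerShell so HKLM can be read fully.

function Resolve-ClsidDll {
    param([Parameter(Mandatory)][string]$Clsid)
    # 64-bit registrations live under HKCR\CLSID, 32-bit ones under HKCR\Wow6432Node\CLSID.
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $key = "$root\$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $raw = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ($raw) {
            # Strip surrounding quotes and expand %SystemRoot%-style variables before Test-Path.
            return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
        }
    }
    return $null   # CLSID registered nowhere: the loader could not even find a DLL name
}

function Get-IeExtensionAudit {
    # Where each extension type is registered, and whether the CLSID is the subkey name or the value name.
    $sources = @(
        @{ Kind = 'BHO (64-bit)';  Mode = 'SubKey'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' }
        @{ Kind = 'BHO (32-bit)';  Mode = 'SubKey'; Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' }
        @{ Kind = 'URLSearchHook'; Mode = 'Value';  Path = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks' }
        @{ Kind = 'Toolbar';       Mode = 'Value';  Path = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser' }
    )
    $clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    foreach ($src in $sources) {
        if (-not (Test-Path -LiteralPath $src.Path)) { continue }
        $clsids = if ($src.Mode -eq 'SubKey') {
            (Get-ChildItem -LiteralPath $src.Path).PSChildName
        } else {
            # Toolbar\WebBrowser also holds non-CLSID values such as ITBarLayout; keep only GUID-shaped names.
            (Get-Item -LiteralPath $src.Path).GetValueNames() | Where-Object { $_ -match $clsidPattern }
        }
        foreach ($clsid in $clsids) {
            $dll = Resolve-ClsidDll -Clsid $clsid
            $status = if (-not $dll)                               { 'No CLSID value found' }
                      elseif (-not (Test-Path -LiteralPath $dll))  { 'File not found' }
                      else                                         { 'OK' }
            [pscustomobject]@{ Kind = $src.Kind; CLSID = $clsid; Dll = $dll; Status = $status }
        }
    }
}

# Orphans sort to the top; entries that resolve to an existing DLL still need a look at the file itself.
Get-IeExtensionAudit | Sort-Object Status | Format-Table -AutoSize
```

Two caveats for anyone using this as a triage step. An orphaned registration is leftover hygiene, not an active threat: the DLL is already gone, so the interesting question is what removed it and whether anything else from the same installer is still running. Conversely, a row that reports OK only means the DLL exists; a hostile BHO that is still installed will resolve cleanly, so the path and the file's signature are what you inspect next.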

Fiery
Looking better.

Open up Notepad and paste the following:

Code:
DDS::
TCP: Interfaces\{0B7C6A63-F272-49C7-9582-E9E210BD1530}: NameServer = 8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1

DirLook::
c:\windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP

* Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFScript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Next,
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


Then,

Download & SAVE RogueKiller to your Desktop (or from the alternate link here).
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
 

The Entire Country Of Russia (thread author)
Smooth again, RogueKiller gave me bad news. See for yourself in the log. :black_eye:
 

Attachments

  • RKreport[1]_S_12162012_02d1939.txt (3.5 KB)
  • AdwCleaner[R1].txt (33.4 KB)
  • ComboFix.txt (35.1 KB)

Fiery
Open RogueKiller and do a search again. After it finishes, click Delete. Post the log after.
 

Fiery
OK, good. Next, open RogueKiller again, click the DNS tab and make sure these two entries are selected:

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{0B7C6A63-F272-49C7-9582-E9E210BD1530} : NameServer (8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{0B7C6A63-F272-49C7-9582-E9E210BD1530} : NameServer (8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1) -> FOUND

then click on the DNS Fix button.

Download TDSSKiller (the .exe one) from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Then, download Malwarebytes' Anti-Malware (download link) to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • Malwarebytes Anti-Malware will now start and you'll be prompted to start a trial period; please select 'Decline'.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) and click on Remove Selected.
  • Reboot your computer if prompted.


Lastly, remove any leftover malicious files with HitmanPro.

  1. This step can be performed in Normal Mode, so please download the latest official version of HitmanPro: HITMANPRO DOWNLOAD LINK (http://malwaretips.com/download-hitmanpro). This link will open a download page in a new window from where you can download HitmanPro.
  2. Double click on the previously downloaded file to start the HitmanPro installation.
     IF you are experiencing problems while trying to start HitmanPro, you can use the "Force Breach" mode. To start this program in Force Breach mode, hold down the left CTRL key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode - Video: http://www.youtube.com/watch?feature=player_embedded&v=m6eRWTv2STk)
  3. Click on Next to install HitmanPro on your system.
  4. The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan. Select an option, then click on Next to start a system scan.
  5. HitmanPro will start scanning your system for malicious files. Depending on the size of your hard drive and the performance of your computer, this step will take several minutes.
  6. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown. After reviewing each malicious object, click Next.
  7. Click Activate free license to start the free 30-day trial and remove the malicious files.
  8. HitmanPro will now start removing the infected objects and, in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
 
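The two RogueKiller DNS lines above are the same interface GUID reported once per ControlSet, which is why a fix applied only to CurrentControlSet can appear to "come back" after a reboot into the other set. The script below is an added example written for this page, not code from the thread, from RogueKiller or from MalwareTips. It enumerates every ControlSet00N under HKLM\SYSTEM, reads the per-interface NameServer override, and flags the DNS-changer pattern: a hard-coded resolver list on an interface that is otherwise DHCP-configured, or any resolver that is not on an allow-list you pass in. The allow-list addresses in the usage line are constructed placeholders; substitute the resolvers your network should actually be using. It assumes Windows and an elevated PowerShell session.

```powershell
# Added example, not from the original thread. Lists the per-interface DNS
# NameServer override in every ControlSet00N (not just CurrentControlSet, which
# is why RogueKiller reports the same GUID twice) and flags the DNS-changer
# pattern: a hard-coded resolver list on an interface that is otherwise DHCP
# configured, or any resolver outside an allow-list you supply. Assumes Windows;
# run from an elevated PowerShell.

function Get-StaticDnsOverrides {
    param(
        # Resolvers you expect to see (constructed allow-list; empty means "flag every static entry").
        [string[]]$Allowed = @()
    )
    $controlSets = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

    foreach ($cs in $controlSets) {
        $ifaceRoot = "$($cs.PSPath)\Services\Tcpip\Parameters\Interfaces"
        if (-not (Test-Path -LiteralPath $ifaceRoot)) { continue }

        foreach ($iface in Get-ChildItem -LiteralPath $ifaceRoot) {
            $p = Get-ItemProperty -LiteralPath $iface.PSPath
            if ([string]::IsNullOrWhiteSpace($p.NameServer)) { continue }   # no static override on this interface

            # NameServer is a REG_SZ; Windows accepts comma- or space-separated addresses.
            $static     = @($p.NameServer -split '[,\s]+' | Where-Object { $_ })
            $unexpected = @($static | Where-Object { $Allowed -notcontains $_ })
            $dhcpOn     = [bool]$p.EnableDHCP

            [pscustomobject]@{
                ControlSet  = $cs.PSChildName
                Interface   = $iface.PSChildName
                DhcpEnabled = $dhcpOn
                DhcpDns     = $p.DhcpNameServer          # what the network actually handed out
                StaticDns   = $static -join ','
                Unexpected  = $unexpected -join ','
                # A static list on a DHCP interface silently wins over DhcpNameServer.
                Suspicious  = $dhcpOn -or ($unexpected.Count -gt 0)
            }
        }
    }
}

# Example run with a constructed allow-list (RFC 5737 documentation addresses, not real resolvers).
Get-StaticDnsOverrides -Allowed '192.0.2.53', '192.0.2.54' |
    Where-Object Suspicious |
    Format-Table ControlSet, Interface, DhcpEnabled, StaticDns, Unexpected -AutoSize
```

The Interface column is the same GUID RogueKiller prints, so you can match its report line for line. Whatever tool you use to remove the override, remove it from every ControlSet the script lists, then run `ipconfig /flushdns` and confirm with `ipconfig /all` that the adapter's "DNS Servers" line now shows the DHCP-supplied addresses rather than the static list. Clearing the value by hand is `Remove-ItemProperty -LiteralPath <interface key> -Name NameServer` per ControlSet; on Windows 7, `netsh interface ipv4 set dnsservers name="<adapter name>" source=dhcp` does the same for the live configuration.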

Fiery
Ok, check that and click the Fix DNS button and proceed to the next step. Make sure to upload the Roguekiller log afterwards so I can make sure that entry is deleted.
 

Fiery
That is fine, how did the other steps go? Please post the logs for roguekiller, tdss and malwarebytes.

Thanks!
 

The Entire Country Of Russia (thread author)
Here you go. The thing with HitmanPro is that when I scanned with it, it detected these Funmood things and also detected Babylon, which is known to be malware.
 

Attachments

  • TDSSKillerlog.txt (13.2 KB)
  • RKreport[6]_DN_12172012_02d1654.txt (1 KB)
  • mbam-log-2012-12-17 (16-58-48).txt (1.8 KB)

Fiery
OK, do a scan with AdwCleaner and this time hit the Delete button. Post the log after that.

Open up Notepad and paste the following:

Code:
Folder::
c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
c:\windows\83B952C7F8F34CA3B4C533C85B24E478.TMP

* Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFScript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below


Then,
Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.

Let me know how everything is after that.
 
