Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on August 03, 2015, 10:41:58 AM

Title: http://disorderstatus.ru/order.php alert persists
Post by: REDACTED on August 03, 2015, 10:41:58 AM
Hoping to get help with this new detection repeatedly popping up on Avast:

Recently, every 3-5 minutes, Avast Web Shield would pop up with the following alert:

Avast Web Shield has blocked a harmful webpage or file
URL: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

I have run numerous virus/malware applications, yet the problem still persists.
I downloaded Zoek and attached the generated report.

Can anyone please assist with the removal of this virus?

Thanks in advance!
Title: Re: http://disorderstatus.ru/order.php alert persists
Post by: Pondus on August 03, 2015, 01:03:01 PM
Follow the instructions and attach the requested logs: https://forum.avast.com/index.php?topic=53253.0


Title: Re: http://disorderstatus.ru/order.php alert persists
Post by: mchain on August 03, 2015, 01:16:57 PM
http://zulu.zscaler.com/submission/show/e277a5f2b437522a18f0bbb36268c92a-1438600267
http://urlquery.net/report.php?id=1438600387348
https://www.virustotal.com/en/url/9327dba6048752b51c9d8e1d76cf2b6df7a34efdd4fae7ff51ac4c9e3abe2d8d/analysis/
http://quttera.com/detailed_report/disorderstatus.ru
Title: Re: http://disorderstatus.ru/order.php alert persists
Post by: REDACTED on August 04, 2015, 08:24:13 AM
Hi Pondus

Thanks for responding.
Please see attached requested logs

Thanks =)
Title: Re: http://disorderstatus.ru/order.php alert persists
Post by: Pondus on August 04, 2015, 08:25:10 AM
malware experts will be online later today ....

Title: Re: http://disorderstatus.ru/order.php alert persists
Post by: essexboy on August 04, 2015, 04:21:19 PM
This was a present with the cracked Adobe you installed

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-2369146234-665257770-333335392-1000\...\Run: [AdobeBridge] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2015-08-04 06:53 - 2015-08-04 06:53 - 00000000 ____D C:\Program Files (x86)\Easy Auto Refresh
2015-08-04 06:52 - 2015-08-04 06:54 - 00000000 ____D C:\Program Files (x86)\bestadblocker
2015-08-04 06:50 - 2015-08-04 06:50 - 00000000 ____D C:\Program Files (x86)\CutThePirIcE
2015-08-04 06:48 - 2015-08-04 07:10 - 00000390 _____ C:\Windows\Tasks\TransmitAll.job
2015-08-04 06:48 - 2015-08-04 06:48 - 00003304 _____ C:\Windows\System32\Tasks\TransmitAll
2015-08-04 06:48 - 2015-08-04 06:48 - 00000000 ____D C:\Users\Armand\Downloads\Adobe_Sounbooth_CS5_3_keygen_by_orion (2)
2015-08-04 06:48 - 2015-08-04 06:48 - 00000000 ____D C:\ProgramData\{c7e36294-d8bc-3619-c7e3-36294d8b8a53}
2015-08-04 06:45 - 2015-08-04 06:46 - 00204920 _____ C:\Users\Armand\Downloads\Adobe_Sounbooth_CS5_3_keygen_by_orion (2).zip
2015-08-04 06:44 - 2015-08-04 06:44 - 01678049 _____ C:\Users\Armand\Downloads\Adobe_Sounbooth_CS5_3_keygen (2).zip
2009-07-14 01:31 - 2009-07-14 03:14 - 90646400 ___SH () C:\ProgramData\msihrbtj.exe
Task: {0C232C2B-617C-4217-8202-0AB3BA71A6C6} - System32\Tasks\TransmitAll => c:\programdata\{c7e36294-d8bc-3619-c7e3-36294d8b8a53}\adobe_sounbooth_cs5_3_keygen_by_orion.exe [2015-08-04] () <==== ATTENTION
Task: C:\Windows\Tasks\TransmitAll.job => c:\programdata\{c7e36294-d8bc-3619-c7e3-36294d8b8a53}\adobe_sounbooth_cs5_3_keygen_by_orion.exe <==== ATTENTION
c:\programdata\{c7e36294-d8bc-3619-c7e3-36294d8b8a53}
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
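The fixlist in the post above was assembled by reading the FRST scan for a few patterns: scheduled tasks whose target lives under ProgramData, a Run value whose file is gone ([X]), a hidden+system executable in ProgramData, and everything created in the minutes after the keygen download. As an added example that is not code from the thread, from Avast or from FRST, the Python below re-applies that reasoning to the scan lines quoted in the post and emits a fixlist in the same style (FRST accepts its own scan lines verbatim in fixlist.txt). The rule names, the STAGING_DIRS list and the 30-minute WINDOW are this example's assumptions, not FRST features.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) scan lines.

Added example, not code from the thread, from Avast or from FRST. It re-applies
the helper's reasoning: persistence pointing into user-writable staging
directories, a hidden+system executable under ProgramData, and everything
created shortly after the keygen download. Rule names, STAGING_DIRS and
WINDOW are this example's assumptions.
"""
import re
from datetime import datetime, timedelta

# Scan lines copied from the fixlist posted in the thread above.
FRST_SAMPLE = r"""
HKU\S-1-5-21-2369146234-665257770-333335392-1000\...\Run: [AdobeBridge] => [X]
2015-08-04 06:53 - 2015-08-04 06:53 - 00000000 ____D C:\Program Files (x86)\Easy Auto Refresh
2015-08-04 06:52 - 2015-08-04 06:54 - 00000000 ____D C:\Program Files (x86)\bestadblocker
2015-08-04 06:50 - 2015-08-04 06:50 - 00000000 ____D C:\Program Files (x86)\CutThePirIcE
2015-08-04 06:48 - 2015-08-04 07:10 - 00000390 _____ C:\Windows\Tasks\TransmitAll.job
2015-08-04 06:48 - 2015-08-04 06:48 - 00003304 _____ C:\Windows\System32\Tasks\TransmitAll
2015-08-04 06:48 - 2015-08-04 06:48 - 00000000 ____D C:\Users\Armand\Downloads\Adobe_Sounbooth_CS5_3_keygen_by_orion (2)
2015-08-04 06:48 - 2015-08-04 06:48 - 00000000 ____D C:\ProgramData\{c7e36294-d8bc-3619-c7e3-36294d8b8a53}
2015-08-04 06:45 - 2015-08-04 06:46 - 00204920 _____ C:\Users\Armand\Downloads\Adobe_Sounbooth_CS5_3_keygen_by_orion (2).zip
2015-08-04 06:44 - 2015-08-04 06:44 - 01678049 _____ C:\Users\Armand\Downloads\Adobe_Sounbooth_CS5_3_keygen (2).zip
2009-07-14 01:31 - 2009-07-14 03:14 - 90646400 ___SH () C:\ProgramData\msihrbtj.exe
Task: {0C232C2B-617C-4217-8202-0AB3BA71A6C6} - System32\Tasks\TransmitAll => c:\programdata\{c7e36294-d8bc-3619-c7e3-36294d8b8a53}\adobe_sounbooth_cs5_3_keygen_by_orion.exe [2015-08-04] () <==== ATTENTION
Task: C:\Windows\Tasks\TransmitAll.job => c:\programdata\{c7e36294-d8bc-3619-c7e3-36294d8b8a53}\adobe_sounbooth_cs5_3_keygen_by_orion.exe <==== ATTENTION
"""

# FRST file entry: "created - modified - size attrs [(company)] path"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
                     r"(\d+) ([_A-Z]{5}) (?:\([^)]*\) )?(.+)$")
RUN_RE = re.compile(r"^(?P<key>.+\\Run): \[(?P<name>[^\]]+)\] => (?P<target>.+)$")
STAGING_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
CRACK_WORDS = re.compile(r"keygen|crack|patch|activator", re.I)
WINDOW = timedelta(minutes=30)  # assumption: files this close to the dropper arrived with it


def task_target(line):
    """Executable a 'Task:' line points at, minus FRST's date, company and ATTENTION suffixes."""
    rhs = line.split(" => ", 1)[1].split(" <====")[0]
    return re.sub(r"\s+\[\d{4}-\d{2}-\d{2}\]\s*\([^)]*\)\s*$", "", rhs).strip()


def parse(text):
    """Turn scan lines into dicts; line types this example does not model are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        fm, rm = FILE_RE.match(raw), RUN_RE.match(raw)
        if fm:
            entries.append({"kind": "file", "raw": raw, "path": fm.group(5), "attrs": fm.group(4),
                            "created": datetime.strptime(fm.group(1), "%Y-%m-%d %H:%M")})
        elif raw.startswith("Task: "):
            entries.append({"kind": "task", "raw": raw, "target": task_target(raw)})
        elif rm:
            entries.append({"kind": "run", "raw": raw, "name": rm["name"], "target": rm["target"]})
    return entries


def triage(entries):
    """Map rule name -> subjects (task targets, Run value names or paths) that tripped it."""
    f = {"task_in_staging": [], "crack_tool_in_task": [], "orphaned_run": [],
         "hidden_system_exe": [], "created_with_dropper": []}
    for e in entries:
        if e["kind"] == "task":
            low = e["target"].lower()
            if any(d in low for d in STAGING_DIRS):  # legitimate tasks run from Program Files/System32
                f["task_in_staging"].append(e["target"])
            if CRACK_WORDS.search(low):
                f["crack_tool_in_task"].append(e["target"])
        elif e["kind"] == "run" and e["target"] == "[X]":  # FRST's marker for a missing file
            f["orphaned_run"].append(e["name"])
        elif e["kind"] == "file":
            p = e["path"].lower()
            if p.startswith("c:\\programdata\\") and p.endswith(".exe") and {"S", "H"} <= set(e["attrs"]):
                f["hidden_system_exe"].append(e["path"])
    # Timeline correlation: anchor on the earliest keygen/crack artefact, sweep WINDOW after it.
    # An entry whose timestamps predate everything else (the 2009 exe above) escapes this rule,
    # which is why the attribute rule above is kept separately.
    files = [e for e in entries if e["kind"] == "file"]
    anchors = [e["created"] for e in files if CRACK_WORDS.search(e["path"])]
    if anchors:
        t0 = min(anchors)
        f["created_with_dropper"] = [e["path"] for e in files if t0 <= e["created"] <= t0 + WINDOW]
    return f


def to_fixlist(entries, findings):
    """Assemble a fixlist.txt like the one posted: FRST accepts its own scan lines verbatim."""
    flagged = set().union(*findings.values())
    body = [e["raw"] for e in entries
            if e.get("target") in flagged or e.get("name") in flagged or e.get("path") in flagged]
    return "\n".join(["CreateRestorePoint:", *body, "EmptyTemp:"])


if __name__ == "__main__":
    ents = parse(FRST_SAMPLE)
    for rule, hits in triage(ents).items():
        print(f"{rule}: {len(hits)} hit(s)")
    print(to_fixlist(ents, triage(ents)))
```

On the lines quoted from the post, both TransmitAll task entries, the orphaned AdobeBridge Run value, the hidden msihrbtj.exe and the nine items created between 06:44 and 06:53 are flagged, which is the same set the helper put in the fixlist. The posted fixlist also removes the bare GUID directory, resets proxy settings (RemoveProxy:) and clears BITS jobs (bitsadmin /reset /allusers); those steps are not derived from scan lines and are not generated here. Output like this is a triage aid for a human reviewer, not something to run against a machine unread.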
Title: Re: http://disorderstatus.ru/order.php alert persists
Post by: REDACTED on August 05, 2015, 05:13:01 PM
Hi essexboy

Thank you for your response
Please find attached the requested log files.

Thanks =)
Title: Re: http://disorderstatus.ru/order.php alert persists
Post by: essexboy on August 05, 2015, 07:09:09 PM
Have the alerts now ceased?