Print Page - Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php

Other => Viruses and worms => Topic started by: REDACTED on August 05, 2015, 08:51:22 AM

Title: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 05, 2015, 08:51:22 AM

Hello. I started getting popups from Avast around 30 mins ago and they haven't stopped. Is it a consistent/continuous malware attack? I don't know anything at all :-\ was hoping to get some help as to how I can get this virus/malware cleaned from my system.

1st Popup:

URL: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

2nd Popup:

URL: http://differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

thank you very much! and good day

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: Asyn on August 05, 2015, 08:52:33 AM

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 05, 2015, 08:57:07 AM

Will do so now

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: TwinHeadedEagle on August 05, 2015, 10:18:40 AM

Monitoring...

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 05, 2015, 12:10:44 PM

Malwarebytes Scan Log
FRST Scan Log
ADDITION Log
aswMBR Scan Log

sorry for the little bit late reply. Power was out.

*note: Popups stopped appearing right after MalwareBytes detected, and deleted, 3 infection.

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: TwinHeadedEagle on August 05, 2015, 12:29:10 PM

MalwareBytes deleted registry entries, but file is still there:

(https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) Fix with Farbar Recovery Scan Tool

(https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif) This fix was created for this user for use on that particular machine. (https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif)
(https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif) Running it on another one may cause damage and render the system unstable. (https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif)

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

Right-click on (https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) icon and select (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg) Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
Press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 05, 2015, 12:41:24 PM

Here it is

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 05, 2015, 12:53:43 PM

Would also like to follow on the status of my flash drive. I'm only guessing that this is where I got the infection in the first place? Would want to know how I could clean it, if ever; and if I have to do the whole cleaning process again if ever I plug my flash drive into my laptop

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: TwinHeadedEagle on August 05, 2015, 01:42:30 PM

Please download MCShield from one of the following links:

MCShield -Official download link (http://'http://www.mcshield.net/download.html')

Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install ... per installation click on Run! button.
Wait a few seconds to MCShield finish initial HDD scan...
Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to post a logreport that MCShield has created.

Under Logs tab (in Control Center (http://'http://www.mcshield.net/personal/magna86/Images/MCShield%27s%20Control%20Center.jpg')) for AllScans.txt log section click on Save button. AllScanst.txt report shall be located on your Desktop.

=> Post here AllScanst.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 05, 2015, 02:01:36 PM

Here is all scans log from MCShield. Are we all clean now? :)

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: TwinHeadedEagle on August 05, 2015, 02:19:50 PM

Can you copy/paste MCShield report?

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 05, 2015, 02:23:25 PM

>>> MCShield AllScans.txt <<<

-----------------------------

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<

8/5/2015 7:39:00 PM > Drive C: - scan started (Acer ~719 GB, NTFS HDD )...

=> The drive is clean.

8/5/2015 7:39:01 PM > Drive E: - scan started (no label ~195 GB, NTFS HDD )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<

8/5/2015 7:39:55 PM > Drive G: - scan started (Sandisk ~7632 MB, NTFS flash drive )...

>>> G:\Sandisk (8GB).lnk - Malware > Deleted. (15.08.05. 19.39 Sandisk (8GB).lnk.402355; MD5: e7c10cf75a4f66f2039b52be686d0df7)

> Resetting attributes: G:\ < Successful.

=> Malicious files : 1/1 deleted.
=> Hidden folders : 1/1 unhidden.

____________________________________________

::::: Scan duration: 1sec ::::::::::::::::::
____________________________________________

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<

8/5/2015 7:41:59 PM > Drive G: - scan started (Sandisk ~7632 MB, NTFS flash drive )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<

8/5/2015 7:43:34 PM > Drive G: - scan started (Sandisk ~7632 MB, NTFS flash drive )...

=> The drive is clean.

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 05, 2015, 02:23:50 PM

was that the report you were looking for?

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: TwinHeadedEagle on August 05, 2015, 02:29:12 PM

Yes, and with this report we're done here :)

Post-cleanup procedures:

Download DelFix (http://www.bleepingcomputer.com/download/delfix/) by Xplode and save it to your desktop.

Run the tool by right click on the (http://www.imgdumper.nl/uploads6/51a5ce45267c1/51a5ce45263de-delfix.png) icon and Run as administrator option.
Make sure that these ones are checked:

Remove disinfection tools
Purge system restore
Reset system settings

Push Run and wait until the tool completes his work.
All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 05, 2015, 02:46:33 PM

Thank you very much!! a great first time asking for help on the avast forums. big thumbs up

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 06, 2015, 03:03:44 PM

hello sir. I stumbled on this thread looking for solutions for the same problem. i was about to do the same but you said that "This fix was created for this user for use on that particular machine." please help me with this problem also. Thanks in advance :)

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: Asyn on August 06, 2015, 03:38:58 PM

Quote from: jhuz17 on August 06, 2015, 03:03:44 PM

hello sir. I stumbled on this thread looking for solutions for the same problem. i was about to do the same but you said that "This fix was created for this user for use on that particular machine." please help me with this problem also. Thanks in advance :)

Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on August 09, 2015, 04:20:36 AM

Same problem here. I am using Win7. Should I do the same process that you have instructed?

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: Asyn on August 09, 2015, 06:29:27 AM

Quote from: AuSalCo on August 09, 2015, 04:20:36 AM

Same problem here. I am using Win7. Should I do the same process that you have instructed?

Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: REDACTED on November 30, 2015, 03:23:56 AM

Hai, my name is Hendra. I'm from indonesia. I get same problem with this malware
What should I do to fix the problem? Or I should be re-instal my PC? :-\
Thank you , please help as soon as possible :)

Title: Re: Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php
Post by: Asyn on November 30, 2015, 04:27:51 AM

Quote from: Hendra4 on November 30, 2015, 03:23:56 AM

Hai, my name is Hendra. I'm from indonesia. I get same problem with this malware
What should I do to fix the problem? Or I should be re-instal my PC? :-\
Thank you , please help as soon as possible :)

Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0

Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on August 05, 2015, 08:51:22 AM