Author Topic: disorderstatus and differentia malware. HELP!!!

REDACTED

  • Guest
disorderstatus and differentia malware. HELP!!!
« on: August 19, 2015, 07:16:56 PM »
Avast keeps popping up on my PC which displays these:

Object: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\system32\msiexec.exe

and

Object: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\system32\msiexec.exe

I ran the software listed in the other thread (needed before starting new topics) and here are the log files.
I stopped the aswMBR scan as it took so much time.
Can somebody please help me fix this? Thank you so much in advance.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: disorderstatus and differentia malware. HELP!!!
« Reply #1 on: August 19, 2015, 09:02:44 PM »
Let me know if this stops it

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:
 
Quote
CreateRestorePoint:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://websearch.searchsun.info/?pid=2134&r=2014/05/17&hid=18007715594285545861&lg=EN&cc=IN&unqvl=52
HKU\S-1-5-21-483985569-2991844374-3087840349-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://astromenda.com/?f=1&a=ast_ir_14_35_ff&cd=2XzuyEtN2Y1L1QzutDtDtC0F0DtD0EyByEtDyCtAtA0DyB0FtN0D0Tzu0SzyyBtCtN1L2XzutAtFtDtFtCtDtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StByDzz0FtD0E0E0CtG0B0D0C0AtGyCtC0AyDtG0A0F0D0CtGyEtCtA0FtB0C0E0AtAtCyBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0CyEtByEyByCtGzyzztBtDtGyEyDtB0DtGzytD0DyCtGzzzyyD0E0B0E0AtAyB0ByEtD2Q&cr=1790537196&ir=
SearchScopes: HKLM -> DefaultScope {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_ir_14_35_ff&cd=2XzuyEtN2Y1L1QzutDtDtC0F0DtD0EyByEtDyCtAtA0DyB0FtN0D0Tzu0SzyyBtCtN1L2XzutAtFtDtFtCtDtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StByDzz0FtD0E0E0CtG0B0D0C0AtGyCtC0AyDtG0A0F0D0CtGyEtCtA0FtB0C0E0AtAtCyBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0CyEtByEyByCtGzyzztBtDtGyEyDtB0DtGzytD0DyCtGzzzyyD0E0B0E0AtAyB0ByEtD2Q&cr=1790537196&ir=
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = hxxp://websearch.searchsun.info/?l=1&q={searchTerms}&pid=2134&r=2014/05/17&hid=18007715594285545861&lg=EN&cc=IN&unqvl=52
SearchScopes: HKLM -> {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_ir_14_35_ff&cd=2XzuyEtN2Y1L1QzutDtDtC0F0DtD0EyByEtDyCtAtA0DyB0FtN0D0Tzu0SzyyBtCtN1L2XzutAtFtDtFtCtDtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StByDzz0FtD0E0E0CtG0B0D0C0AtGyCtC0AyDtG0A0F0D0CtGyEtCtA0FtB0C0E0AtAtCyBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0CyEtByEyByCtGzyzztBtDtGyEyDtB0DtGzytD0DyCtGzzzyyD0E0B0E0AtAyB0ByEtD2Q&cr=1790537196&ir=
SearchScopes: HKU\S-1-5-21-483985569-2991844374-3087840349-1000 -> DefaultScope {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_ir_14_35_ff&cd=2XzuyEtN2Y1L1QzutDtDtC0F0DtD0EyByEtDyCtAtA0DyB0FtN0D0Tzu0SzyyBtCtN1L2XzutAtFtDtFtCtDtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StByDzz0FtD0E0E0CtG0B0D0C0AtGyCtC0AyDtG0A0F0D0CtGyEtCtA0FtB0C0E0AtAtCyBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0CyEtByEyByCtGzyzztBtDtGyEyDtB0DtGzytD0DyCtGzzzyyD0E0B0E0AtAyB0ByEtD2Q&cr=1790537196&ir=
SearchScopes: HKU\S-1-5-21-483985569-2991844374-3087840349-1000 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = hxxp://websearch.searchsun.info/?l=1&q={searchTerms}&pid=2134&r=2014/05/17&hid=18007715594285545861&lg=EN&cc=IN&unqvl=52
SearchScopes: HKU\S-1-5-21-483985569-2991844374-3087840349-1000 -> {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_ir_14_35_ff&cd=2XzuyEtN2Y1L1QzutDtDtC0F0DtD0EyByEtDyCtAtA0DyB0FtN0D0Tzu0SzyyBtCtN1L2XzutAtFtDtFtCtDtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StByDzz0FtD0E0E0CtG0B0D0C0AtGyCtC0AyDtG0A0F0D0CtGyEtCtA0FtB0C0E0AtAtCyBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0CyEtByEyByCtGzyzztBtDtGyEyDtB0DtGzytD0DyCtGzzzyyD0E0B0E0AtAyB0ByEtD2Q&cr=1790537196&ir=
FF DefaultSearchEngine: Astromenda
FF DefaultSearchEngine,S: WebSearch
FF DefaultSearchUrl: hxxp://websearch.searchsun.info/?pid=2134&r=2014/05/17&hid=18007715594285545861&lg=EN&cc=IN&unqvl=52&l=1&q=
FF SearchEngineOrder.1: WebSearch
FF SearchEngineOrder.1,S: WebSearch
FF SelectedSearchEngine: Astromenda
FF SelectedSearchEngine,S: WebSearch
FF Homepage: hxxp://astromenda.com/?f=1&a=ast_ir_14_35_ff&cd=2XzuyEtN2Y1L1QzutDtDtC0F0DtD0EyByEtDyCtAtA0DyB0FtN0D0Tzu0SzyyBtCtN1L2XzutAtFtDtFtCtDtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StByDzz0FtD0E0E0CtG0B0D0C0AtGyCtC0AyDtG0A0F0D0CtGyEtCtA0FtB0C0E0AtAtCyBzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0CyEtByEyByCtGzyzztBtDtGyEyDtB0DtGzytD0DyCtGzzzyyD0E0B0E0AtAyB0ByEtD2Q&cr=1790537196&ir=
FF Keyword.URL: hxxp://websearch.searchsun.info/?pid=2134&r=2014/05/17&hid=18007715594285545861&lg=EN&cc=IN&unqvl=52&l=1&q=
FF SearchPlugin: C:\Users\kandhan\AppData\Roaming\Mozilla\Firefox\Profiles\63b3dk12.default\searchplugins\Astromenda.xml [2014-08-30]
FF SearchPlugin: C:\Users\kandhan\AppData\Roaming\Mozilla\Firefox\Profiles\63b3dk12.default\searchplugins\WebSearch.xml [2014-05-19]
FF Extension: YoutubeAdblocker - C:\Users\kandhan\AppData\Roaming\Mozilla\Firefox\Profiles\63b3dk12.default\Extensions\mmjvgcpt-au@fob-imucx.co.uk [2014-05-19]
FF Extension: savue neTa - C:\Users\kandhan\AppData\Roaming\Mozilla\Firefox\Profiles\63b3dk12.default\Extensions\s.a@spxgcwzsjp.co.uk [2014-05-19]
CHR HKU\S-1-5-21-483985569-2991844374-3087840349-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\kandhan\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2014-09-15]
CHR HKU\S-1-5-21-483985569-2991844374-3087840349-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-483985569-2991844374-3087840349-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pfkfdlcdbajamklbneflfbcmfgddmpae] - https://clients2.google.com/service/update2/crx
2014-12-02 15:49 - 2014-12-02 15:49 - 0022528 _____ () C:\Users\kandhan\AppData\Local\dsisetup21179782.exe
2014-12-18 20:49 - 2014-12-18 20:49 - 0022528 _____ () C:\Users\kandhan\AppData\Local\dsisetup37922282.exe
2014-04-08 20:54 - 2010-11-20 17:47 - 94796288 ___SH () C:\ProgramData\msdtsjnq.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.
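A verification pass a responder can run from an elevated PowerShell prompt after FRST has applied the fix above, to confirm that the registry values, files and Firefox profile items named in the fixlist are actually gone. This is an added example, not part of essexboy's instructions or of FRST/AdwCleaner; it assumes the user SID, Firefox profile folder and file paths are exactly as quoted in the fixlist.

```powershell
# Constructed post-fix check (not part of the thread's fix). Assumes the SID,
# profile folder and file paths quoted in the fixlist above are still accurate.
$sid      = 'S-1-5-21-483985569-2991844374-3087840349-1000'
$badHosts = @('astromenda.com', 'websearch.searchsun.info', 'disorderstatus.ru')
$userHive = "Registry::HKEY_USERS\$sid"   # only present while that user is logged on
$findings = @()

function Test-BadUrl([string]$Value) {
    foreach ($h in $badHosts) { if ($Value -like "*$h*") { return $true } }
    return $false
}

# 1. IE Start Page values the fix resets (HKLM and the user's hive)
foreach ($key in @('HKLM:\Software\Microsoft\Internet Explorer\Main',
                   "$userHive\Software\Microsoft\Internet Explorer\Main")) {
    $sp = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($sp -and (Test-BadUrl $sp)) { $findings += "Start Page still hijacked: $key = $sp" }
}

# 2. SearchScopes subkeys whose URL still points at the hijacker domains
foreach ($root in @('HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
                    "$userHive\Software\Microsoft\Internet Explorer\SearchScopes")) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty -Path $_.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
        if ($url -and (Test-BadUrl $url)) { $findings += "SearchScope still present: $($_.PSChildName) -> $url" }
    }
}

# 3. Files, Firefox search plugins and extensions the fix deletes
$ffProfile = 'C:\Users\kandhan\AppData\Roaming\Mozilla\Firefox\Profiles\63b3dk12.default'
$paths = @(
    'C:\Users\kandhan\AppData\Local\dsisetup21179782.exe',
    'C:\Users\kandhan\AppData\Local\dsisetup37922282.exe',
    'C:\ProgramData\msdtsjnq.exe',
    "$ffProfile\searchplugins\Astromenda.xml",
    "$ffProfile\searchplugins\WebSearch.xml",
    "$ffProfile\Extensions\mmjvgcpt-au@fob-imucx.co.uk",
    "$ffProfile\Extensions\s.a@spxgcwzsjp.co.uk"
)
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { $findings += "Still on disk: $p" } }

# 4. Firefox prefs.js: homepage / search prefs that still reference the hijacker domains
$prefs = Join-Path $ffProfile 'prefs.js'
if (Test-Path -LiteralPath $prefs) {
    Select-String -LiteralPath $prefs -Pattern ($badHosts -join '|') | ForEach-Object {
        $findings += "prefs.js still references hijacker: $($_.Line.Trim())"
    }
}

if ($findings.Count -eq 0) { 'No leftovers from the fixlist found.' } else { $findings }
```

Any line it prints is something the fix did not clear and should go back to the helper along with the FRST and AdwCleaner logs.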

REDACTED

  • Guest
Re: disorderstatus and differentia malware. HELP!!!
« Reply #2 on: August 20, 2015, 06:19:04 PM »
Thank you so much....!!!!!

It stopped popping up.
Is my system safe?

I have attached the documents you mentioned.

Offline essexboy
Re: disorderstatus and differentia malware. HELP!!!
« Reply #3 on: August 20, 2015, 06:38:47 PM »
Any further problems?