disorderstatus malware

[REDACTED]

Hi,
I recently had repeated and continuing popup messages from Avast having blocked
http://disorderstatus.ru/order.php
and
http://differentia.ru/diff.php
both appearing on the process: C:\Windows\SysWOW64\msiexec.exe

I ended the process using task manager and the symptoms have ceased. I doubt this has rectified my problem.
Scans with avast didn't detect any infected files.

I was fairly certain it started after using a usb pen drive. I installed MCShield which scanned the drive and deleted malware. Scan log attached.

I installed MBAM and FRST and scanned with both. Logs attached.

I was silly and the first time I ran MBAM I didn't export log information. It detected and quarantined 1 item:
Vendor: PUP.Optional.PageStarter
Type: Registry Value
Location: HKU\S-1-5-21-2141295651-759630508-1624318672-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load

Any further assistance in removing this malware would be greatly appreciated.

[Pondus]

I installed MCShield which scanned the drive and deleted malware. Scan log attached.

MCShield log must be copy and paste (not attach) or we cant read it ... some forum issue

[REDACTED]

MCShield log:

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.9.13.1 / Windows 7 <<<


13/09/2015 02:28:20 PM > Drive E: - scan started (VERBATIM ~3693 MB, FAT32 flash drive )...


>>> E:\VERBATIM (4GB).lnk - Malware > Deleted. (15.09.13. 14.28 VERBATIM (4GB).lnk.213406; MD5: 1e18d60eae2be0d9ec9aa4ca1fdf41b6)

> Resetting attributes: E:\  < Successful.


=> Malicious files   : 1/1 deleted.
=> Hidden folders    : 1/1 unhidden.

____________________________________________

::::: Scan duration: 4sec ::::::::::::::::::
____________________________________________

[Pondus]

there may be some waiting time, Essexboy that does most of the fixes here is on vacation (think he is back tomorrow) and the other guys are in different time zones

[REDACTED]

That's no problem. I appreciate the response.

[dbrisendine]

FIRST >>>>

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.


SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

• Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  You will see the following console:
  
  
• Click the Scan button and wait for the scan to finish.
• After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
• Click the Clean button.
• Everything checked will be deleted.
• When the program has finished cleaning a report appears.
• Once done it will ask to reboot, allow this

• On reboot a log will be produced; please attach that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt
  
  Optional:
  
  NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

[REDACTED]

I've attached both scan logs. Both programs required a system reboot. As I said in my first post, there are now no symptoms of the initial infection. The system seems to be running normally.

Thanks for your help so far.

[dbrisendine]

The logs look great; you're on your way then!!


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

• Download Delfix from here to your desktop and double click it to start the program
  
• Ensure Remove disinfection tools is ticked
  Also tick:
  
• Activate UAC
• Create registry backup
• Purge system restore
• Reset system settings

• Click Run
  
• The program will run for a few moments and then notepad will open with a log. Please attach the log in your next reply.
  

You can delete any log files left on your desktop as these are no longer needed.

[REDACTED]

I ran Delfix, and AdwCleaner and FRST appear to be removed. Everything seems hunky dory. I've attached the last log.

Thanks so much for all your help. All the instructions were really easy to follow. This forum is a real asset!

Hopefully my baby's clean again 

[REDACTED]

Hi, sorry for barging in on your topic, but did you clean everything that AdwCleaner found or just suspicious files?

I've got the exact same issue since I plugged my usb memory stick into one of college computers a day ago. Avast didn't find anything related with a full system scan.

AdwCleaner log:

# AdwCleaner v5.007 - Logfile created 15/09/2015 at 12:13:12
# Updated 08/09/2015 by Xplode
# Database : 2015-09-10.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : User - USER
# Running from : C:\Users\User\Desktop\adwcleaner_5.007.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\ProgramData\EmailNotifier
Folder Found : C:\Users\User\AppData\Local\Innovative Solutions
Folder Found : C:\Users\User\AppData\Roaming\dvdvideosoftiehelpers
Folder Found : C:\Users\User\AppData\Roaming\WebExtend

***** [ Files ] *****

File Found : C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\w1tq8ttt.default\Extensions\{b64d9b05-48e1-4ceb-bf58-e0643994e900}.xpi

***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Google\Chrome\Extensions\nikpibnbobmbdbheedjfogjlikpgpnhp
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\SiteSee
Key Found : [x64] HKCU\Software\Softonic

***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1539 bytes] ##########