Help! disorderstatus.ru/order.php and http://differentia.ru/diff.php

[REDACTED]

Hello. I started getting popups from Avast around 30 mins ago and they haven't stopped. Is it a consistent/continuous malware attack? I don't know anything at all  was hoping to get some help as to how I can get this virus/malware cleaned from my system.

1st Popup:

URL: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe


2nd Popup:

URL: http://differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

thank you very much! and good day

[Asyn]

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0

[REDACTED]

Will do so now

[TwinHeadedEagle]

Monitoring...

[REDACTED]

Malwarebytes Scan Log
FRST Scan Log
ADDITION Log
aswMBR Scan Log

sorry for the little bit late reply. Power was out.

*note: Popups stopped appearing right after MalwareBytes detected, and deleted, 3 infection.

[TwinHeadedEagle]

MalwareBytes deleted registry entries, but file is still there:


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
  
• Press the Fix button just once and wait.
  
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.
  

Please attach it to your reply.

[REDACTED]

Here it is

[REDACTED]

Would also like to follow on the status of my flash drive. I'm only guessing that this is where I got the infection in the first place? Would want to know how I could clean it, if ever; and if I have to do the whole cleaning process again if ever I plug my flash drive into my laptop

[TwinHeadedEagle]

Please download MCShield from one of the following links:

MCShield -Official download link

• Double click on MCShield-Setup to install the application.
  Next => I Agree => Next => Install ... per installation click on Run! button.
  
• Wait a few seconds to MCShield finish initial HDD scan...
• Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
• When all scanning is done, you need to post a logreport that MCShield has created.

Under Logs tab (in Control Center) for AllScans.txt log section click on Save button. AllScanst.txt report shall be located on your Desktop.

=> Post here AllScanst.txt


Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

[REDACTED]

Here is all scans log from MCShield. Are we all clean now?

[TwinHeadedEagle]

Can you copy/paste MCShield report?

[REDACTED]

>>> MCShield AllScans.txt <<<

-----------------------------




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<


8/5/2015 7:39:00 PM > Drive C: - scan started (Acer ~719 GB, NTFS HDD )...



=> The drive is clean.


8/5/2015 7:39:01 PM > Drive E: - scan started (no label ~195 GB, NTFS HDD )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<


8/5/2015 7:39:55 PM > Drive G: - scan started (Sandisk ~7632 MB, NTFS flash drive )...


>>> G:\Sandisk (8GB).lnk - Malware > Deleted. (15.08.05. 19.39 Sandisk (8GB).lnk.402355; MD5: e7c10cf75a4f66f2039b52be686d0df7)

> Resetting attributes: G:\  < Successful.


=> Malicious files   : 1/1 deleted.
=> Hidden folders    : 1/1 unhidden.

____________________________________________

::::: Scan duration: 1sec ::::::::::::::::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<


8/5/2015 7:41:59 PM > Drive G: - scan started (Sandisk ~7632 MB, NTFS flash drive )...



=> The drive is clean.





MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2015.7.25.1 / Windows 8.1 <<<


8/5/2015 7:43:34 PM > Drive G: - scan started (Sandisk ~7632 MB, NTFS flash drive )...



=> The drive is clean.

[REDACTED]

was that the report you were looking for?

[TwinHeadedEagle]

Yes, and with this report we're done here

Post-cleanup procedures:

Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the icon and Run as administrator option.
  
• Make sure that these ones are checked:
• Remove disinfection tools
• Purge system restore
• Reset system settings
• Push Run and wait until the tool completes his work.
  
• All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt)
  

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

[REDACTED]

Thank you very much!! a great first time asking for help on the avast forums. big thumbs up