Author Topic: popups! disorderstatus.ru/order.php and/differentia.ru/diff.php  (Read 5234 times)


REDACTED

  • Guest
popups! disorderstatus.ru/order.php and/differentia.ru/diff.php
« on: November 12, 2015, 05:03:37 PM »
Hello! I've been getting these popups today on Avast every 30 seconds or so ever since I had to use a friend's USB. I already tried checking to see if it could be uninstalled in 'Programs and Features' or if maybe it was installed without my knowledge as an extension on Chrome. PLS HELP! I'm worried that the longer this is left unresolved, the more likely it is that the situation with my laptop could get worse.

1st Popup:

URL: disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe


2nd Popup:

URL: differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

thank youuuuu!

(will follow up with attachments soon)
« Last Edit: November 12, 2015, 05:49:12 PM by oppai hoodie »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: popups! disorderstatus.ru/order.php and http://differentia.ru/diff.php
« Reply #1 on: November 12, 2015, 05:24:04 PM »
Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
Attach the Malwarebytes and Farbar Recovery Scan Tool logs .... 3 logs total


See below the box you write in ... Attachments and other options



Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: popups! disorderstatus.ru/order.php and http://differentia.ru/diff.php
« Reply #2 on: November 12, 2015, 05:26:03 PM »
Quote
ever since i had to use a friends usb.
So most likely your friend's computer also has an infection and should get checked here as well.
We can also clean the USB stick that was used ...


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: popups! disorderstatus.ru/order.php and http://differentia.ru/diff.php
« Reply #3 on: November 12, 2015, 05:43:58 PM »
oppai hoodie

make the links not clickable.
We do not want people to visit malicious websites.

REDACTED

  • Guest
Re: popups! disorderstatus.ru/order.php and http://differentia.ru/diff.php
« Reply #4 on: November 12, 2015, 05:47:10 PM »
The thing is, my friend doesn't have a computer, so I have no idea where she got the infection.  :-\
BTW, after I ran a threat scan the popups have stopped. Does this mean the infection is completely gone, or is there a chance that it's still hiding somewhere?

also a big thank you again for looking into this
« Last Edit: November 14, 2015, 10:44:45 PM by oppai hoodie »

REDACTED

  • Guest
Re: popups! disorderstatus.ru/order.php and http://differentia.ru/diff.php
« Reply #5 on: November 12, 2015, 05:48:17 PM »
Quote
oppai hoodie

make the links not clickable.
We do not want people to visit malicious websites.

Oh damn, sorry about that.
Thanks for pointing that out.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: popups! disorderstatus.ru/order.php and/differentia.ru/diff.php
« Reply #6 on: November 12, 2015, 07:02:01 PM »
Did you install windivert ?

Quote
WinDivert is a user-mode capture/sniffing/modification/blocking/re-injection package for Windows Vista, Windows Server 2008, Windows 7, and Windows 8. WinDivert can be used to implement user-mode packet filters, packet sniffers, firewalls, NAT, VPNs, tunneling applications, etc., without the need to write kernel-mode code.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
S5 WinDivert1.1;  <===== ATTENTION: Locked Service
cmd: sc stop WinDivert1.1
cmd: sc delete WinDivert1.1
2013-08-22 11:56 - 2013-08-22 11:56 - 104827520 ___SH () C:\ProgramData\msjzsvc.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix.
On completion a log will be generated; please post that.
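A read-only triage script that checks a machine for the indicators named in the fixlist above (the locked WinDivert1.1 service, the hidden msjzsvc.exe in ProgramData, the orphaned BHO CLSID, the local IPSec policy key and any user proxy). This is an added example, not essexboy's fix and not FRST's own output; it assumes Windows PowerShell 5.1 run from an elevated prompt and changes nothing.

```powershell
# Added example (not from the thread): report-only check for the fixlist indicators.
# Assumption: Windows PowerShell 5.1, elevated. Nothing is stopped, deleted or modified.
$Clsid    = '{B4F3A835-0E21-4959-BA22-42B3008E02FF}'
$Findings = @()

# 1. Locked service that the fix stops and deletes (sc stop / sc delete)
$svc = Get-Service -Name 'WinDivert1.1' -ErrorAction SilentlyContinue
if ($svc) {
    $svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDivert1.1'
    $svcPath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $Findings += "Service WinDivert1.1 present (status $($svc.Status)), ImagePath: $svcPath"
}

# 2. Dropped file carrying the System+Hidden attributes (___SH in the FRST line)
$file = 'C:\ProgramData\msjzsvc.exe'
if (Test-Path -LiteralPath $file) {
    $item = Get-Item -LiteralPath $file -Force          # -Force shows hidden/system files
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    $Findings += "File $file present: $($item.Length) bytes, attributes $($item.Attributes), SHA256 $hash"
}

# 3. BHO registration with no backing file, in both the 64-bit and WOW64 registry views
$bhoKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
)
foreach ($k in $bhoKeys) {
    if (Test-Path -Path $k) { $Findings += "BHO registration present: $k" }
}

# 4. Local IPSec policy store that the fix deletes and recreates empty
$ipsec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
if (Test-Path -Path $ipsec) {
    $n = (Get-ChildItem -Path $ipsec -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
    $Findings += "Local IPSec policy key present with $n subkeys (review before trusting the network path)"
}

# 5. User proxy setting that the RemoveProxy: directive clears
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $Findings += "User proxy enabled: $($inet.ProxyServer)" }

if ($Findings.Count -gt 0) { $Findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'None of the fixlist indicators were found on this machine.' }
```

Any hit confirms that the FRST fix is still needed on this machine; an all-clear only covers these five indicators, so the FRST log is still the thing to post.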

REDACTED

  • Guest
Re: popups! disorderstatus.ru/order.php and/differentia.ru/diff.php
« Reply #7 on: November 12, 2015, 10:30:02 PM »
Quote
Did you install windivert ?

Nope. Do I still have to?
I mean, the popups stopped right after I downloaded Malwarebytes and ran a threat scan.
« Last Edit: November 12, 2015, 10:39:09 PM by oppai hoodie »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: popups! disorderstatus.ru/order.php and/differentia.ru/diff.php
« Reply #8 on: November 12, 2015, 10:44:11 PM »
Run FRST, as MBAM did not kill the file.

REDACTED

  • Guest
Re: popups! disorderstatus.ru/order.php and/differentia.ru/diff.php
« Reply #9 on: November 12, 2015, 11:36:07 PM »
Here it is:
« Last Edit: November 13, 2015, 05:49:38 PM by oppai hoodie »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: popups! disorderstatus.ru/order.php and/differentia.ru/diff.php
« Reply #10 on: November 13, 2015, 01:43:53 PM »
That service did not want to go .. Is your Windows genuine?

REDACTED

  • Guest
Re: popups! disorderstatus.ru/order.php and/differentia.ru/diff.php
« Reply #11 on: November 13, 2015, 02:17:09 PM »
I'm actually not sure. I think I just had a friend install it for me  :-\

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: popups! disorderstatus.ru/order.php and/differentia.ru/diff.php
« Reply #12 on: November 13, 2015, 03:12:05 PM »
It appears to be illegal

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
« Last Edit: November 13, 2015, 03:54:33 PM by essexboy »

REDACTED

  • Guest
Re: popups! disorderstatus.ru/order.php and/differentia.ru/diff.php
« Reply #13 on: November 13, 2015, 04:01:53 PM »
Quote
It appears to be illegal

Oh geez, I had a feeling it was.
Sorry if this makes things more of a hassle.


Quote
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Will get right to it now.

REDACTED

  • Guest
Re: popups! disorderstatus.ru/order.php and/differentia.ru/diff.php
« Reply #14 on: November 13, 2015, 04:10:01 PM »
done
« Last Edit: November 14, 2015, 10:43:56 PM by oppai hoodie »