system
November 18, 2015, 8:19am
1
This morning I got pop-ups from Avast saying:
URL: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe
URL: http://differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe
I haven’t done anything but a scan from Avast, because after reading this topic https://forum.avast.com/index.php?topic=53253.0 I’m not sure what the first steps I should take are.
system
November 18, 2015, 9:11am
2
Ok, I followed the steps and here are the logs (attachments).
I would really appreciate the help.
Let me know if this stops it.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-21-1282577008-4036829767-2089237545-1000\...\CurrentVersion\Windows: [Load] C:\ProgramData\msrtv.exe <===== ATTENTION
2015-09-14 20:17 - 2015-06-15 22:42 - 89971584 ___SH () C:\ProgramData\msrtv.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.
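The fixlist above removes four things: a per-user Load value under CurrentVersion\Windows (a logon persistence location), a hidden+system executable in C:\ProgramData, a local IPSec policy, and any proxy settings and BITS jobs. The script below is an added read-only triage check for those same locations; it is not part of the original thread and not a feature of FRST. It assumes an elevated PowerShell prompt, and the specific indicators (the Load value, msrtv.exe) are only what the quoted FRST lines show; nothing else about the machine is known.

```powershell
# Added triage script (not from the thread or from FRST). Read-only: reports
# the persistence locations the fixlist touches and changes nothing.
# Assumes an elevated PowerShell session (HKU enumeration and BITS -AllUsers need it).

$findings = @()

# 1. The legacy "Load" and "Run" values under CurrentVersion\Windows start a
#    program at logon for that user. Check every loaded user hive, not just HKCU.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$userHives = Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
foreach ($hive in $userHives) {
    $key = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Windows"
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'Load', 'Run') {
            if ($props.$name) {
                $findings += [pscustomobject]@{ Where = "$key\$name"; What = $props.$name }
            }
        }
    }
}

# 2. Hidden+System .exe files directly in C:\ProgramData (the "___SH" attributes
#    in the FRST line). Legitimate software rarely sets both on an executable there.
foreach ($f in Get-ChildItem -Path 'C:\ProgramData' -Filter *.exe -Force -File -ErrorAction SilentlyContinue) {
    $a = $f.Attributes
    $isHidden = (($a -band [IO.FileAttributes]::Hidden) -ne 0) -and (($a -band [IO.FileAttributes]::System) -ne 0)
    if ($isHidden) {
        $findings += [pscustomobject]@{ Where = $f.FullName; What = "hidden+system, $($f.Length) bytes, modified $($f.LastWriteTime)" }
    }
}

# 3. A local IPSec policy under Policies can silently filter traffic. The first
#    fix deletes and re-creates this key; here we only report whether it has content.
$ipsec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
if (Test-Path $ipsec) {
    $sub = @(Get-ChildItem $ipsec -Recurse -ErrorAction SilentlyContinue)
    if ($sub.Count -gt 0) {
        $findings += [pscustomobject]@{ Where = $ipsec; What = "$($sub.Count) subkeys present" }
    }
}

# 4. Proxy settings for the current user (what RemoveProxy: clears).
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer -or $inet.AutoConfigURL) {
    $findings += [pscustomobject]@{
        Where = 'HKCU Internet Settings'
        What  = "ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer) AutoConfigURL=$($inet.AutoConfigURL)"
    }
}

# 5. BITS jobs for all users (what "bitsadmin /reset /allusers" removes).
#    Malware uses BITS to download quietly under a system service.
foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Where = "BITS job $($job.JobId)"; What = "$($job.DisplayName) state=$($job.JobState) owner=$($job.OwnerAccount)" }
}

if ($findings.Count -eq 0) { 'Nothing found in the checked locations.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run it before and after the FRST fix: the first run should show the Load value and the hidden executable, the second should show neither. If the Load value comes back after a reboot, something else (for example the file the USB carries, as the later posts in this thread find) is re-creating it.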
system
November 18, 2015, 12:50pm
6
No, it’s still happening.
But after I got the Fixlog, it was quiet for like a few minutes and then I plugged in my usb drive and it started again, although MCShield said that there is no malware on it. I’m not sure if it’s related.
system
November 18, 2015, 1:33pm
7
And now MCShield detects a malware on the usb drive…
Your USB is the source of the infection. Let MCShield clean it, then post a fresh FRST log.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-21-1282577008-4036829767-2089237545-1000\...\CurrentVersion\Windows: [Load] C:\ProgramData\msrtv.exe <===== ATTENTION
2015-09-14 20:17 - 2015-06-15 22:42 - 76138112 ___SH () C:\ProgramData\msrtv.exe
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.
system
November 18, 2015, 6:37pm
11
I think it’s solved. There are no pop-up messages, for now. Hope there won’t be any more. And I can successfully format my USB without leftover folders.
I was in a hurry today, so I took a second USB drive to take some files with me, and now I’m not sure if it’s infected as well. I’m hesitating to plug that one in. Will I need to repeat all of this again with the second USB?
Thank you for your help and patience.
When you insert the USB, hold the Shift key down so it will not autorun, then scan it with MCShield.
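Holding Shift only suppresses AutoPlay for that one insertion. As an added example (not part of the thread and not what MCShield does), the script below inspects a removable drive read-only for the usual signs of a USB-spreading infection (an autorun.inf, hidden+system entries in the root, and shortcuts or executables sitting beside them) and then reports the NoDriveTypeAutoRun policy, which is the durable way to stop AutoRun for every drive type. The drive letter is a parameter; the page does not say which letter the second stick gets.

```powershell
# Added example (not from the thread). Read-only inspection of a removable
# drive plus the AutoRun policy check. Assumes an elevated prompt for the
# HKLM read and that $DriveLetter is the stick just inserted (e.g. 'E').
param([Parameter(Mandatory = $true)][string]$DriveLetter)

$root = "${DriveLetter}:\"
if (-not (Test-Path $root)) { throw "Drive $root not found" }

$hits = @()

# An autorun.inf on a removable stick is a strong sign of a USB worm even
# on systems where AutoRun no longer honours it.
$autorun = Join-Path $root 'autorun.inf'
if (Test-Path $autorun) {
    $hits += 'autorun.inf present; first lines:'
    $hits += Get-Content $autorun -ErrorAction SilentlyContinue | Select-Object -First 10 | ForEach-Object { "    $_" }
}

# USB worms typically set Hidden+System on the real folders and drop visible
# shortcuts or executables with the same names, so both are worth listing.
$dangerous = '.lnk', '.exe', '.scr', '.com', '.pif', '.vbs', '.js'
$shell = New-Object -ComObject WScript.Shell
foreach ($item in Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue) {
    $a = $item.Attributes
    if ((($a -band [IO.FileAttributes]::Hidden) -ne 0) -and (($a -band [IO.FileAttributes]::System) -ne 0)) {
        $hits += "hidden+system: $($item.Name)"
    }
    if ($item.Extension -in $dangerous) {
        if ($item.Extension -eq '.lnk') {
            # Resolve the shortcut so its real target and arguments are visible.
            $lnk = $shell.CreateShortcut($item.FullName)
            $hits += "shortcut: $($item.Name) -> $($lnk.TargetPath) $($lnk.Arguments)"
        } else {
            $hits += "executable in root: $($item.Name) ($($item.Length) bytes)"
        }
    }
}

# NoDriveTypeAutoRun = 0xFF (255) disables AutoRun for all drive types; this is
# the permanent equivalent of holding Shift on insertion.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
if ($pol -and $null -ne $pol.NoDriveTypeAutoRun) {
    $hits += ('NoDriveTypeAutoRun (HKLM) = 0x{0:X} ({1})' -f $pol.NoDriveTypeAutoRun, $(if ($pol.NoDriveTypeAutoRun -eq 255) { 'AutoRun disabled everywhere' } else { 'AutoRun still allowed for some drive types' }))
} else {
    $hits += 'NoDriveTypeAutoRun (HKLM) not set; set it to 0xFF to disable AutoRun for all drives'
}

if ($hits.Count -eq 0) { "Nothing suspicious in the root of $root" } else { $hits }
```

Save it as, for example, Check-Stick.ps1 and run `.\Check-Stick.ps1 -DriveLetter E` from an elevated prompt after inserting the drive with Shift held. A clean stick shows no hidden+system entries and no shortcuts in the root; the earlier post's "leftover folders" that survive a format are exactly the hidden+system items this lists.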