disorderstatus.ru/differentia.ru malware pop-up

URL: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\system32\msiexec.exe

and
URL: http://differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows\system32\msiexec.exe

Please help me, it's really annoying and it just keeps popping up after every 20 seconds, please help

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Select additions at the bottom
- Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.

Hey, as you described, I just installed that software and had those 2 text files. Here are both of them.

Edit: Hey, by the way, opening Task Manager and removing WindowsInstaller(r) from the list makes these errors stop permanently, I mean they don't appear again, but after rebooting, that WindowsInstaller(r) is started again and gives these errors again and again.

It will take a little more than that to stop it … Let me know how the computer is after the reboots

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-3125196987-1581937626-2010408027-1004\...\Run: [{EE5FA8F1-24CF-45B3-B63F-92C228FB918E}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\JTTSTTHJUQMGTY').KQaPk)));
HKLM\...\Policies\Explorer\Run: [1717196244] => C:\ProgramData\msmekjj.exe [85650176 2010-11-20] ()
BHO: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll => No File
BHO: No Name -> {2EECD738-5844-4a99-B4B6-146BF802613B} -> No File
BHO: No Name -> {99079a25-328f-4bd4-be04-00955acaa0a7} -> No File
BHO: No Name -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> No File
Toolbar: HKLM - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll No File
Toolbar: HKLM - No Name - {99079a25-328f-4bd4-be04-00955acaa0a7} - No File
Toolbar: HKLM - No Name - !{98889811-442D-49dd-99D7-DC866BE87DBC} - No File
Toolbar: HKU\S-1-5-21-3125196987-1581937626-2010408027-1004 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\ffxtlbr@babylon.com [2013-08-21] [not signed]
FF HKLM\...\Firefox\Extensions: [ocr@babylon.com] - C:\Program Files\Babylon\Babylon-Pro\Utils\ocr@babylon.com => not found
CHR HKLM\...\Chrome\Extension: [dkinklhnkmkhkhofcnapakaoehijaoih] - C:\Program Files\OnlineHD.TV\onhd10.crx
CHR HKLM\...\Chrome\Extension: [jplinpmadfkdgipabgcdchbdikologlh] - C:\Program Files\1ClickDownload\1click12.crx
2014-11-21 16:24 - 2014-11-21 16:24 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{12E372D4-F5FE-4B4A-8BA1-2583803E1741}
2014-06-09 18:06 - 2014-06-09 18:06 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{132E609C-7BDC-4FDA-ABEB-A55CE89634E1}
2015-09-06 02:39 - 2015-09-06 02:39 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{2E9DF6DA-0BCD-4CD3-9340-9372B27846DD}
2015-11-01 21:01 - 2015-11-01 21:01 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{2F198EF7-B9C3-45EE-8FE4-F83997F15807}
2015-01-23 10:56 - 2015-01-23 10:57 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{381C0502-6105-4D3E-A17E-6D7F3FE3F248}
2014-10-14 16:44 - 2014-10-14 16:44 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{55D50B84-E8BE-49C9-9C54-A8936043FB7F}
2014-09-01 14:56 - 2014-09-01 14:56 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{6A2EB58B-2CA8-4142-B594-DADFC5876F1F}
2015-08-13 11:02 - 2015-08-13 11:03 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{7508A4B3-D471-4971-9C58-6F04F0D5AB0D}
2016-04-02 19:26 - 2016-04-02 19:26 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{985A7368-D6CA-40DA-B4A0-A6726930AA4F}
2015-10-30 09:49 - 2015-10-30 09:50 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{C3C6B75B-6DA2-4C0A-8E61-0292D5742C02}
2014-08-31 14:52 - 2014-08-31 14:52 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{D8D840F7-E8F1-431A-A69E-739D97333E33}
2015-11-11 18:11 - 2015-11-11 18:11 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{EBA57DA2-D7A0-4D56-B85A-66A9B23668AA}
2011-12-27 01:38 - 2010-11-20 17:47 - 85650176 ___SH () C:\ProgramData\msmekjj.exe
Task: {003CD11D-9CE5-4385-8E11-80D02444E9C5} - System32\Tasks\{29D5E0CD-B15B-461A-A526-DCC3FBBBF0E5} => pcalua.exe -a C:\Windows\iun503.exe -c C:\Program Files\GameLibrary\MEGA MAN X3\irunin.ini <==== ATTENTION
Task: {EB7E0F21-21F0-4258-9E67-F3E66C848814} - System32\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} => C:\Users\AYUSHI~1.AYU\AppData\Local\Temp\cisE31D.exe <==== ATTENTION
Task: {F5872FCC-3D33-4E3C-A12B-2E560BB749BB} - System32\Tasks\EPUpdater => C:\Users\AYUSHI~1.AYU\AppData\Roaming\BABSOL~1\Shared\BabMaint.exe <==== ATTENTION
Task: {FD13A5C6-6877-4157-8632-86C4E7B51837} - System32\Tasks\SymInstallStub => C:\Users\ayush\AppData\Local\Temp\nsh70B0.tmp\SymInstallStub.exe <==== ATTENTION
Task: C:\Windows\Tasks\SymInstallStub.job => C:\Users\ayush\AppData\Local\Temp\nsh70B0.tmp\SymInstallStub.exex/partnerid=opencandy /productlist=rm /staging=true /delay=0 /lang=English /desktopshortcut=0 /startmenushortcut=1 /task C:\Users\ayush\AppData\Local\Temp\nsh70B0.tmp <==== ATTENTION
C:\Users\AYUSHI~1.AYU\AppData\Roaming\BABSOL~1
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg delete HKCU:\Software\Classes\JTTSTTHJUQMGTY /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.

Thank you for the help, that popup has been removed. Here are those log files.

And I can now remove all these files from my computer??
I mean all these logs?? And that software?

And I can now remove all these files from my computer?? I mean all these logs?? And that software?
Essexboy will remove all tools used when finished ;)

I made a minor transcription error that needs fixing, then we will tidy up

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Reg: reg delete HKCU\Software\Classes\JTTSTTHJUQMGTY /f
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.
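
Added example, not part of the original thread and not FRST code: a Python check that flags Run entries like the one in the first fixlist, where PowerShell decodes and executes a payload stored in a registry value, and reports the key in the `HKCU\...` form that reg.exe accepts (the PowerShell `HKCU:\` form is not a valid reg.exe key name). The first sample line is the entry quoted above; the second is constructed, and all function names are this example's own.

```python
import re

# Flags that together mark a Run entry executing a payload kept in the registry.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}
# Matches: gp / Get-ItemProperty '<PowerShell registry path>').<value name>
REG_READ = re.compile(
    r"\b(?:gp|Get-ItemProperty)\s+'(HK[A-Z]+):\\([^']+)'\)\.(\w+)", re.I)

SAMPLE_LINES = [
    # Run entry as quoted in the fixlist in this thread.
    r"HKU\S-1-5-21-3125196987-1581937626-2010408027-1004\...\Run: "
    r"[{EE5FA8F1-24CF-45B3-B63F-92C228FB918E}] => powershell.exe -noprofile "
    r"-windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII."
    r"GetString([Convert]::FromBase64String((gp "
    r"'HKCU:\Software\Classes\JTTSTTHJUQMGTY').KQaPk)));",
    # Constructed benign entry for contrast.
    r"HKLM\...\Run: [ExampleApp] => C:\Program Files\ExampleApp\example.exe",
]

def analyse(line):
    """Return None for an unremarkable entry, else what to review and remove."""
    entry, sep, command = line.partition(" => ")
    if not sep or "powershell" not in command.lower():
        return None
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(command))
    match = REG_READ.search(command)
    if len(hits) < 3 or not match:
        return None
    hive, subkey, value = match.groups()
    return {
        "autorun": entry,
        "indicators": hits,
        "payload_value": value,
        # PowerShell provider paths use "HKCU:\"; reg.exe expects "HKCU\".
        "reg_exe_key": f"{hive.upper()}\\{subkey}",
    }

def findings(lines):
    """Analyse every line and keep only the flagged entries."""
    return [result for result in map(analyse, lines) if result]

if __name__ == "__main__":
    for item in findings(SAMPLE_LINES):
        print(item["autorun"], item["indicators"], item["reg_exe_key"])
```

Both the Run value and the key holding the encoded payload need removing; deleting only the Run value leaves the payload in the registry.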