URL: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\system32\msiexec.exe
and
URL: http://differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows\system32\msiexec.exe
Please help me, it's really annoying and it just keeps on popping up after every 20 seconds, please help
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Select additions at the bottom
- Press Scan button.
https://dl.dropboxusercontent.com/u/73555776/frst.JPG
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.
Hey, as you described I just installed that software and got those 2 text files, here are both of them
Edit: hey, by the way, opening Task Manager and removing WindowsInstaller(r) from the list makes these errors permanently stop, I mean they don't appear again, but after rebooting WindowsInstaller(r) is started again and gives these errors again and again
It will take a little more than that to stop it … Let me know how the computer is after the reboots
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-21-3125196987-1581937626-2010408027-1004\...\Run: [{EE5FA8F1-24CF-45B3-B63F-92C228FB918E}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\JTTSTTHJUQMGTY').KQaPk)));
HKLM\...\Policies\Explorer\Run: [1717196244] => C:\ProgramData\msmekjj.exe [85650176 2010-11-20] ()
BHO: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll => No File
BHO: No Name -> {2EECD738-5844-4a99-B4B6-146BF802613B} -> No File
BHO: No Name -> {99079a25-328f-4bd4-be04-00955acaa0a7} -> No File
BHO: No Name -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> No File
Toolbar: HKLM - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll No File
Toolbar: HKLM - No Name - {99079a25-328f-4bd4-be04-00955acaa0a7} - No File
Toolbar: HKLM - No Name - !{98889811-442D-49dd-99D7-DC866BE87DBC} - No File
Toolbar: HKU\S-1-5-21-3125196987-1581937626-2010408027-1004 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\ffxtlbr@babylon.com [2013-08-21] [not signed]
FF HKLM\...\Firefox\Extensions: [ocr@babylon.com] - C:\Program Files\Babylon\Babylon-Pro\Utils\ocr@babylon.com => not found
CHR HKLM\...\Chrome\Extension: [dkinklhnkmkhkhofcnapakaoehijaoih] - C:\Program Files\OnlineHD.TV\onhd10.crx
CHR HKLM\...\Chrome\Extension: [jplinpmadfkdgipabgcdchbdikologlh] - C:\Program Files\1ClickDownload\1click12.crx
2014-11-21 16:24 - 2014-11-21 16:24 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{12E372D4-F5FE-4B4A-8BA1-2583803E1741}
2014-06-09 18:06 - 2014-06-09 18:06 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{132E609C-7BDC-4FDA-ABEB-A55CE89634E1}
2015-09-06 02:39 - 2015-09-06 02:39 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{2E9DF6DA-0BCD-4CD3-9340-9372B27846DD}
2015-11-01 21:01 - 2015-11-01 21:01 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{2F198EF7-B9C3-45EE-8FE4-F83997F15807}
2015-01-23 10:56 - 2015-01-23 10:57 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{381C0502-6105-4D3E-A17E-6D7F3FE3F248}
2014-10-14 16:44 - 2014-10-14 16:44 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{55D50B84-E8BE-49C9-9C54-A8936043FB7F}
2014-09-01 14:56 - 2014-09-01 14:56 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{6A2EB58B-2CA8-4142-B594-DADFC5876F1F}
2015-08-13 11:02 - 2015-08-13 11:03 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{7508A4B3-D471-4971-9C58-6F04F0D5AB0D}
2016-04-02 19:26 - 2016-04-02 19:26 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{985A7368-D6CA-40DA-B4A0-A6726930AA4F}
2015-10-30 09:49 - 2015-10-30 09:50 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{C3C6B75B-6DA2-4C0A-8E61-0292D5742C02}
2014-08-31 14:52 - 2014-08-31 14:52 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{D8D840F7-E8F1-431A-A69E-739D97333E33}
2015-11-11 18:11 - 2015-11-11 18:11 - 0000000 _____ () C:\Users\Ayush II.ayush-PC\AppData\Local\{EBA57DA2-D7A0-4D56-B85A-66A9B23668AA}
2011-12-27 01:38 - 2010-11-20 17:47 - 85650176 ___SH () C:\ProgramData\msmekjj.exe
Task: {003CD11D-9CE5-4385-8E11-80D02444E9C5} - System32\Tasks\{29D5E0CD-B15B-461A-A526-DCC3FBBBF0E5} => pcalua.exe -a C:\Windows\iun503.exe -c C:\Program Files\GameLibrary\MEGA MAN X3\irunin.ini <==== ATTENTION
Task: {EB7E0F21-21F0-4258-9E67-F3E66C848814} - System32\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} => C:\Users\AYUSHI~1.AYU\AppData\Local\Temp\cisE31D.exe <==== ATTENTION
Task: {F5872FCC-3D33-4E3C-A12B-2E560BB749BB} - System32\Tasks\EPUpdater => C:\Users\AYUSHI~1.AYU\AppData\Roaming\BABSOL~1\Shared\BabMaint.exe <==== ATTENTION
Task: {FD13A5C6-6877-4157-8632-86C4E7B51837} - System32\Tasks\SymInstallStub => C:\Users\ayush\AppData\Local\Temp\nsh70B0.tmp\SymInstallStub.exe <==== ATTENTION
Task: C:\Windows\Tasks\SymInstallStub.job => C:\Users\ayush\AppData\Local\Temp\nsh70B0.tmp\SymInstallStub.exex/partnerid=opencandy /productlist=rm /staging=true /delay=0 /lang=English /desktopshortcut=0 /startmenushortcut=1 /task C:\Users\ayush\AppData\Local\Temp\nsh70B0.tmp <==== ATTENTION
C:\Users\AYUSHI~1.AYU\AppData\Roaming\BABSOL~1
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg delete HKCU:\Software\Classes\JTTSTTHJUQMGTY /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated, please post that
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
Thank you for the help, that popup has been removed, here are those log files
And I can now remove all these files from my computer??
I mean all these logs?? And that software?
Pondus, May 18, 2016, 10:00pm
And i can now remove all these files from my computer??
I mean all these logs ?? and that software ?
Essexboy will remove all tools used when finished ;)
I made a minor transcription error that needs fixing, then we will tidy up
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
Reg: reg delete HKCU\Software\Classes\JTTSTTHJUQMGTY /f
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
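Added example, not part of the thread and not FRST's own code: a Python sketch that scans FRST-style Run entries for the pattern in the first fixlist, an autorun that has PowerShell decode and execute a Base64 value stored in the registry. It reports where that value lives in `reg.exe` path form (`HKCU\...`, not the PowerShell drive form `HKCU:\...` that the second fixlist corrects). The sample lines, SID, key and value names are constructed placeholders.

```python
import re

# Constructed FRST-style lines modelled on the Run entry in the first fixlist.
# The SID, GUID, key and value names are placeholders, not values from the thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe [123456 2015-01-01] (Example Corp)
HKU\S-1-5-21-0-0-0-1000\...\Run: [{00000000-0000-0000-0000-000000000000}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\EXAMPLEKEY').ExampleValue)));
"""

# "<hive>\...\Run: [<entry name>] => <command line>"
RUN_LINE = re.compile(r"^(?P<hive>HK\S+?)\\.*?Run: \[(?P<name>.*?)\] => (?P<cmd>.+)$")

INDICATORS = {
    "hidden_window": re.compile(r"-(?:windowstyle|w)\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(?:executionpolicy|exec|ep)\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}

# (gp '<PowerShell registry path>').<ValueName> : where the encoded script is stored
REG_SOURCE = re.compile(
    r"\b(?:gp|get-itemproperty)\s+'(?P<path>HK[A-Z]{2}:\\[^']+)'\)\.(?P<value>\w+)", re.I)


def to_reg_exe_path(ps_path):
    """Convert a PowerShell drive path (HKCU:\\...) to the form reg.exe accepts (HKCU\\...)."""
    return re.sub(r"^(HK[A-Za-z]+):\\", r"\1\\", ps_path)


def scan(log_text):
    """Return one finding per Run entry that executes a Base64 script read from the registry."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(m["cmd"])]
        src = REG_SOURCE.search(m["cmd"])
        if src and "base64_decode" in hits and "invoke_expression" in hits:
            findings.append({
                "hive": m["hive"],
                "autorun": m["name"],
                "indicators": hits,
                "payload_key": to_reg_exe_path(src["path"]),
                "payload_value": src["value"],
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Each finding names both the autorun entry and the registry value holding the encoded script, since removing only the Run entry leaves the payload behind.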