Since yesterday I have been receiving pop-ups from Avast with
disorderstatus.ru/order.php and http://disorderstatus.ru/diff.php and http://differentia.ru/diff.php
HELP PLEASE THANK YOU!
follow instructions here https://forum.avast.com/index.php?topic=53253.0
attach Malwarebytes and Farbar Recovery Scan Tool logs … 3 logs total
below the box you write in here, see Attachments and other options
here it is THANKS!
Let me know if this stops it
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKLM\...\Run: [InstallerLauncher] => "C:\Program Files\Common Files\Bitdefender\SetupInformation\{6F57816A-791A-4159-A75F-CFD0C7EA4FBF}\setuplauncher.exe" /run:"C:\Program Files\Common Files\Bitdefender\SetupInformation\{6F57816A-791A-41 (the data entry has 36 more characters).
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1420684330&from=cor&uid=ST1000LM024XHN-M101MBB_S2TTJ9CC822327&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1420684330&from=cor&uid=ST1000LM024XHN-M101MBB_S2TTJ9CC822327&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://mysearch.avg.com/search?cid={7BB4FDD7-AA9E-46DB-926F-E934D0B3100D}&mid=a3bc3f2fbbcf47cda3a7f15f9eff8628-74771b1b62bc8d14c1767d08c10e15546df4f759&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-12-18 13:14:28&v=4.0.5.7&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1420684330&from=cor&uid=ST1000LM024XHN-M101MBB_S2TTJ9CC822327&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=dspp&ts=1420684330&from=cor&uid=ST1000LM024XHN-M101MBB_S2TTJ9CC822327&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://mysearch.avg.com/search?cid={7BB4FDD7-AA9E-46DB-926F-E934D0B3100D}&mid=a3bc3f2fbbcf47cda3a7f15f9eff8628-74771b1b62bc8d14c1767d08c10e15546df4f759&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-12-18 13:14:28&v=4.0.5.7&pid=wtu&sg=&sap=dsp&q={searchTerms}
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
Toolbar: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003 -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
Toolbar: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003 -> No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - No File
Toolbar: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
Toolbar: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-1459307754-3812077432-1172366821-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - No File
Winsock: Catalog9 01 C:\WINDOWS\SysWOW64\LavasoftTcpService.dll [342016 2015-07-25] (Lavasoft Limited)
Winsock: Catalog9 02 C:\WINDOWS\SysWOW64\LavasoftTcpService.dll [342016 2015-07-25] (Lavasoft Limited)
Winsock: Catalog9 03 C:\WINDOWS\SysWOW64\LavasoftTcpService.dll [342016 2015-07-25] (Lavasoft Limited)
Winsock: Catalog9 04 C:\WINDOWS\SysWOW64\LavasoftTcpService.dll [342016 2015-07-25] (Lavasoft Limited)
Winsock: Catalog9 16 C:\WINDOWS\SysWOW64\LavasoftTcpService.dll [342016 2015-07-25] (Lavasoft Limited)
Winsock: Catalog9-x64 01 C:\WINDOWS\system32\LavasoftTcpService64.dll [422400 2015-07-25] (Lavasoft Limited)
Winsock: Catalog9-x64 02 C:\WINDOWS\system32\LavasoftTcpService64.dll [422400 2015-07-25] (Lavasoft Limited)
Winsock: Catalog9-x64 03 C:\WINDOWS\system32\LavasoftTcpService64.dll [422400 2015-07-25] (Lavasoft Limited)
Winsock: Catalog9-x64 04 C:\WINDOWS\system32\LavasoftTcpService64.dll [422400 2015-07-25] (Lavasoft Limited)
Winsock: Catalog9-x64 16 C:\WINDOWS\system32\LavasoftTcpService64.dll [422400 2015-07-25] (Lavasoft Limited)
2015-07-25 20:10 - 2015-07-25 20:10 - 00000124 _____ C:\prefs.js
2015-07-25 12:02 - 2015-07-25 12:02 - 00000000 ____D C:\searchplugins
2015-07-25 12:01 - 2015-07-25 20:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
2015-07-25 12:01 - 2015-07-25 12:01 - 00002920 _____ C:\WINDOWS\SysWOW64\LavasoftTcpServiceOff.ini
2015-07-25 12:01 - 2015-07-25 12:01 - 00002920 _____ C:\WINDOWS\system32\LavasoftTcpServiceOff.ini
2015-07-25 12:00 - 2015-07-25 12:00 - 00422400 _____ (Lavasoft Limited) C:\WINDOWS\system32\LavasoftTcpService64.dll
2015-07-25 12:00 - 2015-07-25 12:00 - 00342016 _____ (Lavasoft Limited) C:\WINDOWS\SysWOW64\LavasoftTcpService.dll
2015-07-21 02:13 - 2015-07-21 02:40 - 00000000 ____D C:\Program Files (x86)\AVG
2015-07-21 02:13 - 2015-07-21 02:13 - 00000000 ____D C:\Users\Christian\AppData\Local\Avg
2015-07-21 02:09 - 2015-07-25 11:59 - 00000000 ____D C:\Users\Christian\AppData\Roaming\OpenCandy
2015-07-21 02:11 - 2014-02-15 21:42 - 00000000 ____D C:\ProgramData\AVG
2015-04-14 00:02 - 2014-10-29 09:52 - 100040320 ___SH () C:\ProgramData\msmivkh.exe
Task: {0166A5F5-8023-4ED1-A481-8BA111D2CD48} - System32\Tasks\4917 => Wscript.exe C:\Users\Asustek\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {6D21F291-9BAB-4C73-872A-F2B2EBC8DB5E} - System32\Tasks\0 => Iexplore.exe <==== ATTENTION
C:\Program Files\Common Files\Bitdefender
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
I guess it stopped it. THANKS!
I’ll update you again later if it pops up again.
Thumbs up man! Thank you very much ;D
Hi. I’ve been having this EXPLORER.EXE error during start up after I log in to my PC.
It doesn’t say anything (blank pop-up) but it always pops up. HELP PLS THANKS
Could you run a fresh FRST scan please and I will have a look
here it is
Could you let me know if this cures it
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
Task: {61615683-25D7-465A-8D1D-F4B4329BC88D} - System32\Tasks\ASOService => C:\Program Files (x86)\Advanced System Optimizer 3\ASO3.exe
Task: {0DA6C82D-82C2-4750-B3F4-45E94FF3ADEE} - System32\Tasks\BtvStack => C:\Program
Task: {8A0D8907-E434-4954-886B-F245ABBC6AC8} - System32\Tasks\BtTray => C:\Program
Task: {ECB8751E-5B28-4DA8-864F-84F2EC59AB20} - System32\Tasks\{8607BEEC-DA67-4943-A89A-736E0ADB5AB1} => pcalua.exe -a G:\setup.exe -d G:\ -c /autorun
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
btw this is the error. here’s a screenshot
edit: here is the log
Could you temporarily disable all IObit programmes from start using Task Manager and see if that cures it?