help: differentia.ru/diff.php and disorderstatus.ru/order.php threat

I’ve been getting notices from Avast that it’s blocking a couple of threats:
Object: http://differentia.ru/diff.php
Infection : URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

and

Object: http://disorderstatus.ru/order.php
Infection : URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

I’m afraid I picked it up from a USB flash drive that I had connected to another computer, so as well as cleaning my computer I’d like to clean the drive, which might also have this thing.

Any help will be greatly appreciated!!

Then this is the next step to get it removed:

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
We need Malwarebytes and Farbar Recovery Scan Tool logs; attach the logs, 3 logs in total.

See below the box you write in … Attachments and other options.

When done, scroll down to > SPECIFIC INFECTIONS LOGS
Follow the instructions for MCShield … this log you copy and paste here.

A malware expert will then assist you when online

Hello,

Here are the logs I got when I ran Malwarebytes Anti-Malware (1 log) and Farbar Recovery Scan Tool (2 logs); this is the log I got from MCShield:

MCShield AllScans.txt <<<


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

3/12/2016 3:29:28 PM > Drive C: - scan started (Windows ~442 GB, NTFS HDD )…

=> The drive is clean.

3/12/2016 3:29:29 PM > Drive D: - scan started (RECOVERY ~23 GB, NTFS HDD )…

=> The drive is clean.

3/12/2016 3:29:29 PM > Drive E: - scan started (no label ~7784 MB, FAT32 flash drive )…

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

3/12/2016 3:30:44 PM > Drive F: - scan started (USB DISK ~3721 MB, FAT32 flash drive )…

=> The drive is clean.

Malware experts will be back online tomorrow

Hmm, intriguing, as there is no indication of the normal trigger. Are the alerts still appearing?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-203731310-3523526864-2080244404-1001\...\MountPoints2: {0b62cf55-a7c2-11e5-826e-d05349d5a39a} - "C:\Windows\system32\RunDLL32.EXE" Shell32.DLL,ShellExec_RunDLL E:\Start.exe
U3 McAPExe; no ImagePath
U3 McMPFSvc; no ImagePath
U3 McNaiAnn; no ImagePath
U3 mfecore; no ImagePath
Task: {19F7B575-F7BB-4A8C-A1EB-AA77A8470242} - System32\Tasks\FileAdvisorUpdate => C:\Program Files (x86)\File Type Advisor\fileadvisor.exe [2015-07-15] (File Type Advisor)
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double-click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete, click on “Clean”.
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S0].txt as well.
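As an added example (not part of the thread, and not FRST's or the helper's code), the PowerShell below is a read-only audit of the three kinds of artefact the fixlist above removes: the MountPoints2 autorun handler for the flash drive, the service keys FRST reports as "no ImagePath" (the four McAfee entries McAPExe, McMPFSvc, McNaiAnn and mfecore), and the per-user proxy settings and BITS jobs that "RemoveProxy:" and "bitsadmin /reset /allusers" clear. It changes nothing, so it can be run before the fix to see what would be touched and again afterwards to confirm the entries are gone. The "Suspect" flag and the Type-without-ImagePath test are my own heuristics, not FRST's rules.

```powershell
# Added example, not from the thread. Read-only audit of what the FRST fixlist above
# removes. Run from an elevated PowerShell prompt; nothing here modifies the machine.

# 1. MountPoints2 autorun handlers. Explorer caches per-volume autorun commands under
#    HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}\Shell\<verb>\command,
#    which FRST reports as "MountPoints2: {GUID} - <command>". Only hives currently
#    loaded under HKEY_USERS are visible from here.
function Get-MountPoints2AutoRun {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $base = 'HKU:\*\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
        $sid = ($_.Name -split '\\')[1]
        foreach ($verb in 'AutoRun', 'Open') {
            $cmdKey = "$($_.PSPath)\Shell\$verb\command"
            if (Test-Path $cmdKey) {
                $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
                [pscustomobject]@{
                    Sid     = $sid
                    Volume  = $_.PSChildName
                    Verb    = $verb
                    Command = $cmd
                    # Heuristic (my assumption, not FRST's rule): a handler that launches a
                    # script or executable from a non-system drive letter deserves a look.
                    Suspect = [bool]($cmd -match '(?i)\b[D-Z]:\\[^"]*\.(exe|cmd|bat|vbs|js|scr)\b')
                }
            }
        }
    }
}

# 2. Service keys without an ImagePath. FRST lists them as "<name>; no ImagePath".
#    Heuristic (my assumption): a key that carries a Type value is a service or driver
#    definition and should have an ImagePath; keys without Type are parameter-only
#    subkeys and are skipped.
function Get-OrphanedServiceKeys {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object {
            $names = (Get-ItemProperty -Path $_.PSPath).PSObject.Properties.Name
            ($names -contains 'Type') -and -not ($names -contains 'ImagePath')
        } |
        Select-Object -ExpandProperty PSChildName
}

# 3. What "RemoveProxy:" and "bitsadmin /reset /allusers" clear: the current user's WinINet
#    proxy settings and every queued BITS transfer. BITS jobs run under a system process
#    and are a common way to pull down additional payloads quietly.
function Get-ProxyAndBitsState {
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $jobs = @(Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
              Select-Object DisplayName, JobState,
                            @{ Name = 'Urls'; Expression = { $_.FileList.RemoteName } })
    [pscustomobject]@{
        ProxyEnable   = $inet.ProxyEnable
        ProxyServer   = $inet.ProxyServer
        AutoConfigURL = $inet.AutoConfigURL
        BitsJobCount  = $jobs.Count
        BitsJobs      = $jobs
    }
}

Get-MountPoints2AutoRun | Format-Table -AutoSize
Get-OrphanedServiceKeys
Get-ProxyAndBitsState | Format-List
```

The Suspect column only points at handlers that run something from a removable or secondary drive letter, like the E:\Start.exe entry in the fixlist; whether such an entry is harmful still has to be judged from what the file is. FRST can also load hives of users who are not logged on, which this script does not do.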

Hello!

Sorry for the long wait on replying.

The alerts did stop after running the first batch of tools and they did not appear at all on the following days. I still ran the FRST64 and AdwCleaner as advised. I’m attaching the logs that were generated afterwards… :)

Any further problems?

No problems! Everything has been running smoothly since that first batch of tools… Thank you very much!!!