Hello,
yesterday I plugged my USB into a work computer and plugged it back into my laptop. Since then I’ve been getting non-stop messages from Avast, warning me about http://differentia.ru/diff.php and http://disorderstatus.ru/order.php malware.
How can I get rid of it?
Thank you
Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0
Here are my FRST and MBAM logs. Every time I run aswMBR it crashes: “avast rootkit has stopped working”
To protect yourself from infected USB drives, download and install the following programme
Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG
Plug in the drive and McShield will start a scan
Then get the log which will be located under the logs tab on the main page
And post that
THEN
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
URLSearchHook: [S-1-5-21-2176711472-335398132-2919127008-1010] ATTENTION => Default URLSearchHook is missing
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-2176711472-335398132-2919127008-1004 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
FF user.js: detected! => C:\Users\Marwan\AppData\Roaming\Mozilla\Firefox\Profiles\21tcfost.default\user.js [2015-02-28]
2012-07-26 05:06 - 2012-07-26 06:20 - 100797184 ___SH () C:\ProgramData\msndlbck.exe
2014-06-14 17:54 - 2014-06-14 17:54 - 0000000 _____ () C:\Users\Marwan\AppData\Local\{A8AAE567-4AD6-493F-8B8E-3B37CCC3D759}
C:\Program Files (x86)\SweetIM
C:\Program Files (x86)\Protected Search
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
FINALLY
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
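An added read-only check, not from the thread and not part of FRST, MCShield or AdwCleaner, that can be run after the fix to confirm the items the fixlist above targets are gone. It assumes the same user name, Firefox profile folder, CLSIDs and paths quoted in the fixlist, and a 64-bit Windows (the BHO-x32 entries live under Wow6432Node).

```powershell
# Added post-fix verification script; it only reads the system and reports leftovers.
# Paths, SIDs and CLSIDs are copied from the fixlist; the user name "Marwan" is assumed from it.
$findings = @()

# Hidden/system executable dropped in ProgramData (fixlist entry with attributes ___SH)
$dropped = 'C:\ProgramData\msndlbck.exe'
if (Test-Path -LiteralPath $dropped) {
    $attrs = (Get-Item -LiteralPath $dropped -Force).Attributes   # -Force shows hidden/system files
    $findings += "still present: $dropped (attributes: $attrs)"
}

# Leftover folders and the Firefox user.js that the fixlist removes
foreach ($p in @(
    'C:\Users\Marwan\AppData\Local\{A8AAE567-4AD6-493F-8B8E-3B37CCC3D759}',
    'C:\Program Files (x86)\SweetIM',
    'C:\Program Files (x86)\Protected Search',
    'C:\Users\Marwan\AppData\Roaming\Mozilla\Firefox\Profiles\21tcfost.default\user.js')) {
    if (Test-Path -LiteralPath $p) { $findings += "still present: $p" }
}

# Local IPSec policy: the fixlist deletes it and recreates it empty, so any subkey or value means a policy is still defined
$ipsec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
if (Test-Path -LiteralPath $ipsec) {
    $key = Get-Item -LiteralPath $ipsec
    if ($key.SubKeyCount -gt 0 -or $key.ValueCount -gt 0) {
        $findings += "IPSec local policy still populated: $ipsec ($($key.SubKeyCount) subkeys, $($key.ValueCount) values)"
    }
}

# 32-bit browser helper object registrations for the two CLSIDs in the fixlist
foreach ($clsid in '{02478D38-C3F9-4efb-9B51-7695ECA05670}', '{5C255C8A-E604-49b4-9D64-90988571CECB}') {
    $bho = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
    if (Test-Path -LiteralPath $bho) { $findings += "BHO registration still present: $bho" }
}

# Proxy left in the current user's Internet Settings (what the RemoveProxy: directive clears)
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1) { $findings += "proxy still enabled: $($inet.ProxyServer)" }

if ($findings.Count -eq 0) { 'No leftover items from the fixlist found.' } else { $findings }
```

Run it from an elevated PowerShell prompt so the HKLM keys and the ProgramData file are readable; anything it lists belongs in the next reply together with the FRST fix log.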