Malware PC2

Hi. as spoken from my previous thread. i have another PC affected by the same malware. Attached are the logs. Hope any expert can help! thanks in advance. This is PC2

URL: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

URL: http://disorderstatus.ru/diff.php
Infection: URL:Mal
Process: C:\Windows\SysWOW64\msiexec.exe

apologize for being hasty. any experts help?

when they are online :wink: at the moment none are

Could you let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: 2012-08-31 05:12 - 2010-11-20 20:17 - 70271360 ___SH () C:\ProgramData\msequupj.exe 2015-04-02 06:13 - 2015-04-02 16:59 - 0000000 _____ () C:\Users\PC1\AppData\Local\{52628801-7BDE-4B1A-BEA9-14C99D7F008E} RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

hi, the system seems cleaned. I will monitor for 24hrs for any recurrence.
here are the fixlogs

Fix result of Farbar Recovery Scan Tool (x86) Version:09-08-2015
Ran by PC1 (2015-08-10 03:45:52) Run:2
Running from C:\Users\PC1\Desktop
Loaded Profiles: PC1 (Available Profiles: PC1)
Boot Mode: Normal

==============================================

fixlist content:


CreateRestorePoint:
2012-08-31 05:12 - 2010-11-20 20:17 - 70271360 ___SH () C:\ProgramData\msequupj.exe
2015-04-02 06:13 - 2015-04-02 16:59 - 0000000 _____ () C:\Users\PC1\AppData\Local{52628801-7BDE-4B1A-BEA9-14C99D7F008E}
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Restore point was successfully created.
Could not move “C:\ProgramData\msequupj.exe” => Scheduled to move on reboot.
C:\Users\PC1\AppData\Local{52628801-7BDE-4B1A-BEA9-14C99D7F008E} => moved successfully.

========= RemoveProxy: =========

HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.
HKU\S-1-5-21-831649127-2642341190-1748921548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully.
HKU\S-1-5-21-831649127-2642341190-1748921548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully.

========= End of RemoveProxy: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {DEC3C6B5-ACB9-4ECF-8A87-AF32A8C26083}.
{27F63B7F-5388-4BE4-8D5B-C0B6D286BEC1} canceled.
{FF689439-AE35-4775-B6B3-66A0C6282AC5} canceled.
2 out of 3 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 990.7 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-08-10 03:49:42)<=

C:\ProgramData\msequupj.exe => is moved successfully

==== End of Fixlog 03:49:43 ====

so far so good. keeping my fingers crossed

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave: