Need help http://differentia.ru/diff.php and http://disorderstatus.ru/order.php

Please help!

Since yesterday, I kept getting notifications from avast saying Threat has been detected!

Both of them appear at the same time

Here are the reports:

Object: http://differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows.…\msiexec.exe

Object: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows.…\msiexec.exe

What should I do?

https://forum.avast.com/index.php?topic=53253.0

Sorry it took quite long.

Here are the logs.

Hey, sorry, these are the correct Malwarebytes logs.

Let me know of any problems after this

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\jumpflip: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\searchinstaller.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\searchsettings.exe: [Debugger] tasklist.exe
IFEO\searchsettings64.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\umbrella.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
IFEO\volaro: [Debugger] tasklist.exe
IFEO\vonteera: [Debugger] tasklist.exe
IFEO\websteroids.exe: [Debugger] tasklist.exe
IFEO\websteroidsservice.exe: [Debugger] tasklist.exe
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2015-07-15 17:19 - 2015-06-16 04:42 - 80668544 ___SH () C:\ProgramData\mscfhqxd.exe
CustomCLSID: HKU\S-1-5-21-3215671141-2693329682-2736129479-1000_Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InprocServer32 -> C:\Users\User\AppData\Roaming\tricomfi\tivesen.dll No File <==== ATTENTION
C:\Users\User\AppData\Roaming\tricomfi
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

I believe that this is the fixlog that is generated, please check it.

Have the alerts ceased?

They have, but I’m not very sure the malware or viruses have gone.

Why? What problems are you having?

Now it appears again. After I plugged in my USB, the notifications started to pop up again. What should I do?

Your USB is infected

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and MCShield will start a scan

Then get the log which will be located under the logs tab on the main page

And post that

THEN

Run a fresh FRST scan please

Here are the logs.

Could you copy and paste the MCShield log, as it is corrupted when attached?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-07-15 17:19 - 2015-06-16 04:42 - 72947328 ___SH () C:\ProgramData\mscfhqxd.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

MCShield log:

MCShield AllScans.txt <<<


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.8.23.1 / Windows 7 <<<

06-Sep-15 19:39:43 > Drive C: - scan started (no label ~466 GB, NTFS HDD )…

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.8.23.1 / Windows 7 <<<

06-Sep-15 19:40:48 > Drive E: - scan started (ANDRE ~15343 MB, FAT32 flash drive )…

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2015.8.23.1 / Windows 7 <<<

06-Sep-15 19:42:45 > Drive E: - scan started (ANDRE ~15343 MB, FAT32 flash drive )…

=> The drive is clean.

After I ran FRST, my computer restarted, and the notification doesn’t appear anymore. My USB is still plugged in. So, is the virus removed? Both from my computer and my USB?

Looks like MCShield is not finding it, so I would recommend that you wipe the drive.

What do you mean by wipe the drive??

Reformat it