Need help with a second computer infected with malware

Dear Gentlemen,

I am back with a second request. I just posted another one.

I kept getting notifications from Avast saying "Threat has been detected!"

Both of them appear at the same time.

Here are the reports:

Object: http://differentia.ru/diff.php
Infection: URL:Mal
Process: C:\Windows.…\msiexec.exe

Object: http://disorderstatus.ru/order.php
Infection: URL:Mal
Process: C:\Windows.…\msiexec.exe

Attached are two screenshots and the reports from FRST.

Hello. Is this a business computer with a 'home' license? And are you using the PriceGong app for Firefox?

Also, do not use USB devices until we make sure your host PC is malware free. Later, MCShield will be used to clean malware triggers from your USB memory devices.

First, we shall execute an FRST script to remove active malware and some PUP remnants:

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

CreateRestorePoint:

CloseProcesses:
HKLM-x32.…\Run: =>
SearchScopes: HKU\S-1-5-21-2056669733-938145784-4001458402-1001 → {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKU\S-1-5-21-2056669733-938145784-4001458402-1001 → {EEE6C360-6118-11DC-9C72-001320C79847} URL = hxxp://mysearch.sweetpacks.com?src=6&q={searchTerms}&barid=&
Toolbar: HKU\S-1-5-21-2056669733-938145784-4001458402-1001 → No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} - No File

Hosts:
C:\ProgramData\mstacv.exe
C:\Users\Todos os Usuários\mstacv.exe
C:\Program Files (x86)\SweetIM
C:\Windows\SysWOW64\shoA689.tmp
C:\Windows\SysWOW64\sho4540.tmp

RemoveProxy:
FirewallRules: [{E430E810-7903-40DF-9A8E-7A3B421BA698}] => (Allow) C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
FirewallRules: [{E48F6016-4D8F-4B10-B55F-6C1A5C3DEFC4}] => (Allow) C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe

AlternateDataStreams: C:\Windows\System32:B2286196_Abn.gbp
AlternateDataStreams: C:\Windows\System32:B2286196_Uni.gbp

EmptyTemp:

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It is important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

====================

Please go here to read how to reset Google Chrome back to its default settings:
https://support.google.com/chrome/answer/3296214?hl=en

=====================

Please run FRST again, hit the Scan button and post the freshly created FRST.txt log report.
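As an added example (not part of magna86's post, and not FRST's own code), the following read-only PowerShell check enumerates the indicators named in the fixlist above, so their state can be confirmed before the fix is run and again after Fixlog.txt is produced. It assumes an elevated PowerShell 3 or later on Windows 8/10 (Get-NetFirewallRule is not available on Windows 7), that the affected user is logged on so the HKEY_USERS hive for the SID from the fixlist is loaded, and that FRST's SearchScopes entries live under HKEY_USERS\<SID>\Software\Microsoft\Internet Explorer\SearchScopes, as they normally do. The truncated HKLM-x32 Run entry is left out because its path is not shown in the post.

```powershell
# Added example: re-check the indicators listed in the fixlist above.
# Run from an elevated PowerShell prompt. Read-only: nothing is deleted here.
$ErrorActionPreference = 'SilentlyContinue'

# File-system items named in the fixlist (paths as they appear there).
$paths = @(
    'C:\ProgramData\mstacv.exe',
    'C:\Users\Todos os Usuários\mstacv.exe',
    'C:\Program Files (x86)\SweetIM',
    'C:\Windows\SysWOW64\shoA689.tmp',
    'C:\Windows\SysWOW64\sho4540.tmp'
)
foreach ($p in $paths) {
    $state = if (Test-Path -LiteralPath $p) { 'PRESENT' } else { 'absent ' }
    "[$state] $p"
}

# SearchScopes hijack: the two GUIDs from the fixlist under the user's SID.
# Assumption: FRST's "SearchScopes: HKU\<SID>" maps to this registry key.
$sid  = 'S-1-5-21-2056669733-938145784-4001458402-1001'
$base = "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\SearchScopes"
foreach ($guid in '{2fa28606-de77-4029-af96-b231e3b8f827}', '{EEE6C360-6118-11DC-9C72-001320C79847}') {
    $key = Join-Path $base $guid
    if (Test-Path -LiteralPath $key) {
        $url = (Get-ItemProperty -LiteralPath $key).URL
        "[PRESENT] SearchScope $guid -> $url"
    } else {
        "[absent ] SearchScope $guid"
    }
}

# Firewall rules that allow the SweetPacks updater (Windows 8+ NetSecurity cmdlets).
Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -like '*SweetIM*' } |
    Get-NetFirewallRule |
    ForEach-Object { "[PRESENT] FirewallRule $($_.Name) $($_.Action) $($_.DisplayName)" }

# Alternate data streams attached to the System32 directory itself
# (the two *.gbp streams in the fixlist live here).
Get-Item -LiteralPath 'C:\Windows\System32' -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { "[PRESENT] ADS $($_.FileName):$($_.Stream) ($($_.Length) bytes)" }

# Hosts file: the "Hosts:" directive resets it, so anything beyond comments
# and the localhost lines is worth reading before it is gone.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -LiteralPath $hosts |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and
                   $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { "[hosts  ] $_" }

# Per-user proxy settings that the "RemoveProxy:" directive clears.
$inet = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Get-ItemProperty -LiteralPath $inet | Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List
```

Running it twice and diffing the output is a quick way to confirm that Fixlog.txt actually reports what changed; anything still marked PRESENT after the fix belongs in the next reply.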

Dear Magna86,

First of all, thanks a lot for your help.

This is a home computer, it is used by a student only, and there is no Firefox installed.

Attached are the files you requested.

I have already reset Google Chrome to its default settings.

Please let me know if there is anything else I should do.

Other than that, what can I do to make sure the pendrives we have are free of any potentially harmful stuff?

Best,

Luiz

Hello luiz.oliveira,

Please stay with me until you are given the 'all clear', even if symptoms seemingly abate, as I need to have a word with FRST's author regarding the log output.

To clean USB memory devices, we first had to make sure the host computer is malware free. Now we may carry on to clean USB malware triggers.

Please download MCShield from one of the following links:

MCShield - Official download link

1. Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install ... after installation, click on the Run! button.
2. Wait a few seconds for MCShield to finish its initial HDD scan...
3. Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
4. When all scanning is done, you need to post the log report that MCShield has created.

Under the Logs tab (in Control Center), in the AllScans.txt log section, click on the Save button. The AllScans.txt report will be located on your Desktop.

=> Post AllScans.txt here.

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
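For readers who want to see what "USB malware triggers" look like before handing the drives to MCShield, here is an added example (not MCShield's code and not part of the post above): a read-only PowerShell triage of every removable drive that reports the classic triggers, an autorun.inf at the root, shortcut (.lnk) files at the root sitting next to hidden folders (the shortcut-worm pattern, where the user's folders are hidden and replaced by shortcuts that launch a payload), and executables or scripts dropped at the root. It assumes PowerShell 3 or later and that the drives enumerate as DriveType 2 (removable) in Win32_LogicalDisk; card readers and phones exposing mass storage usually do, external HDDs may show as fixed disks and would need to be added by letter.

```powershell
# Added example: read-only triage of removable drives for common USB malware triggers.
# It only reports; nothing is deleted or changed. Clean-up is left to MCShield.
function Get-UsbTriggerReport {
    # DriveType 2 = removable disk (flash drives, card readers).
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
              Where-Object { $_.DeviceID }
    $shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        "== $root ($($d.VolumeName), $($d.FileSystem))"
        if (-not (Test-Path -LiteralPath $root)) { "  (no media)"; continue }

        # 1. autorun.inf at the root: auto-start vector on older Windows, still a red flag.
        $autorun = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $autorun) {
            "  [TRIGGER] autorun.inf present:"
            Get-Content -LiteralPath $autorun | Select-Object -First 10 | ForEach-Object { "      $_" }
        }

        # 2. Shortcut-worm pattern: real folders hidden, .lnk files at the root that
        #    point at a payload. -Force is needed so hidden/system items are listed.
        $rootItems = @(Get-ChildItem -LiteralPath $root -Force)
        $lnks   = @($rootItems | Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' })
        $hidden = @($rootItems | Where-Object {
                       $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) })
        if ($lnks.Count -gt 0 -and $hidden.Count -gt 0) {
            "  [TRIGGER] $($lnks.Count) shortcut(s) at root next to $($hidden.Count) hidden folder(s)"
            foreach ($l in $lnks) {
                $sc = $shell.CreateShortcut($l.FullName)
                "      $($l.Name) -> $($sc.TargetPath) $($sc.Arguments)"
            }
        }

        # 3. Executables or scripts at the root, especially hidden ones.
        $exeExt = '.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.vbs', '.js', '.wsf'
        $rootItems | Where-Object { -not $_.PSIsContainer -and $exeExt -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $h = if ($_.Attributes -band [IO.FileAttributes]::Hidden) { 'hidden' } else { 'visible' }
                "  [SUSPECT] $($_.Name) ($h, $($_.Length) bytes)"
            }
    }
}

Get-UsbTriggerReport
```

Plug the drives in one at a time, as the post says, and run the function after each one; a drive that shows no TRIGGER or SUSPECT lines is not proven clean, but one that does tells you exactly which files MCShield's AllScans.txt should account for.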

Hi luiz.oliveira,

When work with MCShield is completed, please run the FRST tool again and wait for the tool to update itself. When the tool is ready to use, press the Scan button and post the fresh FRST.txt log report.

Also, please upload the following files if you can:
C:\Users\Eduarda\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Eduarda\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

You can upload these files using this link;
http://wikisend.com/

Do not attach the download link here, as I don't want any misuse; rather, send me the download link via private message.
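The two files requested above are Chrome's JSON preference stores, and the settings a browser hijacker touches (homepage, startup URLs, default search provider, installed extensions) live in them; Secure Preferences additionally carries MACs under a "protection" key so Chrome can detect and reset tampered values. As an added example (not magna86's code and not part of the thread), the PowerShell below summarises those settings from both files so the same review can be done locally. It assumes the Default profile path from the post above and Chrome's preference key layout (session.startup_urls, default_search_provider_data.template_url_data, extensions.settings); the location-number names follow Chrome's ExtensionLocation enum and are an assumption that may not hold for every version. The files are read only, not modified.

```powershell
# Added example: summarise the Chrome settings a hijacker usually changes,
# from the Preferences and Secure Preferences files named above. Read-only.
# Assumes the Default profile path from the post; adjust $chromeProfile if needed.
$chromeProfile = 'C:\Users\Eduarda\AppData\Local\Google\Chrome\User Data\Default'

# Assumption: Chrome's ExtensionLocation numbering. Anything not 'internal/webstore'
# was installed from outside the Web Store (sideloaded, registry, policy, unpacked).
$locationNames = @{ 1 = 'internal/webstore'; 2 = 'external pref'; 3 = 'external registry';
                    4 = 'unpacked'; 5 = 'component'; 6 = 'external pref download';
                    7 = 'external policy download'; 8 = 'command line' }

function Show-ChromePrefs([string]$file) {
    if (-not (Test-Path -LiteralPath $file)) { "-- $file: not found"; return }
    "== $file"
    $p = Get-Content -LiteralPath $file -Raw -Encoding UTF8 | ConvertFrom-Json

    if ($p.homepage)             { "  homepage:        $($p.homepage)" }
    if ($p.session.startup_urls) { "  startup_urls:    $($p.session.startup_urls -join ', ')" }
    $dsp = $p.default_search_provider_data.template_url_data
    if ($dsp)                    { "  search provider: $($dsp.keyword)  $($dsp.url)" }

    # Secure Preferences keeps integrity MACs for these tracked settings;
    # their presence is a reminder not to hand-edit the file.
    if ($p.protection.macs)      { "  (tracked-pref MACs present)" }

    $ext = $p.extensions.settings
    if ($ext) {
        "  extensions:"
        foreach ($id in $ext.PSObject.Properties.Name) {
            $e   = $ext.$id
            $loc = $locationNames[[int]$e.location]
            if (-not $loc) { $loc = "location $($e.location)" }
            $store = if ($e.from_webstore) { 'webstore' } else { 'NOT webstore' }
            "    $id  $($e.manifest.name) $($e.manifest.version)  [$loc, $store]  $($e.path)"
        }
    }
}

Show-ChromePrefs (Join-Path $chromeProfile 'Preferences')
Show-ChromePrefs (Join-Path $chromeProfile 'Secure Preferences')
```

Depending on the Chrome version, a given setting appears in one file or the other, which is why both are read; an extension marked NOT webstore with a path outside the profile directory, or a search provider URL pointing at an unfamiliar domain, is what the reviewer is looking for in these files.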

Bump!

Are you still with me?

Magna86,

I followed your instructions and got the message in the attached screenshot.

I am attaching the log file and the other files you mentioned (I changed their extensions to make it easier).

Can we work that way?

Best,

-Luiz

Hello, sorry for the late response, I had some personal work to do.

Thank you for the uploads and the error report, I will report the error to the tool's author. Thank you again for contributing.

Please await my reply. :wink:

Hello luiz.oliveira,

This should be fixed now. Please run FRST, allow the update and post a fresh log file for the last analysis.

Also, AllScans.txt is required, as well as some good news. How is the computer running now after these fixes?

magna86,

When I run FRST I keep getting the error message I sent you, and when I click on the OK button the application closes.

Thanks,

Luiz

Can you please delete the current version of the tool, download a new, fresh copy of the tool and perform the scan?
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

If the error still occurs (the same error line and syntax), please notify me.

magna86,

Attached are the files created during the new scan.

Best,

-Luiz

Hi luiz.oliveira,

The logs are looking okay. How is the computer behaving now?

magna86,

Sorry for taking so long, life has been a whirlwind down here.

Everything seems to be fine, except that sometimes when using Google Chrome the whole system seems to start working weirdly, and pressing "S" opens a "Save As" window.

Thanks,

-Luiz