windows\SysWOW64\msiexec.exe keeps popping

Sorry if I'm posting this again, but I am a complete newbie!!
A friend has two computers (Windows 8) infected, probably by a USB flash drive.
AVAST shows these two messages on both computers (copy-pasted from another topic as I get the same, in a different language though :P):

URL: http://disorderstatus.ru/order.php
Infección: URL:Mal
Proceso: C:\windows\SysWOW64\msiexec.exe

and

URL: http://disorderstatus.ru/order.php
Infección: URL:Mal
Proceso: C:\windows\SysWOW64\msiexec.exe

What tools should I use to completely remove the virus?
Please provide all the steps you can, because I have never done something like this before and I really don’t want to mess up!!
Thank you in advance!!

I'm sorry, copy-paste mistake, it was:

URL: http://disorderstatus.ru/order.php
Infección: URL:Mal
Proceso: C:\windows\SysWOW64\msiexec.exe

and

URL: http://differentia.ru/diff.php
Infección: URL:Mal
Proceso: C:\windows\SysWOW64\msiexec.exe

Hi MariosRethymno, welcome to the forum :slight_smile:

Please follow this tutorial https://forum.avast.com/index.php?topic=53253.0 and attach the requested logs in your next reply.
It is night here in Europe, so be patient, but as soon as an expert is online and available he/she will help you.

Greetz, Red.

Monitoring.

I followed the steps provided by the link Rednose posted.
The pop up stopped but I don’t know if the pc is clean.
Here are my logs.

And the MCShield log…

The MCShield log must be copied and pasted or we can't read it (a forum bug).

Copy and paste from Android

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

2/3/2016 8:01:28 μμ > Drive C: - scan started (OS ~452 GB, NTFS HDD )…

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

2/3/2016 8:28:51 μμ > Drive E: - scan started (TOSHIBA ~7434 MB, FAT32 flash drive )…

E:\TOSHIBA (8GB).lnk - Malware > Deleted. (16.03.02. 20.30 TOSHIBA (8GB).lnk.717617; MD5: 9c2b69d6ec25342325ea7b3486161824)

Resetting attributes: E:\ < Successful.

=> Malicious files : 1/1 deleted.
=> Hidden folders : 1/1 unhidden.


::::: Scan duration: (Interactive mode) ::::


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

2/3/2016 8:32:47 μμ > Drive E: - scan started (TOSHIBA ~7434 MB, FAT32 flash drive )…

=> The drive is clean.
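A defender-side check for the pattern the MCShield log above shows (a decoy .lnk at the root of the flash drive standing in for a folder that was set Hidden+System), as an added PowerShell example that is not part of the thread and not MCShield's code; the drive letter E: and the list of script hosts it treats as suspicious targets are assumptions.

```powershell
# Read-only triage of a removable drive for the decoy-shortcut / hidden-folder pattern.
# Added example, not MCShield's or the thread's code. Drive letter is an assumption.
param(
    [string]$Drive = 'E:\',
    [switch]$Unhide    # clear Hidden/System on the folders found (what "Resetting attributes" did)
)

$shell = New-Object -ComObject WScript.Shell
$label = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($Drive.Substring(0,2))'").VolumeName

# Folders the user can no longer see: Hidden and System both set at the drive root.
$hiddenDirs = Get-ChildItem -LiteralPath $Drive -Directory -Force | Where-Object {
    ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
    ($_.Attributes -band [IO.FileAttributes]::System)
}

# Every shortcut at the root, resolved to the command it really launches (assumed host list).
$hosts = 'cmd.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'powershell.exe', 'mshta.exe'
$findings = foreach ($lnk in Get-ChildItem -LiteralPath $Drive -Filter *.lnk -File -Force) {
    $sc  = $shell.CreateShortcut($lnk.FullName)
    $exe = [IO.Path]::GetFileName($sc.TargetPath).ToLower()
    [pscustomobject]@{
        Shortcut   = $lnk.Name
        Target     = $sc.TargetPath
        Arguments  = $sc.Arguments
        # A shortcut named after the volume label or a hidden folder that also runs a
        # script host or carries arguments is the decoy pattern; a plain folder link has neither.
        Suspicious = (($label -and $lnk.BaseName -like "$label*") -or ($hiddenDirs.Name -contains $lnk.BaseName)) -and
                     (($exe -in $hosts) -or ($sc.Arguments -ne ''))
    }
}

"Hidden+System folders on ${Drive}:"
$hiddenDirs | Select-Object Name, Attributes | Format-Table -AutoSize
"Shortcuts at the root of ${Drive}:"
$findings | Format-Table -AutoSize -Wrap

if ($Unhide) {
    foreach ($d in $hiddenDirs) {
        # Same cleanup MCShield logged as "Resetting attributes": drop Hidden and System only.
        $d.Attributes = $d.Attributes -band -bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
        "Unhid $($d.FullName)"
    }
}
```

Run it without -Unhide first and read the Target/Arguments columns; nothing is deleted, so the flagged .lnk can be handed to a scanner or an expert as-is.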

Thank you Pondus!!
I didn’t know that!!

Step #1: Fix with AdwCleaner
- Download AdwCleaner by Xplode to your Desktop from one of the following links:
  - Download Link #1
  - Download Link #2
- Right-click on AdwCleaner.exe and choose Run as administrator;
- Click on Option and put a tick mark on everything;
- Click on Scan and let the program run unhindered;
- When done, click on Clean and allow the system to reboot after it is done;
- A log will be opened automatically after the restart. If not, it is located in C:\AdwCleaner\AdwCleaner[CX].txt, where X is replaced with a number;
- Attach the contents of this log in your reply.


Step #2: Fix with FRST
Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
- Open Notepad.exe. Do not use any other text editor software;
- Copy and paste the contents inside the code-box to your Notepad:

Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
Hosts:
C:\ProgramData\msgjvcdoz.exe
HKU\S-1-5-21-3343954158-2557708410-4277959189-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3343954158-2557708410-4277959189-1001\...\Policies\Explorer: [] 
HKU\S-1-5-21-3343954158-2557708410-4277959189-1001\...\MountPoints2: {16ce5c89-87c7-11e5-bf20-1c3e84aba3fc} - "G:\Lenovo_Suite.exe" 
HKU\S-1-5-21-3343954158-2557708410-4277959189-1001\...\MountPoints2: {2190c6a3-fe23-11e2-be72-1c3e84aba3fc} - "E:\Startme.exe" 
HKU\S-1-5-21-3343954158-2557708410-4277959189-1001\...\MountPoints2: {82e897bf-767b-11e5-bf1d-1c3e84aba3fc} - "E:\LG_PC_Programs.exe" 
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3343954158-2557708410-4277959189-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
AlternateDataStreams: C:\ProgramData\Temp:A1EDB939 [116]
CMD: bitsadmin /reset /allusers
End

- Click on File > Save as…
  - Inside the File Name box type fixlist.txt
  - From the Save as type drop-down list, choose All Files
  - Save the file to your Desktop;
- Re-run FRST.exe and click Fix;
  - Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
- After the completion, a log will be produced;
- Attach the log in your next reply.


Required Log(s):
- AdwCleaner Log
- FRST Fix Log

Regards,
Valinorum

Should I follow these steps?
The warning never popped up again.
Shall I copy paste the text in the box as it is?
What about these?
“G:\Lenovo_Suite.exe”
“E:\Startme.exe”
“E:\LG_PC_Programs.exe”
Where did they come from?
Thank you and sorry for all those questions!!

Hey MariosRethymno, please follow the instructions from Valinorum. Even if you have no popup from Avast, that does not mean you're clean. Valinorum will answer any question you have when he returns again later today.

Should I follow these steps?
I advise you to do so.
Shall I copy paste the text in the box as it is?
Yes.
What about these? "G:\Lenovo_Suite.exe" "E:\Startme.exe" "E:\LG_PC_Programs.exe" Where did they come from?
Orphaned registry entries from previous installation.
Thank you and sorry for all those questions!!
You are welcome and no worries. Stay curious. ;)

Regards,
Valinorum

Valinorum thank you very much!! I am very sorry for the delay in posting, but I do not have that computer, I am doing all the work remotely via Teamviewer!!
I will send you the required logs as soon as my friend and her computer become available again!!

Acknowledged.

After a long time, I’m back with the laptop and some bad news…maybe!!
When I run AdwCleaner and hit Scan, I get 2 errors: one that says something about EVP_CIPHER_CTX_set_padding that couldn't be found in C:\Users\user\AppData\Local\Temp\sqlite3.dll, and one that says SQLite3.dll cannot be loaded.
I provide the 2 screenshots, but the first is in Greek.
Is the SQLite3.dll missing? Should I get that somehow? What should I do? Thank you in advance!!

Hey again MariosRethymno, did you run the FRST fix Valinorum has done for you? If so, please attach it here. There are other tools that can be run instead of AdwCleaner, but wait for further instruction from Valinorum.