
Chinese malware


This topic is locked
12 replies to this topic

#1 szakala (Members, 9 posts)

Posted 26 October 2016 - 05:04 PM

Hi,

I have this problem with my computer that it keeps on installing new programs. Some of them are chinese. There are some changes in my browsers too. For example mylucky123 as a search engine. Please find my logs attached. Thank you in advance.

Attached Files




#2 szakala (Topic Starter)

Posted 27 October 2016 - 02:33 PM

Up



#3 nasdaq (Malware Response Team, 39,254 posts, Montreal, QC, Canada)

Posted 28 October 2016 - 10:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Hosts:

HKU\S-1-5-18\...\Run: [] => 0
HKLM\...\Providers\25zww50t: C:\_\local64spl.dll
HKLM\...\Providers\50zpsas3: C:\\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\638fs7ol: D:\Web Development_\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\9f88yy9f: D:\Dokumenty_\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\aq4cax80: D:\Torrenty_\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\t3mjc97d: D:\Web Development\\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\va97s1dx: D:\Torrenty\\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\veyjbtt3: D:\Dokumenty\\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\yvs3ud5b: D:\Gry\\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\zr52og7w: D:\Gry_\local64spl.dll [142848 2016-10-25] ()
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  No File
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1828617473-2846505221-2361362635-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
FF ProfilePath: C:\Users\Szymon\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\u2ez73io.default\Profiles\u2ez73io.default [not found]
FF Homepage: Mozilla\Firefox\Profiles\u2ez73io.default -> hxxp://www.mylucky123.com/?type=hp&ts=1477468201&z=d92f435a30c17fe9829f944g5zam5mez0qab1o3e4c&from=interhop1024&uid=HGSTXHTS545050A7E680_TMA55C4T0595BL0595BLX
CHR HomePage: ChromeDefaultData -> hxxp://www.mylucky123.com/?type=hp&ts=1477468201&z=d92f435a30c17fe9829f944g5zam5mez0qab1o3e4c&from=interhop1024&uid=HGSTXHTS545050A7E680_TMA55C4T0595BL0595BLX
CHR StartupUrls: ChromeDefaultData -> "hxxp://www.mylucky123.com/?type=hp&ts=1477468201&z=d92f435a30c17fe9829f944g5zam5mez0qab1o3e4c&from=interhop1024&uid=HGSTXHTS545050A7E680_TMA55C4T0595BL0595BLX"
CHR DefaultSearchURL: ChromeDefaultData -> hxxp://www.mylucky123.com/search/?type=ds&ts=1477468201&z=d92f435a30c17fe9829f944g5zam5mez0qab1o3e4c&from=interhop1024&uid=HGSTXHTS545050A7E680_TMA55C4T0595BL0595BLX&q={searchTerms}
CHR DefaultSearchKeyword: ChromeDefaultData -> mylucky123
CHR Profile: C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2016-10-26] <==== ATTENTION
CHR Extension: (Platnosci w sklepie Chrome Web Store) - C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-20]
CHR Extension: (Chrome Media Router) - C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-20]
CHR Extension: (Platnosci w sklepie Chrome Web Store) - C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-18]
CHR Extension: (Chrome Media Router) - C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-10]
R2 Archer; C:\Program Files (x86)\WinArcher\Archer.dll [337920 2016-10-26] () [File not signed]
R2 WinSAPSvc; C:\ProgramData\WinSAPSvc\WinSAP.dll [218624 2016-10-26] () [File not signed]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {8BCF5675-C3C0-4DFB-A028-8860B3BA481A} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
C:\Windows\AutoKMS
C:\_\local64spl.dll
C:\\local64spl.dll
D:\Web Development_\local64spl.dll
D:\Dokumenty_\local64spl.dll
D:\Torrenty_\local64spl.dll
D:\Web Development\\local64spl.dll
D:\Torrenty\\local64spl.dll
D:\Dokumenty\\local64spl.dll
D:\Gry\\local64spl.dll
C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
C:\Program Files (x86)\WinArcher
C:\ProgramData\WinSAPSvc

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Please let me know what problem persists with this computer.
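
The fixlist above removes four kinds of persistence: random-named print provider entries loading local64spl.dll, two unsigned DLL services (Archer, WinSAPSvc), the AutoKMS scheduled task, and the browser hijack. The following PowerShell script is an added example, not part of the original thread and not part of FRST, for checking after the fix and reboot that none of these survived, and for sweeping every fixed drive by file name rather than by the odd folder paths the log shows. It assumes that the FRST "HKLM\...\Providers" lines correspond to the print provider key HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers, and that win32spl.dll and inetpp.dll are the stock providers there; the service and task names are taken from the fixlist.

```powershell
# Added example (not part of the original thread or of FRST): verify that the
# persistence points the fixlist targets are gone, then sweep every fixed drive
# for leftover local64spl.dll* files. Run from an elevated PowerShell 5.1+ prompt
# on the affected machine after the FRST fix and the reboot.
# Assumptions: the FRST "HKLM\...\Providers" lines map to the print provider key
# below, and win32spl.dll / inetpp.dll are the stock Windows providers there.

$providerKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers'
$knownProviders  = @('win32spl.dll', 'inetpp.dll')   # assumed stock providers
$suspectServices = @('Archer', 'WinSAPSvc')          # service names from the fixlist
$suspectTasks    = @('AutoKMS')                      # task name from the fixlist
$filePattern     = 'local64spl.dll*'                 # catches the .dll and its .dll.ini

function Get-SignatureState {
    # Authenticode status of a file ('Valid', 'NotSigned', ...), or 'missing'.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    return (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Print providers. Stock entries name a DLL that lives in System32; the
#    fixlist shows randomly named subkeys pointing at absolute paths on C: and D:.
Get-ChildItem -Path $providerKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Name
    if (-not $dll) { return }
    $full  = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\System32" $dll }
    $stock = $knownProviders -contains ([IO.Path]::GetFileName($dll).ToLower())
    $findings.Add([PSCustomObject]@{
        Kind = 'PrintProvider'; Item = $_.PSChildName; Path = $full
        Signature  = Get-SignatureState $full
        Suspicious = (-not $stock) -or ($full -notlike "$env:SystemRoot\System32\*")
    })
}

# 2. Services. Both fixlist entries are DLL services hosted by svchost, so the
#    payload path is Parameters\ServiceDll; fall back to ImagePath otherwise.
#    The service key still existing is itself a finding.
foreach ($svc in $suspectServices) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { continue }
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { $dll = (Get-ItemProperty -Path $key).ImagePath }
    $dll = [Environment]::ExpandEnvironmentVariables("$dll")
    $findings.Add([PSCustomObject]@{ Kind = 'Service'; Item = $svc; Path = $dll
                                     Signature = Get-SignatureState $dll; Suspicious = $true })
}

# 3. Scheduled tasks. Check the Task Scheduler entry and the legacy .job file,
#    because the fixlist lists both forms for AutoKMS.
foreach ($task in $suspectTasks) {
    $t = Get-ScheduledTask -TaskName $task -ErrorAction SilentlyContinue
    if ($t) {
        $findings.Add([PSCustomObject]@{ Kind = 'ScheduledTask'; Item = $task
                                         Path = (($t.Actions | ForEach-Object Execute) -join '; ')
                                         Signature = 'n/a'; Suspicious = $true })
    }
    $job = Join-Path $env:SystemRoot "Tasks\$task.job"
    if (Test-Path -LiteralPath $job) {
        $findings.Add([PSCustomObject]@{ Kind = 'TaskJobFile'; Item = $task; Path = $job
                                         Signature = 'n/a'; Suspicious = $true })
    }
}

# 4. File sweep by name across every fixed drive. Fixlist paths such as
#    "D:\Torrenty\\local64spl.dll" next to "D:\Torrenty_\local64spl.dll" show why
#    hand-typed paths miss copies: enumerate instead of guessing directories.
$drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object DeviceID
foreach ($d in $drives) {
    Get-ChildItem -LiteralPath "$d\" -Recurse -Force -File -Filter $filePattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([PSCustomObject]@{ Kind = 'File'; Item = $_.Name; Path = $_.FullName
                                             Signature = Get-SignatureState $_.FullName; Suspicious = $true })
        }
}

# 5. Report only the suspicious rows. Run once after the fix and once after the
#    next reboot; anything that comes back means a loader survived.
$bad = @($findings | Where-Object { $_.Suspicious })
if ($bad.Count -eq 0) {
    Write-Host 'Clean: no suspicious print providers, services, tasks or local64spl files.'
} else {
    $bad | Sort-Object Kind, Path | Format-Table Kind, Item, Signature, Path -AutoSize
}
```

Run it twice: once right after FRST reports the fix, and again after the reboot. The second run is the one that matters, since a print provider DLL is loaded by the spooler service at start-up and a surviving loader would recreate the files then.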

#4 szakala (Topic Starter)

Posted 28 October 2016 - 11:49 AM

Sadly there are still some local64spl.dll files in many different locations.

Attached Files



#5 nasdaq (Malware Response Team)

Posted 28 October 2016 - 12:44 PM

Please run the Farbar Recovery Scan Tool. Enter local64spl.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

#6 szakala (Topic Starter)

Posted 28 October 2016 - 01:01 PM

The list is empty but the files are still on my HDD. Please find a photo attached as proof.

Attached Files



#7 nasdaq (Malware Response Team)

Posted 28 October 2016 - 01:07 PM

Search for this file.

local64spl.dll.ini



#8 szakala (Topic Starter)

Posted 28 October 2016 - 01:10 PM

There are not only ini files.

Attached Files



#9 nasdaq (Malware Response Team)

Posted 29 October 2016 - 08:26 AM

 
One file but distributed in 2 folders.
 
Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start
 
CloseProcesses:
 
C:\local64spl.dll.ini
C:\_\local64spl.dll.ini
 
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.
 
Run FRST and click Fix only once and wait.
 
Restart the computer normally to reset the registry.
 
The tool will create a log (Fixlog.txt) please post it to your reply.
===
 
 
If all is well.
 
To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.


#10 szakala (Topic Starter)

Posted 29 October 2016 - 08:53 AM

So what about the other local64spl files on partition D? Do I remove them the same way as you did on partition C? Or maybe I should scan the system once again so you can check what else is worth closing.

 

Thank you.

Attached Files


Edited by szakala, 29 October 2016 - 09:04 AM.


#11 nasdaq (Malware Response Team)

Posted 29 October 2016 - 10:24 AM


The fixlog showed that these files were moved/deleted.

D:\Web Development_\local64spl.dll => moved successfully
D:\Dokumenty_\local64spl.dll => moved successfully
D:\Torrenty_\local64spl.dll => moved successfully
D:\Web Development\\local64spl.dll => moved successfully
D:\Torrenty\\local64spl.dll => moved successfully
D:\Dokumenty\\local64spl.dll => moved successfully
D:\Gry\\local64spl.dll => moved successfully


If that is not the case, or you have others, delete them.

Restart the computer normally.

Check to see if they return.

#12 szakala (Topic Starter)

Posted 29 October 2016 - 10:51 AM

Thank you very much for your time and help.



#13 nasdaq (Malware Response Team)

Posted 30 October 2016 - 07:53 AM

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/



