Chinese malware

Hi,

I have this problem with my computer that it keeps on installing new programs. Some of them are chinese. There are some changes in my browsers too. For example mylucky123 as a search engine. Please find my logs attached. Thank you in advance.

Up

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Hosts:

HKU\S-1-5-18\...\Run: [] => 0
HKLM\...\Providers\25zww50t: C:\_\local64spl.dll
HKLM\...\Providers\50zpsas3: C:\\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\638fs7ol: D:\Web Development_\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\9f88yy9f: D:\Dokumenty_\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\aq4cax80: D:\Torrenty_\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\t3mjc97d: D:\Web Development\\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\va97s1dx: D:\Torrenty\\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\veyjbtt3: D:\Dokumenty\\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\yvs3ud5b: D:\Gry\\local64spl.dll [142848 2016-10-25] ()
HKLM\...\Providers\zr52og7w: D:\Gry_\local64spl.dll [142848 2016-10-25] ()
ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  No File
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1828617473-2846505221-2361362635-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
FF ProfilePath: C:\Users\Szymon\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\u2ez73io.default\Profiles\u2ez73io.default [not found]
FF Homepage: Mozilla\Firefox\Profiles\u2ez73io.default -> hxxp://www.mylucky123.com/?type=hp&ts=1477468201&z=d92f435a30c17fe9829f944g5zam5mez0qab1o3e4c&from=interhop1024&uid=HGSTXHTS545050A7E680_TMA55C4T0595BL0595BLX
CHR HomePage: ChromeDefaultData -> hxxp://www.mylucky123.com/?type=hp&ts=1477468201&z=d92f435a30c17fe9829f944g5zam5mez0qab1o3e4c&from=interhop1024&uid=HGSTXHTS545050A7E680_TMA55C4T0595BL0595BLX
CHR StartupUrls: ChromeDefaultData -> "hxxp://www.mylucky123.com/?type=hp&ts=1477468201&z=d92f435a30c17fe9829f944g5zam5mez0qab1o3e4c&from=interhop1024&uid=HGSTXHTS545050A7E680_TMA55C4T0595BL0595BLX"
CHR DefaultSearchURL: ChromeDefaultData -> hxxp://www.mylucky123.com/search/?type=ds&ts=1477468201&z=d92f435a30c17fe9829f944g5zam5mez0qab1o3e4c&from=interhop1024&uid=HGSTXHTS545050A7E680_TMA55C4T0595BL0595BLX&q={searchTerms}
CHR DefaultSearchKeyword: ChromeDefaultData -> mylucky123
CHR Profile: C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2016-10-26] <==== ATTENTION
CHR Extension: (Platnosci w sklepie Chrome Web Store) - C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-20]
CHR Extension: (Chrome Media Router) - C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-20]
CHR Extension: (Platnosci w sklepie Chrome Web Store) - C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-18]
CHR Extension: (Chrome Media Router) - C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-10]
R2 Archer; C:\Program Files (x86)\WinArcher\Archer.dll [337920 2016-10-26] () [File not signed]
R2 WinSAPSvc; C:\ProgramData\WinSAPSvc\WinSAP.dll [218624 2016-10-26] () [File not signed]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {8BCF5675-C3C0-4DFB-A028-8860B3BA481A} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
C:\Windows\AutoKMS
C:\_\local64spl.dll
C:\\local64spl.dll
D:\Web Development_\local64spl.dll
D:\Dokumenty_\local64spl.dll
D:\Torrenty_\local64spl.dll
D:\Web Development\\local64spl.dll
D:\Torrenty\\local64spl.dll
D:\Dokumenty\\local64spl.dll
D:\Gry\\local64spl.dll
C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Szymon\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
C:\Program Files (x86)\WinArcher
C:\ProgramData\WinSAPSvc

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Please let me know what problem persists with this computer.

Sadly there are still some local64spl.dll files in many different locations.

Please run the Farbar Recovery Scan Tool. Enter local64spl.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

The list is empty but files are still on my HDD. Please find photo as a proof attached.

Search for this file.

local64spl.dll.ini

There are not only ini files.

So what about other local64spl files on partition D? Do I remove them the same way as you did it on partition C? Or maybe should I scan the system once again so you can check what else is worth closing.

 

Thank you.

Edited by szakala, 29 October 2016 - 09:04 AM.

The fixlog showed that these files were moved/deleted.

D:\Web Development_\local64spl.dll => moved successfully
D:\Dokumenty_\local64spl.dll => moved successfully
D:\Torrenty_\local64spl.dll => moved successfully
D:\Web Development\\local64spl.dll => moved successfully
D:\Torrenty\\local64spl.dll => moved successfully
D:\Dokumenty\\local64spl.dll => moved successfully
D:\Gry\\local64spl.dll => moved successfully

If not the case or you have others delete them.

Restart the computer normally.

Check to see if they return.

Thank you very much for your time and help.

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/