
Some kind of japanese malware


  • This topic is locked
5 replies to this topic

#1 JamieCampos

JamieCampos

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 24 October 2017 - 12:33 PM

I was visiting some Japanese websites to view manga images. I noticed later a file in my download folder. Foolishly, I clicked on it, and watched in horror as it installed something.

Now, every 5 minutes a window pops up with Japanese porno on it.

I saved the original file, and have it zipped up. It seems to be a self-executing zip file in exe format.

When I log on to the computer, I can see a Windows command window open and doing something. There is a file listed in 'applications' running, and I am unable to terminate it.

I can see nothing unusual in HijackThis logs or Malwarebytes scans.

The file infected a non-privileged account, and the administrator account is not infected.

Attached are two screenshots, one of the pop-up window, and one of the task manager.

I was unable to upload the 7-zip file that includes the original executable that I ran to get infected; it was rejected, however I can email it.

Jamie


#2 JamieCampos

JamieCampos
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 24 October 2017 - 04:36 PM

Here is an update:

Apparently the extracted files create a registry entry that runs an HTML application.

The registry entry: HKU\S-1-5-21-6372259613-1446327078-3904827135-1003\Software\Microsoft\CurrentVersion\Run\webkirin

will execute C:\ProgramData\kirin\MPM4P73S.bat

which will start "MSHTA MP4P73S.d", which is a local web page with obfuscated JavaScript that lazy-loads content from Japan or China.

Deleting the registry entries and the folder (C:\ProgramData\kirin) should fix this.


Edited by JamieCampos, 24 October 2017 - 04:36 PM.
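As an added example (not code from this thread), a small Python triage over constructed Run-key values and batch-file content modelled on the chain JamieCampos describes: a logon entry that launches a script from a user-writable directory, and a batch file that hands mshta a file whose extension is not .hta (mshta runs the file regardless of extension). The value name and paths are the ones reported in the post; the benign Run entries and the batch lines other than the MSHTA call are assumptions.

```python
import re

# Constructed sample of values under a user's Run key
# (HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run).
# "webkirin" is the entry from the post; the other two are made-up benign ones.
SAMPLE_RUN_ENTRIES = {
    "webkirin": r"C:\ProgramData\kirin\MPM4P73S.bat",
    "Greenshot": r'"C:\Program Files\Greenshot\Greenshot.exe"',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}

# Constructed content of the .bat the Run value points at; the post only states
# that it starts "MSHTA MP4P73S.d", the other lines are assumed.
SAMPLE_BAT = "@echo off\r\ncd /d C:\\ProgramData\\kirin\r\nMSHTA MP4P73S.d\r\n"

SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1"}
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

def first_token(command):
    """Program part of a Run-key command, quotes stripped ('' if empty)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""

def run_entry_reasons(command):
    """Heuristic flags for one Run-key command; an empty list means no flag."""
    low = first_token(command).lower()
    fname = low.rsplit("\\", 1)[-1]
    ext = fname[fname.rfind("."):] if "." in fname else ""
    reasons = []
    if ext in SCRIPT_EXT:
        reasons.append(f"script launched at logon ({ext})")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("program lives in a user-writable directory")
    if "mshta" in low:
        reasons.append("mshta.exe started directly from Run key")
    return reasons

def triage(entries):
    """Name -> reasons for every Run entry that trips at least one heuristic."""
    return {n: run_entry_reasons(c) for n, c in entries.items() if run_entry_reasons(c)}

# One batch line that invokes mshta (bare name or full path) with one argument.
MSHTA_RE = re.compile(r'(?im)^\s*(?:"?[^"\s]*mshta(?:\.exe)?"?)\s+("[^"]+"|\S+)')

def mshta_targets(batch_text):
    """(target, odd_extension) for each mshta call found in a batch file."""
    out = []
    for m in MSHTA_RE.finditer(batch_text):
        target = m.group(1).strip('"')
        out.append((target, not target.lower().endswith(".hta")))
    return out
```

Running `triage(SAMPLE_RUN_ENTRIES)` flags only `webkirin`, and `mshta_targets(SAMPLE_BAT)` reports `MP4P73S.d` with the odd-extension flag set.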


#3 satchfan

satchfan

  • Malware Response Team
  • 2,863 posts
  • ONLINE
  • Gender:Female
  • Location:Devon, UK
  • Local time:01:59 AM

Posted 24 October 2017 - 04:59 PM

Hello JamieCampos and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please follow these instructions in the order given.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.


  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste the log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

Logs to include with next post:

AdwCleaner log
JRT.txt
Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#4 JamieCampos

JamieCampos
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 25 October 2017 - 07:16 AM

I already solved this.

Deleting the registry entries and the folder (C:\ProgramData\kirin) fixed this.


Edited by JamieCampos, 25 October 2017 - 07:17 AM.


#5 satchfan

satchfan

  • Malware Response Team
  • 2,863 posts
  • ONLINE
  • Gender:Female
  • Location:Devon, UK
  • Local time:01:59 AM

Posted 25 October 2017 - 07:51 AM

Thanks for letting me know.

It's possible that there is more than just that, so if you'd like a check then please run the scans, but if I don't hear from you within 24 hours then I'll close the topic as 'solved'.

Satchfan




#6 satchfan

satchfan

  • Malware Response Team
  • 2,863 posts
  • ONLINE
  • Gender:Female
  • Location:Devon, UK
  • Local time:01:59 AM

Posted 26 October 2017 - 07:48 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
