
Japanese Porn Malware

This is a discussion on Japanese Porn Malware within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.

Old 10-24-2017, 11:29 AM   #1
jamiecampos
Registered Member
Join Date: Oct 2017
Posts: 2
OS: Windows-7

I was visiting some Japanese websites to view manga images. I noticed later a file in my download folder. Foolishly, I clicked on it, and watched in horror as it installed something.

Now, every 5 minutes a window pops up with Japanese porno on it.

I saved the original file, and have it zipped up. It seems to be a self-executing zip file in exe format.

When I log on to the computer, I can see a Windows command box (black box) open and doing something. There is a file listed in 'applications' with no name that I am unable to terminate.

I can see nothing unusual in HijackThis logs or Malwarebytes scans.

The file infected a non-privileged account, and the administrator account is not infected.

Attached are two screen shots, one of the pop-up window, and one of the task manager.

I was unable to upload the 7-zip file that includes the original executable that I ran to get infected; it was rejected, however I can email it.

Jamie

[IMG]hxxp://uploads.im/0JIZF.png[/IMG]
[IMG]hxxp://uploads.im/UDhqr.png[/IMG]
Old 10-24-2017, 02:40 PM   #2
jamiecampos
Registered Member
Join Date: Oct 2017
Posts: 2
OS: Windows-7

Here is an update:

Apparently the extracted files create a registry entry that runs an HTML application.

The registry entry: HKU\S-1-5-21-6372259613-1446327078-3904827135-1003\Software\Microsoft\CurrentVersion\Run\webkirin

will execute C:\ProgramData\kirin\MPM4P73S.bat

which will start "MSHTA MP4P73S.d", which is a local web page with obfuscated JavaScript that lazy-loads content from Japan or China.

Deleting the registry entries and the folder (C:\ProgramData\kirin) should fix this.
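As an added example (not code from the thread or from any tool named in it), the persistence chain jamiecampos describes can be turned into a small triage routine for exported Run-key data: it flags Run values that start a script from under ProgramData and, for batch files, checks whether they hand a file with a non-.hta extension to mshta. The `read_file` callback, the sample Run values and the batch contents below are constructed; a live check would feed it values read from `HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run` (the standard per-user key) via `winreg` or `reg query`.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Heuristics taken from the chain in post #2: a per-user Run value that launches
# a .bat under C:\ProgramData, and a batch file that passes a file with a
# disguised (non-.hta) extension to mshta.exe.
MSHTA_RE = re.compile(r'\bmshta(?:\.exe)?\b\s+"?([^"\s]+)', re.IGNORECASE)
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1"}

def launched_path(command):
    """First token of a Run command line, with surrounding quotes removed."""
    parts = shlex.split(command, posix=False)   # posix=False keeps backslashes
    return PureWindowsPath(parts[0].strip('"')) if parts else None

def mshta_target(batch_text):
    """Return the file a batch script hands to mshta, or None if it never does."""
    m = MSHTA_RE.search(batch_text)
    return PureWindowsPath(m.group(1)) if m else None

def triage_run_entry(name, command, read_file):
    """Score one Run value. read_file(path_str) is a hypothetical callback that
    returns the file's text or None, so the check works on exported data too."""
    reasons, artifacts = [], []
    path = launched_path(command)
    if path is not None:
        ext = path.suffix.lower()
        if ext in SCRIPT_EXTS:
            reasons.append(f"Run value starts a script ({ext}) instead of an executable")
        if "programdata" in (p.lower() for p in path.parts):
            reasons.append("target lives under ProgramData, a common drop location")
        if ext in {".bat", ".cmd"}:
            text = read_file(str(path))
            target = mshta_target(text) if text else None
            if target is not None:
                reasons.append(f"batch file launches mshta on {target}")
                if target.suffix.lower() != ".hta":
                    reasons.append("mshta target uses a disguised extension")
                artifacts.append(str(target))
        if reasons:  # what to remove: the script, its mshta payload, its folder
            artifacts.insert(0, str(path))
            artifacts.append(str(path.parent))
    return {"name": name, "command": command, "reasons": reasons, "artifacts": artifacts}

def triage_run_entries(run_values, read_file):
    """Keep only the Run values that tripped at least one heuristic."""
    hits = [triage_run_entry(n, c, read_file) for n, c in run_values.items()]
    return [h for h in hits if h["reasons"]]

SAMPLE_RUN = {  # constructed sample; "webkirin" mirrors the value named in post #2
    "webkirin": r"C:\ProgramData\kirin\MPM4P73S.bat",
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_FILES = {  # constructed batch contents, not the real dropper's
    r"C:\ProgramData\kirin\MPM4P73S.bat": '@echo off\r\nstart "" mshta "C:\\ProgramData\\kirin\\MP4P73S.d"\r\n',
}
```

Running `triage_run_entries(SAMPLE_RUN, SAMPLE_FILES.get)` reports only `webkirin`, with the batch file, the `.d` payload and the `kirin` folder listed as artifacts to remove.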
Old 10-24-2017, 07:01 PM   #3
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • It also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 11-26-2017, 12:30 PM   #4
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------