> Antichrist virus
Ertan
post 17.02.2008 15:09
Post #1


Newbie
*

Group: Members
Posts: 7
Joined: 17.02.2008




Greetings. I have picked up the Antichrist virus (which was detected as "Worm.Win32.AutoRun.cny" by Kaspersky Internet Security 7).
I have Windows XP (SP2) and every time I start up Windows it shows me this message:


After that my Firefox (which is my default browser) opens itself and shows me this page:


Last night I started a scan of "My Computer" and Kaspersky Internet Security 7 found this:

deleted: virus Worm.Win32.AutoRun.cny File: J:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\sys.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\WINDOWS\system32\sys.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\WINDOWS\shell.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\WINDOWS\vxds.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\WINDOWS\Help\hlps.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\WINDOWS\media\wma.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\sys.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041326.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041328.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041329.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041330.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041334.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041345.exe
deleted: virus Worm.Win32.AutoRun.cny File: D:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\sys.exe
deleted: virus Worm.Win32.AutoRun.cny File: G:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\sys.exe


C is my primary partition (where my Windows XP is installed) and D and G are two other partitions on my hard disk. The J drive is my flash disk, from which I picked up this virus.

As you can see in the report, Kaspersky deleted this virus, but when I restart my computer the message and page (which I have posted before) are shown again. And not just that. When I try to access any of my hard disk partitions from "My Computer" it shows me a message: "Access denied". Although I can access all of my partitions and the files on them normally (so far) from "Windows Explorer" and "Total Commander".

I scanned "Critical areas" this morning, but Kaspersky didn't find anything.

I found very little about this virus on the net and nothing on this forum. So, can someone help me? How can I remove this virus from my computer? Thank you in advance.
Lucian Bara
post 17.02.2008 15:12
Post #2


True legend
***************

Group: Moderators
Posts: 52487
Joined: 28.01.2006
From: Timisoara, Romania




hello
post a combofix log please: http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Ertan
post 17.02.2008 16:04
Post #3


Newbie
*

Group: Members
Posts: 7
Joined: 17.02.2008




Here is the ComboFix log:
QUOTE
ComboFix 08-02-17.2 - Ertan Ljajic 2008-02-17 13:28:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.525 [GMT 1:00]
Running from: C:\Documents and Settings\Ertan Ljajic\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Autorun.inf
G:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://au.downõj
hxxp:/
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 02:23 . 2008-02-17 02:53 <DIR> d-ahs---- C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
2008-02-17 01:11 . 2008-02-17 02:26 4,190 --ahs---- C:\WINDOWS\system32\OEMLOGO.BMP
2008-02-17 01:11 . 2008-02-17 02:26 917 --ahs---- C:\WINDOWS\system32\blank.htm
2008-02-17 01:11 . 2008-02-17 02:26 392 --ahs---- C:\WINDOWS\system32\OEMINFO.INI
2008-02-16 13:00 . 2008-02-17 13:51 15,430,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-16 13:00 . 2008-02-17 13:45 213,716 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-16 13:00 . 2008-02-17 13:50 13,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-16 13:00 . 2008-02-17 13:45 4,364 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-16 12:55 . 2008-02-16 16:15 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-16 12:55 . 2008-02-16 12:55 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-16 12:53 . 2008-02-16 12:53 81,701 --a------ C:\WINDOWS\system32\drivers\klif.cab
2008-02-16 12:52 . 2008-02-16 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-02-14 02:04 . 2008-02-14 02:04 <DIR> d-------- C:\Program Files\Mobipocket.com
2008-02-14 02:04 . 2008-02-14 02:04 <DIR> d-------- C:\Program Files\Common Files\Mobipocket Shared
2008-02-13 13:28 . 2008-02-13 13:48 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-10 13:23 . 2008-02-10 13:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 00:06 . 2008-02-10 00:31 <DIR> d-------- C:\Program Files\DiskInternals
2008-02-06 01:03 . 2008-02-06 01:03 <DIR> d-------- C:\Program Files\Lonely Cat Games
2008-02-05 21:43 . 2008-02-05 21:43 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-02-05 21:41 . 2008-02-05 21:41 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-02-05 21:40 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-02-05 21:40 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-02-05 21:40 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-02-05 21:40 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-02-05 21:40 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-02-03 02:11 . 2008-02-03 02:11 <DIR> d-------- C:\Program Files\Symbian OS Tools
2008-02-03 02:11 . 2008-02-03 02:11 <DIR> d-------- C:\Program Files\Common Files\Symbian
2008-02-03 01:13 . 2008-02-03 01:13 77 --------- C:\www.symbiansigned.com
2008-02-01 19:57 . 2008-02-01 19:57 <DIR> d-------- C:\Documents and Settings\Ertan Ljajic\Application Data\GARMIN
2008-02-01 19:31 . 2008-02-01 19:32 <DIR> d-------- C:\Garmin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 12:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 11:57 --------- d-----w C:\Program Files\Kaspersky Lab
2008-02-14 16:56 --------- d-----w C:\Program Files\Cerience
2008-02-11 19:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 22:04 --------- d-----w C:\Program Files\GoldWave
2008-02-05 20:43 --------- d-----w C:\Program Files\Nokia
2008-02-05 20:42 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-05 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-02-03 23:58 --------- d-----w C:\Documents and Settings\Ertan Ljajic\Application Data\uTorrent
2008-02-02 11:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-02 09:53 --------- d-----w C:\Documents and Settings\Ertan Ljajic\Application Data\Nokia
2008-02-01 01:17 --------- d-----w C:\Documents and Settings\Ertan Ljajic\Application Data\PC Suite
2008-01-20 12:11 --------- d-----w C:\Program Files\Planplus
2007-12-22 15:50 --------- d-----w C:\Documents and Settings\Ertan Ljajic\Application Data\MySQL
2007-12-18 16:27 --------- d-----w C:\Program Files\netbeans-5.5.1
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-17 23:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-07 12:22 737,280 ----a-w C:\WINDOWS\iun6002.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28 139264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 21:48 68856]
"blank"="C:\WINDOWS\system32\blank.htm" [2008-02-17 02:26 917]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-11-03 23:48 94208]
"SoundMan"="SOUNDMAN.EXE" [2004-12-17 06:19 73728 C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-17 03:55 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-17 03:55 688218]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-08-06 16:48 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-08-06 16:52 356352]
"NB Probe"="C:\Program Files\ASUS\NB Probe\NBProbe.exe" [2004-12-08 10:09 765952]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34 213936]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 02:36 36975]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-16 21:42 185896]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-01-12 14:37 491520]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]
"blank"="C:\WINDOWS\system32\blank.htm" [2008-02-17 02:26 917]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"LegalNoticeCaption"="[Antichrist]"
"LegalNoticeText"="[Day of judgment]"
"LogonPrompt"="[Day of judgment]"
"Welcome"="[Antichrist]"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-08-06 16:48 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RepliGo Assistant]
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-17 21:48 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2004-05-17 16:11]
R1 cpuidlep;CpuIdle Pro System Driver;C:\WINDOWS\system32\drivers\cpuidlep.sys [2007-02-28 00:11]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys []
S3 IBMWAS6Service - localhostNode01;IBM WebSphere Application Server V6 - localhostNode01;"C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS6Service []
S3 Tomcat5;Apache Tomcat;"C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" [2007-03-05 16:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b60d702-f7d8-11db-a9e8-0012f006f003}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 13:50:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\wudfhost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-02-17 13:58:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 12:58:33
.
2008-02-16 03:27:37 --- E O F ---
Lucian Bara
post 17.02.2008 16:23
Post #4


True legend
***************

Group: Moderators
Posts: 52487
Joined: 28.01.2006
From: Timisoara, Romania




Open regedit
and navigate to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon.
On the right side delete the "LogonPrompt" and "Welcome" values, and set the "LegalNoticeText" and "LegalNoticeCaption" values to blank (double-click them and delete the text).
Then delete the following key: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2 and import this into the registry (double-click the reg file): http://dougknox.com/xp/fileassoc/xp_drive_...ciation_fix.zip
Download SuperAntiSpyware and perform a full scan with it too: http://www.superantispyware.com/ Remove the detected items.


Ertan
post 17.02.2008 16:56
Post #5


Newbie
*

Group: Members
Posts: 7
Joined: 17.02.2008




I'm downloading SuperAntiSpyware and then I will do what you told me to do.
One more thing: I have noticed a file "Internet Explorer" on my Desktop which was created after I ran ComboFix. When I click "right click - Properties" it opens the window "Internet properties" with "file:///C:/WINDOWS/system32/blank.htm" as the homepage. What should I do with this file? I haven't opened Internet Explorer since I got this virus and I didn't double-click on this file "Internet Explorer" on my Desktop.
Lucian Bara
post 17.02.2008 17:47
Post #6


True legend
***************

Group: Moderators
Posts: 52487
Joined: 28.01.2006
From: Timisoara, Romania




It's normal; ComboFix resets some of the policies. You can choose to use blank as the homepage, for example.


Ertan
post 17.02.2008 18:35
Post #7


Newbie
*

Group: Members
Posts: 7
Joined: 17.02.2008




@Lucian Bara, first I would like to thank you very much for helping me.

I have done everything you have told me to do. The message "Antichrist - Day of judgment" disappeared, but Firefox still opens "file:///C:/WINDOWS/system32/blank.htm" on Windows startup. Also, when I started installing SuperAntiSpyware (free version) I noticed that the fields for "Name" and "Organisation" were filled with the "Antichrist" value. SuperAntiSpyware detected that someone or something is trying to change the home page for Internet Explorer (trying to set it to: "file:///C:/WINDOWS/system32/blank.htm"), but I disabled this.

It seems that this virus and its legacy are pretty hard to remove. That's why it is so odd that there is very little information about this virus on the internet.

This post has been edited by Ertan: 17.02.2008 18:38
Lucian Bara
post 17.02.2008 18:47
Post #8


True legend
***************

Group: Moderators
Posts: 52487
Joined: 28.01.2006
From: Timisoara, Romania




For the blank.htm on Windows startup, open msconfig through Start > Run > msconfig, go to the Startup tab and uncheck "blank".
Did SuperAntiSpyware detect anything during the scan?


Ertan
post 17.02.2008 19:28
Post #9


Newbie
*

Group: Members
Posts: 7
Joined: 17.02.2008




Unchecking the "blank" field worked. Also, now I can access my hard disk partitions from My Computer too. Thank you very much.

SuperAntiSpyware quarantined 44 items in "Adaware.Tracking Cookie". All those items were located in "C:\Documents and Settings\Ertan Ljajic\Cookies" so I don't think that any of them refer to the Antichrist virus. But if you want I can post all 44 items here.

SuperAntiSpyware additionally detected 3 more threats during scanning, but I forgot to see which threats those were and I can't find any report about that scan now. But I can tell you that those 3 threats were of a different kind from those 44 which had been quarantined. Those 3 threats were removed by SuperAntiSpyware too.
Ertan
post 17.02.2008 19:32
Post #10


Newbie
*

Group: Members
Posts: 7
Joined: 17.02.2008




Now I'm scanning my computer again and SuperAntiSpyware again detects those 3 threats I mentioned in my previous post. The Threat Description is: "Trojan.Unlassified/Loader-Suspicious".
Ertan
post 17.02.2008 19:44
Post #11


Newbie
*

Group: Members
Posts: 7
Joined: 17.02.2008




This "Trojan.Unlassified/Loader-Suspicious" refers to my JCreator.
dawgg
post 17.02.2008 23:45
Post #12


Forum Elite
**************

Group: Moderators
Posts: 6828
Joined: 6.04.2006
From: London




QUOTE(Ertan @ 17.02.2008 16:44)
This "Trojan.Unlassified/Loader-Suspicious" refers to my JCreator.

If you think it's referring to a legitimate file, it may be a false positive on SuperAntiSpyware's behalf.
SAS's name for the file is a generic/heuristic name, so the chance of it being a false positive is slightly higher.
werooz
post 5.03.2008 08:07
Post #13


Newbie
*

Group: Members
Posts: 1
Joined: 5.03.2008




And delete HKEY_CURRENT_USER\Software\Microsoft\Command Processor\autorun with this value:
"dir /s *.exe && TITLE [Day of judgment] && COLOR AC && CLS && ECHO [Antichrist]"

This command executes each time you run the command prompt and searches .exe files and adds "Day of judgment" to them, like Internet Explorer.
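
A read-only check for the autostart locations named in this thread (the "blank" Run entry, the Winlogon notice values, MountPoints2 and the Command Processor AutoRun value), as an added example that is not part of any post. It works on a regedit export rather than the live registry; the sample export, the function names and the list of executable extensions are constructed for illustration. A non-empty legal notice can also be a legitimate logon banner, so each finding is an item to review.

```python
import re

# Constructed sample in regedit export form, modelled on the values quoted in this thread.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"blank"="C:\\WINDOWS\\system32\\blank.htm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="[Antichrist]"
"LegalNoticeText"="[Day of judgment]"
"LogonPrompt"="[Day of judgment]"
"Welcome"="[Antichrist]"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="dir /s *.exe && TITLE [Day of judgment] && COLOR AC && CLS && ECHO [Antichrist]"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8b60d702-f7d8-11db-a9e8-0012f006f003}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe"
'''

# Matches  "name"="data"  and  @="data"  (string values only), allowing \\ and \" escapes.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')
# Assumption: extensions treated as "a program" for the Run-key check.
EXECUTABLE_EXT = ('.exe', '.com', '.bat', '.cmd', '.scr', '.pif')


def parse_reg(text):
    """Return {lower-cased key path: {lower-cased value name: unescaped string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = '@' if m.group(1) == '@' else m.group(2)
            current[name.lower()] = re.sub(r'\\(.)', r'\1', m.group(3))
    return keys


def audit(keys):
    """Return sorted (check, key, value name) findings for the locations discussed above."""
    findings = []
    for key, values in keys.items():
        if key.endswith(r'\currentversion\run'):
            for name, data in values.items():
                # A Run entry pointing at a document is opened by its handler (here, the browser).
                if not any(ext in data.lower() for ext in EXECUTABLE_EXT):
                    findings.append(('run-non-executable', key, name))
        elif key.endswith(r'\windows nt\currentversion\winlogon'):
            for name in ('legalnoticecaption', 'legalnoticetext', 'logonprompt', 'welcome'):
                if values.get(name):  # non-empty text shown at logon
                    findings.append(('winlogon-banner', key, name))
        elif key.endswith(r'\microsoft\command processor') and values.get('autorun'):
            findings.append(('cmd-autorun', key, 'autorun'))  # runs at every cmd.exe start
        elif '\\mountpoints2\\' in key and key.endswith(r'\command') and values.get('@'):
            findings.append(('mountpoints2-autorun', key, '@'))  # cached drive autorun verb
    return sorted(findings)


if __name__ == '__main__':
    for check, key, name in audit(parse_reg(SAMPLE_REG)):
        print(f'{check:22} {key} -> {name}')
```
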
reject
post 17.03.2008 17:38
Post #14


Newbie
*

Group: Members
Posts: 1
Joined: 17.03.2008




I have the same problem. I did everything that is said, and the first time I restart nothing appears, but the next time the welcome note and the page in firefox are back.
dave16
post 17.03.2008 17:51
Post #15


Advanced Member
****

Group: Members
Posts: 269
Joined: 17.03.2008
From: Massachusetts, USA




QUOTE(reject @ 17.03.2008 10:38)
I have the same problem. I did everything that is said, and the first time I restart nothing appears, but the next time the welcome note and the page in firefox are back.

Did you try a safe mode scan?