Full Version: Antichrist virus
Kaspersky Lab Forum > English User Forum > Virus-related issues
Ertan
Greetings. I have picked up the Antichrist virus (which was detected as "Worm.Win32.AutoRun.cny" by Kaspersky Internet Security 7).
I have Windows XP (SP2) and every time I start up my Windows it shows me this message:


After that my Firefox (which is my default browser) opens itself and shows me this page:


Last night I started a scan of "My Computer" and Kaspersky Internet Security 7 found this:

deleted: virus Worm.Win32.AutoRun.cny File: J:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\sys.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\WINDOWS\system32\sys.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\WINDOWS\shell.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\WINDOWS\vxds.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\WINDOWS\Help\hlps.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\WINDOWS\media\wma.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\sys.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041326.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041328.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041329.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041330.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041334.exe
deleted: virus Worm.Win32.AutoRun.cny File: C:\System Volume Information\_restore{1169DCFB-DE31-4773-82E3-9150E115F5CF}\RP382\A0041345.exe
deleted: virus Worm.Win32.AutoRun.cny File: D:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\sys.exe
deleted: virus Worm.Win32.AutoRun.cny File: G:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\sys.exe


C is my primary partition (where my Windows XP is installed) and D and G are two other partitions on my hard disk. The J drive is my flash disk, from which I picked up this virus.

As you can see in the report, Kaspersky deleted this virus, but when I restart my computer the message and the page (which I posted above) are shown again. And not just that. When I try to access any of my hard disk partitions from "My Computer" it shows me the message "Access denied". However, I can access all of my partitions and the files on them normally (so far) from "Windows Explorer" and "Total Commander".

I scanned "Critical areas" this morning, but Kaspersky didn't find anything.

I found very little about this virus on the net and nothing on this forum. So, can someone help me? How can I remove this virus from my computer? Thank you in advance.
Lucian Bara
hello
post a combofix log please: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Ertan
Here is the ComboFix log
QUOTE
ComboFix 08-02-17.2 - Ertan Ljajic 2008-02-17 13:28:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.525 [GMT 1:00]
Running from: C:\Documents and Settings\Ertan Ljajic\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Autorun.inf
G:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://au.downõj
hxxp:/
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 02:23 . 2008-02-17 02:53 <DIR> d-ahs---- C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
2008-02-17 01:11 . 2008-02-17 02:26 4,190 --ahs---- C:\WINDOWS\system32\OEMLOGO.BMP
2008-02-17 01:11 . 2008-02-17 02:26 917 --ahs---- C:\WINDOWS\system32\blank.htm
2008-02-17 01:11 . 2008-02-17 02:26 392 --ahs---- C:\WINDOWS\system32\OEMINFO.INI
2008-02-16 13:00 . 2008-02-17 13:51 15,430,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-16 13:00 . 2008-02-17 13:45 213,716 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-16 13:00 . 2008-02-17 13:50 13,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-16 13:00 . 2008-02-17 13:45 4,364 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-16 12:55 . 2008-02-16 16:15 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-16 12:55 . 2008-02-16 12:55 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-16 12:53 . 2008-02-16 12:53 81,701 --a------ C:\WINDOWS\system32\drivers\klif.cab
2008-02-16 12:52 . 2008-02-16 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-02-14 02:04 . 2008-02-14 02:04 <DIR> d-------- C:\Program Files\Mobipocket.com
2008-02-14 02:04 . 2008-02-14 02:04 <DIR> d-------- C:\Program Files\Common Files\Mobipocket Shared
2008-02-13 13:28 . 2008-02-13 13:48 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-10 13:23 . 2008-02-10 13:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 00:06 . 2008-02-10 00:31 <DIR> d-------- C:\Program Files\DiskInternals
2008-02-06 01:03 . 2008-02-06 01:03 <DIR> d-------- C:\Program Files\Lonely Cat Games
2008-02-05 21:43 . 2008-02-05 21:43 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-02-05 21:41 . 2008-02-05 21:41 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-02-05 21:40 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-02-05 21:40 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-02-05 21:40 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-02-05 21:40 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-02-05 21:40 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-02-03 02:11 . 2008-02-03 02:11 <DIR> d-------- C:\Program Files\Symbian OS Tools
2008-02-03 02:11 . 2008-02-03 02:11 <DIR> d-------- C:\Program Files\Common Files\Symbian
2008-02-03 01:13 . 2008-02-03 01:13 77 --------- C:\www.symbiansigned.com
2008-02-01 19:57 . 2008-02-01 19:57 <DIR> d-------- C:\Documents and Settings\Ertan Ljajic\Application Data\GARMIN
2008-02-01 19:31 . 2008-02-01 19:32 <DIR> d-------- C:\Garmin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 12:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 11:57 --------- d-----w C:\Program Files\Kaspersky Lab
2008-02-14 16:56 --------- d-----w C:\Program Files\Cerience
2008-02-11 19:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 22:04 --------- d-----w C:\Program Files\GoldWave
2008-02-05 20:43 --------- d-----w C:\Program Files\Nokia
2008-02-05 20:42 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-05 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-02-03 23:58 --------- d-----w C:\Documents and Settings\Ertan Ljajic\Application Data\uTorrent
2008-02-02 11:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-02 09:53 --------- d-----w C:\Documents and Settings\Ertan Ljajic\Application Data\Nokia
2008-02-01 01:17 --------- d-----w C:\Documents and Settings\Ertan Ljajic\Application Data\PC Suite
2008-01-20 12:11 --------- d-----w C:\Program Files\Planplus
2007-12-22 15:50 --------- d-----w C:\Documents and Settings\Ertan Ljajic\Application Data\MySQL
2007-12-18 16:27 --------- d-----w C:\Program Files\netbeans-5.5.1
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-17 23:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-07 12:22 737,280 ----a-w C:\WINDOWS\iun6002.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28 139264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 21:48 68856]
"blank"="C:\WINDOWS\system32\blank.htm" [2008-02-17 02:26 917]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2004-11-03 23:48 94208]
"SoundMan"="SOUNDMAN.EXE" [2004-12-17 06:19 73728 C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-17 03:55 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-17 03:55 688218]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-08-06 16:48 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-08-06 16:52 356352]
"NB Probe"="C:\Program Files\ASUS\NB Probe\NBProbe.exe" [2004-12-08 10:09 765952]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34 213936]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 02:36 36975]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-16 21:42 185896]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-01-12 14:37 491520]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]
"blank"="C:\WINDOWS\system32\blank.htm" [2008-02-17 02:26 917]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"LegalNoticeCaption"="[Antichrist]"
"LegalNoticeText"="[Day of judgment]"
"LogonPrompt"="[Day of judgment]"
"Welcome"="[Antichrist]"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-08-06 16:48 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RepliGo Assistant]
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-17 21:48 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2004-05-17 16:11]
R1 cpuidlep;CpuIdle Pro System Driver;C:\WINDOWS\system32\drivers\cpuidlep.sys [2007-02-28 00:11]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys []
S3 IBMWAS6Service - localhostNode01;IBM WebSphere Application Server V6 - localhostNode01;"C:\Program Files\IBM\WebSphere\AppServer\bin\wasservice.exe" "IBMWAS6Service []
S3 Tomcat5;Apache Tomcat;"C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" [2007-03-05 16:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b60d702-f7d8-11db-a9e8-0012f006f003}]
\Shell\Auto\command - Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 13:50:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\wudfhost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-02-17 13:58:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 12:58:33
.
2008-02-16 03:27:37 --- E O F ---
Lucian Bara
open regedit.
and navigate to HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
on the right side delete the "LogonPrompt" and "Welcome" values. and set the "LegalNoticeText" and "LegalNoticeCaption" values to blank (double click them and delete the text).
then delete the following key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2 and import this into the registry (double click the reg file): http://dougknox.com/xp/fileassoc/xp_drive_...ciation_fix.zip
download superantispyware and perform a full scan with it too: http://www.superantispyware.com/ remove the detected items
Ertan
I'm downloading SuperAntiSpyware and then I will do what you told me to do.
One more thing: I have noticed a file "Internet Explorer" on my Desktop which was created after I ran ComboFix. When I right-click it and choose "Properties" it opens the "Internet properties" window with "file:///C:/WINDOWS/system32/blank.htm" as the homepage. What should I do with this file? I haven't opened Internet Explorer since I got this virus and I didn't double-click this "Internet Explorer" file on my Desktop.
Lucian Bara
it's normal, combofix resets some of the policies. you can choose to use blank as the homepage, for example.
Ertan
@Lucian Bara, first I would like to thank you very much for helping me

I have done everything you have told me to do. The message "Antichrist - Day of judgment" disappeared, but Firefox still opens "file:///C:/WINDOWS/system32/blank.htm" on Windows startup. Also, when I started installing SuperAntiSpyware (free version) I noticed that the "Name" and "Organisation" fields were filled with the value "Antichrist". SuperAntiSpyware detected that someone or something is trying to change the Home page for Internet Explorer (trying to set it to "file:///C:/WINDOWS/system32/blank.htm"), but I blocked this.

It seems that this virus and its legacy are pretty hard to remove. That's why it is so odd that there is very little information about this virus on the internet.
Lucian Bara
for the blank.htm on windows startup open msconfig through start>run>msconfig, go to the startup tab and uncheck "blank".
did superantispyware detect anything during the scan?
Ertan
Unchecking the "blank" field worked. Also, now I can access my hard disk partitions from My Computer too. Thank you very much.

SuperAntiSpyware quarantined 44 items in "Adaware.Tracking Cookie". All those items were located in "C:\Documents and Settings\Ertan Ljajic\Cookies", so I don't think any of them refer to the Antichrist virus. But if you want I can post all 44 items here.

SuperAntiSpyware additionally detected 3 more threats during scanning, but I forgot to check which threats those were and I can't find any report of that scan now. But I can tell you that those 3 threats were of a different kind from the 44 which were quarantined. Those 3 threats were removed too by SuperAntiSpyware.
Ertan
Now I'm scanning my computer again and SuperAntiSpyware again detected those 3 threats I mentioned in my previous post. The Threat Description is: "Trojan.Unlassified/Loader-Suspicious".
Ertan
This "Trojan.Unlassified/Loader-Suspicious" refers to my JCreator.
dawgg
QUOTE(Ertan @ 17.02.2008 16:44) *
This "Trojan.Unlassified/Loader-Suspicious" refers to my JCreator.

If you think it's referring to a legitimate file, it may be a False-Positive on SuperAntiSpyware's behalf.
SAS's name for the file is a generic/heuristic name, so the chance of it being a false-positive is slightly higher.
werooz
and delete HKEY_CURRENT_USER\Software\Microsoft\Command Processor\autorun with this value:
"dir /s *.exe && TITLE [Day of judgment] && COLOR AC && CLS && ECHO [Antichrist]"

this command executes each time you run the command prompt and searches for .exe files and adds "Day of judgment" to them, like Internet Explorer.
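As an added example (not code from the thread, from Kaspersky or from any of the posters), the PowerShell script below audits, read-only, the persistence points named in the posts above: the Winlogon notice strings, the "blank" Run entry, the cmd.exe AutoRun value werooz describes, the MountPoints2 shell commands and autorun.inf on drive roots. It assumes an elevated PowerShell session (PowerShell is an optional install on XP) and only reports, so it can be run after cleanup to confirm nothing came back.

```powershell
# Added example, not from the thread: a read-only audit of the persistence points the
# posts above name. It only reports; nothing is changed. Assumes an elevated PowerShell
# session (PowerShell is an optional install on XP). Paths are those from the ComboFix log.
$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Where, [string]$Name, $Value) {
    [void]$findings.Add((New-Object PSObject -Property @{
        Location = $Where; Name = $Name; Value = "$Value" }))
}

# 1. Winlogon notice/welcome strings: any non-empty value is shown to every user at logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($n in 'LegalNoticeCaption', 'LegalNoticeText', 'LogonPrompt', 'Welcome') {
    $v = (Get-ItemProperty -Path $winlogon -Name $n -ErrorAction SilentlyContinue).$n
    if ($v) { Add-Finding $winlogon $n $v }
}

# 2. Run keys: report entries whose target is not an .exe. The "blank" entry pointed at
#    blank.htm, which is why the default browser opened that page at every logon.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not a Run value
        if ("$($p.Value)" -notmatch '\.exe\b') { Add-Finding $run $p.Name $p.Value }
    }
}

# 3. cmd.exe AutoRun (werooz's post): executed on every command prompt start; normally absent.
foreach ($cp in 'HKLM:\SOFTWARE\Microsoft\Command Processor',
                'HKCU:\Software\Microsoft\Command Processor') {
    $v = (Get-ItemProperty -Path $cp -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($v) { Add-Finding $cp 'AutoRun' $v }
}

# 4. MountPoints2: Explorer's cached autorun handlers per drive; report every Shell command.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSPath -match '\\Shell\\[^\\]+\\command$' } |
    ForEach-Object {
        $cmd = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($cmd) { Add-Finding $_.PSPath '(default)' $cmd }
    }

# 5. autorun.inf in the root of every drive, the file the worm uses to spread between disks.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        Add-Finding $d.Root 'autorun.inf' ((Get-Content -LiteralPath $inf) -join ' | ')
    }
}

if ($findings.Count) { $findings | Format-Table Location, Name, Value -AutoSize -Wrap }
else { 'No entries found at the audited persistence points.' }
```

Legitimate software can also register non-.exe Run entries or MountPoints2 handlers, so treat each reported line as something to verify rather than as a confirmed infection.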
reject
I have the same problem. I did everything that was said, and the first time I restart nothing appears, but the next time the welcome note and the page in Firefox are back.
dave16
QUOTE(reject @ 17.03.2008 10:38) *
I have the same problem. I did everything that was said, and the first time I restart nothing appears, but the next time the welcome note and the page in Firefox are back.

Did you try a safe mode scan?