XPantivirus?? HELP!

[bk]

Hi All,

 I was in regeditor and noticed for the second time that a new unfamilar key had been added to it
(i had seen it once before, and deleted it) or so I thought.
Not long ago I got hit my a rogue antivirus scanner (XPantivirus),  some how got on and started
scanning (no permission required apparently) and since then I have had 1 other scare, but not as
bad as the first. After restoring the system to a earlier checkpoint everything seems to be better,
but just found the weird key again in my register and was wondering if anyone could shed some light
on what it is? and why it keeps coming back to haunt my computer. Will it strike again or what?

the key is called onemorekey (subkey) options and goes as follows:

Key Name:          HKEY_CURRENT_USER\Software\OneMoreKey\Options
Class Name:        <NO CLASS>
Last Write Time:   3/9/2008 - 4:52 PM
Value 0
  Name:            Aff
  Type:            REG_SZ
  Data:            880155

Value 1
  Name:            FirstRunUrl
  Type:            REG_SZ
  Data:            http://xpantivirus.com/firstrun.php?product=%product%&aff=%aff%&update=%update%

Value 2
  Name:            AfterRegisterUrl
  Type:            REG_SZ
  Data:            http://xpantivirus.com/confirm.php?product=%product%&aff=%aff%&email=%email%&update=%update%&cookie_type=%cookie_type%&cookie=%cookie%

Value 3
  Name:            LabelUrl
  Type:            REG_SZ
  Data:           

Value 4
  Name:            TermsUrl
  Type:            REG_SZ
  Data:            http://xpantivirus.com/terms.php

Value 5
  Name:            HelpURL
  Type:            REG_SZ
  Data:            http://xpantivirus.com/help.php

Value 6
  Name:            BillingURL
  Type:            REG_SZ
  Data:            http://xpantivirus.com/license.php?Email=%email%&AffiliateID=%aff%

Value 7
  Name:            BillingUrlApproved
  Type:            REG_SZ
  Data:           

Value 8
  Name:            TransactionKey
  Type:            REG_SZ
  Data:            XsHrUGEutblgVFNM

Value 9
  Name:            BillingRegURL
  Type:            REG_SZ
  Data:            http://xpantivirus.com/order_xp.php?ver=%aff%

Value 10
  Name:            BillingURL2
  Type:            REG_SZ
  Data:           

Value 11
  Name:            BillingUrlApproved2
  Type:            REG_SZ
  Data:           

Value 12
  Name:            LastRun
  Type:            REG_SZ
  Data:            3/9/2008

Value 13
  Name:            SecurityVector
  Type:            REG_SZ
  Data:            22222222222222222222222222222222222222222222222222222222222222222

Value 14
  Name:            Scans
  Type:            REG_SZ
  Data:            1

Value 15
  Name:            LastScan
  Type:            REG_SZ
  Data:            09.03.2008 16:48:46

 It looks to me like one url is pointing to a site where you have to order or your stuck!, which i do
remember popping up frequently and not being able to go anywhere else.
 Should I deleted the etire key again?
  If you can shed any light my way it would be much appreciated!
    Thanks much!
        BK

[bk]

Hi Again,

 This is a logfile from hijackthis....   

 Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:22 AM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.att.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202135110446
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202136599130
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5543/mcfscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: IomegaAccess -  Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

--
End of file - 4719 bytes

   Maybe this will help??   thanks!

[micky77]

Do a scan with MBAM, it will find any keys infected with xpantivirus.Also modify the links you have posted, hxxp instead of http

http://filehippo.com/download_malwarebytes_anti_malware/

[Pondus]

Jepp MBAM and SuperantiSpyware  http://filehippo.com/download_superantispyware/

[bk]

 
 Thanks for the quick response Micky77 and Pondus........

 Was looking through the register again and found yet another key in
 HKEY_USERS\S-1-5-21-725345543-1563985344-1957994488-1004\Software\OneMoreKey\Options
 
 Key Name:          HKEY_USERS\S-1-5-21-725345543-1563985344-1957994488-1004\Software\OneMoreKey\Options
Class Name:        <NO CLASS>
Last Write Time:   3/9/2008 - 4:52 PM
Value 0
  Name:            Aff
  Type:            REG_SZ
  Data:            880155

Value 1
  Name:            FirstRunUrl
  Type:            REG_SZ
  Data:            http://xpantivirus.com/firstrun.php?product=%product%&aff=%aff%&update=%update%

Value 2
  Name:            AfterRegisterUrl
  Type:            REG_SZ
  Data:            http://xpantivirus.com/confirm.php?product=%product%&aff=%aff%&email=%email%&update=%update%&cookie_type=%cookie_type%&cookie=%cookie%

Value 3
  Name:            LabelUrl
  Type:            REG_SZ
  Data:           

Value 4
  Name:            TermsUrl
  Type:            REG_SZ
  Data:            http://xpantivirus.com/terms.php

Value 5
  Name:            HelpURL
  Type:            REG_SZ
  Data:            http://xpantivirus.com/help.php

Value 6
  Name:            BillingURL
  Type:            REG_SZ
  Data:            http://xpantivirus.com/license.php?Email=%email%&AffiliateID=%aff%

Value 7
  Name:            BillingUrlApproved
  Type:            REG_SZ
  Data:           

Value 8
  Name:            TransactionKey
  Type:            REG_SZ
  Data:            XsHrUGEutblgVFNM

Value 9
  Name:            BillingRegURL
  Type:            REG_SZ
  Data:            http://xpantivirus.com/order_xp.php?ver=%aff%

Value 10
  Name:            BillingURL2
  Type:            REG_SZ
  Data:           

Value 11
  Name:            BillingUrlApproved2
  Type:            REG_SZ
  Data:           

Value 12
  Name:            LastRun
  Type:            REG_SZ
  Data:            3/9/2008

Value 13
  Name:            SecurityVector
  Type:            REG_SZ
  Data:            22222222222222222222222222222222222222222222222222222222222222222

Value 14
  Name:            Scans
  Type:            REG_SZ
  Data:            1

Value 15
  Name:            LastScan
  Type:            REG_SZ
  Data:            09.03.2008 16:48:46

 don't know how I missed it before, anyways thanks alot! and will do as you both suggested.

             bk

[bk]

 
  Ok, ran Superantispyware and it seemed to do the trick! found 48 different items and quarintined

  them all. Then I deleted them all.... seemed pretty harmless to wipe em out. I was wanting to ask also
  about Windows defender (which I also have).. from what I gather it's not to smart to run more than
  1 resident scanner at once? (super anti is currently set to not use resident scanner). which is best?>
  (Wdefender dropped the ball on this one I guess). I
  haven't installed the other one yet.. it has a resident scanner also, should I?

  Thanks for all the help micky77 and pondus! whew..... I feel alot better now...

 

[Confused Computer User]

The versions of Super Anti-Spyware (SAS) and MalwareBytes Anti-Malware (MBAM) that you were provided are free.

For both these apps. you have to pay a one time fee in order to use their resident protection. Most forum members recommend these as a secondary and tertiary scanner. Having SAS and MBAM on your computer (the free versions) will not cause problems.

As far as I know both applications have a god resident protection. So up to you to choose which you wish to activate (pay the one time fee)

In terms of Wdefender, you can leave it running. It's light on system resources and doesn't conflict with other security programs.

[bk]

    WOW,

     Thanks confused... (although you don't seem all that confused to me).... Thats good info to
     know.
     Will check into a subscription for one or the other.. In the meantime i did install Malewarebytes
     and ran it and found yet more stuff and deleted it.. hope that was cool?

     Malwarebytes' Anti-Malware 1.36
Database version: 1966
Windows 5.1.2600 Service Pack 3

4/11/2009 11:51:25 AM
mbam-log-2009-04-11 (11-51-08).txt

Scan type: Quick Scan
Objects scanned: 79867
Time elapsed: 12 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\OneMoreKey (Rogue.Installer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Documents and Settings\BK\Application Data\AdwareAlert (Rogue.AdwareAlert) -> No action taken.
C:\Documents and Settings\BK\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> No action taken.
C:\Documents and Settings\BK\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> No action taken.
C:\Program Files\DomPlayer (Trojan.Lop) -> No action taken.

Files Infected:
C:\Documents and Settings\BK\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> No action taken.
C:\Documents and Settings\BK\Application Data\AdwareAlert\Log\2008 Mar 09 - 10_51_08 PM_914.log (Rogue.AdwareAlert) -> No action taken.
C:\Documents and Settings\BK\Application Data\AdwareAlert\Log\2008 Mar 09 - 10_51_16 PM_144.log (Rogue.AdwareAlert) -> No action taken.
C:\Documents and Settings\BK\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> No action taken.
   (although i don't know why it says No Action Taken for all of them now, when it said they were
     deleted? does that cost too?) (now I'm confused)

    Thanks!
       bk

[DavidR]

Run MBAM again and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry, leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected, click that and the items will be removed.

[Confused Computer User]

    WOW,

     Thanks confused... (although you don't seem all that confused to me).... Thats good info to
     know.
     Will check into a subscription for one or the other.. In the meantime i did install Malewarebytes
     and ran it and found yet more stuff and deleted it.. hope that was cool?

Just follow DavidR's instructions.

   
   (although i don't know why it says No Action Taken for all of them now, when it said they were
     deleted? does that cost too?) (now I'm confused)

The removal of malware is free. The fee only applies for resident or real-time protection. (that's it that's all)