I was in regeditor and noticed for the second time that a new unfamiliar key had been added to it
(I had seen it once before, and deleted it) or so I thought.
Not long ago I got hit by a rogue antivirus scanner (XPantivirus); somehow it got on and started
scanning (no permission required apparently) and since then I have had 1 other scare, but not as
bad as the first. After restoring the system to an earlier checkpoint everything seems to be better,
but I just found the weird key again in my register and was wondering if anyone could shed some light
on what it is, and why it keeps coming back to haunt my computer. Will it strike again or what?
The key is called onemorekey (subkey) options and goes as follows:
Key Name: HKEY_CURRENT_USER\Software\OneMoreKey\Options
Class Name:
Last Write Time: 3/9/2008 - 4:52 PM
Value 0
Name: Aff
Type: REG_SZ
Data: 880155
Value 11
Name: BillingUrlApproved2
Type: REG_SZ
Data:
Value 12
Name: LastRun
Type: REG_SZ
Data: 3/9/2008
Value 13
Name: SecurityVector
Type: REG_SZ
Data: 22222222222222222222222222222222222222222222222222222222222222222
Value 14
Name: Scans
Type: REG_SZ
Data: 1
Value 15
Name: LastScan
Type: REG_SZ
Data: 09.03.2008 16:48:46
It looks to me like one URL is pointing to a site where you have to order or you're stuck, which I do
remember popping up frequently and not being able to go anywhere else.
Should I delete the entire key again?
If you can shed any light my way it would be much appreciated!
Thanks much!
BK
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:22 AM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Was looking through the register again and found yet another key in
HKEY_USERS\S-1-5-21-725345543-1563985344-1957994488-1004\Software\OneMoreKey\Options
Key Name: HKEY_USERS\S-1-5-21-725345543-1563985344-1957994488-1004\Software\OneMoreKey\Options
Class Name:
Last Write Time: 3/9/2008 - 4:52 PM
Value 0
Name: Aff
Type: REG_SZ
Data: 880155
Ok, ran Superantispyware and it seemed to do the trick! It found 48 different items and quarantined
them all. Then I deleted them all… seemed pretty harmless to wipe em out. I was wanting to ask also
about Windows Defender (which I also have)… from what I gather it's not too smart to run more than
1 resident scanner at once? (Super Anti is currently set to not use the resident scanner.) Which is best?
(WDefender dropped the ball on this one I guess.) I
haven't installed the other one yet… it has a resident scanner also, should I?
Thanks for all the help micky77 and pondus! whew… I feel a lot better now…
The versions of Super Anti-Spyware (SAS) and MalwareBytes Anti-Malware (MBAM) that you were provided are free.
For both of these apps, you have to pay a one-time fee in order to use their resident protection. Most forum members recommend these as a secondary and tertiary scanner. Having SAS and MBAM on your computer (the free versions) will not cause problems.
As far as I know both applications have good resident protection. So it's up to you to choose which you wish to activate (pay the one-time fee).
In terms of WDefender, you can leave it running. It's light on system resources and doesn't conflict with other security programs.
WOW,
Thanks confused... (although you don't seem all that confused to me).... That's good info to
know.
Will check into a subscription for one or the other.. In the meantime I did install Malwarebytes
and ran it and found yet more stuff and deleted it.. hope that was cool?
Malwarebytes' Anti-Malware 1.36
Database version: 1966
Windows 5.1.2600 Service Pack 3
4/11/2009 11:51:25 AM
mbam-log-2009-04-11 (11-51-08).txt
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\OneMoreKey (Rogue.Installer) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) → No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
Folders Infected:
C:\Documents and Settings\BK\Application Data\AdwareAlert (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\BK\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\BK\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) → No action taken.
C:\Program Files\DomPlayer (Trojan.Lop) → No action taken.
Files Infected:
C:\Documents and Settings\BK\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\BK\Application Data\AdwareAlert\Log\2008 Mar 09 - 10_51_08 PM_914.log (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\BK\Application Data\AdwareAlert\Log\2008 Mar 09 - 10_51_16 PM_144.log (Rogue.AdwareAlert) → No action taken.
C:\Documents and Settings\BK\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) → No action taken.
(although I don't know why it says No Action Taken for all of them now, when it said they were
deleted? does that cost too?) (now I'm confused)
Run MBAM again and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry, leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected, click that and the items will be removed.
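The distinction the reply above draws (detected versus actually removed) can be checked mechanically from the log text. The following is an added example, not code from the thread or from Malwarebytes: it parses the MBAM 1.x log layout quoted above (MBAM writes the separator as "->") and lists every detection still marked "No action taken." The sample log is constructed from the entries in the thread.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and list detections
that were reported but not removed ("No action taken.")."""
import re
from collections import defaultdict

# Constructed sample in the MBAM 1.x log layout, built from the thread's detections.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1966

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\OneMoreKey (Rogue.Installer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\DomPlayer (Trojan.Lop) -> No action taken.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\)"                  # key/path, then detection family
    r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))?"  # present only for registry data items
    r" -> (?P<status>.+)$"                                     # what MBAM did with it
)

def parse_mbam_log(text):
    """Return {section: [entry dicts]}; header lines and '(No malicious items detected)' are skipped."""
    entries = defaultdict(list)
    section = None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        if section is None or not line or line.startswith("("):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["section"] = section
            entries[section].append(entry)
    return dict(entries)

def pending_removals(text):
    """Detections the scan found but did not remove; these need a re-scan plus 'Remove Selected'."""
    return [e for sec in parse_mbam_log(text).values() for e in sec
            if e["status"].startswith("No action taken")]
```

Run `pending_removals(SAMPLE_LOG)` to get the three entries that still need removing; for a real log, read the file with `open(path, encoding="utf-8", errors="replace").read()` instead of the sample.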