Summary
Summary
More Information
| Affected operating systems | Windows |
|---|---|
| Protection available since | 20 June 2006 08:52:23 (GMT) |
| Last updated | 3 June 2008 01:56:27 (GMT) |
| Detected by | Sophos Anti-Virus for Windows, version 7, and PureMessage for Microsoft Exchange. |
More Information
- Summary
- More Information
WinAntiVirusPro is an Anti-Virus application which may exaggerate threats on the user's computer in an attempt to coerce the user into buying the full version.
WinAntiVirusPro may impair performance of the Windows firewall and some other security related Miscrosoft applications.
The default installation location is:
<Program Files>\WinAntiVirus Pro 2006
When WinAntiVirusPro is installed the following files and folders are typically created (the contents of new folders are not listed):
<User>\Application Data\WinSoftware
<User>\Application Data\WinSoftware\WinAntiVirus Pro 2006
<Desktop>\WinAntiVirus Pro 2006.lnk
<Start Menu\Programs>\WinAntiVirus Pro 2006
<User>\Activate.log
<User>\FileAccess.log
<User>\Application Data\WinAntiVirus Pro 2006
<User>\Cookies\user@www.winantivirus[?].txt
<User>\Cookies\user@www.winsoftware[?].txt
<Temp>\WA6PSetup.exe
<Common Files>\WinAntiVirus Pro 2006
<Program Files>\WinAntiVirus Pro 2006
<System>\stera.exe
<System>\drivers\FOPN.sys
<System>\drivers\vspf_hk5.sys
<System>\drivers\vspf5.sys
where ? is a digit 0 - 9.
New versions of the following legitimate files may be installed:
<System>\atl71.dll
<System>\av.cpl
<System>\mfc71.dll
<System>\msvcp71.dll
<System>\SpOrder.dll
The following registry entry is created to run WinAV.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinAntiVirusPro2006
<Program Files>\WinAntiVirus Pro 2006\WinAV.exe
The file vspf_hk5.sys is registered as a new system driver service named "vspf_hk", with a display name of "vspf_hk". Registry entries
are created under:
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk
The file vspf5.sys is registered as a new system driver service named "vspf", with a display name of "vspf". Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\vspf
The file FWSvc.exe is registered as a new file system driver service named "FWSvc", with a display name of "Firewall service". Registry
entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\FWSvc
The file FOPN.sys is registered as a new file system driver service named "FOPN", with a display name of "FOPN". Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\FOPN
The files WAPPChk.dll, AVAutoplay.exe, iefwbho.dll, WAV6COM.dll and winpgi.dll are registered as COM objects, creating registry entries under:
HKCR\CLSID\{85C99188-BEFD-4c61-A54B-5D7CB0204C1E}
HKCR\CLSID\{723D54C7-7483-4EB8-8EED-CE5B2AEA534D}
HKCR\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4}
HKCR\CLSID\{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}
HKCR\CLSID\{0903FECD-7F7A-4790-A819-A3CE08416732}
HKCR\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F}
HKCR\CLSID\{B5141620-C2B2-4d95-9F0F-134D99C87AB0}
HKCR\WinPGIntegrator.IEIntegrator
HKCR\WinPGIntegrator.IEIntegrator.1
HKCR\WAPPChk.WAPPChk
HKCR\WAPPChk.WAPPChk.1
HKCR\AVExplorer.ShellExtension
HKCR\AVExplorer.ShellExtension.2
HKCR\AntiVirusCOM.AVOfficeProtect
HKCR\AntiVirusCOM.AVOfficeProtect.1
HKCR\WinPGIntegrator.IEIntegrator
HKCR\WinPGIntegrator.IEIntegrator.1
HKCR\WAPPChk.WAPPChk.1
HKCR\WAPPChk.WAPPChk
HKCR\AVExplorer.ShellExtension.2
HKCR\AVExplorer.ShellExtension
HKCR\AntiVirusCOM.AVOfficeProtect.1
HKCR\AntiVirusCOM.AVOfficeProtect
HKCR\IEFWBHO.IEFW
HKCR\IEFWBHO.IEFW.2
The files iefwbho.dll and winpgi.dll are registered as Browser Helper Objects (BHOs) for Microsoft Internet Explorer, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}
The file MailScan.dll is registered as a layered service provider (LSP), creating and modifying registry entries in the Winsock 2
system configuration database under:
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
Note: the LSP chain should only be repaired by experienced individuals or under expert guidance.
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Program Files>\WinAntiVirus Pro 2006\WinAV.exe
<Program Files>\WinAntiVirus Pro 2006\WinAV.exe:*:Enabled:winav.exe
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Program Files>\WinAntiVirus Pro 2006\Updater.exe
<Program Files>\WinAntiVirus Pro 2006\Updater.exe:*:Enabled:updater.exe
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Program Files>\WinAntiVirus Pro 2006\Support.exe
<Program Files>\WinAntiVirus Pro 2006\Support.exe:*:Enabled:support.exe
WinAntiVirusPro sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKCR\WAVAutoPlay.AVAutoPlay\shell\Play\DropTarget
CLSID
{0903FECD-7F7A-4790-A819-A3CE08416732}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\WAVAutoPlay
DefaultIcon
<Program Files>\WinAntiVirus Pro 2006\WinAV.exe,0
HKCR\Drive\shellex\ContextMenuHandlers\ShellExtension
(Default)
{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}
HKCR\Directory\shellex\ContextMenuHandlers\ShellExtension
(Default)
{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}
HKCR\*\shellex\ContextMenuHandlers\ShellExtension
(Default)
{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}
Registry entries are created under:
HKCU\Software\WinAntiVirus Pro 2006
HKLM\SOFTWARE\WinAntiVirus Pro 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WA6P_is1
WinAntiVirusPro provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel.
The software is listed as "WinAntiVirus Pro 2006".
|
