WinAntiVirusPro

Category: Adware and PUAs
Type: Unspecified PUA
Protection available since: 19 Jun 2006 00:00:00 (GMT)
Last Updated: 22 Feb 2008 23:01:16 (GMT)

WinAntiVirusPro is an Anti-Virus application which may exaggerate threats on the user's computer in an attempt to coerce the user into buying the full version.

WinAntiVirusPro may impair performance of the Windows firewall and some other security-related Microsoft applications.

The default installation location is:

<Program Files>\WinAntiVirus Pro 2006

When WinAntiVirusPro is installed the following files and folders are typically created (the contents of new folders are not listed):

<User>\Application Data\WinSoftware
<User>\Application Data\WinSoftware\WinAntiVirus Pro 2006
<Desktop>\WinAntiVirus Pro 2006.lnk
<Start Menu\Programs>\WinAntiVirus Pro 2006
<User>\Activate.log
<User>\FileAccess.log
<User>\Application Data\WinAntiVirus Pro 2006
<User>\Cookies\user@www.winantivirus[?].txt
<User>\Cookies\user@www.winsoftware[?].txt
<Temp>\WA6PSetup.exe
<Common Files>\WinAntiVirus Pro 2006
<Program Files>\WinAntiVirus Pro 2006
<System>\stera.exe
<System>\drivers\FOPN.sys
<System>\drivers\vspf_hk5.sys
<System>\drivers\vspf5.sys

where ? is a digit 0 - 9.

New versions of the following legitimate files may be installed:

<System>\atl71.dll
<System>\av.cpl
<System>\mfc71.dll
<System>\msvcp71.dll
<System>\SpOrder.dll

The following registry entry is created to run WinAV.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinAntiVirusPro2006
<Program Files>\WinAntiVirus Pro 2006\WinAV.exe

The file vspf_hk5.sys is registered as a new system driver service named "vspf_hk", with a display name of "vspf_hk". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk

The file vspf5.sys is registered as a new system driver service named "vspf", with a display name of "vspf". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\vspf

The file FWSvc.exe is registered as a new file system driver service named "FWSvc", with a display name of "Firewall service". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\FWSvc

The file FOPN.sys is registered as a new file system driver service named "FOPN", with a display name of "FOPN". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\FOPN

The files WAPPChk.dll, AVAutoplay.exe, iefwbho.dll, WAV6COM.dll and winpgi.dll are registered as COM objects, creating registry entries under:

HKCR\CLSID\{85C99188-BEFD-4c61-A54B-5D7CB0204C1E}
HKCR\CLSID\{723D54C7-7483-4EB8-8EED-CE5B2AEA534D}
HKCR\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4}
HKCR\CLSID\{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}
HKCR\CLSID\{0903FECD-7F7A-4790-A819-A3CE08416732}
HKCR\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F}
HKCR\CLSID\{B5141620-C2B2-4d95-9F0F-134D99C87AB0}
HKCR\WinPGIntegrator.IEIntegrator
HKCR\WinPGIntegrator.IEIntegrator.1
HKCR\WAPPChk.WAPPChk
HKCR\WAPPChk.WAPPChk.1
HKCR\AVExplorer.ShellExtension
HKCR\AVExplorer.ShellExtension.2
HKCR\AntiVirusCOM.AVOfficeProtect
HKCR\AntiVirusCOM.AVOfficeProtect.1
HKCR\IEFWBHO.IEFW
HKCR\IEFWBHO.IEFW.2

The files iefwbho.dll and winpgi.dll are registered as Browser Helper Objects (BHOs) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}

The file MailScan.dll is registered as a layered service provider (LSP), creating and modifying registry entries in the Winsock 2 system configuration database under:

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters

Note: the LSP chain should only be repaired by experienced individuals or under expert guidance.

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Program Files>\WinAntiVirus Pro 2006\WinAV.exe
<Program Files>\WinAntiVirus Pro 2006\WinAV.exe:*:Enabled:winav.exe

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Program Files>\WinAntiVirus Pro 2006\Updater.exe
<Program Files>\WinAntiVirus Pro 2006\Updater.exe:*:Enabled:updater.exe

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Program Files>\WinAntiVirus Pro 2006\Support.exe
<Program Files>\WinAntiVirus Pro 2006\Support.exe:*:Enabled:support.exe

WinAntiVirusPro sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1

HKCR\WAVAutoPlay.AVAutoPlay\shell\Play\DropTarget
CLSID
{0903FECD-7F7A-4790-A819-A3CE08416732}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\WAVAutoPlay
DefaultIcon
<Program Files>\WinAntiVirus Pro 2006\WinAV.exe,0

HKCR\Drive\shellex\ContextMenuHandlers\ShellExtension
(Default)
{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}

HKCR\Directory\shellex\ContextMenuHandlers\ShellExtension
(Default)
{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}

HKCR\*\shellex\ContextMenuHandlers\ShellExtension
(Default)
{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}

Registry entries are created under:

HKCU\Software\WinAntiVirus Pro 2006
HKLM\SOFTWARE\WinAntiVirus Pro 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WA6P_is1

WinAntiVirusPro provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel.

The software is listed as "WinAntiVirus Pro 2006".
