Undesired popups online 'winantiviruspro'

Guest

This is one such link I copy/paste that occurs, there are many others which
can cause a windows crash. I have tried Trend Micro and Popup Stopper
Professional and neither will stop this popup. I have also isolated the URLs
in Security Restricted Sites and that only works sometimes to tell me that a
site is trying to open another window and asks if I want to allow it or not.
Just what is this problem related to, spyware or a virus?

http://www.winantiviruspro.com/page...ResultsCT7DayVT1Day_4&ax=1&ex=1&ed=2&j=1&h=10

ALSO: I see that I am identified here as 'Michael @ Webwalking.info' and I
no longer use this site 'Webwalking.info' as it is closed so I need to make
changes.
 
Guest

In addition to the popup, an installation of the program attempts, several
popups occur changing windows to these messages which are identified as an IE
page but is a message box. Never click yes, just click the X to close the
popup as it would continue, shows webpage where the program originates, if
clicked then shows you have not scanned your computer, a virus could be
infecting it Do you want to scan your computer or not, clicking X the webpage
pops up then a message box to install the program occurs then clicking X
stops the installation. This goes through about 8 message boxes and three
webpages then you can go back to the webpage you were viewing before the
interruption. This morning it has now happened 18 times, I have the images of
the message boxes that asked to allow or not, "The current Web page is trying
to open a site on the Internet. Do you want to allow this?", which then gives
me an IP and then the Internet URL of the site.
 
Anonymous Bob

"Michael @ Webwalking.info"
In addition to the popup, an installation of the program attempts, several
popups occur changing windows to these messages which are identified as an IE
page but is a message box. Never click yes, just click the X to close the
popup as it would continue, shows webpage where the program originates, if
clicked then shows you have not scanned your computer, a virus could be
infecting it Do you want to scan your computer or not, clicking X the webpage
pops up then a message box to install the program occurs then clicking X
stops the installation. This goes through about 8 message boxes and three
webpages then you can go back to the webpage you were viewing before the
interruption. This morning it has now happened 18 times, I have the images of
the message boxes that asked to allow or not, "The current Web page is trying
to open a site on the Internet. Do you want to allow this?", which then gives
me an IP and then the Internet URL of the site.

It's possible you are just seeing an ad. Are the popups coming from just one
site?
If you were to download the program, you would be infected with a winfixer
variant.

http://msmvps.com/blogs/spywaresucks/archive/2007/04/25/877948.aspx

I believe superantispyware has a good track record on removing this
infection:
http://www.superantispyware.com/definition/awvtu/

I would also recommend the use of the MVPS hosts file:
http://www.mvps.org/winhelp2002/hosts.htm

Bob Vanderveen
 
Guest

Several installs of different anti virus programs centered on removing
spyware and virus all of which are not desired, plus sites of advertising and
general sites that give news info and sites that are blogs. Should the
registry keys be deleted then look for the files installed and try to delete
them offline mode so they cannot be downloaded again. In the registry I find

Default value [PCheck Class] UWAP7.PCheck.1

C:\Program Files\Common Files\WinAntiVirus Pro 2007\WAPChk.dll

KEY:
HKEY_CLASSES_ROOT\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\ProgID

[Default] value UWAP7.PCheck.1

HKEY_CLASSES_ROOT\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\VersionIndependentProgID

[Default] value

So it could be possible this program has installed again unknowingly, else
it's just not completely removed by Trend Micro.

The same program file appears at this registry key.

HKEY_CLASSES_ROOT\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\0\win32

and has a folder link at this Reg Key.

HKEY_CLASSES_ROOT\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\HELPDIR

another is REG_BINARY value at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\WinAntiVirus Pro 2007

Another KEY

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\InprocServer32

(Default)
C:\Program Files\Common Files\WinAntiVirus Pro 2007\WAPChk.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\0\win32

C:\Program Files\Common Files\WinAntiVirus Pro 2007\WAPChk.dll

and

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\HELPDIR

And REG BINARY:
HKEY_USERS\S-1-5-21-746137067-1292428093-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\WinAntiVirus Pro 2007
 
Guest

I would suggest you go with Anonymous Bob's suggestion and download/install
the free version of SuperAntiSpyware (superantispyware.com). You are being
re-infected via the Explorer Shell.

 
Guest

I believe that is occurring. After removing the Keys I still had a few popups.

WinAntiVirus Pro 2007 (NewSoftware2007Install.exe)

NewSoftware2007Install.exe
346 KB (354,304 bytes)
348 KB (356,352 bytes)
Wednesday, August 22, 2007, 4:17:00 PM
Wednesday, August 22, 2007, 4:17:00 PM
Today, September 09, 2007, 3:38:24 PM
1.3.93.3
InstallProvider, Install
InstallProvider, Inc.
Language Neutral

Locations:
(1) C:\Documents and Settings\Charles Jones\Local Settings\Temp\ICD1.tmp
(2) C:\Documents and Settings\Charles Jones\Local Settings\Temp\ICD2.tmp
(3) C:\Documents and Settings\Charles Jones\Local Settings\Temp\ICD3.tmp
(4) C:\Documents and Settings\Charles Jones\Local Settings\Temp\ICD4.tmp
(5) C:\Documents and Settings\Charles Jones\Local Settings\Temp\ICD5.tmp
UWA7P_0001_N99M2908NetInstaller.exe
UWA7P_0001_N99M2908NetInstaller.inf
[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[Add.Code]
UWA7P_0001_N99M2908NetInstaller.exe=UWA7P_0001_N99M2908NetInstaller.exe

[UWA7P_0001_N99M2908NetInstaller.exe]
file-win32-x86=thiscab
RegisterServer=yes

C:\Documents and Settings\Charles Jones\Local Settings\Temp\InstallProvider
[main]
LaunchCount=0

NewSoftware2007Install.inf

[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[Add.Code]
NewSoftware2007Install.exe=NewSoftware2007Install.exe

[NewSoftware2007Install.exe]
file-win32-x86=thiscab
RegisterServer=yes

I went to check on the folder and file 'WAPChk.dll' and it was not in
the folder. I deleted the folder.

How can an installed program access a VBScript Script File to pop up the
messages associated with 'WinAntiVirus Pro 2007' & other AntiVirus
programming that is associated with the interruptions of IE I experience?
Would there be a reference to the file that it is using within this Key?
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache


In searching: C:\Program Files\Trend Micro\AntiVirus 2007\Quarantine\info
Text Files I find several which have within them data associated with this
matter of "WinAntiVirus Pro 2007" perhaps "C:\Program Files\" location.

C:\Program Files\outlook\outlook.exe
outlook.exe
WORM_GAOBOT.DF
8-29-2007 9:57
Virus found

C:\Program Files\outlook\p.zip
p.zip
WORM_GAOBOT.DF
8-29-2007 9:57
Virus found

C:\Program Files\outlook\v.tmp
v.tmp
WORM_GAOBOT.DF
8-29-2007 9:57
Virus found


Mr Cat said:
I would suggest you go with Anonymous Bob's suggestion and download/install
the free version of SuperAntiSpyware (superantispyware.com). You are being
re-infected via the Explorer Shell.
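
The two `.inf` files quoted in the post above use the Internet Component Download layout that Internet Explorer reads when installing an ActiveX component: `[Add.Code]` names the files, and `RegisterServer=yes` asks for each one to be registered after download. The Python sketch below is an added example, not part of the original thread; it triages such an INF found in a temp folder, the function names `parse_inf` and `triage_inf` are hypothetical, and the sample is the INF text copied from the post.

```python
import configparser

# Constructed sample: the NewSoftware2007Install.inf text quoted in the post.
SAMPLE_INF = '''[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[Add.Code]
NewSoftware2007Install.exe=NewSoftware2007Install.exe

[NewSoftware2007Install.exe]
file-win32-x86=thiscab
RegisterServer=yes
'''

EXECUTABLE_EXTS = (".exe", ".dll", ".ocx")


def parse_inf(text):
    """Return {lower-cased section name: {key: value}} for an INF file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep file names exactly as written
    cp.read_string(text)
    return {name.lower(): dict(cp[name]) for name in cp.sections()}


def triage_inf(text):
    """List every file named in [Add.Code] and whether it self-registers."""
    sections = parse_inf(text)
    findings = []
    for fname, target in sections.get("add.code", {}).items():
        # Section and key names in INF files are case-insensitive.
        raw = sections.get((target or fname).lower(), {})
        opts = {k.lower(): (v or "").strip().lower() for k, v in raw.items()}
        findings.append({
            "file": fname,
            "executable": fname.lower().endswith(EXECUTABLE_EXTS),
            "source": opts.get("file-win32-x86", "unknown"),
            "self_registers": opts.get("registerserver") == "yes",
        })
    return findings


if __name__ == "__main__":
    for f in triage_inf(SAMPLE_INF):
        print(f)
```

An entry with `executable` and `self_registers` both true marks a downloaded binary that the browser was told to register, which is the file to hunt for in the temp folders and registry keys listed earlier in the thread.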
 
Guest

Thanks and I intend to do that. I believe I have figured this thing out,
thank you for your assistance. After I log back in I'll post to this posting
and fill in details how things developed. Meanwhile I will keep on trying
to remove the problem causing problems with IE. Surfing is a real-time
problem with the popups occurring in mass numbers.

FYI

See Links About: WinAntiVirus Pro 2007 (NewSoftware2007Install.exe)

http://www.siteadvisor.com/sites/winantivirus.com/downloads/4080186/

winantivirus.com » download analysis
http://www.siteadvisor.be/sites/winantivirus.com/downloads?badid=1

Another to watch out for:
ZYCIXU62.EXE has been determined by the Prevx database as Bad. Therefore
this file is unsafe to run and should be removed using Prevx.
http://spywarefiles.prevx.com/RRAJHD035720695/ZYCIXU62.EXE.html

http://www.prevx.com/malwarecenter.asp

cleanup and remove ZYCIXU62.EXE
http://info.prevx.com/downloadprevx2.asp
 
Anonymous Bob

"Michael @ Webwalking.info"
Thanks and I intend to do that. I believe I have figured this thing out,
thank you for your assistance. After I log back in I'll post to this posting
and fill in details how things developed. Meanwhile I will keep on trying
to remove the problem causing problems with IE. Surfing is a real-time
problem with the popups occurring in mass numbers.

I think we lost him.

Bob Vanderveen
 
