Removal of Winantiviruspro2006

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lesrozak, Aug 10, 2006.

  1. Lesrozak

    Lesrozak Private E-2

    Hi,
    I have taken all of the steps recommended to remove this software. Spybot is still detecting Winsoftware.WinAntivirusPro2006 which it fixes but they reappear after rebooting XP.

    The HJT file reads..

    Many thanks,

    Les
     

    Last edited by a moderator: Aug 10, 2006
  2. matt.chugg

    matt.chugg MajorGeek

    Which steps are you referring to?

    I need the other logs as well.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Lesrozak

    Lesrozak Private E-2

    Hi Matt,
    I'm trying to fix this problem for a friend. I followed the steps in Sticky thread "READ & RUN ME FIRST". Soon discovered the problem was related to WinAntivirusPro2006 which my friend paid $20 for the privilege of downloading and installing this problem. All steps were completed but some problems persisted. I fixed some of these by reading other threads.
    A week has now passed and my friend tells me he is still getting some annoying pop-ups although most of the annoying nag error messages are now not appearing (these were definitely associated with Winantiviruspro2006). I have just finished running all the scans you suggested (to obtain the logs for you) and have been on this PC for 2 hours with no problems.
    I suspect the problem is solved and any pop-ups he is experiencing are related to the web pages he is visiting.
    Can you please have a look at the logs and let me know if you think they are "clear".
    Many thanks!!
     

  4. Lesrozak

    Lesrozak Private E-2

    The rest of the logs.

    Thanks again Matt for your time and help.
     

  5. matt.chugg

    matt.chugg MajorGeek

    Your activescan and bitdefender logs are clean.

    Do you know what 'gadu gadu' is? It rings a bell somewhere in the back of my head but I can't place it. It is installed on your system; if you installed it knowingly then it's probably fine, but its exe name (gg.exe) isn't too helpful.

    I assume from the way you are speaking you have removed WinAntiVirus. There are still traces on your system though.

    << The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer, before installing the latest version of Java. >>



    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.




    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may not be there just continue to the next if this is the case)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
    Last edited by a moderator: Aug 17, 2006
  6. Lesrozak

    Lesrozak Private E-2

    Hi Matt,

    Gadu Gadu is a Polish messaging service similar to MSN. It was downloaded as freeware from the internet (http://www.gadu-gadu.pl/). Apparently it is popular in Poland.

    Followed all your instructions.

    Please find a fresh HJT log attached.
     

  7. matt.chugg

    matt.chugg MajorGeek

    Did you have any problems deleting the files I asked you to? Can you confirm they are deleted?

    Run Hijack this

    Click do a system scan only.

    Click the config button

    Select Misc Tools

    Select Delete an NT Service

    Enter 'FWSvc' in the dialog and click ok

    Tell me what the result of this is.
     
    Last edited: Aug 19, 2006
  8. Lesrozak

    Lesrozak Private E-2

    Hi Matt,

    C:\WINDOWS\system32\viruxz.dll - this file didn't exist
    C:\Program Files\IntCodec - folder deleted
    C:\Program Files\WinAntiVirus Pro 2006 - I had deleted this earlier

    Following your last instructions an error message reads..
    "The service 'FWSvc' is enabled and/or running. Disable it first, using HJT or from the services.msc window"

    What now?
     
  9. matt.chugg

    matt.chugg MajorGeek

    Click Start, Then click run

    Type Services.msc and hit enter

    In the resulting window scroll down and find Firewall Service

    Double click the entry (the path to executable should say C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe)

    If the stop button is enabled click it and then set the startup type to disabled and apply

    Then retry the steps to remove the NT service in HJT
     
  10. Lesrozak

    Lesrozak Private E-2

    OK did that.

    Message now reads..

    Short name: FWSvc
    Full name: Firewall service
    File: c:\program files\winantiviruspro2006\FWSvc.exe (file missing)

    Are you absolutely sure you wish to delete this service?


    Thanks for your previous quick reply!!
     
  11. matt.chugg

    matt.chugg MajorGeek

    The service is part of WinAntiVirus Pro which you say you have removed (including the folder in c:\program files) so YES you do want to remove that service.

    How is your computer running now?

    Rerun your AV scans to double check everything is fixed. Post a new HJT log.
     
  12. Lesrozak

    Lesrozak Private E-2

    Disabled FWSvc as instructed.

    Ran Spybot which still shows 6 entries by Winsoftware.WinAntiVirusPro2006

    I have attached the Spybot log and a fresh HJT log.
     

  13. matt.chugg

    matt.chugg MajorGeek

    Delete everything in this folder: (that you can)

    C:\Documents and Settings\Leszek\Local Settings\Temp

    Copy the following text to notepad and save it as fixreg.reg on the desktop (making sure to set filetype to All Files in the save dialog.)

    Code:
    REGEDIT4
    
    [-HKEY_CLASSES_ROOT\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F}]
    
    [-HKEY_CLASSES_ROOT\Interface\{E18B69D0-7E9E-4C6E-BDD8-879A1FFF7123}]
    
    [-HKEY_CLASSES_ROOT\TypeLib\{1234890A-5E6E-4867-8136-CA6F1456B235}]
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\WAP6.PCheck]
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\WAP6.PCheck.1]
    
    [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F}]
    
    Close notepad and doubleclick the fixreg.reg file on your desktop

    Click yes to merge with the registry.
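
Added example, not part of the original thread: a small Python audit of what a .reg file will do before it is merged, run here on the fixreg.reg text from the post above (blank lines between entries dropped). The function names are this example's own; it lists each operation and flags keys that are targeted twice because HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\Software\Classes.

```python
import re
from collections import Counter

# fixreg.reg as posted in the thread, embedded so the example runs offline.
FIXREG = r"""REGEDIT4
[-HKEY_CLASSES_ROOT\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F}]
[-HKEY_CLASSES_ROOT\Interface\{E18B69D0-7E9E-4C6E-BDD8-879A1FFF7123}]
[-HKEY_CLASSES_ROOT\TypeLib\{1234890A-5E6E-4867-8136-CA6F1456B235}]
[-HKEY_LOCAL_MACHINE\Software\Classes\WAP6.PCheck]
[-HKEY_LOCAL_MACHINE\Software\Classes\WAP6.PCheck.1]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F}]
"""

HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
SECTION = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.+)\]$")  # "[-KEY]" deletes the whole key

def audit_reg(text):
    """Return (action, key, value_name) for every operation in a .reg file."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / version 5.00 header")
    ops, key, deleting = [], None, False
    for ln in lines[1:]:
        if ln.startswith(";"):          # comment line
            continue
        m = SECTION.match(ln)
        if m:
            deleting, key = m.group(1) == "-", m.group(2)
            ops.append(("delete-key" if deleting else "open-key", key, None))
        elif key and not deleting and "=" in ln:
            name, _, data = ln.partition("=")
            action = "delete-value" if data.strip() == "-" else "set-value"
            ops.append((action, key, name.strip('"')))
    return ops

def classes_view(key):
    """Map HKLM\\Software\\Classes\\X onto HKCR\\X so both views compare equal."""
    prefix = "hkey_local_machine\\software\\classes\\"
    if key.lower().startswith(prefix):
        key = "HKEY_CLASSES_ROOT\\" + key[len(prefix):]
    return key.lower()

def overlapping_targets(ops):
    """Keys deleted more than once once HKCR/HKLM views are normalised."""
    counts = Counter(classes_view(k) for act, k, _ in ops if act == "delete-key")
    return sorted(k for k, n in counts.items() if n > 1)
```

On the posted file this reports six key deletions and no value writes, with the `{B2A3156E-...}` CLSID reached through both views.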
     
  14. Lesrozak

    Lesrozak Private E-2

    Hi Matt,

    Did all that.

    OK, Spybot now runs clean!! PC appears to be working normally.

    My friend, Les, says "Thanks a million! - thank goodness there are people like Matt around".

    Let us know if you're ever in Glasgow... you can come down and visit our Polish Club (http://www.sikorskipolishclub.org.uk/) and we'll buy you all the beer or vodka you can swallow!
     
  15. matt.chugg

    matt.chugg MajorGeek

    zadowolony jestem ze moglem ci pomoc ;)

    Well I do quite like Tyskie ;)

    I have Polish friends lol ;)
     
  16. Lesrozak

    Lesrozak Private E-2

    Your Polish is as good as your removal of Winantiviruspro!!

    Very impressed and we do have Tyskie in the club.. so don't hesitate to pay us a visit if you're in the area.

    Dziekuje bardzo i goraco pozdrawiam!!!!!
     
  17. matt.chugg

    matt.chugg MajorGeek

    I cheated with the Polish lol

    Happy Surfing :)
     
