Don't know what to make of e-scans mwave.exe

Hi All,

I got a question about e-scans Mwav.exe scanner. Using the latest ver 6.2.9, early in the scan, when the scan gets to ***scanning registry and file system for adware/spyware***

A warning window opens wanting me to buy e-scan to remove adware/spyware.

This is what's in the log information entry window:

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Then shortly thereafter 2 more entries:

Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{F467BFF8-9CE5-413d-B10A-28C7EC96B1CD}" refers to invalid object "%SystemRoot%\system\ipclsp.dll". Action Taken: No Action Taken.

After searching in widows explorer the only entries for AltNet are in spybot s&d, Adaware and hosts.

What originally brought me to Wilders a few months ago was another mwave.exe scan that said I had VX2 & 180solutions adware/spyware on my computer. After help from Wilders great members it was determined I wasn't infected. And a subsequent scan with a different version of e-scans scanner it didn't show up that I was infected. Strange.

I'm thinking e-scan is making people think they're infected just to buy their product. I'm tending not to trust e-scan do to these discrepancies.

Something else I tried was to substitute the one file mwavscan.com the ver 4.4.7 for the ver. 6.2.9. With 4.4.7 I didn't get those warnings about altnet. Maybe I'm doing something wrong by just substituting ver 4.4.7 for ver. 6.2.9 in my temp folder which is where I extract mwave.exe. One other thing . When I finish the scan with ver. 4.4.7, 11516 files are scanned. With ver 6.2.9, 17890 files are scanned. Why the discrepancy with number of files scanned?

Any thoughts on what is occurring? Am I doing something wrong? And yes I did full system scans with adaware, spybot S&D, Nod, bitdefender and ewido.

Thanks,

Jaws

 

Hi
The good thing is that it is powered by KAV engine. the latest ver 6.2.9 wont take any action unless you pay for it. However version 4.4.7 is still available and it still does a good job download it from
http://www.spywareinfo.dk/download/mwav.exe
extract it. it self extractable usually to c:\kaspersky
open the folder and double click on "kavupd" (it takes some time to updateall the files one after one ) when update is complete double click on "mwavscan" a window appears , now tick whatever you want and hit "scan clean". it does its best ehen used in safe mode.

 

I have been using escan 4.4.7 for several months. I found that for it to work correctly, scan/clesn, and be able to update I had to make a folder C:/Bases. Here is a thread, rather long, that it was discussed. I think around page 5 is where it was finally made clear to me.
https://www.wilderssecurity.com/showthread.php?t=67183&page=5&pp=25&highlight=JerryM

I have a high level of confidence in it, and when combined with Bit Defender 8.0, and Ewido there is a high degree of protection.

Jerry

 

Hi Hadi,

Thanks for the info on how to use 4.4.7 with kavupd. I was using e-scan way before they turned it into scan only. With your advice I now scan with the latest kav update. One thing I don't like is the update (bases & downloads) is put into the root of my c:\ drive. Upon redoing the scan per your instructions, I no longer get the warning for adware/spyware. I still think e-scan is playing head games with those false warnings to buy their product when you scan with the current versions.

Hi Jerry,

When I followed Hadi instructions to double click on kavupd, it put two folders on my c: drive. c:\bases and c:\downloads. Do these folders have to be in the kaspersky folder? I got kinda lost reading that thread. I'll have to read it about 3 or 4 more times for it to stink in my hard head!

Thank you both,

Jaws

 

The easiest way I found was to put the contents of the eScan folder into the bases folder, and then move the two folders(Bases, Download) to the root of another partition or flash drive. And then scan from there.

 

Jaws,
No they are not in the/a Kasperskey folder. The Bases folder is not even in the program files. When downloaded the program it made a Bases folder. I then went into the program and placed the update exe, and the (probably not the correct name) and mwavscan .com shortcuts on my desktop. That way I just click on the update and it goes to the KAV site and updates.

It sounds complicated, and was for me until Firecat and others walked me through. I need to be able to cookbook something to get it done. But I think I have the best of both worlds with the KAV engine as the on demand scanner, and Bit Defender 8.0. I would use the mwav program with any other AV except possibly KAV.

Jerry

 

Hi Likuid,

I'm anal when it comes to keeping the C:\ drive (partition) just for Program Files and WinNT. So when I do a format and fresh install I create a folder named Z on my D:\ drive and change all the Environmental Variables for temp files to D:\Z. I figure it's much easier to go to D:\Z and delete everything there. Also less fragmentation on the C:\ drive. I also move my Temporary internet Files folder to D:\

Since I don't have a problem putting stuff in the root of the D:\ drive I'll follow your suggestion.

Just so I got it straight, I put the e-scan folder contents into the bases folder and move the bases folder to the root of D:\. Then move the downloads folder to the root of D:\.

I'll have:

D:\
---Bases
---Downloads
---Temporary Internet Files
---Z

Should I assume when I do a kavupd that everything will stay on the D:\ drive and I won't have to delete anything?

Thanks a lot for your help.

Jaws

 

Ha-ha I thought I was the only one. Besides the standard Documents and Settings, Program Files, Windows and WUTemp folders I only have a Games and a Drivers folder. Anyway about e-scan mwav, I tried it on another computer and I half figured it out. I got it updated and completed a scan, but I never fully understood just how it works. For example how it sometimes saves the updates to C:\Bases and other times it saves them to C:\Downloads. I never bothered trying to get it setup right on my computer, although I think it would defiantly be worth the effort. I wish I could change the location of where it downloads its updates though, so instead of C:\Bases, it could go to C:\Program Files\KAV\Bases for example, anyone know if/how this can be done?

 

Firecat seems to be on vacation at this time. He was the one who worked me throught it. I do not know the answers to the questions, but the downloads put the updates in the C Bases folder.

Jerry

 

Yes it will leave the c; drive alone. as long as you run kavupdate from the d: drive it will stay there. HTH

 

No I am not on vacation; just that ninth grade is a bit tough

If there are any more problems, I'll try to help.

 

Funny, no one has commented on this. Am I the only one that this is happening to.

Regard,

Jaws

 

I have not been trailing eScan for quite a while now, but I'll tell you one thing - the eScan free edition is no longer designed as a quick fix tool - it is only a fully fledged promotion of the commercial eScan.

Quite simply, MWAV is a marketing tool.

Why, the website says that you have to pay USD 9.95 per month if you want MWAV to clean the malware as well! And that does not include a real time scanner.

This is all a ruse to make people buy the commercial edition of eScan with the real time scanner!

It is a delibrate attempt.

I know all this from the moment it became a scan-only app, that it was becoming a promotion for the commercial eScan.

 

Doesn't that verge on being illegal. To say you have malware on your computer when you actually don't.

I wonder how many people fell for this scam and if they can get their money back.

I don't know what country e-scans' is incorporated in, or if anybody can do anything about it, but I think it really sucks that they have to trick you into buying their product.

 

eScan scans the registry and flags some harmless registry keys as malware. Also, it deletes some registry keys that it thinks are invalid, without asking the user (that is, if you pay for it)

The company wishes to imply that why should one buy MWAV for USD 9.95 when MWAV Full Version comes free with the commercial eScan at a much cheaper rate.

That is a cheap marketing trick to promote the commercial eScan - that is why I called it delibrate!

I contacted them several times about MWAV turning into a promotion for the commercial eScan, and they told me that the existence of the free version (with cleaning of malware) reduces sales of the commercial version - which is why MWAV was turned into scan-only.

eScan has its development center in Bombay, India - the city where I live.

QuickHeal is also an Indian comapny, but that too uses cheap tricks to promote its software.

Sadly, Indian companies are not too honest in their work - please, please be careful when buying software made by an Indian company.

 

I have a story for those who are interested; the topic is MWAV (MicroWorld Anti Virus & Spyware Toolkit Utility)

Recently I got interested in this On-Demand Scanning system, downloaded version 7.1.4 and ran a thorough scan; after numerous files scanned I get prompted by (look at image attachment shown below);

And following, the ‘Virus Log Information’ screen becomes updated with a detection of an infection, and some more scanning through I see another entry indication another infection found.

Being who I am, Mr. Phant0m`` the guy who don’t get infected, I obviously knew this were a joke, haha.

I viewed over the Log file, I found the following;
--
Tue Sep 20 02:52:07 2005 => Offending value found in HKLM\Software\gnu !!!
Tue Sep 20 02:52:14 2005 => Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Sep 20 02:52:28 2005 => Offending file found: C:\WINDOWS\gpinstall.exe
Tue Sep 20 02:52:28 2005 => System found infected with Conducent FlexPak Spyware/Adware (gpinstall.exe)! Action taken: No Action Taken.
--

This is the sort of information I were looking for, HKLM\Software\gnu a registry location, used by a clean media decoder, here is export of this location;

--
[HKEY_LOCAL_MACHINE\SOFTWARE\GNU]

[HKEY_LOCAL_MACHINE\SOFTWARE\GNU\ffdshow]
"mp41"=dword:00000000
--

And that is all, nothing more to see here… And anyways, FALSE POSTIVE!!!

As for ‘Offending file’ C:\WINDOWS\gpinstall.exe, GPInstall.exe is part of Installer Building kit, http://www.qsc.co.uk/gpinstall.htm, which is used by Spyblocker the developer of Spyblocker product and all of his other softwares.

Because it shares the same filename found in the specific location, doesn’t make this GPInstall.exe and infection or any part of malicious activity any magnitude. This is not http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074716, and if signature detection were used, this problem would not be. But this software flags at minimum mere text file renamed to GPInstall.exe and placed into C:\WINDOWS location, specific location this product would flag any file named GPInstall.exe.

I’ve spent yesterday in real-time discussion, trying get these fps removed, and for the longest while I thought this person were really interested in resolving these fps.

Today, I made another communication attempt and figure out if anything will be done, and to keep this short, basically,

‘if we can do anything more on this then we will definitely do it.
but thats a very long process and could take time
but yes if its possible then we will definitely’

Hopefully this can save lot of time and scares, and show you where they stand regarding this product...

 

I believe the reg entries thing is defined directly by MicroWorld and does not use the KAV bases.....

I would recommend that you download the next version as soon as it comes out, it may or may not contain the fix.

 

Registry location, merely what would trigger this scanning to claim to be infection..

Not sure about the registry entry fp, but as for the GPInstall.exe fp, they made it perfectly clear near the end of our conversation when I was drilling them that they won’t fix this fp, this persons mono is, simply to difficult to use signature for the actual bad GPInstall.exe files, so instead they flag mere filename in specific location, regardless if it is legit bad or not..