Don't know what to make of e-scans mwave.exe

Discussion in 'other anti-virus software' started by Jaws, Jun 5, 2005.

Thread Status:
Not open for further replies.
  1. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi All,

    I got a question about e-scans Mwav.exe scanner. Using the latest ver 6.2.9, early in the scan, when the scan gets to ***scanning registry and file system for adware/spyware***, a warning window opens wanting me to buy e-scan to remove adware/spyware.

    This is what's in the log information entry window:

    Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

    Then shortly thereafter 2 more entries:

    Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.

    Entry "HKCR\CLSID\{F467BFF8-9CE5-413d-B10A-28C7EC96B1CD}" refers to invalid object "%SystemRoot%\system\ipclsp.dll". Action Taken: No Action Taken.

    After searching in Windows Explorer the only entries for AltNet are in spybot s&d, Adaware and hosts.

    What originally brought me to Wilders a few months ago was another mwave.exe scan that said I had VX2 & 180solutions adware/spyware on my computer. After help from Wilders great members it was determined I wasn't infected. And a subsequent scan with a different version of e-scans scanner it didn't show up that I was infected. Strange.

    I'm thinking e-scan is making people think they're infected just to buy their product. I'm tending not to trust e-scan due to these discrepancies.

    Something else I tried was to substitute the one file mwavscan.com the ver 4.4.7 for the ver. 6.2.9. With 4.4.7 I didn't get those warnings about altnet. Maybe I'm doing something wrong by just substituting ver 4.4.7 for ver. 6.2.9 in my temp folder which is where I extract mwave.exe. One other thing: when I finish the scan with ver. 4.4.7, 11516 files are scanned. With ver 6.2.9, 17890 files are scanned. Why the discrepancy with number of files scanned?

    Any thoughts on what is occurring? Am I doing something wrong? And yes I did full system scans with adaware, spybot S&D, Nod, bitdefender and ewido.

    Thanks,

    Jaws
     
  2. hadi

    hadi Guest

    Hi
    The good thing is that it is powered by KAV engine. The latest ver 6.2.9 won't take any action unless you pay for it. However version 4.4.7 is still available and it still does a good job; download it from
    http://www.spywareinfo.dk/download/mwav.exe
    Extract it. It is self-extractable, usually to c:\kaspersky
    Open the folder and double click on "kavupd" (it takes some time to update all the files one after one). When the update is complete, double click on "mwavscan"; a window appears. Now tick whatever you want and hit "scan clean". It does its best when used in safe mode.
     
  3. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I have been using escan 4.4.7 for several months. I found that for it to work correctly, scan/clean, and be able to update I had to make a folder C:/Bases. Here is a thread, rather long, where it was discussed. I think around page 5 is where it was finally made clear to me.
    https://www.wilderssecurity.com/showthread.php?t=67183&page=5&pp=25&highlight=JerryM

    I have a high level of confidence in it, and when combined with Bit Defender 8.0, and Ewido there is a high degree of protection.

    Jerry
     
  4. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Hadi,

    Thanks for the info on how to use 4.4.7 with kavupd. I was using e-scan way before they turned it into scan only. With your advice I now scan with the latest kav update. One thing I don't like is the update (bases & downloads) is put into the root of my c:\ drive. Upon redoing the scan per your instructions, I no longer get the warning for adware/spyware. I still think e-scan is playing head games with those false warnings to buy their product when you scan with the current versions.

    Hi Jerry,

    When I followed Hadi's instructions to double click on kavupd, it put two folders on my c: drive. c:\bases and c:\downloads. Do these folders have to be in the kaspersky folder? I got kinda lost reading that thread. I'll have to read it about 3 or 4 more times for it to stink in my hard head!

    Thank you both,

    Jaws
     
  5. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    The easiest way I found was to put the contents of the eScan folder into the bases folder, and then move the two folders (Bases, Download) to the root of another partition or flash drive. And then scan from there.
     
  6. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221

    Jaws,
    No they are not in the/a Kaspersky folder. The Bases folder is not even in the program files. When I downloaded the program it made a Bases folder. I then went into the program and placed the update exe, and the (probably not the correct name) and mwavscan.com shortcuts on my desktop. That way I just click on the update and it goes to the KAV site and updates.

    It sounds complicated, and was for me until Firecat and others walked me through. I need to be able to cookbook something to get it done. But I think I have the best of both worlds with the KAV engine as the on demand scanner, and Bit Defender 8.0. I would use the mwav program with any other AV except possibly KAV.

    Jerry
     
  7. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Likuid,

    I'm anal when it comes to keeping the C:\ drive (partition) just for Program Files and WinNT. So when I do a format and fresh install I create a folder named Z on my D:\ drive and change all the Environmental Variables for temp files to D:\Z. I figure it's much easier to go to D:\Z and delete everything there. Also less fragmentation on the C:\ drive. I also move my Temporary internet Files folder to D:\

    Since I don't have a problem putting stuff in the root of the D:\ drive I'll follow your suggestion.

    Just so I got it straight, I put the e-scan folder contents into the bases folder and move the bases folder to the root of D:\. Then move the downloads folder to the root of D:\.

    I'll have:

    D:\
    ---Bases
    ---Downloads
    ---Temporary Internet Files
    ---Z

    Should I assume when I do a kavupd that everything will stay on the D:\ drive and I won't have to delete anything?

    Thanks a lot for your help.

    Jaws
     
    Last edited: Jun 6, 2005
  8. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Ha-ha I thought I was the only one. Besides the standard Documents and Settings, Program Files, Windows and WUTemp folders I only have a Games and a Drivers folder. Anyway about e-scan mwav, I tried it on another computer and I half figured it out. I got it updated and completed a scan, but I never fully understood just how it works. For example how it sometimes saves the updates to C:\Bases and other times it saves them to C:\Downloads. I never bothered trying to get it set up right on my computer, although I think it would definitely be worth the effort. I wish I could change the location of where it downloads its updates though, so instead of C:\Bases, it could go to C:\Program Files\KAV\Bases for example, anyone know if/how this can be done?
     
  9. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Firecat seems to be on vacation at this time. He was the one who worked me through it. I do not know the answers to the questions, but the downloads put the updates in the C Bases folder.

    Jerry
     
  10. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    Yes it will leave the c: drive alone. As long as you run kavupdate from the d: drive it will stay there. HTH
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    No I am not on vacation; just that ninth grade is a bit tough :(

    If there are any more problems, I'll try to help. :)
     
  12. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Funny, no one has commented on this. Am I the only one that this is happening to?

    Regards,

    Jaws
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I have not been trailing eScan for quite a while now, but I'll tell you one thing - the eScan free edition is no longer designed as a quick fix tool - it is only a fully fledged promotion of the commercial eScan.

    Quite simply, MWAV is a marketing tool.

    Why, the website says that you have to pay USD 9.95 per month if you want MWAV to clean the malware as well! And that does not include a real time scanner.

    This is all a ruse to make people buy the commercial edition of eScan with the real time scanner!

    It is a deliberate attempt.

    I know all this from the moment it became a scan-only app, that it was becoming a promotion for the commercial eScan.
     
  14. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Doesn't that verge on being illegal? To say you have malware on your computer when you actually don't.

    I wonder how many people fell for this scam and if they can get their money back.

    I don't know what country e-scans' is incorporated in, or if anybody can do anything about it, but I think it really sucks that they have to trick you into buying their product.
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    eScan scans the registry and flags some harmless registry keys as malware. Also, it deletes some registry keys that it thinks are invalid, without asking the user (that is, if you pay for it)

    The company wishes to imply that why should one buy MWAV for USD 9.95 when MWAV Full Version comes free with the commercial eScan at a much cheaper rate.

    That is a cheap marketing trick to promote the commercial eScan - that is why I called it deliberate!

    I contacted them several times about MWAV turning into a promotion for the commercial eScan, and they told me that the existence of the free version (with cleaning of malware) reduces sales of the commercial version - which is why MWAV was turned into scan-only.

    eScan has its development center in Bombay, India - the city where I live.

    QuickHeal is also an Indian company, but that too uses cheap tricks to promote its software.

    Sadly, Indian companies are not too honest in their work - please, please be careful when buying software made by an Indian company.
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I have a story for those who are interested; the topic is MWAV (MicroWorld Anti Virus & Spyware Toolkit Utility)

    Recently I got interested in this On-Demand Scanning system, downloaded version 7.1.4 and ran a thorough scan; after numerous files scanned I get prompted by (look at image attachment shown below);

    And following, the ‘Virus Log Information’ screen becomes updated with a detection of an infection, and some more scanning through I see another entry indicating another infection found.

    Being who I am, Mr. Phant0m, the guy who doesn’t get infected, I obviously knew this was a joke, haha.

    I viewed over the Log file, I found the following;
    --
    Tue Sep 20 02:52:07 2005 => Offending value found in HKLM\Software\gnu !!!
    Tue Sep 20 02:52:14 2005 => Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.

    Tue Sep 20 02:52:28 2005 => Offending file found: C:\WINDOWS\gpinstall.exe
    Tue Sep 20 02:52:28 2005 => System found infected with Conducent FlexPak Spyware/Adware (gpinstall.exe)! Action taken: No Action Taken.

    --

    This is the sort of information I was looking for, HKLM\Software\gnu a registry location, used by a clean media decoder, here is export of this location;

    --
    [HKEY_LOCAL_MACHINE\SOFTWARE\GNU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\GNU\ffdshow]
    "mp41"=dword:00000000

    --

    And that is all, nothing more to see here… And anyways, FALSE POSITIVE!!!

    As for ‘Offending file’ C:\WINDOWS\gpinstall.exe, GPInstall.exe is part of Installer Building kit, http://www.qsc.co.uk/gpinstall.htm, which is used by Spyblocker the developer of Spyblocker product and all of his other softwares.

    Because it shares the same filename found in the specific location, doesn’t make this GPInstall.exe an infection or any part of malicious activity of any magnitude. This is not http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074716, and if signature detection were used, this problem would not be. But this software flags at minimum mere text file renamed to GPInstall.exe and placed into C:\WINDOWS location, specific location this product would flag any file named GPInstall.exe.

    I’ve spent yesterday in real-time discussion, trying to get these fps removed, and for the longest while I thought this person was really interested in resolving these fps.

    Today, I made another communication attempt and figure out if anything will be done, and to keep this short, basically,

    ‘if we can do anything more on this then we will definitely do it.
    but thats a very long process and could take time
    but yes if its possible then we will definitely’

    Hopefully this can save lot of time and scares, and show you where they stand regarding this product...
     

  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I believe the reg entries thing is defined directly by MicroWorld and does not use the KAV bases.....

    I would recommend that you download the next version as soon as it comes out, it may or may not contain the fix. :)
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Registry location, merely what would trigger this scanning to claim to be infection..

    Not sure about the registry entry fp, but as for the GPInstall.exe fp, they made it perfectly clear near the end of our conversation when I was drilling them that they won’t fix this fp, this person's mono is, simply too difficult to use signature for the actual bad GPInstall.exe files, so instead they flag mere filename in specific location, regardless if it is legit bad or not..
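
Added example (not part of any post above, and not eScan or MicroWorld code): a small triage script for the kind of name-and-location hit Phant0m describes. It reads two log lines copied from his post and checks the flagged file's content hash before treating the hit as real. The function names and the known-bad hash set are constructed for illustration.

```python
import hashlib, os, re, tempfile

# Two log lines copied from the post above; all other data is constructed.
LOG = "\n".join([
    r"Tue Sep 20 02:52:07 2005 => Offending value found in HKLM\Software\gnu !!!",
    r"Tue Sep 20 02:52:28 2005 => Offending file found: C:\WINDOWS\gpinstall.exe",
])
FILE_RE = re.compile(r"=> Offending file found: (?P<path>.+)$")
REG_RE = re.compile(r"=> Offending value found in (?P<key>\S+)")

def parse_findings(log_text):
    """Return (kind, indicator) tuples for file and registry findings."""
    findings = []
    for line in log_text.splitlines():
        if m := FILE_RE.search(line):
            findings.append(("file", m.group("path").strip()))
        elif m := REG_RE.search(line):
            findings.append(("registry", m.group("key")))
    return findings

def triage_file(local_path, known_bad_hashes):
    """Classify a name/location hit by looking at the file's content."""
    if not os.path.isfile(local_path):
        return "missing"
    with open(local_path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    if digest in known_bad_hashes:
        return "confirmed by content hash"
    return "name-only match, content unverified"

def demo():
    # Constructed stand-in for a list of known-bad SHA-256 values.
    known_bad = {hashlib.sha256(b"constructed bad sample").hexdigest()}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for kind, indicator in parse_findings(LOG):
            if kind == "registry":
                results[indicator] = "registry key: export and inspect"
                continue
            # Recreate the test from the post: a text file with the flagged name.
            local = os.path.join(d, indicator.rsplit("\\", 1)[-1])
            with open(local, "w") as f:
                f.write("plain text, renamed")
            results[indicator] = triage_file(local, known_bad)
    return results

if __name__ == "__main__":
    for indicator, verdict in demo().items():
        print(f"{indicator}: {verdict}")
```

A hash that is absent from a known-bad list does not prove a file is clean; it only shows that the file name and location alone were what matched.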
     