My Computer "scanned"?

I encountered the exact same thing. Unfortunately I was not at my computer but had Windows IE open. When I returned to my computer it had been re-routed to the website: Webscan5.com. It said it had scanned all of my drives. Interesting enough it said it scanned my E: Drive. I don't have E: drive. It said it found all kinds of malware and trojan viruses on my computer. A dialogue box asked if I wanted to remove them. I tried to hit cancel but the box just kept reappering. I went to task manager and killed my IE session.

I went back to the site and it immediately started the "scan" again.

I'd love to know what this is and I hope to God it didn't actually scan anything on my computer.

Anybody have any idea what this is?

Thanks for the info.

I encountered the exact same thing. I use Firefox. I clicked ok, but my safety zone would not allow the download. Thank God. What was I thinking? A scan completion bar was running. When I went to Task Manager 5avscan was not running, but I ended my Firefox session and am running my anti virus and security threat program. So far nothing has been detected. (70% complete)

Googled 5avscan and not much info.

I had the same thing happen shortly after my Norton AV had advised me it had blocked an attempt of an attack. I checked to make sure all my firewalls and AV was turned on, then I ran a virus scan, nothing showed up. I then ran spybot, there was one problem that showed up having to do with microsoft antivirus but I don't really think it is related to the 5avscan problem as I have microsoft AV turned off in favor of Norton, but I had spybot fix it anyway. I then opened the windows task manager and simply ended the firefox session and the problem was resolved...I hope.

Kathy

Just curious....I have spybot as well and noticed a new icon on the the far right corner with a "lock" symbol next to it after the incident.

You all?

is part of Spybot S&D, specifically, it indicates that Spybots Resident
protection w/ Tea Timer is active & guarding your registry settings & is
monitoring blacklisted processes.

This is a good thing in general 'tho' it may slow down some other A/S programs when they want to change something by pausing them & asking you if you approve of the proposed change(s). This is the same thing it does when some attacker tries to change registry items to create a home for itself.

You may wish to disable this feature if you're running another A/S program with running background guard so they don't fight over who's territory it is. If that is NOT happening, then let it run.
It has saved my tail on several occasions over the years.

If you aren't already, on Spybot Front page, on top left side, click the "Mode" button & click on "Advanced" Mode & re-start S&D. You'll find 2 new buttons at bottom left (settings & tools) which will give you access to numerous helpful items in the program like "System Startup" which shows you everything starting at boot-up & will allow you(via checking/unchecking) to make some un-necessary items a manual start as actually needed. On right side of that feature you can find info on what each item is that's starting. What you change by putting check mark, you can change back by unchecking if desired/necessary.

Enjoy!!

Hmmm, maybe I'm looking at a different lock because I don't have Spybot running all the time since I have Norton AV and Spybot and Norton shouldn't both be running at the same time, right? I did get a message from Norton AV that an attack against my computer had been blocked, but a few seconds later I was on the 5avscan.com site and couldn't get away, so it seems that Norton was not able to defend against the attack after all. I wonder if Spybot could have done the job better?

got during scanning was just telling you that you have 2 AVs on the machine & the MS one had been de-activated (By Norton) as is correct
procedure to prevent conflict. Not to worry!!

The little lock shows "Authenticated by VeriSign, Inc", which means it is a secure website for conducting financial transactions.

thanks for the info on the SpyBot features. Interestingly, while I am running SpyBot it did not stop the re-direct to the website, the "scanning" of my computer etc., etc., Nothing popped up

I mostly just want to know what the heck this website is.

Did it scan my computer or was it just some kind of a website setup to make it look like it did, get me to click "OK" and then download something onto my computer?

Is there anybody out there that knows? Again it's www.webscan5.com

re-directed to that site by a "hook" similar to those you'd get to MS or Yahoo's home Page. The fake AV alert system infection consists of several parts.

The first takes you to the "scanning & scaring page" which doesn't usually actually inject any infection except to scare you to click "Yes" to "download cure" & possibly enter re-direct to part2. This would be the Webscan 5 page.

The download page (part 2 ) is where the trouble
really is and will download it's own trojan which will then open a back door to allow more infections to download. This would be the AV scan5 page. IF you don't get caught here, you're half way home & only have the scare re-direct to worry about.

If you have Spybot (running in advanced mode) under the tools button, double click "Browser pages". This shows where your IE etc. are directed to & thru when you browse the net. Look to see if Webscan5 or the other are listed there. There may be several of both "Home page" (house symbol) & search start pages (World symbol). Your current homepage may also be found in Internet Options in CP.

You can delete any you don't want to be there by click to highlite the bad ones then click change and in resulting view use backspace to back them out of existence one by one. DO NOT remove ALL! You want to leave at least 1 of each. In my case I kept ONLY 1 "House" About:Blank (blank page for Home) & 1 "World" : http://www.google.com/ search page. Once entered here, absent any over-riding other program you have approved, Spybot will lock these pages as only ones to be used upon opening of IE.

Also under Tools button, you may dbl. click BHO's (Browser Helper Objects) which will show items (active-X usually) which can operate thru browser. Example might be "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)" (Adobe Acrobat PDF reader).

If you have Spybots SD Helper enabled then there'll also be one for that. It Will usually have no name but the last 5 #'s will be{xxxxx "2484F"}. Leave it there. The known ones will have a green check mark
to indicate "legit" but you may or may not want active all the time (toggled off to close possible entry points for attacks).
If you have ones there with name unknown to you or no name ( you can highlight & click "Toggle" at top to disable them and repeat to re-enable them if you need them. Active-X downloaded items can also be found in Internet Options in CP where you can un-install them.

Also under "Tools": IE Tweaks: Check mark available to Lock Hosts file against hijackers (use if you know hosts list clean) SD Helper is Spybots host's file.

You may also try (assuming when you go on net you have) right click on
2 computers by clock (LAN/net connection) and select "Repair"Option.
I believe this will dump your current local stored DNS library ( which webscan 5 may have inserted itself into to redirect you). A type of poisoned DNS action which can send any address you click to another "fake" site. Worth a try (especially after you've found & cleaned other items above.

Hope this helps.

The last two messages helped tremendously.

I did not click the OK button so as you say I am halfway home. I'll follow your other instructions.

Whew! Big relief. Thansk All.

Hello
Excuse me for my english
Also to me , it has happened what you wrote about WEBSCAN5
But an other thing I read when it happened: the ip address from where the problems comes and it was 93.150.8.120. It was written on the screen of my laptop in green.
Today I downloaded a software called IPNetInfo (http://www.nirsoft.net/utils/ipnetinfo.html)that told me some things about this IP address:

Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '93.150.0.0 - 93.151.255.255'

inetnum: 93.150.0.0 - 93.151.255.255
netname: OPITEL
descr: IP addresses allocated to DSL customers
country: IT
admin-c: LV1834-RIPE
tech-c: RD2747-RIPE
status: ASSIGNED PA
mnt-by: VODAFONE-IT-MNT
changed: roberto.decristofaro@vodafone.com 20080610
source: RIPE

person: Luca Vit
address: Vodafone N.V.
address: Via Jervis,13
address: I-10015 Ivrea, TO
address: Italy
e-mail: luca.vit@vodafone.com
nic-hdl: LV1834-RIPE
changed: luca.vit@vodafone.com 20070416
phone: +39 0125624819
source: RIPE

person: Roberto De Cristofaro
address: Vodafone N.V.
address: Via Jervis,13
address: I-10015 Ivrea, TO
address: Italy
phone: +39 0125624624
nic-hdl: RD2747-RIPE
changed: roberto.decristofaro@vodafone.com 20071206
source: RIPE

% Information related to '93.150.0.0/15AS44957'

route: 93.150.0.0/15
descr: route for Opitel DSL customers
origin: AS44957
mnt-by: VODAFONE-IT-MNT
changed: roberto.decristofaro@vodafone.com 20080617
source: RIPE


What do you think about?

via Sam Spade & clicked for additional data base & found this:

(Asked whois.arin.net:43 about +93.150.8.120) (show)

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois: //whois.ripe.net: 43
NetRange: 93.0.0.0 - 93.255.255.255
CIDR: 93.0.0.0/8
NetName: 93-RIPE
NetHandle: NET-93-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRIRIPENET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SUNIC.SUNET.SE
NameServer: NS3.NIC.FR
NameServer: NS-EXT.ISC.ORG
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2007-03-27
Updated: 2007-04-03
ARIN WHOIS database last updated 2008-12-28 19: 10
Enter ? for additional hints on searching ARIN's WHOIS database.

Amsterdam as well?? Beginnings of a network?? Not likely to be trusted. S

1) And so, what do you think about these different IP addresses?

2) However, about the problem we had, I used MBAM and I put the elements in quarantene; do you think it is better to delete them?
Thanks
Hello
Paolo

wait a few days & IF computer seems to be working OK, Then delete/empty quarantine. Wouldn't connect to either by choice.

mostly seeing all the Spybot comments misled me. You're quite right,
IF it's just a lock with no blue & white box behind it then it's not Spybot but rather normally indicates a secure connection such as would be used for online purchases etc.

Since I don't have Norton, it could also be one of it's many functions indicating that a site has correctly identified itself (not Cross Site Scripted).

For others: Spybot's Tea Timer protects registry changes. You can have Spybot but NOT have Tea Timer active (perhaps ONLY SD Helper, Host file active)in which case most protective real time features are not active, more like an on demand scanner. You'd have these inactive to avoid conflicts with another real time protector (Say Norton or AVG .