General discussion

My Computer "scanned"?

Dec 26, 2008 6:23AM PST

When browsing the internet a website re-routed me to the site *********.com. Two pop-ups disguised as Windows security windows came up and said something about initializing scanning "My Computer". I quickly ctrl+alt+del and removed the running process that was titled "Scan My Computer". I haven't had any recurring pop-ups or performance problems, but I'm curious if any information could have been taken.

Immediately after the incident I ran an Ad-Aware scan with nothing unusual arising. I have AVG 7.5 with everything active but Anti Virus, and the Windows Firewall and Updates on. I also have a pop-up blocker that works well, very rarely do I get pop-ups. I have Windows XP and run IE6 for my web browser on a fairly new Gateway laptop.

Is there anything more I should do? Could any info have been taken?

URL was edited by forum admin to prevent others from getting infected.

More info
Dec 26, 2008 6:43AM PST

I tried the same website again to determine what was really happening and the page it sent me to had a new name **********.com. It must be a frequently changing page to hide its identity. I watched for a moment and the site was indeed trying to scan my computer because it went from an Internet Explorer Window to a My Computer Window and a scan completion bar was running. Not even 1% had been completed before I closed the application but it has me worried if anything could have been stolen. Again there are no pop-ups or performance problems but I'm unsure of what steps to take.

URL was edited by admin to prevent others from getting infected.

webscan5.com
Dec 26, 2008 8:24AM PST

I encountered the exact same thing. Unfortunately I was not at my computer but had Windows IE open. When I returned to my computer it had been re-routed to the website: Webscan5.com. It said it had scanned all of my drives. Interestingly enough it said it scanned my E: Drive. I don't have E: drive. It said it found all kinds of malware and trojan viruses on my computer. A dialogue box asked if I wanted to remove them. I tried to hit cancel but the box just kept reappearing. I went to task manager and killed my IE session.

I went back to the site and it immediately started the "scan" again.

I'd love to know what this is and I hope to God it didn't actually scan anything on my computer.

Anybody have any idea what this is?

Thanks for the info.

5avscan
Dec 26, 2008 12:58PM PST

I encountered the exact same thing. I use Firefox. I clicked ok, but my safety zone would not allow the download. Thank God. What was I thinking? A scan completion bar was running. When I went to Task Manager 5avscan was not running, but I ended my Firefox session and am running my anti virus and security threat program. So far nothing has been detected. (70% complete)

Googled 5avscan and not much info.

5avscan
Dec 26, 2008 1:38PM PST

I had the same thing happen shortly after my Norton AV had advised me it had blocked an attempt of an attack. I checked to make sure all my firewalls and AV were turned on, then I ran a virus scan; nothing showed up. I then ran Spybot; there was one problem that showed up having to do with Microsoft antivirus, but I don't really think it is related to the 5avscan problem as I have Microsoft AV turned off in favor of Norton, but I had Spybot fix it anyway. I then opened the Windows Task Manager and simply ended the Firefox session and the problem was resolved...I hope.

Kathy

Does everybody have "spybot" installed?
Dec 26, 2008 2:36PM PST

Just curious....I have Spybot as well and noticed a new icon on the far right corner with a "lock" symbol next to it after the incident.

You all?

The Little Lock By The Clock....
Dec 26, 2008 4:24PM PST

is part of Spybot S&D; specifically, it indicates that Spybot's Resident protection w/ Tea Timer is active & guarding your registry settings & is monitoring blacklisted processes.

This is a good thing in general 'tho' it may slow down some other A/S programs when they want to change something by pausing them & asking you if you approve of the proposed change(s). This is the same thing it does when some attacker tries to change registry items to create a home for itself.

You may wish to disable this feature if you're running another A/S program with running background guard so they don't fight over whose territory it is. If that is NOT happening, then let it run. It has saved my tail on several occasions over the years.

If you aren't already, on Spybot Front page, on top left side, click the "Mode" button & click on "Advanced" Mode & re-start S&D. You'll find 2 new buttons at bottom left (settings & tools) which will give you access to numerous helpful items in the program like "System Startup" which shows you everything starting at boot-up & will allow you (via checking/unchecking) to make some unnecessary items a manual start as actually needed. On right side of that feature you can find info on what each item is that's starting. What you change by putting check mark, you can change back by unchecking if desired/necessary.

Enjoy!!

The Little Lock By The Clock...
Dec 26, 2008 5:05PM PST

Hmmm, maybe I'm looking at a different lock because I don't have Spybot running all the time since I have Norton AV and Spybot and Norton shouldn't both be running at the same time, right? I did get a message from Norton AV that an attack against my computer had been blocked, but a few seconds later I was on the 5avscan.com site and couldn't get away, so it seems that Norton was not able to defend against the attack after all. I wonder if Spybot could have done the job better?

Kathy, The Spybot Notice You
Dec 27, 2008 2:17PM PST

got during scanning was just telling you that you have 2 AVs on the machine & the MS one had been de-activated (by Norton) as is correct procedure to prevent conflict. Not to worry!!

For All Who Posted The Same Webscan5
Dec 26, 2008 4:32PM PST

questions below, I suggest you install/update/run the free Malwarebytes program MBAM.exe to be on the safe side & then watch for any behavioral changes in your machines for a while. It updates daily. Instructions & links for MBAM.exe:
http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=304328&messageID=2831556#2831556

Spybot users note: S&D Tea Timer would have blocked & asked you about registry changes by this infection for approve/disapprove of changes, blocking changes until you approved.

The Little Lock By The Clock
Dec 26, 2008 4:53PM PST

The little lock shows "Authenticated by VeriSign, Inc", which means it is a secure website for conducting financial transactions.

Little Lock
Dec 26, 2008 6:22PM PST

Thanks for the info on the Spybot features. Interestingly, while I am running Spybot it did not stop the re-direct to the website, the "scanning" of my computer etc., etc. Nothing popped up.

I mostly just want to know what the heck this website is.

Did it scan my computer or was it just some kind of a website setup to make it look like it did, get me to click "OK" and then download something onto my computer?

Is there anybody out there that knows? Again it's www.webscan5.com

webscan5.com
Dec 27, 2008 6:03AM PST

Basically, I Believe You're Being
Dec 27, 2008 3:17PM PST

re-directed to that site by a "hook" similar to those you'd get to MS or Yahoo's home Page. The fake AV alert system infection consists of several parts.

The first takes you to the "scanning & scaring page" which doesn't usually actually inject any infection except to scare you to click "Yes" to "download cure" & possibly enter re-direct to part2. This would be the Webscan 5 page.

The download page (part 2) is where the trouble really is and will download its own trojan which will then open a back door to allow more infections to download. This would be the AV scan5 page. IF you don't get caught here, you're half way home & only have the scare re-direct to worry about.

If you have Spybot (running in advanced mode) under the tools button, double click "Browser pages". This shows where your IE etc. are directed to & thru when you browse the net. Look to see if Webscan5 or the other are listed there. There may be several of both "Home page" (house symbol) & search start pages (World symbol). Your current homepage may also be found in Internet Options in CP.

You can delete any you don't want to be there by click to highlight the bad ones then click change and in resulting view use backspace to back them out of existence one by one. DO NOT remove ALL! You want to leave at least 1 of each. In my case I kept ONLY 1 "House" About:Blank (blank page for Home) & 1 "World": http://www.google.com/ search page. Once entered here, absent any over-riding other program you have approved, Spybot will lock these pages as only ones to be used upon opening of IE.

Also under Tools button, you may dbl. click BHO's (Browser Helper Objects) which will show items (ActiveX usually) which can operate thru browser. Example might be "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)" (Adobe Acrobat PDF reader).

If you have Spybot's SD Helper enabled then there'll also be one for that. It will usually have no name but the last 5 #'s will be {xxxxx "2484F"}. Leave it there. The known ones will have a green check mark to indicate "legit" but you may or may not want them active all the time (toggled off to close possible entry points for attacks).
If you have ones there with a name unknown to you or no name, you can highlight & click "Toggle" at top to disable them and repeat to re-enable them if you need them. ActiveX downloaded items can also be found in Internet Options in CP where you can un-install them.

Also under "Tools": IE Tweaks: check mark available to lock Hosts file against hijackers (use if you know hosts list is clean). SD Helper is Spybot's hosts file.

You may also try (assuming when you go on net you have) right click on 2 computers by clock (LAN/net connection) and select "Repair" option. I believe this will dump your current local stored DNS library (which webscan 5 may have inserted itself into to redirect you). A type of poisoned DNS action which can send any address you click to another "fake" site. Worth a try (especially after you've found & cleaned other items above).

Hope this helps.
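An added example, not part of the post above or of Spybot: one way to check that a hosts file is clean before locking it, by separating block-list entries (names pinned to a loopback or unspecified address, as protective tools add) from redirect entries that send a name to some other address. The sample file, its hostnames and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file: the default entry, one block-list entry,
# two redirect entries (documentation address range) and one broken line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.blocked.example      # block-list entry
203.0.113.7     www.google.com
203.0.113.7     update.antivirus.example # keeps AV updates away from the vendor
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (line number, kind, address, names) for every hosts entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue                           # blank or comment-only line
        addr, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "malformed", addr, names))
            continue
        if ip.is_loopback or ip.is_unspecified:
            # Pinned to the local machine: the stock entry or a block.
            kind = "default" if names == ["localhost"] else "blocked"
        else:
            # Any other address overrides DNS for these names: review it.
            kind = "redirect"
        findings.append((lineno, kind, addr, names))
    return findings

def redirects(text):
    """Entries that send a hostname to a non-local address."""
    return [(n, a, names) for n, kind, a, names in audit_hosts(text)
            if kind == "redirect"]

if __name__ == "__main__":
    for finding in redirects(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; a redirect entry is not always malicious, but each one should be accounted for before the file is locked.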

Thank You!
Dec 28, 2008 1:29AM PST

The last two messages helped tremendously.

I did not click the OK button so as you say I am halfway home. I'll follow your other instructions.

Whew! Big relief. Thanks All.

INDICATION FROM WHERE THEY ARRIVE
Dec 28, 2008 10:27AM PST

Hello
Excuse me for my English
Also to me, it has happened what you wrote about WEBSCAN5
But another thing I read when it happened: the IP address from where the problems come and it was 93.150.8.120. It was written on the screen of my laptop in green.
Today I downloaded a software called IPNetInfo (http://www.nirsoft.net/utils/ipnetinfo.html) that told me some things about this IP address:

Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '93.150.0.0 - 93.151.255.255'

inetnum: 93.150.0.0 - 93.151.255.255
netname: OPITEL
descr: IP addresses allocated to DSL customers
country: IT
admin-c: LV1834-RIPE
tech-c: RD2747-RIPE
status: ASSIGNED PA
mnt-by: VODAFONE-IT-MNT
changed: roberto.decristofaro@vodafone.com 20080610
source: RIPE

person: Luca Vit
address: Vodafone N.V.
address: Via Jervis,13
address: I-10015 Ivrea, TO
address: Italy
e-mail: luca.vit@vodafone.com
nic-hdl: LV1834-RIPE
changed: luca.vit@vodafone.com 20070416
phone: +39 0125624819
source: RIPE

person: Roberto De Cristofaro
address: Vodafone N.V.
address: Via Jervis,13
address: I-10015 Ivrea, TO
address: Italy
phone: +39 0125624624
nic-hdl: RD2747-RIPE
changed: roberto.decristofaro@vodafone.com 20071206
source: RIPE

% Information related to '93.150.0.0/15AS44957'

route: 93.150.0.0/15
descr: route for Opitel DSL customers
origin: AS44957
mnt-by: VODAFONE-IT-MNT
changed: roberto.decristofaro@vodafone.com 20080617
source: RIPE


What do you think about it?

I Saw The Same Info As You...
Dec 28, 2008 1:27PM PST

via Sam Spade & clicked for additional data base & found this:

(Asked whois.arin.net:43 about +93.150.8.120)

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 93.0.0.0 - 93.255.255.255
CIDR: 93.0.0.0/8
NetName: 93-RIPE
NetHandle: NET-93-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRIRIPENET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SUNIC.SUNET.SE
NameServer: NS3.NIC.FR
NameServer: NS-EXT.ISC.ORG
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2007-03-27
Updated: 2007-04-03
ARIN WHOIS database last updated 2008-12-28 19:10
Enter ? for additional hints on searching ARIN's WHOIS database.

Amsterdam as well?? Beginnings of a network?? Not likely to be trusted.
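An added example, not part of any post in this thread: reading the two whois answers quoted above together. The ARIN answer covers the whole 93.0.0.0/8 block delegated to the RIPE registry and carries a ReferralServer line, while the RIPE answer is the more specific record for the address; the code keeps the smallest covering block. The sample responses are constructed, abridged copies of the quoted output, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, abridged copies of the two whois answers quoted in the posts above.
ARIN_RESPONSE = """\
OrgName: RIPE Network Coordination Centre
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 93.0.0.0 - 93.255.255.255
NetName: 93-RIPE
"""
RIPE_RESPONSE = """\
inetnum: 93.150.0.0 - 93.151.255.255
netname: OPITEL
descr: IP addresses allocated to DSL customers
country: IT
"""

def parse_fields(text):
    """Return {lowercased key: first value} for the 'key: value' lines."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("%") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), value.strip())
    return fields

def covering_record(ip, response):
    """Return (block size, fields) if the response's range covers ip, else None."""
    fields = parse_fields(response)
    span = fields.get("inetnum") or fields.get("netrange")
    if not span:
        return None
    first, last = (ipaddress.ip_address(p.strip()) for p in span.split("-"))
    if not first <= ipaddress.ip_address(ip) <= last:
        return None
    return int(last) - int(first) + 1, fields

def most_specific(ip, responses):
    """Pick the smallest covering block; list the servers the others refer to."""
    records = [r for r in (covering_record(ip, t) for t in responses) if r]
    if not records:
        return None
    size, fields = min(records, key=lambda r: r[0])
    referred = [urlsplit(f["referralserver"]).hostname
                for _, f in records if "referralserver" in f]
    return {"netname": fields.get("netname"), "country": fields.get("country"),
            "addresses": size, "referred_to": referred}
```

For 93.150.8.120 the selected record is the OPITEL range, described in the quoted RIPE output as addresses allocated to DSL customers; the Amsterdam address in the ARIN answer belongs to the registry that holds the /8.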

Two questions: 1) your opinion about IP 2) Your actions
Dec 28, 2008 7:47PM PST

1) And so, what do you think about these different IP addresses?

2) However, about the problem we had, I used MBAM and I put the elements in quarantine; do you think it is better to delete them?
Thanks
Hello
Paolo

They're Safe In Quarantine (No Threat)...
Dec 30, 2008 2:24PM PST

wait a few days & IF computer seems to be working OK, Then delete/empty quarantine. Wouldn't connect to either by choice.

I Apologise For Mis-reading The "Lock"
Dec 27, 2008 2:11PM PST

mostly seeing all the Spybot comments misled me. You're quite right, IF it's just a lock with no blue & white box behind it then it's not Spybot but rather normally indicates a secure connection such as would be used for online purchases etc.

Since I don't have Norton, it could also be one of its many functions indicating that a site has correctly identified itself (not Cross Site Scripted).

For others: Spybot's Tea Timer protects registry changes. You can have Spybot but NOT have Tea Timer active (perhaps ONLY SD Helper, Host file active) in which case most protective real time features are not active, more like an on demand scanner. You'd have these inactive to avoid conflicts with another real time protector (say Norton or AVG).