Anti-virus Reacts On Every Scan


7 replies to this topic

#1 olddog1947

Posted 19 February 2006 - 01:18 PM

Hello Experts. Need some help in figuring out what is lurking in my computer. Every time I run a scan with Spybot or Ad-Aware, I get one or two hits on my anti-virus (Trend Micro 2005) that says that it has detected an infected file in (C:\Windows\downloaded program files\mediagatewayX.DLL) and it says the virus name is (ADW WINAD.BD) Scan result: Denied Access.

I tried a Google search on the virus name with very little luck. Searching on the DLL was a little better, and with all of the topics starting off with talk about HijackThis logs, I finally installed the program and ran a log today (my first, very good tutorial on your site) and found the reference to the mediagatewayX.DLL and also a pointer to (O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab)

Could you please let me know what this is and how I get rid of it. Any and all help will be greatly appreciated.
First Home Build Computer
Antec Case/Asus A7n8x-e/1 Gig Memory/AMD XP-2700
PNY 7600 gs Video/Creative Sound Blaster/2 Maxtor 80Gig HD
Windows XP Pro SP-2

An oldster who loves playing
with this stuff
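
As an added example (not part of the original post and not HijackThis's own code): a small Python parser for `O16 - DPF` lines like the one quoted above, listing each ActiveX codebase host and the registry key to inspect. The allowlist, the function names and every sample line except the first O16 entry are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Where each DPF entry lives in the registry (one subkey per control).
DPF_KEY = r"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units"

# "O16 - DPF: {CLSID} (optional name) - codebase URL"; older entries
# carry a plain label in place of the CLSID.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<ident>\{[0-9A-Fa-f-]{36}\}|.+?)"
    r"(?: \((?P<name>.*?)\))? - (?P<url>\S.*)$"
)

def host_trusted(host, trusted):
    """True if host equals, or is a subdomain of, an allowlisted domain."""
    return any(host == t or host.endswith("." + t) for t in trusted)

def review_o16(log_text, trusted):
    """Return one record per O16 line, flagging codebases off the allowlist."""
    records = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # not an O16 entry
        host = (urlparse(m["url"]).hostname or "").lower()
        records.append({
            "ident": m["ident"],
            "name": m["name"],
            "host": host,
            "registry_key": DPF_KEY + "\\" + m["ident"],
            "review": not host_trusted(host, trusted),
        })
    return records

# First O16 line is the one quoted in the post; the rest is constructed.
SAMPLE_LOG = """\
Logfile of HijackThis (constructed sample)
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Example Updater) - http://update.example.com/cab/updater.cab
O16 - DPF: Example Chat - http://chat.example.net/c381/chat.cab
"""
TRUSTED = {"example.com"}  # hypothetical allowlist

if __name__ == "__main__":
    for r in review_o16(SAMPLE_LOG, TRUSTED):
        mark = "REVIEW" if r["review"] else "ok"
        print(f"{mark:6} {r['host']:24} {r['registry_key']}")
```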

#2 Leurgy


Posted 19 February 2006 - 05:17 PM

ZangoCash appears to be adware (read popups or directed advertising) that is installed on your computer along with some games or videos you watch, and without your knowledge usually. To delete that file, open Internet Explorer and go to Tools > Internet Options. Under the General tab, click Settings, then click View Objects. mediagatewayX.DLL should be in there and you can right-click and delete it. That's a really weird place for a .dll file, as this folder should only contain ActiveX controls.

Let us know if that works for you.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#3 olddog1947

Posted 20 February 2006 - 07:09 PM

Sorry for not getting back to you sooner, my daughter had a problem she needed help with.

I tried removing this item from the explorer tools tab but it said that it was in use by something else. Unless you say otherwise, I will go into safe mode and see if that helps. Let me know what you think.

I may have confused you with my description of the problem: "ADW WINAD.BD" and "MediaGateway.DLL" were not in the downloaded programs file, they were reported in my anti-virus program. I did note a reference in my search of "c:" to API log file.

#4 Leurgy

Posted 20 February 2006 - 08:58 PM

Have a look at the information concerning O16's in our HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware. According to that, you can delete it with HJT.

Hope that helps.



#5 olddog1947

Posted 22 February 2006 - 02:36 PM

Thanks, that worked fine and got rid of the ActiveX item, but I am still getting hits every time I do a scan. This is the only time that Trend Micro ever reacts as if this thing was trying to "call home". Is there any way I can control the speed of Spybot or Ad-Aware so that I can get an idea of where or what this thing is? I have a sneaking idea that this is some type of web address or HTML something that is causing this reaction. Doing manual scans of my drive looking for ADW_WINAD.BD or MEDIAGATWAY.DLL finds nothing. I do not think this thing is active, only a nuisance.

#6 Leurgy

Posted 22 February 2006 - 04:14 PM

What is happening here is that as Spybot or Ad-Aware get to this item and scan it, Trend Micro reacts as if the item is being activated when in actual fact it is only being scanned. It's a type of conflict between anti-malware programs. Try disabling your Trend Micro and running Spybot and Ad-Aware and check the results. This could also be a situation where your programs are scanning each other's quarantines, so you should empty those.

For Ad-Aware it's in Program Files\Lavasoft\Ad-Aware SE Personal\Quarantine

For Spybot it's in Windows\Application Data\Spybot - Search and Destroy\Recovery

Empty the CONTENTS of those folders. I don't know where Trend Micro may have their quarantine.

Edited by Leurgy, 22 February 2006 - 05:09 PM.



#7 olddog1947

Posted 27 February 2006 - 02:36 PM

This thing is like the Chinese water torture. I have checked and cleared all of my quarantine files, and done several searches on my C: drive, and I still get this warning. I have installed the Microsoft Windows Defender beta and it reacts also.

New Note: As of yesterday, Ad-Aware no longer causes a reaction to my anti-virus, but the others still do. Out of desperation I did a registry scan using a key word scan and got a hit on the following key.

HKLM/software/trendmicro/pc cillin/scan info

This key contained both of the words in my anti-virus alert. Is there a way that I can rename or delete this item without damage to my registry to see if it is the one causing my problems?

Thanks,

#8 quietman7

Posted 27 February 2006 - 07:48 PM

The issues you are describing do not appear significant enough to warrant making registry changes which could have an adverse impact on your system. Did you try disabling Trend Micro as Leurgy suggested before running your scans?

Have you tried to contact Trend Micro Support?
http://esupport.trendmicro.com/support/sup...m1&locale=en_GB
email: retail@support.trendmicro.com
telephone: 1 800 864 6027

There have been previous reports of other issues with Spybot and what you are describing may have already been reported to them. If so, they may be able to provide you with a possible solution.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators



