Thread: Old Webshots program tagged as malware by Kaspersky & others

  1. #1
    amethyst Guest

    I have webup.exe, and it is the 2001 version of webshots. I've been using the Webshots program for years for desktop wallpaper and screensaver (although I haven't downloaded any pictures for probably a year or 2 now), this is the second computer I've used it on, just love it.

    So today I finally figured out what to do in what exact order to get my favorite 'second opinion' online AV scanner to run (thanks, Oldsod!), and it tagged this little webup.exe file, which I've had for 7 years now and which ZASS 6.5 doesn't identify as being a problem. I had neglected to set the software to 'report only', so I lost the .exe, but I had a backup on a CD. I restored that and restarted the scan, this time on 'report only'. It also tagged the .exe I had copied from the CD.

    I had virustotal.com scan it, and I got the following results:

    Avast 4.7.1098.0: Win32.Adware-gen
    Bitdefender 7.2: Adware.Gator.AT
    Fortinet 3.14.0.0: Adware/Gator
    Kaspersky: not-a-virus:Adware.Win32.Gator.1050
    McAfee 5219: potentially unwanted program, Adware-GAIN
    Panda 9.0.0.4: Adware/Gator

    I had to use Webshots feedback form to notify them. Many people just let their AV software do its thing and it does, deleting stuff without asking first, and I'm sure Webshots should be happy to know why their paying customers might be having problems all of a sudden. I am not a paying member, so e-mail exchange is not likely, although I did strongly urge them to contact me anyway.

    I'll run a full system scan with the antispyware portion of ZASS at some later date, my computer has been spending enough time being scanned for the day.

    So...I don't think Webshots is malware. Anyone?

    Amethyst

    ZoneAlarm Security Suite version:6.5.737.000
    TrueVector version:6.5.737.000
    Driver version:6.5.737.000
    Anti-virus Vet engine version:31.1.0.000
    Anti-virus signature DAT file version:31.1.5501.000
    Anti-spyware engine version:5.0.189.0
    Anti-spyware signature DAT file version:01.200801.3255
    AntiSpam version:4.8.2.7565




    Operating System: Windows XP Pro
    Software Version: 6.5
    Product Name: ZoneAlarm Internet Security Suite

    Message Edited by amethyst on 01-31-2008 03:57 PM

    Message Edited by amethyst on 01-31-2008 03:59 PM

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056



    AVs are usually dead on. Online scanners from virustotal or jottiscan are too, but the antivirus engines that normally use lots of heuristics do not have the heuristics enabled. Hence the heuristic scanners miss a lot. But the definition-based antivirus engines' results are dead on.

    Many of the AV scanners will go to the extreme and declare many files as riskware or malicious. I know this all too well - I have an entire folder full of tools and such, and this folder is always set to not be scanned by the resident AV. Tools like AngryIP or Magical Jelly Bean Keyfinder, to name some of the more innocent ones.

    On the other hand, many vendors are turning a blind eye to some of the known malware/adware/junk because of corporate deals and fear of lawsuits. Some give in to the pressure of litigation and some just made deals for affiliated companies or business partners. You will be surprised who is involved with whom in business and who backed down from legal prosecution. All of a sudden users need several malware scanners to find everything. And actually something is probably missed anyways somewhere.
    Side note: Zone Labs has faced several legal cases where they were sued by the "suspicious corporations involved with malware/spyware" and Zone Labs has always stood firm and faced the situation down without ever backing down. As far as I know Zone Labs has never backed down and given in. Hurrah!

    Okay, back to the topic. This gator or gain is really Claria. It is considered adware. The best approach for adware is a dedicated adware scanner or malware scanner. Ad-aware, superantispyware, asquared, ewido and any of the big three - webroot, counterspy and pctools antispyware scanners - will give further and expanded results. However, the first few listed are available as freeware; the big three are not.
    Again, some users consider this not to be spyware.
    But I would consider this to be spyware; not any kind of a toolbar/BHO gets installed on my desktops or browsers, nor anything else that will report back home. This includes any software from the provider, tools/utilities from the provider, windows automatic updater, etc. This is why a software firewall is needed - to control the outbound connections according to the application, port, protocol and IPs.

    Some will consider this to be spyware - gator/gain reports back to the home servers a history of the user's searches and browsing habits concerning. Alexa is similar to Claria and operates in a similar fashion.

    Ewido has an online scanner - very neat and effective. After the http://www.ewido.net/en/onlinescan/ the files in the Temp folder can be easily cleaned out and no trace of the scanner is remaining.

    Any rogue BHO or .dll or malicious ActiveX involved will be seen by these applications. So will manual checking for BHO, bad .dlls and ActiveX or by using a HJT tool and viewing the results.

    Oldsod
    Best regards.
    oldsod
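An added example, not part of the original posts: one way to reduce the detection strings quoted in the first post to a family consensus, treating GAIN as an alias of Gator as the reply above does. The token lists and function names are assumptions made for this sketch, not any vendor's naming scheme.

```python
import re
from collections import Counter

# Detection strings quoted in the first post, keyed by engine name (versions dropped).
LABELS = {
    "Avast": "Win32.Adware-gen",
    "Bitdefender": "Adware.Gator.AT",
    "Fortinet": "Adware/Gator",
    "Kaspersky": "not-a-virus:Adware.Win32.Gator.1050",
    "McAfee": "potentially unwanted program, Adware-GAIN",
    "Panda": "Adware/Gator",
}

# Assumed word lists for this example only.
GENERIC = {"win32", "gen", "not", "virus", "potentially", "unwanted", "program"}
CATEGORIES = {"adware"}
ALIASES = {"gain": "gator"}  # the thread treats Gator and GAIN as one product


def family_of(label):
    """Return (category or None, family or None) for one detection string."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    category = next((t for t in tokens if t in CATEGORIES), None)
    for tok in tokens:
        # Skip platform and generic words, categories, numbers, short variant suffixes.
        if len(tok) < 3 or tok.isdigit() or tok in GENERIC or tok in CATEGORIES:
            continue
        return category, ALIASES.get(tok, tok)
    return category, None


def consensus(labels):
    """Count family votes across engines and list engines that gave no family."""
    parsed = {engine: family_of(label) for engine, label in labels.items()}
    families = Counter(fam for _, fam in parsed.values() if fam)
    top = families.most_common(1)[0] if families else (None, 0)
    return {
        "family": top[0],
        "votes": top[1],
        "engines": len(labels),
        "generic_only": sorted(e for e, (_, fam) in parsed.items() if fam is None),
    }


if __name__ == "__main__":
    print(consensus(LABELS))
```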

  3. #3
    amethyst Guest

    Thanks, Oldsod. I'll look into this some more.

    I've had this webup.exe for many years, it's been scanned plenty of times by various scanners over the years, which has included InoculateIt, Spybot S & D, Housecall, Panda, RAV, Norton's, ZASS, and Bitdefender. It's only been today that Bitdefender had a problem with it. Funny, too, that it flags only the original .exe which I have only run once to install the program, and yet the actually functioning parts of it are ignored.

    Anyway, ZoneAlarm shows 2 entries pertaining to Webshots, and one of them has no access to the internet. The other one had question marks across the board. That was the screensaver. I just gave it 2 green bars (so my screensaver runs without asking me if it is allowed to do so) and then x's across the board. It actually hasn't ever asked for internet access yet. ZA makes me give permission to even open up the webshots user interface for me to change the desktop wallpaper, though, which is fine by me.

    I've heard mention of Webshots possibly having adware, and I've also heard negative things about the newer, updated versions of the software. Mine is old, unobtrusive, doesn't nag, doesn't bug me. I've accumulated a lot of collections of photos over the years [and managed to keep them through a few format and restore jobs on a cranky Windows 98 machine as well as a transfer to a new computer], but I haven't downloaded anything for a very long time, as I've been happy with what I have. I read a complaint on another forum from a person who would love to revert back to the version I have because the updated one nags all the time for her to upgrade to the premium version, which would involve becoming a paying member. I'm sticking with my old one. It's for Windows 98, but it works. Maybe it's the newer ones with the Adware, I don't know.

    Anyway, I'll do some more reading. It's hard to find any details on the version I have. It's not likely too many people use it anymore, and I'm sure if the Webshots folks ever do get back to me, it'll be to urge me to "upgrade". :-)

    Thanks!

    Amethyst

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Years ago the screensaver, either the .scr or the .exe, was considered benign. Not anymore these days. Now screensavers are a source of keyloggers and trojans. The nag screen is considered by many to be 'adware'. I have a few of these applications, but I always hack these and silence the nag screens.

    Oldsod
    Best regards.
    oldsod

  5. #5

    Gator is one of the original spyware producers. Old software might have old versions of Gator spyware installed with it. Anything related to Gator or Claria is spyware, although Claria pretends to be a real software company these days (got out of being a spyware company because people didn't like them).

    Message Edited by Jeruselem on 02-01-2008 04:52 PM

  6. #6
    amethyst Guest

    I had virustotal scan the running Webshots processes--the screensaver and the systray .exe, and they are clean. However, now 8 are saying the original installer file is this Gator adware thing. I've done some poking around online and in my computer, even checking in the registry. I can not find any signs of Gator or Gain on my computer, so I don't think running this installer actually did any harm to my system. As I said, though, people who have installed the more up-to-date versions of webshots have had complaints about its intrusive and nagging popups.

    I did put the webup.exe in a zipped folder anyway. That will keep it from doing anything unless I want it to, correct? I could just put a copy of it onto my external hard drive and delete the one on my PC. Yes, I think I'll go do that right now...

    Amethyst

  7. #7
    Join Date
    Dec 2005
    Posts
    9,056

    Correct. Zipping it and placing it on a removable drive works.
    Another approach is to change the file extension from .exe (or .dll, .bat, etc.) to .txt or .doc. It cannot be executed and all scanners will no longer see it as a malicious file.

    Even if it was installed and running, the firewall should block its outbound connection attempts (unless it uses a BHO or .dll for the browser, this would circumvent the firewall).

    Oldsod
    Best regards.
    oldsod
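An added example, not part of the original posts: how content-based identification treats the zipped and renamed copies discussed in the last two posts, by reading the DOS and PE headers instead of the file name and by opening ZIP archives. The sample bytes and the file names are constructed for the demonstration; nested archives are followed without a depth limit, which a production scanner would bound.

```python
import io
import struct
import zipfile


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_executables(name: str, data: bytes) -> list:
    """Return names of PE images found in data, looking inside ZIP archives too."""
    if is_pe(data):
        return [name]
    hits = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                hits += find_executables(f"{name}!{member}", zf.read(member))
    return hits


def constructed_pe_stub() -> bytes:
    """Constructed sample: a 64-byte DOS header plus a PE signature, not a real program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header follows the DOS header
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


def demo() -> dict:
    stub = constructed_pe_stub()
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("webup.exe", stub)
    return {
        "renamed": find_executables("webup.txt", stub),
        "zipped": find_executables("backup.zip", archive.getvalue()),
        "text": find_executables("notes.txt", b"just some text\n"),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits)
```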
