WebGet Adware – Removal Instructions

Yesterday I was reviewing some of the files recently added to the FreeFixer library. Currently there are around 125 000 files added to the database. One of the files that caught my attention was WebGetBho.dll, digitally signed by WebGet, which looked like a new variant of the Altbrowse/BrowseFox adware. The scan result from VirusTotal clearly shows that this is the case:

[Image: VirusTotal scan result for webgetbho.dll]

I have not found out how WebGet is distributed. If you have some hints on where I can find the software that bundles WebGet, please let me know since I’d like to test it and see what the WebGet ads look like. In case you have WebGet on your machine and it displays one of its ads, please take a screenshot and post it in the comments field below so the other readers and I can have a look at it.

I assume that WebGet works like the other Altbrowse/BrowseFox variants: WebGet adds itself to Internet Explorer and Mozilla Firefox, and shows some sort of ads. The ads may be labelled “WebGet”.

To remove WebGet, simply check the WebGet files for removal in the FreeFixer scan result. The WebGet files are usually located in “C:\Program Files\webget\”, or in “C:\Program Files (x86)\webget\” if you are running 64-bit Windows. These are some of the files that may appear in the scan result:

  • webgetbho.dll
  • updatewebget.exe
  • webget.FFUpdate.dll
  • webget.FirstRun.exe
  • webget.CompatibilityChecker.dll
  • webget.IEUpdate.dll
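
A read-only check for the files listed above, written as an added example that is not part of the original post and is not FreeFixer's own code. It assumes Windows PowerShell 4.0 or later, takes the directory and file names from this article, and matches services on the substring "webget" because a reader comment below reports services named "Update webget" and "Util webget".

```powershell
# Added example: read-only triage for the WebGet files named in this article.
# Nothing is deleted or changed; the output is meant to be reviewed before removal.

# Install directories from the article (32-bit and 64-bit Windows layouts).
$dirs = @(Join-Path $env:ProgramFiles 'webget')
if (${env:ProgramFiles(x86)}) {
    $dirs += Join-Path ${env:ProgramFiles(x86)} 'webget'
}

# File names listed in the article.
$knownNames = @(
    'webgetbho.dll', 'updatewebget.exe', 'webget.FFUpdate.dll',
    'webget.FirstRun.exe', 'webget.CompatibilityChecker.dll', 'webget.IEUpdate.dll'
)

$findings = foreach ($dir in ($dirs | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

    Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The article notes that webgetbho.dll is digitally signed by WebGet,
            # so the signer subject is recorded next to each file.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Listed    = $knownNames -contains $_.Name   # case-insensitive match
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Assumption: related services carry "webget" in their name, display name or binary path.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.Name -like '*webget*' -or $_.DisplayName -like '*webget*' -or $_.PathName -like '*\webget\*'
    } |
    Select-Object Name, DisplayName, State, PathName

if ($findings) { $findings | Format-List } else { 'No files found in the webget directories.' }
if ($services) { $services | Format-List } else { 'No services matching "webget" found.' }
```

Files reported with `Listed = False` sit in the same directory but are not among the names in the list above, so they are worth reviewing as well.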

Hope this helped you figure out what WebGet is and how to remove it.

6 thoughts on “WebGet Adware – Removal Instructions”

  1. I downloaded CamStudio v2.7.2 from the camstudio.org site earlier today.
    Immediately after it installed, I got a warning from Webroot that C:\Program Files (x86)\webget\webget.FirstRun.exe was trying to connect to the internet. I stupidly allowed it to connect and didn’t think anything of it. When I subsequently surfed the web, a couple extra browser tabs appeared, with urls beginning with opensoftwareupdater. I did not take screenshots as I was more interested in getting rid of the problem. I ran an adware cleaning program and the services it located were Update webget and Util webget, at which point I realized that I invited this insanity into my browser when I ignored Webroot’s warning. My cleaner found and removed some folders and keys. Hopefully the problem is gone. I’m planning on a wipe and reload at my earliest convenience…

    1. Al, thank you for the report on WebGet. I tried the CamStudio_Setup_v2.7.2_r326_(build_19Oct2013).exe download from camstudio.org but for some reason it did not install WebGet on my machine. Perhaps it noticed that I’m running Windows in a virtual machine.

      It is however clear that CamStudio is involved in software bundling since the following file is located in CamStudio’s installation directory: BunndleOfferManager.exe.

      Unfortunately, the detection rate for BunndleOfferManager.exe is pretty low. Only 2 of the 51 anti-virus programs at VirusTotal detect it. DrWeb reports it as “Adware.Bundle.4” and ESET-NOD32 calls it “a variant of Win32/Bunndle”.

  2. Hi, this disturbing and sneaky software is bundled with the Adobe Flash Player update.
    The Adobe Flash Player update has now become a total asshole when they sneakily install this software on your computer.

    1. Are you sure that the Flash Player update you got was actually from Adobe? There are many web sites that pop up alerts about an outdated Flash Player, and when installed the user ends up with lots of unwanted software.

  3. I can confirm that ‘WebGet’, ‘Settings Manager’ and ‘LinKey’ are all installed via a fake Adobe Flash update. I’m trying to track down the offending website from my client’s browse history, but it’s taking some time. I’ve heard a number of people have recently fallen victim to this fake update. McAfee, AVG and Avira have all failed to spot it until the extensions are installed and the browser is being used. I’m still investigating, but it looks as if a pre-installed version of Malwarebytes was partially disabled by additional malware subsequently installed once these three were up and running.
