Kaspersky claims zotero standalone 2.1a3 contains adware "Adware.Win32.Gaba.eth"

My Kaspersky antivirus is currently blocking me from downloading Standalone 2.1a3, claiming it's infected with adware:

22/05/2011 23:04:18 Firefox Web Anti-Virus Detected: not-a-virus:AdWare.Win32.Gaba.eth http://www.zotero.org/download/standalone/2.1a3/Zotero_win32.zip/Zotero_win32/extensions/zoteroWinWordIntegration@zotero.org/components/zoteroWinWordIntegration.dll

I also tried again and got from Kaspersky:


The requested URL cannot be provided
The requested object at the URL:
http://www.zotero.org/download/standalone/2.1a3/zotero_win32.zip
contains legal software that can be used by criminals for damaging your computer or personal data
not-a-virus:AdWare.Win32.Gaba.eth

I'd be grateful if this could be checked, Kaspersky informed of a false-positive or whatever. As I think it's probably safe, I'm going to disable Kaspersky during the download and install.
  • I've confirmed the detection with an online multi-engine scanner, result here: http://virusscan.jotti.org/en/scanresult/935836d95737ac80c0c32bcf2a453cd383eaf28a

    This will have to be explored by the core team to see what's up.

    The DLL is supposed to be part of the plugin, and it's hard to say if there's anything wrong with it. There is a pile of assembly at the end of it-- maybe something is wrong? I would honestly hold off on installing until this is cleared up 100%.
  • It's a false positive.
  • Thanks for verifying. Might you be able to send something to that effect to the folks at Kaspersky and other places that are flagging it, so they can tweak their definitions?
  • It looks like the latest zoteroWinWordIntegration DLL in SVN doesn't have this issue, so it won't be a problem with the next version of standalone, which is long overdue and should be out within the next week. My guess is that there's something about the specific code in this version and the fact that it is an XPCOM component that is triggering the false positive.
  • +1 here - I'm using Avira and after my update zoteroWinWordIntegration.dll is being quarantined
  • edited May 23, 2011
    If you're receiving this from the WinWord plugin and not from Standalone 2.1a3, please make sure you have the latest version of the Word plugin. As far as we know this doesn't occur with the latest version.

    If you still get it after installing the latest version, let us know.

    And just to reiterate, this is a false positive. There's nothing at all wrong with the plugin.
  • edited May 23, 2011
    I am using firefox 3.6.17 w/ zotero plugin 2.1.6; the winword plugin is v3.1. The problem is obviously from the winword plugin, and as far as I can tell, that's the latest there is.

    I assumed the malware warning was a false positive - thanks for the reassurance. I have added the dll to the list of exceptions (perhaps shouldn't advertise it) so that my antivirus will stop blocking it. However, I'm sure others will run into this problem, and won't like this solution (or won't know how to configure their AV to allow such exceptions).

    Like I mentioned, this showed up today immediately after my AV-update, after which the on-access scanner picked the zotero dll up.
  • We've submitted the DLL as a false positive to Avira.

    The latest version appears to pass other tools.
  • Working perfectly! For this you have to uptade your virus definition files..(I'm also an Avira user).
  • We've reported this issue to Avira and Kaspersky, who have determined that it was a false positive. Virus definitions from today should contain a fix. We are still waiting for a response from McAfee.
  • I have the same problem. But I put in the scan exceptions of Avira. Then it works well.
  • sigmund1973: Are you sure you have the latest virus definitions? As far as we know this was fixed a week ago.
  • Dan Stillman: Yes. My virus definition is June 2. I tried to remove the exception (D:\Program Files\Zotero_win32\extensions\zoteroWinWordIntegration@zotero.org\components\zoteroWinWordIntegration.dll ) from Avira just now again. "ADWARE/Agent.Gabaeth" detection comes again.
  • AVG Free 2011 decided this morning that zotero.exe is malware and moved it into the vault. Something about 'Injects code'. I'm using Zotero Standalone 3.0b2.1 for Windows. Anything I should worry about or can I restore the executable?
  • spoedniek: It's almost certainly nothing to worry about, but you'll need to provide the exact error message for us to tell you what's happening.
  • Dan,
    Thanks. I re-installed Zotero and that seemed to fix things. There wasn't much of an error message except to say that it (AVG) is moving the zotero.exe into the vault and do I want to restart the computer now :-). If it happens again I will make screen captures of the various messages and post them.
Sign In or Register to comment.