Mar 24

SourceForge-hosted PDFCreator Trojan/Toolbar Warning

Tag: opensource,opinion,randompmularien @ 11:46 pm

I decided to post this as a public safety announcement, since I (surprisingly) didn’t see this blogged elsewhere. I have, for many years now, used the free/open source PDFCreator software for simple PDF generation and testing.

I recently updated to the most recent version (0.9.7) of the software (now hosted at pdfforge.org), and have made an interesting discovery.

The software is bundled with a browser toolbar component that has behavior which I would consider malware or trojan-like behavior. The notable difference is that it redirects certain types of browser traffic to www.searchsettings.com, which is a linkbait/parking-type site.

In Firefox, I noticed an extension called “Search Settings 1.2″ which, once removed, killed this behavior. After more research, I saw that IE had 2 Add-Ins installed (these were also removed). I did some more digging, and that’s when things got interesting.

There is a SourceForge Bug 2607106 “Remove trojan from download!” filed against this project. There’s the report at SiteAdvisor on pdfforge.org hosting this malware. There’s the post from an angry user on the pdfforge.org message boards.

To clarify, there are other “free” PDF creation projects that are questionable at best. However, I always took PDFCreator (sf.net) as a legitimate open source project.

The PDFCreator Toolbar is apparently implemented using “mybrowserbar”. As per their terms of service, they indicate:

f) modify your Microsoft Internet Explorer and/or Mozilla Firefox browser settings for the default search engine, address bar search, “DNS error” page, “404 error” page, and new tab page to facilitate more informative responses as determined by The Toolbar;

mybrowserbar.com “Company Information” redirects to www.spigot.com, which claims to be “Coming in March 2009″. spigot.com is a proxied domain, so there’s no further information available.

I downloaded and investigated the source tarball for the PDFCreator project, and the source of the browser toolbar installer is nowhere to be found (indeed, the .exe included with the installer isn’t present). There’s a response from Philip, one of the developers, in the pdfforge.org forum which sheds a little light on the browser toolbar. I completely empathize with his desire to make some money from his open source work; however, I’d disagree that this is an appropriate approach, and at the very least, the toolbar install option should be more up-front about it.

It’s unfortunate to see a long-time, responsible open source project act this way, and I do hope it’s an honest mistake. I wanted to give people the heads-up who may not be aware of this.

50 Responses to “SourceForge-hosted PDFCreator Trojan/Toolbar Warning”

  1. Gaurav Arora says:

    Thanks for the warning. For whatever reason, the addon wasn’t present in my firefox but in my IE only. I haven’t used IE … ever so this wasn’t much of a bother but it certainly will prevent future problems.

    Thanks once again.

  2. Adje says:

    Thanks for putting this up! I re-installed pdf creator this weekend and the new search feature was preventing me from using a proxy at a school which automatically redirects you to their login page. I appreciated this blog so much, I added it to Stumble! Thanks for keeping an eye out!

    -Adje

  3. Deryk says:

    I’ve been trying to kill this spyware for 2 days now, none of the uninstallation instructions work, which constitutes malware in my view. Dismayed to see a good open source project go down this route.

    It’s open source, so has anyone forked a non-crapware version yet?

  4. Deryk says:

    UPDATE – Nailed it!! After removing PDFCreator and reinstalling it (with the toolbar, not that I was given a choice), the PDFForge Toolbar entry finally appeared in the Add/Remove Programs control panel. That finally killed it. It had the cheek to bring up a feedback form asking why it was uninstalled, so I made sure they knew my opinion of it!

    We now have a batch file to set it up without the toolbar, with the following contents:
    @echo off
    PDFCreator-0_9_7_setup.exe /components=\”!toolbar\” /tasks=\”!desktop_icon\”

    This brings the option not to install the toolbar back, and unticked by default.

  5. Heff says:

    Hey!

    Thanks a lot for posting the announcement. I’m sure there are many others out there who would benefit from it.

    I’ve been using pdfcreator for more than a year now. When I got my new laptop I just downloaded from sourceforge instead of finding the installer I had saved. I saw that the new version was 0.97 instead of my trusted 0.96, but I thought what the heck, the guy found some time to make some improvements.

    To my dismay, I found many of my clicks, especially to slower responding sites, were directed to the effing mybrowserbar.com. At first I thought it was due to YM, which installs the Yahoo toolbar. Imagine my surprise when I learned otherwise. I guess I now need to apologize to the people at Yahoo for accusing their grannies of providing… morally deficient services?

    Oh well, not like I called them up on the phone or something :P

    Again, thanks for the post. Keep it up!

  6. Me says:

    If I’m not completely wrong you have clearly the option to NOT install this toolbar.
    Just deselect it during the install.
    Everyone who installs ANY toolbar addon doesn’t deserve better ; ) It should be common knowledge by now what those things do. No matter where they come from.

  7. Marty says:

    What annoys me is that PDFCreator installs this toolbar by default. I unchecked the install box and it installed it anyway. I am going to be more careful installing sourceforge apps in the future.

  8. Dan says:

    “I unchecked the install box and it installed it anyway.”:

    You have both yahoo! toolbar the browser extension that you must uncheck. In the next screen, make the “compact installation” since the Browser extension for IE and Firefox is part of the full installation.

    Unfortunatyely, this guy is wise and I also approve your thaughts, this is not a way to give away an open source application, so i’ll never fill any donation to these guys.

    But we must keep in mind that the installer is not part of the source and unfortunately, it’s in your hands to look carefully at the installations. Honest people wouldn’t make that kind of catch but we’re living in a world were many people is ready to put some sticky gums in your hair to get more money, no matter the impressions.

    So if you see one of those names (even if they don’t have anything to do with this because they’re linked with that person, hehe), don’t wave the hand! ;)

    – Philip Chinery
    – Daniela Martin
    – Frank Heindörfer
    – Steven Lee

  9. Sheldon says:

    A world’s smallest violin to those complaining about the browser redirecter installed with PDFcreator 0.9.7. After all, you consented to it — it was clearly part of the EULA (end user licensing agreement)

    Except, I got caught to. You see the developers of PDFcreator are unethical and sneaky. There are 2 EULA’s you consent to. One is a GNU open source license that goes on for screen after screen. That’s followed by a EULA labelled PDFcreator toolbar.

    But this EULA isn’t just about the PDFcreator toolbar. It’s an agreemtn between you and Spigot which allows them to install a browser hijacker. And accepting the EULA happens when you continue with the installation.

    Now it doesn’t matter if you choose not to install the PDFcreator toolbar. It ends up as a toolbar in Firefox. So you can deselect it from the active toolbars in Firefox.

    Now it just so happens I just finished switching my DNS nameserver under XP from the automatic nameserver Control Panel – Network Connections – TCPIP to using the specified nameservers from OPENDNS. I made the change because I didn’t like my ISP bringing up its page when I made a mistake in the name of a website. I’d rather that be done by OPENDNS.

    It appears that part of the programs installed changed my DNS nameserver back to the automatic default one so that it could then have its own redirector and search engine.

    So now I try to uninstall this stuff. Let me tell you, they put you through the wringer and give out false information. There’s no program called searchseeker.exe on your system.

    For firefox there’s the toolbar to unselect and an addon to remove and then you have to go to add/remove programs where you can remove the PDFcreator toolbar which didn’t show up in add/remove programs when you first look for it.

    Overall, a nasty and unethical piece of work — and one that shouldn’t be allowed in a project using sourceforge resources. If you want to be nasty and unethical don’t use sourceforge.

  10. Antony Sharman says:

    many thanks pmularien for the heads up.
    I, too, initially thought this was a yahoo sneak,
    I always, carefully, reject toolbars during installation and my copy of Firefox 3.5 did not show the toolbar.
    Only after reading this thread has it all become clear that the irritating behaviour of skipping 404 error messages belongs firmly with these PDFCreator bandits.
    I place error messages deliberately in my web sites – for a purpose – to stop people from leaving my sites because of a mistype.
    Now the less weary who install PDFCreator will be FORCED off site after a brief view of the 404 file.

    Way to go guys. I hope that Mozilla/Firefox catches up with this malware and removes the plugin from their pages.

  11. Antony Sharman says:

    Quickie update – for me, uninstalling the toolbar hasn’t done the job, so I am going to uninstall PDFCreator and hope for the best – never to use these guys product again if I can help it.

  12. Antony Sharman says:

    PDFCreator uninstalled and the 404 action continued. . .

    You were right that “Search Settings Plugin 1.2.1″ is the culprit.
    In Firefox: Tools > Add-Ons > then just Disable the offending piece of junk.

  13. Antony Sharman says:

    Just one more thing – after un-installing pdfforge Toolbar leaves multiple keys behind, even in HKEY_LOCAL_MACHINE\SOFTWaRE\Microsoft\Windows\CurrentVersion\Run which I found out 7 days later . . . typical junkware!

  14. Grey Area says:

    Thanks for this information. I also found that PDF Creator had installed the “Search Settings Plugin” as an extension and with the ironic description of “Protects your default search settings”. Ha! I have uninstalled the whole thing. And as a bonus I left a little comment on the pdfforge forums to express my displeasure at the under-handed tactic. I’m certain the post will be deleted (as it should be considering the language I used)

  15. PDFCreator Trojan/Toolbar Warning says:

    […] » SourceForge-hosted PDFCreator Trojan/Toolbar Warning – It’s Only Software […]

  16. Jose says:

    That was puzzling me, tried to remove the yahoo search with about:config then I noticed the extension while reinstalling firefox.

  17. ydfg says:

    Thank you for the hint with the Addon. I too was confused why this mybrowser…-crap suddenly appeared. When installing PDFCreator, I made sure not to select the Browser-Bar and it installed it anyways. I will make sure to look for an alternative to PDFCreator and will never recommend it anyone again. Sad that the author did this :(

  18. logisch says:

    thanks for reporting that.

  19. medic says:

    Hi thanks for the post, I did manage to get rid of the bar from my IE. Please check your “respond from Philip” link its dead.

    medic

  20. Open Source PDF printer driver lets us create PDF documents from any Windows App ~ Windows Open Source Apps says:

    […] SourceForge-hosted PDFCreator Trojan/Toolbar Warning […]

  21. Steven Leach says:

    I downloaded this PDFCreator, and investigated my self as well and Totally agree with you. I have changed my Blog and Pointed to this entry of yours. Thank you for alerting me. I have since moved on to use BullZip PDF printer driver and did not realize how far this project has fallen from the open source credo.
    Again Thank you for the alert.

  22. Open Mind » Blog-Archiv » pdfforge.org: Open Source Tools zur PDF-Erstellung says:

    […] eine problematische Software mit (vgl. auch den Artikel in der englischen Wikipedia, den Blog Post von Peter Mularien sowie die Diskussion im PDF Forge Forum). Achten Sie deshalb bei der Installation darauf, die […]

  23. Bobby says:

    I managed to get the toolbar removed, but I had to work at it for a while. I too found that even though I had unchecked the toolbar install it did it anyways. It is one thing to include a toolbar that you can opt out of, but when people do things like this it shows what pieces of crap they really are. I encourage EVERYONE to visit the project and leave a thumbs down until it is fixed.

    Leave Feedback Here

  24. jim says:

    agreed using spyware in open-source projects is a disaster.
    Any project doing that should be avoided going forward.

  25. masken says:

    So is there NO way of installing without getting the addons and yahoo toolbar?

    The post above: PDFCreator-0_9_7_setup.exe /components=\”!toolbar\” /tasks=\”!desktop_icon\” does NOT work.

  26. Erik says:

    Many, many thanx for this post.
    I was afraid my PC had been hijacked by aggressive malware.
    Removing the search settings plugin corrected everything for me.

  27. Axel says:

    Oh man, i’m shocked! How the hell could they just possibly think of doing that?! It’s like stabbing you in your back. What a waste of talent.

  28. Mark says:

    So many once-loved apps ruining their reputations by including crapware toolbars… it’s a sad thing to see.

  29. Mack says:

    Try qvPDF instead. It is open source and free and does have crap bundled into like PDFCreator. http://sourceforge.net/projects/qvpdf/

  30. Mack says:

    Sorry, I meant to say qvPDF doesn’t have crap bundled in it like PDFCreator. You might also want to try CutPDF, and doPDF, which are commercial, but free.

  31. faargenwelsh says:

    I’ve just finished running a KlamAV (free open source anti-virus software for linux) scan while checking my windows drive (I have a dual-boot install) for problems.

    All executables under C:/Program Files/PDFCreator/ are highlighted as containing “Trojan.VB.Chinky-1″.

    Man, I was using this program for like several years now! What a shame, really…

  32. julie says:

    thanks for posting this!

    i installed the updated version recently (not being as cautious as usual based on past experience with product–my mistake).

    anyway, i wanted to mention (so that others searching for info can make correlation) that this issue was brought to my attn by mcafee alerting me that a program was seeking outbound connection. it was located in program files as a benign-sounding applicationupdater.exe, referencing spigot and the version #

    *******
    File Information

    File Name: ApplicationUpdater.exe
    File Size: 380928
    File Path: C:\Program Files\Application Updater\
    Version: 1.1
    First seen: 1/8/2010
    Recognized safe program

    Manufacturer: Unknown
    ******

    i had already removed the crap before locating your article but found your research/info to be of obvious interest since I only had made the general association. (your article saved me lots of time i would have spent duplicating efforts) so…

    …thanks again for sharing your findings!
    ~julie

  33. hinchbox says:

    What has happened at Sourceforge? A few years ago they sent you a rebuke about compromising their site’s security when you forgot your password, and now they are allowing spyware to be uploaded to, and downloaded from their servers?

  34. Jean Lewis says:

    Thank you so much for your helpful post about the PDF toolbar. That message has been annoying me for several months – now it’s gone and all thanks to you for pointing out where the trouble lay. I’m very grateful.

  35. Andrea says:

    I really appreciate, thanks

  36. niarami says:

    I strongly agree, that’s not tolerable for an opensource project according to me. That is being unethical because 99% of user will install this malware. I suggest to make a fork project without the toolbar…

  37. Ulla says:

    Thank you for this post, it is very helpful to me, just the information I was looking for.

  38. David says:

    I got stung by this. I installed PDFCreator from SourceForge thinking it was safe. Boy was I wrong! I did unselected the option to install the toolbar component, but it installed anyway. Fortunately my ForeFront AV noticed the suspicious behavior and alerted me. I will think long and hard about downloading anything from SourceForge in the future. I;m surprised that they would permit malware being added to software there.

  39. arows1faith says:

    I’m terribly disappointed in this… and it’s apparent truth! I GREATLY APPRECIATE the info!!!!

    FYI: original page of Post of angry user @ http://replay.waybackmachine.org/20090301134326/http://www.pdfforge.org/node/2423

  40. Lee says:

    We were using this app since 0.9.7 and push it to our machines using deployment tools. We used to have a method to uninstall the toolbar via scripting but now there is no method to exclude the toolbar from the installation, even when using the uninstall string. Currently I can uninstall PDF Creator but the toolbar errors stating another app is installing and I must wait.

    Attempting to uninstall it failed, would not even work from Safe Mode. We’re done using their software and removing it from our library.

  41. Tim says:

    Ugh… Looks like they have more malware tied to it now! Our IPS complains, on every install, that it is contacting some malware site and blocks it. I used to love this program — it is so hard to see when people go to the dark side to drive revenue. Why didn’t he just ask for $10?

  42. Juergen says:

    Just installed PDF Creator 1.3.2, and at the same moment my Norton AV pops up with a “Trojan removed” message. Gives one a really bad feeling. Shame on them!

  43. Jinx says:

    Thank you for this warning. Sadly, for me, I read this too late. I have now spent over an hour trying to rid my computer of this spyware.

    I, too, am surprised at this sneaky behavior. I also suspect that Sourceforge would not allow this; I have filed a complaint and encourage others to do likewise: http://sourceforge.net/projects/pdfcreator/report_inappropriate

    Moreover, this is a real breach in etiquette and the trust people place in FOSS. At the very least, this should be opt-in.

    I encourage people not to use this software until the developers re-evaluate their priorities.

    See also:
    http://www.pdfforge.org/forum/open-discussion/8973-sweetim-spyware
    http://www.pdfforge.org/forum/help/9130-incredibar-underhand-tactics-urgent

  44. Gcs says:

    Many of the websites discussing how PDFCreator has diverged from the initial SourceForge and Open Source ideals were written back when PDFCreator first starting tricking users into installing a toolbar (2009). As a result, many of the initial articles and follow-up posts are not current. I would advise anyone to include Wikipedia’s article on PDFCreator in their research, as it does get updated with recent changes, plus shows the history of this deviation. It may be surprising to many that the issue (although altered) is still going on in October 2012. The toolbar source partner has changed a few times, but the problem continues, even worse, as now, the user must agree to the toolbar terms even if it not selected to be installed. pdfForge has turned the Review option off on SourceForge so that no more Reviews/comments can be left. Also, the pdfForge website forum attempts to explain away the issue, as if it is not their fault. After three years (since 2009), it is clear that pdfForce has no intention of ending the trickery. Unfairly, SourceForge’s reputation is threatened. Everyone should request SourceForge to solve the problem to save their own reputation.

  45. Olivier says:

    I left a request to Sourceforge support regarding this issue. I’ve been helping a friend recently to print pdf from her windows computer, I recommended to get PDFCreator directly from Sourceforge, only to discover this fishy binary malware “snap.do” bundled with an installer that looks exactly like an phishing attempt. Even AVG told us about the strange process running.

    This told, why the hell that after 3 years of this wild GPL abuse case, nobody have yet to fork the project and simply carry on ? After all, it’s all about peer review. Linux distributions would *never* let something creep along their package sources.

  46. Sherri says:

    I also found it installed the snap.do malware when I tried to update. My company is withdrawing it’s support for this project (we had recommended it on our website and donated financially in the past). Sad, since it has been very useful over the years, and would have paid for it if the creator had just asked.

  47. Andrew says:

    This same program has recently done this with Babylon Search and other stuff.

    At one point, I and others had posted negative reviews on the SourceForge.com project page, but I’ve noticed they were all removed. Additionally, the bug report you linked to above has been removed.

    It is questionable behavior for any software to even just ask you to load unrelated software, but it is absolutely unacceptable to load software without asking the user first. I’m quite shocked that Sourceforge allows this project to continue to ride on the Sourceforge name.

  48. Ze Caralho says:

    What a Shame!!
    This was such a nice tool.

    I had to rebuild my machine because of this.
    It interfered with my browser and kept of redirecting me to strange websites.
    Don’t install this this!!

    Runaway from it.

  49. Bucky says:

    Thanks for this info. It is a shame, because PDFCreator is otherwise a great program.

    Are you saying that if you download the source and compile it yourself, you will not get the spyware?

  50. SteveH says:

    I have been using PDFCreator for over 12 years; it suited me better than any of the alternatives that I tried at the time and I’ve stuck with it. However, I noticed that some of the upgrades weren’t helpful so I stuck with my 2002 version. Fortunately I still have it, and have continued to use that version to install PDFCreator as machines get upgraded or replaced.

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>