Mar 24
SourceForge-hosted PDFCreator Trojan/Toolbar Warning
I decided to post this as a public safety announcement, since I (surprisingly) didn’t see this blogged elsewhere. I have, for many years now, used the free/open source PDFCreator software for simple PDF generation and testing.
I recently updated to the most recent version (0.9.7) of the software (now hosted at pdfforge.org), and have made an interesting discovery.
The software is bundled with a browser toolbar component that has behavior which I would consider malware or trojan-like behavior. The notable difference is that it redirects certain types of browser traffic to www.searchsettings.com, which is a linkbait/parking-type site.
In Firefox, I noticed an extension called “Search Settings 1.2″ which, once removed, killed this behavior. After more research, I saw that IE had 2 Add-Ins installed (these were also removed). I did some more digging, and that’s when things got interesting.
There is a SourceForge Bug 2607106 “Remove trojan from download!” filed against this project. There’s the report at SiteAdvisor on pdfforge.org hosting this malware. There’s the post from an angry user on the pdfforge.org message boards.
To clarify, there are other “free” PDF creation projects that are questionable at best. However, I always took PDFCreator (sf.net) as a legitimate open source project.
The PDFCreator Toolbar is apparently implemented using “mybrowserbar”. As per their terms of service, they indicate:
f) modify your Microsoft Internet Explorer and/or Mozilla Firefox browser settings for the default search engine, address bar search, “DNS error” page, “404 error” page, and new tab page to facilitate more informative responses as determined by The Toolbar;
mybrowserbar.com “Company Information” redirects to www.spigot.com, which claims to be “Coming in March 2009″. spigot.com is a proxied domain, so there’s no further information available.
I downloaded and investigated the source tarball for the PDFCreator project, and the source of the browser toolbar installer is nowhere to be found (indeed, the .exe included with the installer isn’t present). There’s a response from Philip, one of the developers, in the pdfforge.org forum which sheds a little light on the browser toolbar. I completely empathize with his desire to make some money from his open source work; however, I’d disagree that this is an appropriate approach, and at the very least, the toolbar install option should be more up-front about it.
It’s unfortunate to see a long-time, responsible open source project act this way, and I do hope it’s an honest mistake. I wanted to give people the heads-up who may not be aware of this.
March 28th, 2009 at 4:00 am
Thanks for the warning. For whatever reason, the addon wasn’t present in my firefox but in my IE only. I haven’t used IE … ever so this wasn’t much of a bother but it certainly will prevent future problems.
Thanks once again.
April 6th, 2009 at 2:47 pm
Thanks for putting this up! I re-installed pdf creator this weekend and the new search feature was preventing me from using a proxy at a school which automatically redirects you to their login page. I appreciated this blog so much, I added it to Stumble! Thanks for keeping an eye out!
-Adje
April 7th, 2009 at 2:18 am
I’ve been trying to kill this spyware for 2 days now, none of the uninstallation instructions work, which constitutes malware in my view. Dismayed to see a good open source project go down this route.
It’s open source, so has anyone forked a non-crapware version yet?
April 7th, 2009 at 3:34 am
UPDATE – Nailed it!! After removing PDFCreator and reinstalling it (with the toolbar, not that I was given a choice), the PDFForge Toolbar entry finally appeared in the Add/Remove Programs control panel. That finally killed it. It had the cheek to bring up a feedback form asking why it was uninstalled, so I made sure they knew my opinion of it!
We now have a batch file to set it up without the toolbar, with the following contents:
@echo off
PDFCreator-0_9_7_setup.exe /components=\”!toolbar\” /tasks=\”!desktop_icon\”
This brings the option not to install the toolbar back, and unticked by default.
April 27th, 2009 at 12:03 am
Hey!
Thanks a lot for posting the announcement. I’m sure there are many others out there who would benefit from it.
I’ve been using pdfcreator for more than a year now. When I got my new laptop I just downloaded from sourceforge instead of finding the installer I had saved. I saw that the new version was 0.97 instead of my trusted 0.96, but I thought what the heck, the guy found some time to make some improvements.
To my dismay, I found many of my clicks, especially to slower responding sites, were directed to the effing mybrowserbar.com. At first I thought it was due to YM, which installs the Yahoo toolbar. Imagine my surprise when I learned otherwise. I guess I now need to apologize to the people at Yahoo for accusing their grannies of providing… morally deficient services?
Oh well, not like I called them up on the phone or something
Again, thanks for the post. Keep it up!
May 13th, 2009 at 6:29 am
If I’m not completely wrong you have clearly the option to NOT install this toolbar.
Just deselect it during the install.
Everyone who installs ANY toolbar addon doesn’t deserve better ; ) It should be common knowledge by now what those things do. No matter where they come from.
June 6th, 2009 at 7:58 pm
What annoys me is that PDFCreator installs this toolbar by default. I unchecked the install box and it installed it anyway. I am going to be more careful installing sourceforge apps in the future.
June 9th, 2009 at 9:49 am
“I unchecked the install box and it installed it anyway.”:
You have both yahoo! toolbar the browser extension that you must uncheck. In the next screen, make the “compact installation” since the Browser extension for IE and Firefox is part of the full installation.
Unfortunatyely, this guy is wise and I also approve your thaughts, this is not a way to give away an open source application, so i’ll never fill any donation to these guys.
But we must keep in mind that the installer is not part of the source and unfortunately, it’s in your hands to look carefully at the installations. Honest people wouldn’t make that kind of catch but we’re living in a world were many people is ready to put some sticky gums in your hair to get more money, no matter the impressions.
So if you see one of those names (even if they don’t have anything to do with this because they’re linked with that person, hehe), don’t wave the hand!
- Philip Chinery
- Daniela Martin
- Frank Heindörfer
- Steven Lee
August 5th, 2009 at 2:56 am
A world’s smallest violin to those complaining about the browser redirecter installed with PDFcreator 0.9.7. After all, you consented to it — it was clearly part of the EULA (end user licensing agreement)
Except, I got caught to. You see the developers of PDFcreator are unethical and sneaky. There are 2 EULA’s you consent to. One is a GNU open source license that goes on for screen after screen. That’s followed by a EULA labelled PDFcreator toolbar.
But this EULA isn’t just about the PDFcreator toolbar. It’s an agreemtn between you and Spigot which allows them to install a browser hijacker. And accepting the EULA happens when you continue with the installation.
Now it doesn’t matter if you choose not to install the PDFcreator toolbar. It ends up as a toolbar in Firefox. So you can deselect it from the active toolbars in Firefox.
Now it just so happens I just finished switching my DNS nameserver under XP from the automatic nameserver Control Panel – Network Connections – TCPIP to using the specified nameservers from OPENDNS. I made the change because I didn’t like my ISP bringing up its page when I made a mistake in the name of a website. I’d rather that be done by OPENDNS.
It appears that part of the programs installed changed my DNS nameserver back to the automatic default one so that it could then have its own redirector and search engine.
So now I try to uninstall this stuff. Let me tell you, they put you through the wringer and give out false information. There’s no program called searchseeker.exe on your system.
For firefox there’s the toolbar to unselect and an addon to remove and then you have to go to add/remove programs where you can remove the PDFcreator toolbar which didn’t show up in add/remove programs when you first look for it.
Overall, a nasty and unethical piece of work — and one that shouldn’t be allowed in a project using sourceforge resources. If you want to be nasty and unethical don’t use sourceforge.
October 3rd, 2009 at 3:01 pm
many thanks pmularien for the heads up.
I, too, initially thought this was a yahoo sneak,
I always, carefully, reject toolbars during installation and my copy of Firefox 3.5 did not show the toolbar.
Only after reading this thread has it all become clear that the irritating behaviour of skipping 404 error messages belongs firmly with these PDFCreator bandits.
I place error messages deliberately in my web sites – for a purpose – to stop people from leaving my sites because of a mistype.
Now the less weary who install PDFCreator will be FORCED off site after a brief view of the 404 file.
Way to go guys. I hope that Mozilla/Firefox catches up with this malware and removes the plugin from their pages.
October 4th, 2009 at 11:18 am
Quickie update – for me, uninstalling the toolbar hasn’t done the job, so I am going to uninstall PDFCreator and hope for the best – never to use these guys product again if I can help it.
October 5th, 2009 at 5:47 am
PDFCreator uninstalled and the 404 action continued. . .
You were right that “Search Settings Plugin 1.2.1″ is the culprit.
In Firefox: Tools > Add-Ons > then just Disable the offending piece of junk.
October 13th, 2009 at 4:23 am
Just one more thing – after un-installing pdfforge Toolbar leaves multiple keys behind, even in HKEY_LOCAL_MACHINE\SOFTWaRE\Microsoft\Windows\CurrentVersion\Run which I found out 7 days later . . . typical junkware!
November 7th, 2009 at 1:05 am
Thanks for this information. I also found that PDF Creator had installed the “Search Settings Plugin” as an extension and with the ironic description of “Protects your default search settings”. Ha! I have uninstalled the whole thing. And as a bonus I left a little comment on the pdfforge forums to express my displeasure at the under-handed tactic. I’m certain the post will be deleted (as it should be considering the language I used)
November 23rd, 2009 at 4:26 pm
[...] » SourceForge-hosted PDFCreator Trojan/Toolbar Warning – It’s Only Software [...]
November 30th, 2009 at 5:29 pm
That was puzzling me, tried to remove the yahoo search with about:config then I noticed the extension while reinstalling firefox.
December 1st, 2009 at 5:16 am
Thank you for the hint with the Addon. I too was confused why this mybrowser…-crap suddenly appeared. When installing PDFCreator, I made sure not to select the Browser-Bar and it installed it anyways. I will make sure to look for an alternative to PDFCreator and will never recommend it anyone again. Sad that the author did this
December 28th, 2009 at 10:28 am
thanks for reporting that.
January 8th, 2010 at 1:38 am
Hi thanks for the post, I did manage to get rid of the bar from my IE. Please check your “respond from Philip” link its dead.
medic
January 31st, 2010 at 11:44 pm
[...] SourceForge-hosted PDFCreator Trojan/Toolbar Warning [...]
January 31st, 2010 at 11:47 pm
I downloaded this PDFCreator, and investigated my self as well and Totally agree with you. I have changed my Blog and Pointed to this entry of yours. Thank you for alerting me. I have since moved on to use BullZip PDF printer driver and did not realize how far this project has fallen from the open source credo.
Again Thank you for the alert.
February 1st, 2010 at 5:06 pm
[...] eine problematische Software mit (vgl. auch den Artikel in der englischen Wikipedia, den Blog Post von Peter Mularien sowie die Diskussion im PDF Forge Forum). Achten Sie deshalb bei der Installation darauf, die [...]
February 2nd, 2010 at 2:53 pm
I managed to get the toolbar removed, but I had to work at it for a while. I too found that even though I had unchecked the toolbar install it did it anyways. It is one thing to include a toolbar that you can opt out of, but when people do things like this it shows what pieces of crap they really are. I encourage EVERYONE to visit the project and leave a thumbs down until it is fixed.
Leave Feedback Here
February 4th, 2010 at 8:23 am
agreed using spyware in open-source projects is a disaster.
Any project doing that should be avoided going forward.
February 14th, 2010 at 5:13 am
So is there NO way of installing without getting the addons and yahoo toolbar?
The post above: PDFCreator-0_9_7_setup.exe /components=\”!toolbar\” /tasks=\”!desktop_icon\” does NOT work.
February 26th, 2010 at 8:48 am
Many, many thanx for this post.
I was afraid my PC had been hijacked by aggressive malware.
Removing the search settings plugin corrected everything for me.
March 8th, 2010 at 9:45 am
Oh man, i’m shocked! How the hell could they just possibly think of doing that?! It’s like stabbing you in your back. What a waste of talent.
March 23rd, 2010 at 6:37 am
So many once-loved apps ruining their reputations by including crapware toolbars… it’s a sad thing to see.
May 2nd, 2010 at 4:03 pm
Try qvPDF instead. It is open source and free and does have crap bundled into like PDFCreator. http://sourceforge.net/projects/qvpdf/
May 2nd, 2010 at 4:08 pm
Sorry, I meant to say qvPDF doesn’t have crap bundled in it like PDFCreator. You might also want to try CutPDF, and doPDF, which are commercial, but free.
May 12th, 2010 at 7:05 am
I’ve just finished running a KlamAV (free open source anti-virus software for linux) scan while checking my windows drive (I have a dual-boot install) for problems.
All executables under C:/Program Files/PDFCreator/ are highlighted as containing “Trojan.VB.Chinky-1″.
Man, I was using this program for like several years now! What a shame, really…
June 10th, 2010 at 6:48 am
thanks for posting this!
i installed the updated version recently (not being as cautious as usual based on past experience with product–my mistake).
anyway, i wanted to mention (so that others searching for info can make correlation) that this issue was brought to my attn by mcafee alerting me that a program was seeking outbound connection. it was located in program files as a benign-sounding applicationupdater.exe, referencing spigot and the version #
*******
File Information
File Name: ApplicationUpdater.exe
File Size: 380928
File Path: C:\Program Files\Application Updater\
Version: 1.1
First seen: 1/8/2010
Recognized safe program
Manufacturer: Unknown
******
i had already removed the crap before locating your article but found your research/info to be of obvious interest since I only had made the general association. (your article saved me lots of time i would have spent duplicating efforts) so…
…thanks again for sharing your findings!
~julie
June 26th, 2010 at 7:04 pm
What has happened at Sourceforge? A few years ago they sent you a rebuke about compromising their site’s security when you forgot your password, and now they are allowing spyware to be uploaded to, and downloaded from their servers?
June 27th, 2010 at 5:39 am
Thank you so much for your helpful post about the PDF toolbar. That message has been annoying me for several months – now it’s gone and all thanks to you for pointing out where the trouble lay. I’m very grateful.
September 5th, 2010 at 6:03 am
I really appreciate, thanks
September 11th, 2010 at 12:46 pm
January 8th, 2011 at 12:05 am
Thank you for this post, it is very helpful to me, just the information I was looking for.
March 15th, 2011 at 1:48 pm
I got stung by this. I installed PDFCreator from SourceForge thinking it was safe. Boy was I wrong! I did unselected the option to install the toolbar component, but it installed anyway. Fortunately my ForeFront AV noticed the suspicious behavior and alerted me. I will think long and hard about downloading anything from SourceForge in the future. I;m surprised that they would permit malware being added to software there.
March 22nd, 2011 at 5:42 pm
I’m terribly disappointed in this… and it’s apparent truth! I GREATLY APPRECIATE the info!!!!
FYI: original page of Post of angry user @ http://replay.waybackmachine.org/20090301134326/http://www.pdfforge.org/node/2423
August 2nd, 2011 at 2:41 pm
We were using this app since 0.9.7 and push it to our machines using deployment tools. We used to have a method to uninstall the toolbar via scripting but now there is no method to exclude the toolbar from the installation, even when using the uninstall string. Currently I can uninstall PDF Creator but the toolbar errors stating another app is installing and I must wait.
Attempting to uninstall it failed, would not even work from Safe Mode. We’re done using their software and removing it from our library.