I recently updated Firefox, registered my free copy of Ad-Aware, and updated CCleaner. I then found two unwanted programs installed on my PC. One was Mobius (?), to do with mobile apps, and the other was My PC Backup, both of which I did not consciously download and certainly never gave permission to be installed. The installation even included desktop shortcut icons! My questions are: how were these programs downloaded, how did they install themselves without my permission, and how do I prevent further downloads of unwanted software programs?
The vast majority of unwanted programs are either pre-installed when you buy a PC or are bundled with a download that you want. A few are “drive-by” installations, where malware is installed on the fly by infected websites. These almost always exploit a security hole in your PC’s software. At the moment, the weakest link is Oracle Java in the browser.
I can’t tell what happened in this case, but all the installed programs should have been registered with Windows’ Add/Remove Programs utility. Go to the Windows 7 Control Panel, select “Programs,” and click “Uninstall or change a program.” The listing tells you the name of the program, the publisher, and the date it was installed. It should also be able to uninstall the program.
If Mobius and My PC Backup are not listed, check when their shortcut icons were created. To do this, right-click the desktop icon, select “Properties” from the dropdown list, and click the “General” tab. This will tell you the date and time it was created, which is easier than finding the folder creation dates in Windows Explorer.
Next, click the “Installed on” heading in the Windows 7 uninstaller to sort the list by date and see if any programs have the same date and time stamps as your rogues. This could show which of your downloads installed the unwanted programs.
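The same date-matching check can be scripted. The PowerShell below is an added example, not part of the original column: it reads the registry keys that back the “Uninstall or change a program” list, finds entries matching the two names from the question, and prints everything else registered on the same day, followed by the newest desktop shortcuts. The name patterns are assumptions to edit for your own case.

```powershell
# Added example. The patterns are assumptions based on the program names
# in the question; change them to match what appeared on your PC.
$suspectPatterns = 'Mobius', 'My ?PC ?Backup'

# Registry locations behind "Uninstall or change a program":
# 64-bit, 32-bit-on-64-bit, and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, UninstallString,
        @{ Name = 'Installed'; Expression = {
            # InstallDate is optional and has day resolution only (yyyyMMdd).
            $raw = [string]$_.InstallDate
            if ($raw -match '^\d{8}$') {
                [datetime]::ParseExact($raw, 'yyyyMMdd', $null)
            }
        } }

# Entries whose display name matches any suspect pattern (case-insensitive).
$suspects = $programs | Where-Object {
    $name = $_.DisplayName
    @($suspectPatterns | Where-Object { $name -match $_ }).Count -gt 0
}

foreach ($s in $suspects) {
    'Suspect: {0} ({1}) installed {2:yyyy-MM-dd}' -f $s.DisplayName, $s.Publisher, $s.Installed
    if ($s.Installed) {
        # Anything else registered that day is a candidate carrier.
        $programs |
            Where-Object { $_.Installed -eq $s.Installed -and $_.DisplayName -ne $s.DisplayName } |
            ForEach-Object { '    same day: {0} ({1})' -f $_.DisplayName, $_.Publisher }
    }
}

# Shortcut creation times give the time of day that the registry date lacks.
$desktops = [Environment]::GetFolderPath('Desktop'), "$env:PUBLIC\Desktop"
Get-ChildItem -Path $desktops -Filter *.lnk -ErrorAction SilentlyContinue |
    Sort-Object CreationTime -Descending |
    Select-Object -First 10 Name, CreationTime
```

A suspect that prints with no date did not record an install date in the registry; in that case rely on the shortcut creation times at the end of the output.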
I don’t believe Mozilla would ever foist another program on you on principle, and because of its lucrative search deal with Google, it doesn’t need the money. If you download CCleaner directly from Piriform, then it does include some foistware in the form of Google Chrome and the Google Toolbar for Internet Explorer. Google pays for foistware installations, which helps cover the cost of the free version of CCleaner, but the installation isn’t deceptive. You can decline it by unticking the boxes. Lavasoft’s Ad-Aware includes a toolbar and has previously bundled Blekko, but it’s not generally known for foistware.
Sources of foistware
Of course, one of your chosen downloads may have been repackaged by another site to include foistware that neither Mozilla nor Piriform knows about. It’s therefore essential to download programs only via the original website or from a trustworthy source such as All My Apps. When applying for passports etc., be extremely wary of Google links and Google adverts, especially if you find it hard to distinguish between the two. There are plenty of scammers who would happily charge you for free programs such as CCleaner and Firefox or use them to install things you don’t want.
But people usually install foistware by two other methods. First, the unwanted program is presented in such a way that you can easily miss it. Adobe has caught me out, and Oracle can be appalling. The only cure is vigilance.
Second, the unwanted program may be hidden from view. For example, if you click on the “normal” installation, then you’ll get the program you asked for plus one or two you didn’t, such as the Ask toolbar. You should always click the “Custom” or “Advanced” installation button, which should allow you to untick any foistware programs you don’t want. Of course, if you’re dealing with a rogue package, it will install whatever it likes, even if you tell it not to.
If you have any doubts, open the installation program (e.g., ccsetup407.exe for CCleaner) in a Sandboxie sandbox, which prevents it from making any changes to your PC. After seeing what it wants to do, you can either move the installation program out of the sandbox or go to AlternativeTo.net and pick a different program. There are usually several good alternatives.
“Drive-by” attacks are mainly used to install small bits of malware rather than things that look like utilities. You can avoid almost all of these attacks by installing the latest security patches from Microsoft and, more importantly, other software suppliers such as Oracle, Adobe, and Apple. I use Secunia’s free Personal Software Inspector (PSI) to check for and install updates. It’s worth remembering that most malware attacks use popular “exploit kits” such as Blackhole, which try to exploit holes that were fixed months or even years ago.
Exploit kits typically target old browsers and popular browser plug-ins such as Adobe Flash, Adobe Acrobat, and Oracle’s Java. For this reason, I recommend uninstalling all versions of Java from your PC to see if you can avoid using it. If you must have it, make sure you only have the latest version installed and that there are no earlier versions on your hard drive.
Removing unwanted programs
Ordinarily, unwanted programs are not hard to uninstall. You can do it using Windows, as mentioned above, or a third-party program such as CCleaner or SlimCleaner. If you suspect something will be harder to uninstall than normal, use Revo Uninstaller instead.
I think CCleaner should be able to uninstall My PC Backup if it’s a legitimate program. To try this, click the “Tools” icon and check the “Uninstall” listing for your unwanted programs. My recommendation, however, is to download the free version of Malwarebytes Anti-Malware (MBAM) to your desktop and run a quick scan. MBAM is good at removing stuff that your usual antivirus software has missed or thinks is a legitimate program. (Real malware doesn’t usually install icons on your desktop.)
In August, someone complained to Malwarebytes, saying: “I am the Product Manager for MyPC Backup, recently a customer has reported MalwareBytes is reporting our application as Malware.” (He described it as “an automated backup tool.”) Malwarebytes responded that it was reported as a PUP or potentially unwanted program “and not malware or malicious.” In a blog post on the general issue, the company says: “Malwarebytes feels most of our users have no knowledge that these PUPs were installed and would like them removed.” This fits your case exactly.