I recently updated Firefox, registered my free copy of Ad-Aware, and updated CCleaner. I then found two unwanted programs installed on my PC. One was Mobius (?), to do with mobile apps, and the other was My PC Backup, both of which I did not consciously download, and certainly never gave permission to be installed. The installation even included desktop shortcut icons!
My questions are: how were these programs downloaded, how did they install themselves without my permission, and how do I prevent further downloads of unwanted software programs?
The vast majority of unwanted programs are either pre-installed when you buy a PC, or were bundled with a download that you wanted. A few are “drive by” installations, where malware is installed on the fly by infected websites. These almost always exploit a security hole in your PC’s software. At the moment, the weakest link is Oracle Java in the browser.
I can’t tell what has happened in this case, but all the programs you installed should have been registered with Windows’ Add/Remove Programs utility. Go to the Windows 7 Control Panel, select “Programs” and click “Uninstall or change a program”. The listing tells you the name of the program, the publisher, and the date it was installed. It should also be able to uninstall the program.
If Mobius and My PC Backup are not listed, check the dates when their shortcut icons were created. To do this, right-click the desktop icon, select “Properties” from the dropdown list, and click the “General” tab. This will tell you the date and time it was created, which is easier than finding the folder creation dates in Windows Explorer.
Next, click the “Installed on” heading in the Windows 7 uninstaller to sort the list by date, and see if any programs have the same date and time stamps as your rogues. This could show which of your downloads installed the unwanted programs.
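The same date-matching check can be scripted. The PowerShell below is an added example, not part of the original column: it reads the uninstall registry entries behind the Control Panel listing and shows the programs whose install date matches the creation date of a suspect desktop shortcut. The shortcut name pattern and the day window are assumptions to adjust, and entries that lack an InstallDate value are skipped.

```powershell
# Added example: match a suspect desktop shortcut's creation date against
# the install dates recorded in the Windows uninstall registry keys.
param(
    [string]$SuspectPattern = '*My PC Backup*',  # assumed shortcut name pattern
    [int]$WindowDays = 0                         # 0 = same calendar day only
)

# Uninstall entries: 64-bit, 32-bit on 64-bit Windows, and per-user installs.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$invariant = [Globalization.CultureInfo]::InvariantCulture

$programs = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        # InstallDate is optional and, when present, is a yyyyMMdd string.
        $raw = "$($_.InstallDate)"
        $date = $null
        if ($raw -match '^\d{8}$') {
            $date = [datetime]::ParseExact($raw, 'yyyyMMdd', $invariant)
        }
        $_ | Select-Object @{n='Installed';e={$date}},
                           @{n='Name';e={$_.DisplayName}},
                           Publisher
    }

# Shortcuts can sit on the user's own desktop or on the shared (Public) one.
$desktops = @([Environment]::GetFolderPath('Desktop'), "$env:PUBLIC\Desktop")
$shortcuts = Get-ChildItem -Path $desktops -Filter *.lnk -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like $SuspectPattern }

foreach ($lnk in $shortcuts) {
    $day = $lnk.CreationTime.Date
    "Shortcut '{0}' created {1}" -f $lnk.Name, $lnk.CreationTime
    # Programs installed within the window are the likely carriers.
    $programs |
        Where-Object { $_.Installed -and
            [math]::Abs(($_.Installed - $day).Days) -le $WindowDays } |
        Sort-Object Installed, Name |
        Format-Table Installed, Name, Publisher -AutoSize
}
```

If nothing is listed, widen `$WindowDays` to 1, since a bundled installer can finish after midnight or record its date differently from the shortcut.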
I don’t believe Mozilla would ever foist another program on you on principle, and because of its lucrative search deal with Google, it doesn’t need the money. If you download CCleaner directly from Piriform, then it does include some foistware in the form of Google Chrome and the Google Toolbar for Internet Explorer. Google pays for foistware installations, which helps cover the cost of the free version of CCleaner, but the installation isn’t deceptive. You can decline it by unticking the boxes. Lavasoft’s Ad-Aware includes a toolbar and has previously bundled Blekko, but it’s not generally known for foistware.
Sources of foistware
Of course, it’s possible that one of your chosen downloads has been repackaged by another site to include foistware that neither Mozilla nor Piriform knows about. It’s therefore very important to download programs only via the original website, or from a trustworthy source such as All My Apps. As when applying for passports etc, be extremely wary of Google links and Google adverts, especially if you find it hard to distinguish between the two. There are plenty of scammers who would happily charge you for free programs such as CCleaner and Firefox, or use them to install things you don’t want.
But people usually install foistware by two other methods. First, the unwanted program is presented in such a way that you can easily miss it. I’ve been caught out by Adobe, and Oracle can be appalling. The only cure is vigilance.
Second, the unwanted program may be hidden from view. For example, if you click on the “normal” installation then you’ll get the program you asked for plus one or two you didn’t, such as the Ask toolbar. You should always click the “Custom” or “Advanced” installation button, which should allow you to untick any foistware programs you don’t want. Of course, if you’re dealing with a rogue package, it will install whatever it likes even if you tell it not to.
If you have any doubts, open the installation program (e.g. ccsetup407.exe for CCleaner) in a Sandboxie sandbox, which prevents it from making any changes to your PC. After you have seen what it wants to do, you can either move the installation program out of the sandbox or go to AlternativeTo.net and pick a different program. There are usually several good alternatives.
“Drive by” attacks are mainly used to install small bits of malware rather than things that look like utilities. You can avoid almost all of these attacks by installing the latest security patches from Microsoft and, more importantly, other software suppliers such as Oracle, Adobe and Apple. I use Secunia’s free Personal Software Inspector (PSI) to check for and install updates. It’s worth remembering that most malware attacks use popular “exploit kits” such as Blackhole, which try to exploit holes that were fixed months or even years ago.
Exploit kits typically target old versions of browsers and popular browser plug-ins such as Adobe Flash, Adobe Acrobat and Oracle’s Java. For this reason, I recommend uninstalling all versions of Java from your PC to see if you can avoid using it. If you must have it, make sure you only have the latest version installed, and that there are no earlier versions on your hard drive.
Removing unwanted programs
Ordinarily, unwanted programs are not hard to uninstall. You can do it using Windows, as mentioned above, or a third party program such as CCleaner or SlimCleaner. If you suspect something will be harder to uninstall than normal, use Revo Uninstaller instead.
I think CCleaner should be able to uninstall My PC Backup, if it’s a legitimate program. To try this, click the “Tools” icon and check the “Uninstall” listing for your unwanted programs. My recommendation, however, is to download the free version of Malwarebytes Anti-Malware (MBAM) to your desktop and run a quick scan. MBAM is good at removing stuff that your usual antivirus software has missed or thinks is a legitimate program. (Real malware doesn’t usually install icons on your desktop.)
In August, someone complained to Malwarebytes, saying: “I am the Product Manager for MyPC Backup, recently a customer has reported MalwareBytes is reporting our application as Malware”. (He described it as “an automated backup tool”.) Malwarebytes responded that it was reported as a PUP or potentially unwanted program “and not malware or malicious”. In a blog post on the general issue, the company says: “Malwarebytes feels most of our users have no knowledge that these PUPs were installed and would like them removed.” This fits your case exactly.
PUP was coined by McAfee, and the acronym is now used by AVG, Avast, Lavasoft and many others.
So, Malwarebytes may be able to remove your PUPs whether they are legitimate programs or malware. If not, the Kaspersky Virus Removal Tool is also worth a go, before resorting to a help forum such as Bleeping Computer or Wilders.
Note that in this case, we’re assuming your PC is infected in some way and we’re trying to remove malware, not to replace your current anti-virus product or provide long-term, full-time protection.
How do you prevent it happening again? I’ve already mentioned keeping software and security patches up to date, which today is mostly an automated process. I’ve mentioned being vigilant and only downloading stuff from trusted sites. This should preclude falling for “social engineering” attacks such as downloading a new media player or codec to see a sexy/funny/personal video or whatever. You should also be vigilant about free music and free wallpaper offers, because those are the most obvious ways for scammers to bait their hooks.