Unwanted Programs

*

Offline joe53

  • Dell Community Colleague
  • SpywareHammer Staff
  • Bronze Member
  • 250
  • Certifiable
    • Free PC Security Software- A Primer
Unwanted Programs
« on: June 29, 2014, 01:28:54 PM »
Over the past few days, I am seeing software being installed on my Win 7/sp1 system that I did not authorise:

Google Chrome browser
Google Toolbar
Ad-Aware Toolbar
Lavasoft Toolbar Cleaner
Soda PDF 6 Reader (it trumped my default Sumatra pdf reader)

I can uninstall all this junk via Control Panel>Programs and Features, and none of my many scanners detects anything malicious. I have not downloaded any software recently (although I did allow a Gov't IT dude remote access to my PC a few days back).

I am mystified how programs can install themselves silently (no alerts from UAC or WinPatrol Plus) without my explicit consent. I doubt this is a malware problem, but did not know where else to post this. Any advice appreciated.

*

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • 27175
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: Unwanted Programs
« Reply #1 on: June 29, 2014, 03:05:04 PM »
Two thoughts. First is a bit of paranoia. Gov't IT dude? Remote Access? That would be my first suspect. Did you uninstall the remote software after you were done?

Second is, something has totally fubar'd your security. I would run a Belarc scan and see what it says your security benchmark is. Maybe your group policy got messed up.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

*

Offline joe53

Re: Unwanted Programs
« Reply #2 on: June 29, 2014, 07:44:01 PM »
Quote
Two thoughts. First is a bit of paranoia. Gov't IT dude? Remote Access? That would be my first suspect. Did you uninstall the remote software after you were done?


That was my initial impression, but I watched him closely as he did his thing. As far as I could see, all he did was format a thumb drive, and install/configure on it TrueCrypt 7.1a which I had downloaded from Steve Gibson's GRC website. (It took him 3 hours to do this, but one does not expect speed from a civil servant). As far as I can tell, the remote connection was severed at the end of the session.

The Google and Soda PDF software installed 2 days later, out of the blue. I had downloaded nothing in the interim. Don't think I had even used this system in the previous day or two.

I ran Belarc, which tells me my AV and MS patches are up-to-date. Belarc does not report a CIS Benchmark Score for this Win 7 system.

I went into Control Panel>Network and Sharing Center>Change advanced sharing settings, and saw that Public Folder sharing was enabled. I turned it off. Dunno if that is related.

This system (and all my security software) otherwise work well, exhibiting no other signs of malware.

The programs are all uninstalled, but their origin remains a mystery.

Thanks for the reply, Hoov.


*

Offline Hoov

Re: Unwanted Programs
« Reply #3 on: June 29, 2014, 08:00:41 PM »
3 hrs to do so little? Even for a civil servant that is excessively slow.

What software were you using for the remote connection?


*

Offline joe53

Re: Unwanted Programs
« Reply #4 on: June 29, 2014, 08:55:20 PM »
Quote
3 hrs to do so little? Even for a civil servant that is excessively slow.

What software were you using for the remote connection?

Alas, that info was lost when I deleted his email with the remote link.

I have no doubt that the IT guy was legit, as I had met him last week at a course I was taking. And he was responding to a phone call I had initiated.

As for the 3 hours, all I can say is I was asked "can I put you on hold" frequently. I was also asked to mount and dismount that program more times than your average Mountie does with his horse. All this just to create a backup stick to send forms to the Gov't. (Oy!)

*

Offline Hoov

Re: Unwanted Programs
« Reply #5 on: June 29, 2014, 09:19:57 PM »
I just thought of something. Chrome does do a remote desktop app. That would explain the two Google entries. And if Chrome was not set up properly (to keep his profile private) on his desktop, that might explain the toolbars. The Soda PDF reader I am not familiar with, but with all the new push to store profiles in the cloud, it may have forced that to be installed as well.


*

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • 2830
Re: Unwanted Programs
« Reply #6 on: June 30, 2014, 01:53:25 AM »
Another thought. You just had TrueCrypt installed. Wonder if the distro you used had some little packages attached?
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

*

Offline Hoov

Re: Unwanted Programs
« Reply #7 on: June 30, 2014, 07:37:40 AM »
I have relocated this thread to a different board. This will allow others who may have heard of this to add to the discussion.

I am going to try and do some recreating of different scenarios tonight to see if I can duplicate this.


*

Offline negster22

  • Global Moderator
  • Platinum Member
  • 3626
    • Secure Computer Solutions
Re: Unwanted Programs
« Reply #8 on: June 30, 2014, 02:48:07 PM »
Hi joe,

One question that comes to mind is whether you noticed if the install date on these programs was the day the IT guy was there or afterward:

Quote
Google Chrome browser
Google Toolbar
Ad-Aware Toolbar
Lavasoft Toolbar Cleaner
Soda PDF 6 Reader (it trumped my default Sumatra pdf reader)

I do not think Chrome Remote Desktop includes any foistware, if that was used, but it does require the Chrome Browser be installed.
« Last Edit: June 30, 2014, 02:51:47 PM by negster22 »
Microsoft MVP - Consumer Security 2006 - 2011
BITS and PC's
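
The install-date question above can be answered from the uninstall entries in the registry. The PowerShell below is an added example, not part of the original thread; `$sessionDate` is a placeholder for the day of the remote session, which the thread does not give, and `ConvertTo-InstallDate` is a helper name made up for this example.

```powershell
# Placeholder (assumption): set this to the day the remote session took place.
$sessionDate = [datetime]'2014-06-25'

# Uninstall entries behind Programs and Features:
# per-machine (64-bit and 32-bit views) and per-user.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-InstallDate($value) {
    # InstallDate is an optional yyyyMMdd string; many installers never write it.
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact([string]$value, 'yyyyMMdd',
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::None, [ref]$parsed)
    if ($ok) { $parsed } else { $null }
}

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher,
        @{ Name = 'Installed'; Expression = { ConvertTo-InstallDate $_.InstallDate } },
        # An HKEY_CURRENT_USER entry is a per-user install, which needs no elevation.
        @{ Name = 'Hive'; Expression = { $_.PSPath -replace '^.*?::(HKEY_[A-Z_]+).*$', '$1' } } |
    # Keep entries installed on or after the session, plus those with no recorded date.
    Where-Object { -not $_.Installed -or $_.Installed -ge $sessionDate } |
    Sort-Object Installed, DisplayName |
    Format-Table -AutoSize
```

Entries with an empty Installed column recorded no date and have to be dated another way, for example from the creation time of the program's install folder.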

*

Offline joe53

Re: Unwanted Programs
« Reply #9 on: June 30, 2014, 11:23:18 PM »
Hi negster22:

As far as I can recall, the install date for these unwanted programs was a day or two after I gave remote control to the IT guy. I could be wrong.

I am going to contact him again, to see if he can sort this out, which remote program he used etc. I'm not holding my breath!

Thanks for responding.

*

Offline joe53

Re: Unwanted Programs
« Reply #10 on: July 02, 2014, 03:00:41 PM »
Well, the Gov't IT guy tells me that the program he used to take remote control was called WebEx, which he said would not have installed any other program. A search on "WebEx Google" turns up a ton of hits, so I'm not sure I believe him.

I still have no idea where this unwanted software came from. I thought I knew how to protect my systems, but vendors are becoming increasingly ingenious at slipping bundled software past one's defenses. I am disappointed that neither Win 7 UAC nor WinPatrol PLUS alerted me to the (silent) installation of this junk on a PC I use for professional purposes.

Since I have successfully uninstalled these programs, you can consider this topic closed. (I still see a lot of related files I have to delete).

Thanks again to all who responded. 

*

Offline ky331

  • Dell Community Colleague
  • Dell Support Group
  • Bronze Member
  • 373
  • Rascal & Biscuit
Re: Unwanted Programs
« Reply #11 on: July 06, 2014, 08:31:30 AM »
"I am mystified how programs can install themselves silently (no alerts from UAC or WinPatrol Plus) without my explicit consent."

I'm curious: Did WinPatrol "merely" fail to alert you to the installation of all these PUPs... or did it also fail to acknowledge their existence after the fact (e.g., did they, or did they not, "eventually" appear under Start-Up, Recent, and other appropriate tabs)?

*

Offline joe53

Re: Unwanted Programs
« Reply #12 on: July 06, 2014, 10:36:34 PM »
Good question, ky331.

Certainly WPP did not alert me at the time of installation. I'm not sure if they were listed in my other WPP tabs subsequently, as I saw them in my browser and (some) in msconfig, and removed them via Control Panel.

I note that when I open WPP, UAC requires a permission. I wonder if this is preventing its real-time protection from working?