8 replies to this topic

[_Q_]

I was wondering if Malwarebytes Anti-Malware is able to detect and remove Opencandy (www.opencandy.com). I find this kind of adware extremely annoying as it gets installed silently along with an increasing number of legitimate applications

[nosirrah]

_Q_, on Jul 9 2009, 06:14 AM, said:

I was wondering if Malwarebytes Anti-Malware is able to detect and remove Opencandy (www.opencandy.com). I find this kind of adware extremely annoying as it gets installed silently along with an increasing number of legitimate applications

Get me a link to anything that installs this without a EULA and/or a checkbox , without those we cant target this .

[_Q_]

nosirrah, on Jul 10 2009, 02:02 AM, said:

Get me a link to anything that installs this without a EULA and/or a checkbox , without those we cant target this .

Example of software that silently install Opencandy are PSP Video (www.pspvideo9.com) and MediaCoder (mediacoder.sourceforge.net). They do specify in their EULA the fact that Opencandy is going to be installed, but I guess most users won't read the whole license for every and each software they're going to install. Other than that, there is no checkbox and no other notice on their websites.

[nosirrah]

Since I know the makers of opencandy are reading this I will post my complaints here .

First the uninstall bugs :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OCDLMgr"="RunDll32.exe C:\\PROGRA~1\\REDKAW~1\\VIDEOC~1\\OPENCA~1\\OCSETU~1.DLL,_MgrCheck@16"

This is not removed by the uninstaller and causes an error every boot .


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d02e7e6-5930-4b51-b9b0-9f21b3789400}]

This was added by your software but not removed .


Next are the three files not removed :

C:\Documents and Settings\Owner\Application Data\OpenCandy\SearchMeIE.exe
C:\Program Files\Searchme.com\Searchme Toolbar\Toolbar.InstallState
C:\Program Files\Red Kawa\Video Converter App\OpenCandy\SearchMe.msi <- may or may not actually be your choice here


In you PM you mentioned wanting to avoid listing by us and delisting with another vendor . The fact that this is default unchecked in the installer and has a (more or less) functional uninstaller means we wont be listing this .

That being said it would be in your best interest to do the following to improve your product :

Correct the bugs in the uninstaller .
Add a standalone start menu folder for your software complete with a read me and uninstaller link .
Modify the uninstaller to include a complete uninstall option or make the uninstaller complete by default .
Work with the vendors that use your software to include the option to uninstall your software within their uninstall routine . The average user will assume that since the host software installed your software , the host uninstaller will also remove it . This should not be exploited to attain a persistent install .

[Dr. Apps]

Bruce,

Thanks for looking into this and for your suggestions.

Regarding [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"OCDLMgr"="RunDll32.exe C:\\PROGRA~1\\REDKAW~1\\VIDEOC~1\\OPENCA~1\\OCSETU~1.DLL,_MgrCheck@16" Definitely a bug and one we (oddly) haven't seen before. We will look into it and rectify it.

Regarding HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d02e7e6-5930-4b51-b9b0-9f21b3789400}, this is the SearchMe toolbar which you must have been recommended and subsequently accepted. The uninstall for SearchMe is in Add/Remove programs. SearchMe, being the recommended program and thus a separate piece of software must be removed via its own un-installer.

This folder and its contents: C:\Documents and Settings\Owner\Application Data\OpenCandy\SearchMeIE.exe, are where the downloaded installers for programs you choose to install, via an OpenCandy recommendation, are stored. This folder would not exist

I assume (well I guess it's obvious )you installed one of RedKawa's products, when you remove the RedKawa software you installed, IT SHOULD DEFINITELY remove all elements of RedKawa software and the OpenCandy folder, OpenCandy plug-in and why_is_this_here.txt file from RedKawa's installation directory. All publisher's are REQUIRED to remove those files at uninstall of their product. It will not remove the recommended software (in this case SearchMe) that you accepted since it is a separate product.

As far as "uninstalling" OpenCandy, we are a plug-in for publisher's software that has ZERO FUNCTIONALITY outside of the publisher's installer it was integrated with. We do offer publisher's the option of un-install tracking of their software which is why the OpenCandy dll is left in the publisher's software's installation folder. But it should ALWAYS be removed when uninstalling the publisher's software. We are discussing discontinuing ANONYMOUS AGGREGATE uninstall statistics for publishers because then our dll will NOT need to be left by the publisher's software in its install directory and thus there wouldn't be anything to uninstall of ours.

I sincerely appreciate your suggestions and we will go back and QA RedKawa's builds with them to figure out what's going on there. We are committed to doing things the right way for users. I'm happy that most of your suggestions and bugs are things that are supposed to be working the way you think they should.

BTW, what Operating System & Service Pack level are you on? (Actually from looking at the paths, it looks like you're on XP 32 bit, is it SP2,3?)

Thanks again,

Dr. Apps

nosirrah, on Jul 10 2009, 11:48 PM, said:

Since I know the makers of opencandy are reading this I will post my complaints here .

First the uninstall bugs :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OCDLMgr"="RunDll32.exe C:\\PROGRA~1\\REDKAW~1\\VIDEOC~1\\OPENCA~1\\OCSETU~1.DLL,_MgrCheck@16"

This is not removed by the uninstaller and causes an error every boot .


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d02e7e6-5930-4b51-b9b0-9f21b3789400}]

This was added by your software but not removed .


Next are the three files not removed :

C:\Documents and Settings\Owner\Application Data\OpenCandy\SearchMeIE.exe
C:\Program Files\Searchme.com\Searchme Toolbar\Toolbar.InstallState
C:\Program Files\Red Kawa\Video Converter App\OpenCandy\SearchMe.msi <- may or may not actually be your choice here


In you PM you mentioned wanting to avoid listing by us and delisting with another vendor . The fact that this is default unchecked in the installer and has a (more or less) functional uninstaller means we wont be listing this .

That being said it would be in your best interest to do the following to improve your product :

Correct the bugs in the uninstaller .
Add a standalone start menu folder for your software complete with a read me and uninstaller link .
Modify the uninstaller to include a complete uninstall option or make the uninstaller complete by default .
Work with the vendors that use your software to include the option to uninstall your software within their uninstall routine . The average user will assume that since the host software installed your software , the host uninstaller will also remove it . This should not be exploited to attain a persistent install .

[MysteryFCM]

2 more apps "silently installing" OC;

http://www.mywot.com...ybody-seen-this

Apparently mentioned in the EULA that we all know no-one reads (mentioning it there only is unacceptable as it does not allow the user to make a decision as to whether or not to install OC)

[Fatdcuk]

MysteryFCM, on Jul 15 2009, 02:57 PM, said:

2 more apps "silently installing" OC;

http://www.mywot.com...ybody-seen-this

Apparently mentioned in the EULA that we all know no-one reads (mentioning it there only is unacceptable as it does not allow the user to make a decision as to whether or not to install OC)

I think this type of behaviour qualifies a software for targeting.

Dr. Apps,

Companies like MBAM are not ment to be the ones policing/monitoring your affiliates,

This has been a big bug bear over the years the cycle of us finding either driveby or desceptive install's and then your type of company taking retro action to address it.

Where's our payment for that service we are providing you ?

This is purely personal opinion, then if even 1 driveby or desceptive install is repeatedly seen by the software then it should be considered for listing.

No notification of source required, only observation of sleazy install practice required

If you disagree with listing then it should be appealable where the software enters a 3 month probation period(still listed) but the installs monitored regulary to see if the sleazy install behaviour has stopped.

Again 1 sleazy install = stay listed. 3months and no sleazy install = delisting.


Of course if you would like me as a paid consultant to do your policing,my rates are very reasonable and inline with genaral computer consultancy fee's....

[Dr. Apps]

Ade, Bruce & Steven, et al,

(Some rehash for clarification first)

OpenCandy provides a moderated recommendation (or ad, if that's what you want to call it) network that allows software developers to recommend software (that they choose, which meets certain guidelines) to their users during installation of their software. In order to make recommendations we provide software publishers with a plug-in they integrate into their installer. The plug-in ONLY runs during installation or (optionally) un-install of the publisher’s software for the following reasons:

#1) To enable publisher's the ability to recommend software they love or think their users will find valuable

#2) To provide publisher’s with ANONYMOUS AGGREGATE statistics (country, language and operating system of the computer) installing their software

And, optionally

#3) To provide the ANONYMOUS statistic that a computer, in some country, running Windows whatever, un-installed their software. (Which as I said in my post above, we are considering discontinuing, thus negating the need for software publishers to have our dll in their software's installed directory.)

Nobody before us has tried to do what we are doing, the way we do it, for the reasons we do, backed up by how we do it. So I don’t think the comment by Ade “your type of company" applies to us.

Malwarebytes provides a service (through the software and this forum) for users (of which I am one, along with the hundreds of people I've installed or recommended Malwarebytes to) to help them address security related concerns. It is the work of the user community and the Malwarebytes researchers that enables Malwarebytes to be successful at doing what it does (removing nasties). We didn't ask anyone to "police" us or "monitor" our "affiliates" (they're really not affiliates, they're partners); a user posed a question that involves OpenCandy and I chose to participate to be part of the discussion. All I wanted to do, was know (personally and professionally), what OpenCandy can do to make sure we ARE doing things the right way.

We go through a lengthy process to QA publisher's builds before they release them publicly. It's a lot of work and yes, sometimes things (a bug for example) may slip by us. But if/when they do, upon discovery (whether by ourselves or through users, etc), we try to rectify them as soon as possible.

I really think that the security and user communities need to have a open and logical discussion about the definition of adware (and I'm not talking about software that collects/exploits your personal information in order to inundate you with targeted ads -- that's adware AND spyware, plain and simple). I'm talking about recommendations or "ads" in installers (where no personal information is transmitted and there isn’t any persistence of ads). Paint.net shows an "ad" within their installer, it's not labeled adware, neither are programs that drop (opt-out, or no opt) icons on your desktop for eBay or wherever else. Heck, programs like Adobe Reader which ACTUALLY silently installs AIR, or Java which pushes opt-out toolbars are NOT labeled adware.

When I first talked to the folks at OpenCandy, I said it sounded like "'AppSense'… except more benign." Though, until recently, I never thought of a software recommendation as an ad. Maybe it was flawed logic on my part or maybe it's the fact that publisher's choose what they recommend and whether they do it for free or to get paid or the fact that OpenCandy isn’t a program or installed on your computer to persistently show ads.

I've spent the previous nine years fighting the same good fight that all of you here have, to protect regular people from the crap that permeates the Internet. When I let my software firewall allow MediaCoder to connect to the internet in November of 2008 and I saw (and discovered) OpenCandy, and instead of (my usual) "OMG, what the hell!" reaction, I tweeted that I thought OpenCandy was a "cool idea" (http://twitter.com/d...uses/1018127759) and that "OpenCandy is a great way 2 spread open-source s/w." (http://twitter.com/d...uses/1023463505)

If OpenCandy is something that can be considered to be "installed" then I guess a Google Ad can be installed as well. I just don't believe a file, whose functionality is solely used during installation or (optionally) un-installation of the software’s installer it was integrated with, is "installed". There's no persistent state (other than a lonely, vegetative one awaiting removal when/if someone uninstalls the publisher's software or if someone decides to delete the dll themselves) of functionality. I also stand by the fact that EULAs exist for a reason, one of which is to disclose things like the existence of OpenCandy (though I'd like to do a "powered by OpenCandy" program so our publisher's can publicize that they've partnered with us).

If we were "sleazy" (or interested in being or acting sleazy), I wouldn't here having this discussion…. It goes without saying (or maybe it doesn't), but a company aiming for "sleazy" installs or that has bad intentions and bad actions wouldn't participate in discussions like this. They would just ignore it (like they already do) and continue with THEIR practices, not caring whether Malwarebytes or anyone else listed them or not.

But we care about users. I care about users. I wouldn't be part of something that I couldn't be proud of, passionate about or look my mother in the eye and say "this is what I do for a living".

As always, I'm happy to have discussions like this. When the community has ideas on how we can do things better, we are always willing to listen and make changes if necessary.

I think it's critically important for the software community, as a whole, to have this discussion. Recommendations or ads in installers are happening anyway, and in some (actually, sadly, most) cases, by companies ACTUALLY doing SLEAZY THINGS with the sleaziest of intentions. OpenCandy isn't one of them. I (and many others) believe OpenCandy provides an agreeable way to meet the needs of developers who need to make money and/or acquire more users WHILE providing a new, unique way for users to discover great software (all without having their personal information or privacy collected and/or exploited).

Thank you for your time and apologies for such a long post .

Thanks,

Dr. Apps

PS: Ade, I don't drink, but I can buy you a beer or pint sometime. That goes for anyone else (of legal drinking age) on this thread as well.

[MysteryFCM]

I'd like to highlight a few things if I may;

Dr. Apps, on Jul 15 2009, 07:22 PM, said:

OpenCandy provides a moderated recommendation (or ad, if that's what you want to call it)

It's not a recommendation, it's an advert, plain and simple. Recommendations aren't placed in software, nor their installers, nor do they require plugins.

Dr. Apps, on Jul 15 2009, 07:22 PM, said:

#1) To enable publisher's the ability to recommend software they love or think their users will find valuable

Again, something that has no place being in an installer - this should be on the publishers website if anywhere.

Dr. Apps, on Jul 15 2009, 07:22 PM, said:

#2) To provide publisher’s with ANONYMOUS AGGREGATE statistics (country, language and operating system of the computer) installing their software

This would also make OpenCandy spyware (unless your plugin scans the system to identify the country (something you reference as being impossible for your plugin to do), the only way you could determine this is by Geo data obtained via the users IP address, which would need to be passed to a third party server for processing, to be accurate (else, how would you determine the country of a NAT'd PC?)).

Dr. Apps, on Jul 15 2009, 07:22 PM, said:

#3) To provide the ANONYMOUS statistic that a computer, in some country, running Windows whatever, un-installed their software. (Which as I said in my post above, we are considering discontinuing, thus negating the need for software publishers to have our dll in their software's installed directory.)

But didn't you just say your plugin allows the publisher to show the advert? How are they going to do this if you remove the DLL?

Dr. Apps, on Jul 15 2009, 07:22 PM, said:

Nobody before us has tried to do what we are doing, the way we do it, for the reasons we do, backed up by how we do it. So I don’t think the comment by Ade “your type of company" applies to us.

ALL adware installers are doing exactly the same as you are doing - they're just doing it slightly differently. The end result is the same.

Dr. Apps, on Jul 15 2009, 07:22 PM, said:

We go through a lengthy process to QA publisher's builds before they release them publicly. It's a lot of work and yes, sometimes things (a bug for example) may slip by us. But if/when they do, upon discovery (whether by ourselves or through users, etc), we try to rectify them as soon as possible.

If this is truly the case, then I've got 2 more questions;

1. Who on earth thought it would be a good idea to only require the publisher mention the adware *somewhere* in the EULA, instead of prominently displayed both on the programs download page, and on the first screen the installer displays? (both places being where it should be displayed)

2. Do you check each and every release by the publisher, and monitor their URL's for new builds? (i.e. incase they try to slip one past you after you've checked a so-called "good" installer), if so, what methods are you using to do such? (and if this is the case, I'm curious as to how you can afford to pay for the staff that would be required for such a task).

Dr. Apps, on Jul 15 2009, 07:22 PM, said:

I really think that the security and user communities need to have a open and logical discussion about the definition of adware (and I'm not talking about software that collects/exploits your personal information in order to inundate you with targeted ads -- that's adware AND spyware, plain and simple). I'm talking about recommendations or "ads" in installers (where no personal information is transmitted and there isn’t any persistence of ads). Paint.net shows an "ad" within their installer, it's not labeled adware, neither are programs that drop (opt-out, or no opt) icons on your desktop for eBay or wherever else. Heck, programs like Adobe Reader which ACTUALLY silently installs AIR, or Java which pushes opt-out toolbars are NOT labeled adware.

We're not here to talk about other companies, so I'll not go into that. However, to clarify, the definition of adware;

http://www.softpedia...ng_adware.shtml

Dr. Apps, on Jul 15 2009, 07:22 PM, said:

If OpenCandy is something that can be considered to be "installed" then I guess a Google Ad can be installed as well. I just don't believe a file, whose functionality is solely used during installation or (optionally) un-installation of the software’s installer it was integrated with, is "installed".

It's installed because an OC file is placed on the system, whether used or not is irrelevant.

Dr. Apps, on Jul 15 2009, 07:22 PM, said:

I also stand by the fact that EULAs exist for a reason, one of which is to disclose things like the existence of OpenCandy (though I'd like to do a "powered by OpenCandy" program so our publisher's can publicize that they've partnered with us).

I actually agree, EULA's are there to disclose information, but should NOT be the only place that adware/spyware/other_crapware are disclosed, especially when it's well known that 90% of users do not read them.

Dr. Apps, on Jul 15 2009, 07:22 PM, said:

If we were "sleazy" (or interested in being or acting sleazy), I wouldn't here having this discussion…. It goes without saying (or maybe it doesn't), but a company aiming for "sleazy" installs or that has bad intentions and bad actions wouldn't participate in discussions like this. They would just ignore it (like they already do) and continue with THEIR practices, not caring whether Malwarebytes or anyone else listed them or not.

No-one said OC was sleazy - we said that there had been silent installs of it.