PenWes malware installed with PDFCreator? (part 2)

See Part 1 before

I recently (2012-03-13) updated two pieces of software on my PCs; later in the day, I saw a window saying “Warning, you are no more protected by PenWes”, which worried me and led me to some investigations that I could detail more on request.

My conclusion is that it was installed during PDFCreator's own installation and as a result of the latter. Some hints:

  • PDFCreator was among the two applications I had installed that day
    (the other being Skype upgrade)

  • on my 2 PCs, the installation was obviously done within seconds of that of PDFCreator, as I can judge by the modification dates of related files:

1st PC
PDFCreator: SetupLog.txt 2012-03-13 14:55:51

PenWes: uninstall.exe 2012-03-13 14:55:45

2nd PC
SetupLog.txt, 5 733 bytes, 2012-03-13 15:05:40, C:\Program Files\PDFCreator\
unins000.dat, 196 474 bytes, 2012-03-13 15:04:25, C:\Program Files\PDFCreator\

uninstall.exe, 317 351 bytes, 2012-03-13 15:04:21, C:\Program Files\PenWes\

To be more specific about the suspected connection between PenWes and PDFCreator:

  • on my second PC, I uninstalled PDFCreator, then PenWes (that had not been removed by PDFCreator uninstall) (using Revo Uninstaller)
  • I downloaded the PDFCreator installation package (PDFCreator-1_3_0_setup.exe) again and checked that it had the same MD5 signature as the one used the day before
  • I installed it again, and this time, PenWes was not installed

My guess is that the installation is one way or another connected to the software that is proposed just before the end of PDFCreator installation: what I am sure of is that:

  • I did not accept such installation, and surely not on my 2 infected PCs
  • PenWes was not explicitly advertised (while I am not sure of the names of the software that was advertised)
  • advertised software is not systematically the same (the second day, when PenWes was not installed, the advertised software was something as “link…(something”, not among those that were advertised initially)

According to the Google cache, someone had reported this on the SourceForge site.

The comment is still listed in Google results but has been removed from the SourceForge PDFCreator project page.
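The timestamp comparison in the post above (PenWes's uninstall.exe written a few seconds before PDFCreator's own SetupLog.txt and unins000.dat) is a usable defender's check: list the files under Program Files and flag anything outside the installer's folder that was written within a short window of the installer's files. The script below is an added example, not code from the thread or from the PDFCreator project; the listing is constructed by hand from the figures the poster quotes for the second PC, with one invented Skype entry as a control, and the window of 30 seconds is an assumption.

```python
import ntpath
import os
from datetime import datetime

# Listing constructed from the second PC's figures quoted in the post:
# (path, size in bytes, modification time). The Skype entry is an invented
# control that lies hours away from the PDFCreator install.
FILE_LISTING = [
    (r"C:\Program Files\PDFCreator\SetupLog.txt", 5733, "2012-03-13 15:05:40"),
    (r"C:\Program Files\PDFCreator\unins000.dat", 196474, "2012-03-13 15:04:25"),
    (r"C:\Program Files\PenWes\uninstall.exe", 317351, "2012-03-13 15:04:21"),
    (r"C:\Program Files\Skype\unins000.dat", 100000, "2012-03-13 12:30:00"),
]


def parse_listing(rows):
    """Turn (path, size, 'YYYY-MM-DD HH:MM:SS') rows into (path, size, datetime)."""
    return [(p, s, datetime.strptime(t, "%Y-%m-%d %H:%M:%S")) for p, s, t in rows]


def listing_from_disk(root):
    """Same shape as parse_listing, but read with os.walk from a real tree
    such as r'C:\Program Files' (not exercised by the offline demo)."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            out.append((path, st.st_size, datetime.fromtimestamp(st.st_mtime)))
    return out


def under(path, directory):
    """True if path lies inside directory (case-insensitive Windows paths;
    ntpath is used so the comparison also works when run on Linux)."""
    prefix = ntpath.normcase(directory).rstrip("\\") + "\\"
    return ntpath.normcase(path).startswith(prefix)


def correlate_installs(entries, installer_dir, window_seconds):
    """Files outside installer_dir written within window_seconds of any file
    inside it, returned as (path, seconds from the nearest installer file),
    closest first. Files of the installer itself are the anchors."""
    anchors = [m for p, _, m in entries if under(p, installer_dir)]
    hits = []
    for path, _, mtime in entries:
        if under(path, installer_dir) or not anchors:
            continue
        gap = min(abs((mtime - a).total_seconds()) for a in anchors)
        if gap <= window_seconds:
            hits.append((path, int(gap)))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    entries = parse_listing(FILE_LISTING)
    for path, gap in correlate_installs(entries, r"C:\Program Files\PDFCreator", 30):
        print(f"{path} written {gap}s from a PDFCreator file")
```

On a live machine, replace parse_listing(FILE_LISTING) with listing_from_disk(r"C:\Program Files") (and the x86 folder) and keep the window small; a bundled installer drops its files in the same run as the main one, so a gap of a few seconds is the signal, while a gap of minutes is normal user activity.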

Hello,

I have to say that I have never heard the name PenWes before. The kind of software advertised depends on the country. Which country are you in? And can you give me the MD5 of the setup you used?

Finally, where did you download PDFCreator?

It happens that other companies wrap up other software around ours. I can assure you that we do not install software silently. We have advertising screens that offer to install additional software, but if the user rejects that, it will not be installed. And I also do not know the name PenWes from there.

If you can give me some more information, I will investigate on that.

kind regards,
Philip

"Finally, where did you download PDFCreator?"

The download link is still in my browser history; here it is:

http://freefr.dl.sourceforge.net/project/pdfcreator/PDFCreator/PDFCreator%201.3.1/PDFCreator-1_3_1_setup.exe

It seems that the "sponsor ware" bundled with the package changes randomly to a different one.

Tried to run the installer again, and I got another option:

Last time I had clicked "next" without noticing.

I agree to having the option to install software if this can help to support the product, but not one that changes my DNS configuration without telling me.

Hello Philip, thank you for your reply, and sorry for my late reply. I am in France.

Signatures for the used setup file are:

CRC32: 45D61E51

MD5: 8D7DCEAF045A57B569F63E48320B974D

SHA-1: AD66A7A5C3B2BBD6B495251C6FFA8F77488FFC26

It was downloaded from:

http://www.pdfforge.org/download

clicking on the download button which links to:

http://prdownloads.sourceforge.net/pdfcreator/PDFCreator-1_3_1_setup.exe?download

I am sure that PenWes is not part of PDFCreator itself; but I am sure that it is part of the installation package; this installation package proposes at some step to install another software; and it is there the problem lies:

- the page presenting this additional software is not always the same, and some of them are so unnoticeable that the user may be led to accept without realizing that it will install other software

- as far as I am concerned, I try to be careful, and I am surprised that I would have accepted on two different PCs to install this software; I do not exclude that it was installed without control

I consider PDFCreator a kind of reference I would have trusted blindly; I regret to see in many posts that people are annoyed by the installation of additional software. I understand that it helps funding; maybe the step at which installation of additional software is proposed should be made more conspicuous, and maybe the installation of this additional software should be subject to the same confirmation steps as the main software: I cannot get "standard software" installed without having to confirm and reconfirm and accept licences etc., and such additional software as PenWes is installed with almost no warning!

Best regards,

Pancho
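Pancho's post lists CRC32, MD5 and SHA-1 values for the setup file, and the first post describes re-downloading the package and checking that the MD5 was unchanged. The script below is an added example (not code from the thread or from pdfforge) of doing that comparison properly: all three values are computed in one pass and each published value is compared case-insensitively, and an algorithm for which no reference value was given is reported as unverified rather than silently passing. The published values are copied from the post; the installer itself is not available here, so the offline demo hashes a constructed byte string.

```python
import hashlib
import zlib

# Values Pancho posted for PDFCreator-1_3_1_setup.exe, kept as the reference a
# check of the real installer would compare against.
PUBLISHED = {
    "CRC32": "45D61E51",
    "MD5": "8D7DCEAF045A57B569F63E48320B974D",
    "SHA-1": "AD66A7A5C3B2BBD6B495251C6FFA8F77488FFC26",
}


def _fmt(crc, md5, sha1):
    # Upper-case hex, the way the post lists the values.
    return {
        "CRC32": f"{crc & 0xFFFFFFFF:08X}",
        "MD5": md5.hexdigest().upper(),
        "SHA-1": sha1.hexdigest().upper(),
    }


def signatures_from_bytes(data):
    """CRC32, MD5 and SHA-1 of an in-memory byte string."""
    return _fmt(zlib.crc32(data), hashlib.md5(data), hashlib.sha1(data))


def signatures_from_path(path, chunk_size=1 << 20):
    """Streaming variant for a real installer on disk (not run offline):
    one read of the file feeds all three algorithms."""
    crc, md5, sha1 = 0, hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha1.update(chunk)
    return _fmt(crc, md5, sha1)


def verify_signatures(actual, expected):
    """Per-algorithm comparison, ignoring case and surrounding whitespace.
    Returns {name: True/False}, or None where no expected value was supplied."""
    report = {}
    for name, value in actual.items():
        ref = expected.get(name)
        report[name] = None if ref is None else ref.strip().upper() == value
    return report


def all_match(report):
    """True only if every algorithm had a reference value and it matched;
    an unverified algorithm must not count as a pass."""
    return bool(report) and all(v is True for v in report.values())


if __name__ == "__main__":
    # Constructed sample input; for the real file use
    # signatures_from_path(r"C:\path\to\PDFCreator-1_3_1_setup.exe") and PUBLISHED.
    sample = b"abc"
    print(verify_signatures(signatures_from_bytes(sample), PUBLISHED))
```

A full match tells you only that the file on disk is the one those values were published for; as Pancho's own point makes clear, that says nothing about whether the package bundles additional software, so the hash check answers "is this the same installer" and not "is this installer clean".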

I had the same problem on March 19th.

I set up PDFCreator on a TSE Win2k8 server. I discovered today that DNS settings were modified to n2.penwes.com; you can imagine my pleasure!! :-)

I'll try to uninstall it immediately.

tks

I have just had to do the same: uninstall penwes. I looked in the ..\Program Files (x86)\penwes directory and found a file (now deleted, so the name is from memory) licence.txt or some such. It was all the details of a licence agreement between me and whoever gave me penwes.

It detailed penwes as being an anti-phishing software, but I have no idea where it came from. It was some time in the last fortnight, but I foolishly did not note the date before I uninstalled it. Luckily, I read about its replacement of the DNS service and so switched it back before I uninstalled.

I note that Google searching only yields results from France (me too) and suspect it is something in our water.

I came across penwes as my computer, usually very fast, was going rather slowly and I couldn't understand why. I went into Scheduled Tasks manager and found penwes there.

Now, the reason why I am mentioning this here and now is because I have no PDFCreator installed, nor have I tried it out. The nearest to that is a recent download of Adobe Reader X. I have other Adobe products, but they were not installed recently.
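Two posters above found the problem only because they noticed their DNS settings had been pointed at n2.penwes.com. The script below is an added example, not code from the thread, of the check an administrator could run routinely on a Windows host: parse the output of `ipconfig /all` and flag any DNS server address or DNS suffix that is not on an allow-list. The sample output is constructed in the layout ipconfig uses; the thread says only that the settings were changed to n2.penwes.com and not which field, so the altered suffix search list and the extra server address in the sample are assumptions, as are the allow-lists.

```python
import re
import subprocess

# Constructed sample in the layout of `ipconfig /all`. The search-list entry
# n2.penwes.com and the server 203.0.113.7 are the assumed tampering; the
# corp.example names and 192.168.1.x addresses are invented.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : SRV01
   Primary Dns Suffix  . . . . . . . : corp.example
   DNS Suffix Search List. . . . . . : corp.example
                                       n2.penwes.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.7
"""

# Fields whose values are domain names rather than server addresses.
SUFFIX_FIELDS = ("Primary Dns Suffix", "Connection-specific DNS Suffix",
                 "DNS Suffix Search List")

# "   Field Name . . . . : value" -> (Field Name, value); the key stops at the
# first colon so IPv6 values keep their own colons.
_FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Collect (field, value) pairs in order of appearance, expanding the
    indented continuation lines ipconfig uses for multi-valued fields."""
    pairs, last = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # section or adapter header
            last = None
            continue
        m = _FIELD.match(line)
        if m:
            last = m.group(1).strip()
            if m.group(2):
                pairs.append((last, m.group(2).strip()))
        elif last:                          # continuation of the previous field
            pairs.append((last, line.strip()))
    return pairs


def domain_allowed(name, allowed_domains):
    """True if name equals, or is a subdomain of, an allowed domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d)
               for d in (a.lower().rstrip(".") for a in allowed_domains))


def check_dns(text, allowed_servers, allowed_domains):
    """Return (field, value) findings for DNS servers not in allowed_servers
    and DNS suffixes outside allowed_domains."""
    findings = []
    for field, value in parse_ipconfig(text):
        if field == "DNS Servers":
            ok = value in allowed_servers
        elif field in SUFFIX_FIELDS:
            ok = domain_allowed(value, allowed_domains)
        else:
            continue
        if not ok:
            findings.append((field, value))
    return findings


def check_local_machine(allowed_servers, allowed_domains):
    """Run `ipconfig /all` on a Windows host and check its live output."""
    out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                         text=True, check=True).stdout
    return check_dns(out, allowed_servers, allowed_domains)


if __name__ == "__main__":
    for field, value in check_dns(SAMPLE_IPCONFIG, {"192.168.1.1", "192.168.1.2"},
                                  {"corp.example"}):
        print(f"unexpected {field}: {value}")
```

Run from a scheduled job with the real allow-lists, this turns the DNS change from something a user stumbles on when the machine slows down into an alert; the same parse also covers the case where an unwanted resolver is added as a second server and the first one is left untouched.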