Viruses, Malware, and Spyware

Happy New Year,

This is my first post and I'm sorry it is not a happy one. I've used PDFCreator for several years and really trust it, but...

I recently -- 2009/12/23 -- installed version 0.9.8.  

Today, my Avira anti-virus product reported:

```
Avira ADSPY/Dealio.Search adware or Spyware
C:\Program Files\pdfforge Toolbar\SearchSettings.dll
```

What's the story? Is it malware, or is it an Avira false positive?

Please explain.  Thanks.

I note that there are two other posts on the virus subject:

2009/12/10  http://en.pdfforge.org/forum/open-discussion/4624-false-virus-alarm-spyhunter -- This was NOT answered.

2009/07/03 -- http://en.pdfforge.org/content/my-anti-virus-program-says-pdfcreator-contains-virus-dont-you-check-your-files -- This WAS answered

Regards, Jeffrey


I am also getting the same detection with Avira

Hello,

yesterday I got the same. This is a false positive. Please also see this faq entry:

http://en.pdfforge.org/content/my-anti-virus-program-says-pdfcreator-contains-virus-dont-you-check-your-files

I have uploaded the file to VirusTotal and it seems that Sophos, McAfee and Avira detect it. They seem to share their signatures:

http://www.virustotal.com/de/analisis/a940251309b8dcd90ac4b6e16801fa6515a16290d70a65d3f29bde87418aab98-1263247960

Please also refer to this FAQ entry, as the dll is part of the toolbar:

http://en.pdfforge.org/content/pdfcreator-toolbar-spyware

kind regards,

Philip

Hello,

we now have a reply from Avira that it is a false positive. They said:

"The file 'SearchSettings.dll' has been classified as a 'FALSE POSITIVE'. This means that the file is not dangerous and that this was an erroneous detection on our part. The detection pattern will be removed with one of the next updates of the virus definition file (VDF)."

Which means that it is a false positive and will be fixed with the next update.

kind regards,

Philip

I'm running Sophos Anti-Virus and I'm seeing the PDFForge toolbar detected as spyware. Two items have shown up since I installed it: Widgi Toolbar and SearchSettings.

The components identified as Widgi Toolbar are:

  • C:\Program Files (x86)\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
  • HKCR\Wow6432Node\CLSID\{b922d405-6d13-4a2b-ae89-08a030da4402}
  • HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b922d405-6d13-4a2b-ae89-08a030da4402}
  • HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{b922d405-6d13-4a2b-ae89-08a030da4402}

The components identified as SearchSettings are:

  • HKCR\Wow6432Node\CLSID\{e312764e-7706-43f1-8dab-fcdd2b1e416d}
  • HKU\S-1-5-21-893870800-1412504420-337594231-11060\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{e312764e-7706-43f1-8dab-fcdd2b1e416d}
  • C:\Program Files (x86)\pdfforge Toolbar\SearchSettings.dll
  • C:\Program Files (x86)\pdfforge Toolbar\SearchSettingsRes409.dll
  • HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e312764e-7706-43f1-8dab-fcdd2b1e416d}

Given the way this toolbar is installed with PDFCreator, I'd say that Sophos is pretty accurate in its representation. I've been using PDFCreator for a while and have been very happy with it, but this may change my mind about the trustworthiness of the developers.
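The Sophos listing above names the three Internet Explorer extension points a toolbar like this registers in: Browser Helper Objects, the IE Toolbar key, and URLSearchHooks, each keyed by a CLSID, with the 32-bit entries living under Wow6432Node on 64-bit Windows. The following script is an added example for readers who want to audit their own machine; it is not code from the thread or from pdfforge. It walks those locations, resolves each CLSID to the DLL registered as its InprocServer32, and flags entries whose DLL is missing or sits outside the usual Windows or Program Files directories. It assumes Windows PowerShell 5.1 or later with read access to HKLM, HKCU and HKCR; the path check in the last block is a heuristic of my own, not a Sophos rule.

```powershell
# Added example (not from the thread): inventory IE extension points and
# resolve each CLSID to its backing DLL so the entries can be reviewed.
# Assumes Windows PowerShell 5.1+ with read access to HKLM, HKCU and HKCR.

function Resolve-ClsidToDll {
    param([string]$Clsid)
    # A CLSID may be registered in the native hive or the 32-bit Wow6432Node hive.
    $candidates = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32",
        "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid\InprocServer32"
    )
    foreach ($key in $candidates) {
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Get-IEExtensionInventory {
    $results = @()
    $clsidPattern = '^\{[0-9a-f-]{36}\}$'   # -match is case-insensitive by default

    # 1. Browser Helper Objects: each subkey name is a CLSID.
    $bhoRoots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root | ForEach-Object {
            $results += [pscustomobject]@{
                Kind = 'BHO'; Clsid = $_.PSChildName
                Source = $root; Dll = Resolve-ClsidToDll $_.PSChildName
            }
        }
    }

    # 2. IE toolbars: registered as values whose names are CLSIDs.
    $toolbarRoots = @(
        'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
        'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
    )
    foreach ($root in $toolbarRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        (Get-Item -LiteralPath $root).GetValueNames() |
            Where-Object { $_ -match $clsidPattern } |
            ForEach-Object {
                $results += [pscustomobject]@{
                    Kind = 'Toolbar'; Clsid = $_
                    Source = $root; Dll = Resolve-ClsidToDll $_
                }
            }
    }

    # 3. URL search hooks for the current user (the HKU\<SID> key in the report).
    $hookKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    if (Test-Path -LiteralPath $hookKey) {
        (Get-Item -LiteralPath $hookKey).GetValueNames() |
            Where-Object { $_ -match $clsidPattern } |
            ForEach-Object {
                $results += [pscustomobject]@{
                    Kind = 'URLSearchHook'; Clsid = $_
                    Source = $hookKey; Dll = Resolve-ClsidToDll $_
                }
            }
    }

    return $results
}

# Heuristic review column (my own, not a vendor rule): an entry with no
# resolvable DLL, or a DLL outside Windows / Program Files, deserves a look first.
Get-IEExtensionInventory |
    Select-Object Kind, Clsid, Dll,
        @{ n = 'Review'; e = {
            if (-not $_.Dll) { 'no InprocServer32 - orphaned or hidden' }
            elseif ($_.Dll -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\') { 'unusual path' }
            else { '' } } } |
    Format-Table -AutoSize
```

Run it in an elevated console to see both hives; the "Review" column is only a triage aid, since a legitimately installed component under Program Files (as in this thread) will pass the path check and still be something you may choose to uninstall via Control Panel.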

Hello,

I have talked to Sophos about it. They say that the search result pages show ads and thus it is a potentially unwanted piece of software in the view of the people running the company.

Following this, they should also report Google and Ask toolbar (which I suspect they don't, as they have a certain market power and financial equipment.)

Can anyone confirm this?

kind regards,
Philip

The Google Toolbar's current iteration doesn't hijack 404 and DNS error pages*. It's also much more explicit about its installation. Your software puts a checkbox on a screen showing the toolbar, which implies that it won't be installed if you uncheck that box. Sure there's some text that explains it, but any developer worth their salt knows that people don't read text like that. At the minimum, you should place another checkbox on that page that will allow the user to deselect installation of the toolbar.

*I'm aware that the beta does and if it stays that way I'll be making a recommendation to Sophos to treat it as malware.

Dear Philip,

my McAfee is also reporting c:\Program Files\pdfforge Toolbar\Widgi Toolbar.IE.dll as spyware. So, is this spyware or not, as opposed to a component of PDFForge, and how would I remove it if so? I believe this hasn't been specifically answered (only in regard to the "search" question).


Many thanks, 

Larimar

1.) I don't know what exactly the toolbar does, but I don't think that it behaves like a virus and collects data from your computer other than the data that is used for getting the search result.

2.) What the virus scanners find is that it is advertising that most people do not want, because there is no use for it except the function to create PDFs from web pages with one click, which may be useful in some cases. But PDFCreator is free, and so advertising is needed to get some money, for example to host this homepage here. I think it is better to have some advertising than software that is protected with online activation and costs about 20$ per installation.

3.) If you want to get rid of the toolbar, simply go to Control Panel => Software and uninstall the PDFCreator toolbar.

Advertising is a bad way to monetize a small piece of desktop software (by small, I mean the limited amount of user interaction). The only way to do it is to act in a manner similar to malicious software. Breaking HTTP and DNS error handling is a great example of this. What if a web site shows advertisements on their 404 pages? The PDFForge toolbar is now robbing the site owners of potential ad revenue.

Also, where is the disclosure about what the toolbar will do if it's installed? You have to ■■■ through the license agreement to find anything about how it operates. How many people here read license agreements all the way through? Of those people, who would see the GPLv2 heading and assume that's all that was in there and move on. Now how many non-techie people do you think are going to read that? It should be disclosed on the "PDFCreator Browser Add-On" page of the installer.

Re: comments above "Your software puts a checkbox on a screen showing the toolbar, which implies that it won't be installed if you uncheck that box."

If I've unticked the "yahoo toolbar" checkbox during installation, is there a risk that my computer is now infected with some other toolbar that didn't have any options during the installation?


1.) Maybe it would be better to read the text of a checkbox before clicking it. What if this checkbox asked for "format drive C: after installation"? :-)

2.) You can uninstall the toolbar any time in Control Panel => Software

3.) There is the toolbar and there is the question, if you want to make yahoo your default search engine.

People aren't going to read that text. It is visually implied that unchecking the box will prevent the installation of the toolbar. You could fix this very simply by having two checkboxes. One would handle the toolbar and one would handle the search defaults.

@Philip

"Following this, they should also report Google and Ask toolbar (which I suspect they don't, as they have a certain market power and financial equipment.) "

As noted, the Google and Ask Toolbars do not hijack 404, DNS and other standard browser behaviors. They also are not hidden within another piece of software without explanation (PDFForge Toolbar) - i.e. they present the user with expected behavior.

This is what McAfee Enterprise 8.7 reported after I installed the PDFForge Toolbar.
http://vil.nai.com/vil/content/v_251552.htm
http://i.imgur.com/nJaXz.png

Hello,

I am afraid that what you say is wrong. Sophos has confirmed that Google and Ask toolbars are also marked as potentially unwanted software.

And they are served in large volumes within other software, just like the way we do it. Have you recently installed Sun's JRE? It includes a toolbar that you have to deselect.

kind regards,
Philip

Java - The toolbar is not called "Sun Java Toolbar" it's clearly marked Yahoo Toolbar.

Per the other toolbars - please cite.

Well, we do not serve a plain Yahoo Toolbar, but you find the name in many places there (see the screenshots). But the main feature from PDFCreator's point of view is the instant-PDF button on the toolbar.

Well, I'm a programmer and was previously very happy with PDFCreator, but after the last install (ver .9.9), having unchecked both boxes, I got both the toolbar and search add-ons installed into Firefox.

I donated to this project some years ago, and to throw that rubbish at users is just not on.

Al.

Hello,

Are you sure that you unchecked both checkboxes and did not have the toolbar installed already?

This should under no circumstances happen. Could you repeat the installation (please uninstall Toolbar and PDFCreator first) to see if it installs again?

kind regards,
Philip

Yeah, I got this damn 404 page hijack thing too, unexpectedly. What a pain in the ass. Not a great idea. Fair enough to try and monetize, but this is a crap way to do it - too sneaky, looks too much like malware. Maybe put ads in the UI when one converts a file to a PDF, much like Winamp has ads in it?

This is not a smart way to do it. Leave my browser alone!!!

Great software though, thx v much.