
Does Foxit Reader free have malware?


  • Does Foxit Reader free have malware?

    I was updating to the new version and Malwarebytes blocked the OCSetupHlp.dll for malware.

    Here is the VirusTotal analysis of this file


    edit: When I save the post a space gets inserted into the VT url. Remove the space to get to the VT page.
    Last edited by David_E; 02-26-2014, 01:36 AM.

  • #2

    After I installed 6.14 there was some crap (Safe Search, or something like that, IE settings had changed and so on) installed with Foxit Reader, and I found an Event Viewer warning: "Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications."

    What is that?


    • #3
      You're lucky. MS Security Essentials didn't detect it. I did a custom install of Foxit and still got infected. My new tabs changed to, a program called SearchProtect was installed, my homepage was set to some random site, and I was prevented from making changes in Firefox via about:config. Windows XP users that try to uninstall SearchProtect from the control panel are then unable to boot their machines because it has a buggy uninstaller that deletes system boot files.

      I can't believe Foxit is willingly doing business with this scummy Malware company. They have even announced the creation of yet another unwanted toolbar:

      I used to recommend Foxit. Not anymore. Now I will tell everyone to steer clear. It was fun while it lasted but I am going back to Acrobat.


      • #4
        Yes, unbelievable, but Foxit now comes with Malware !!!!

        I was alerted to an update this morning. Did a custom upgrade (no word plugin, no spell check, no in browser preview) and while it was doing its thing, I open another browser and my homepage has changed?! Then I get prompts on my system (thank you Winpatrol) that additional software has been installed, startup program added, some cloud conduit added ... even though I declined the changes, every few minutes the same alerts came back.

        I can't believe Foxit went to the dark side and now comes with malware.

        I did not authorize any cloud service
        I did not authorize any homepage changes
        I did not authorize the services of "search protect by conduit" to be installed on my system, monitor all my browsers and internet activity, etc.

        It seems there are two uninstallers in Program Features, but guess what, not all files could be removed. So now I have to get my system double checked.

        Plus, now I have to tell everybody not to update Foxit any longer, then seek another solution, more work that I did not need.

        Foxit had become the #1 recommendation against Acrobat bloat. Well, Foxit just dropped off the podium and the top 10 list. Time to move on.


        • #5
          David E, I used a URL shortener on that link that is too long for the forum.

          Copy the following for URL if you would.

          ( Not sure what the forum is doing with add link below here, first forum I see that adds a whole summary around a link instead of just a URL ... was able to edit out some of the summary ... well then it kills the bitly url ... geez ... not working out like with any other board I've been on ... sorry )
          VirusTotal's antivirus scan report for the file with MD5 670013b656852e6401c9fd135fb03bad at 2014-02-24 17:32:13 UTC. 8 out of 50 antivirus detected the file as malicious. Some of the detections were: PUP.Optional.OpenCandy, Riskware.Agent!, TROJ_GEN.F47V0210, Adware.OpenCandy.4, Opencandy (fs), a variant of Win32/OpenCandy.A, PE:PUF.OpenCandy!1.9DE5, Riskware/OpenCandy
          Last edited by icerabbit; 02-25-2014, 01:59 PM. Reason: Fussing with the forum trying to get a link published by itself without adding a whole bunch of text


          • #6
            Malwarebytes MBAM just found a dozen or so threats in a quick scan related to:


            There goes my productivity for the rest of the day. Now I have to spend time researching this crap and scrubbing around with various tools and start doing deep scans.

            Dammit Foxit !!!


            • #7
              PS: FYI. SuperAntiSpyware, which I used first, did not find anything. So don't worry about using that.


              • #8
                After MBAM deep scan and removal of all above. System restart.

                Two browsers needed to have their default page reset: Firefox, Chrome; from conduit crap with advertising to my personal default. (IE / Win intercepted the homepage change)

                Three browsers needed to have a search engine preset changed back to default and then have "conduit search" removed from the preset search engines.

                Opera seems to have been immune.

                Hijack This is throwing me a bunch of stuff. Complaining about some missing files here and there (seemingly unrelated) and some unknown files in Winsock LSP called wlidnsp.dll. I guess I will have to dive deeper into that later.


                • #9
                  I had another look during lunch time, and I think my system is clean now. Between Malwarebytes Anti-Malware, WinPatrol and manually removing the search engine add-ons and reverting the home pages in the browser.

                  I reached out to Foxit support yesterday, but only got an auto-reply.


                  • #10
                    All right. Here is the scoop on the matter.

                    I had an email discussion with the editor of my favorite download site, prompted by my negative review and calling out of Foxit including Malware (as a warning to other users).


                    To better understand what happened exactly yesterday morning on my primary system with Foxit when I updated it; I went ahead and uninstalled the latest Foxit (interestingly it says all components couldn't be removed) and started over, taking screen shots along the way.

                    I started with my older version of Foxit. In the first steps after agreeing to the EULA, there is a dialog for Toolbar, Ask search engine and Ask homepage with three checkboxes. After that you proceed to the two detailed setup screens for Foxit components and Foxit Additional Tasks. Then a couple more screens that I have always left yes.

                    Note that in that particular toolbar dialog, it is visually identified that it is a third party add-on with different logo plus a toolbar visually shown; and you have three tick boxes making you aware that there are going to be three changes.

                    So, with the old Foxit installed, I let it check for updates, download the latest version, uninstall the old one (kept on taking screenshots).

                    With the newest version, after the EULA, you do not get the dialog for the toolbar/homepage/search engine change. It goes straight to the two screens with options for Foxit components and Foxit additional tasks. (Note, there is no opt-in or opt-out for Foxit Cloud.) You pick your options. Click next.

                    Here's where it matters.

                    There is a new dialog box with the Foxit logo and label "Install Search Protect recommended by Foxit Reader" with Express or Custom. If you don't read the fine print thinking you are already in the custom install and opted out of everything negative you wouldn't want ... nope. This is where it tripped my inattention and will get those who have installed Foxit dozens or hundreds of times.


                    Install Search Protect, Recommended by Foxit Reader

                    Express = Install Search Protect to set my homepage, default search and new tabs to conduit search for Internet Explorer, Firefox and Chrome; and to block other software's attempts to change my browser's homepage and search settings.

                    Custom = Install Search Protect and set my homepage, search default, and new tabs to Conduit Search. Check marked as YES.


                    You need to pick custom and uncheck the conduit.

                    Proceeded with installation. Installation completed. No adverse side effects on my system.

                    I ran MBAM (Malwarebytes Anti-Malware) and it found one instance of open.candy in a temp folder from during installation. I was told this is normal and not malicious.


                    So, it really is user error and was auto-pilot / inattention on my part. There is a screen to opt out of Search Protect by Conduit, after you have picked all your Foxit setup options.

                    One can argue whether or not Search Protect by Conduit is Malware or not.

                    At the very least it is, to me, an unwanted program, an unwanted homepage and an unwanted search engine. I prefer to install software of which I can be reasonably sure my personal information and data will not be abused, and if there's advertising support for something, I prefer to make my own decisions as well.


                    • #11
                      Thanks icerabbit for posting this info !
                      It helps me understand this, and may help others ...

                      Too bad Foxit doesn't have anything to say about this ...


                      • #12
                        In my almost 30 years of working with PCs, I am deeply offended when a legitimate program tries to sneak Ad-Ware or Mal-Ware onto computers that I manage. I have very often recommended (and in fact made happen) removal of kludgy ADOBE READER from computers and installed FOXIT READER. I have always assured others FOXIT is legit, safe, and the best PDF Reader / printer / annotator available for free. No longer. It took me more than an hour of work to scrape the UGLY CONDUIT AD-WARE crap off my laptop, and when I upgraded Foxit to a new edition, the default 'trust us, we know what's best for you' installation again tried to install Conduit again on my laptop. I see others have had similar experiences with ASK toolbar from Foxit. If you MUST provide us with this junk, the install menus should give users at least TWO OBVIOUS DEFAULT CHANCES to opt-out of this scumware before it inflicts itself on us.

                        Foxit: Get some integrity or get off my machines.


                        • #13
                          Received a response from Foxit to my support request on the matter. They will pass on my feedback to product development.

                          I replied with additional clarification and to please read through this forum thread on the matter + forward that as well.


                          • #14
                            Dear All,

                            We sincerely apologize for this inconvenience. I'll forward your feedback and experience to our market development team for reference and evaluation.
                            PUP means Potentially Unwanted Products. The bundled third party software will not harm your system, but provide you with an offer of a third party product. And they are not mandatory to be installed. In the process of installing Foxit Reader, you shall have an Offer Screen which allows you to Accept or Reject the bundled tool, and you can un-check the option to choose not to install the recommended tool.

                            Again, sorry for this difficulty and thanks for your kind understanding.


                            • #15
                              This is an important topic that I believe deserves attention from Foxit users. The problem is caused by Foxit Corporation's decision (with v6.1) to add the OpenCandy Adware package, which has been resoundingly criticized in many software forums and blogs. See [url][url] for a discussion of how OpenCandy operates, including the host computer scan it performs during EVERY installation of the parent software, in this case, Foxit.

                              I am personally no longer going to use Foxit until they change their policy. For now I am staying with 6.06 but I am already using competing products as I move away from Foxit. I just hope others will express their concern and opposition before this becomes an irreversible part of the Foxit marketing approach. Need to show ads? I get it, but OpenCandy is an intrusive and easily exploited choice with dangerous implications for users who are complacent enough to choose software from vendors that seek this approach. BTW, Wikipedia's page on OpenCandy states that it is brought to us by the crew who brought us the evil Yahoo toolbar.

                              I hope this spurs future discussion!!!