A site devoted to discussing techniques that promote quality and ethical practices in software development.

Saturday, March 28, 2015

Installation recommendation for PDFCreator 2.1.0

For those intend on installing PDF 2.1.0, you are recommended
  1. to download it, 
  2. turn off your network connectivity, 
  3. before running the installation package. 

This is because the installation script produces very much the same undesirable behaviour. Turning off the network connective during installation prevents it from calling home to download other crapware.

If you are running AVG 2015, it will pick up the presence of OpenCandy, "Adware AdLoad.OpenCandy", since it is a crapware, it is best to let AVG's residence shield to toss it away - no loss at all.

Below is the brief outline of what happen to the installation process with no network connectivity (assuming no AV to intercept the presence of OpenCandy crapware).

In fairness, I do not believe PDFCreator intends on planting OpenCandy into your machine. Detail probing of the installation process seems to indicate that some programming error is responsible for the left over of "OpenCandy's recommendation engine p101, version" (OCSetupHlp.dll) in the temporary directory. The presence of this file can cause your AV to report the presence of OpenCandy threat during routine scanning.

PDFCreator installation script also generates a copy of the set up log in "c:\Program Files\PDFCreator\SetupLog.txt". There also seems to be a programming error that left the temporary copy (original copy) of this file of the format "Setup Log yyyy-mm-dd #xxx.txt" in your temporary directory.

When one initiates the set up program, it creates two temporary directories of the format is-XXXXX.tmp. One is to hold the actual installation program PDFCreator-2_1_0-Setup.tmp and the other is to hold various files that it needs during the installation program. You can find the list in the Set up log. One of them is the "OpenCandy recommendation engine p101" OCSetupHlp.dll version

At the early stage of installation process, this DLL is not used, see comment below, and if you hate OpenCandy, delete it now and in fact that is what AVG did when it picks up the presence of OpenCandy and that you instruct it to remove the threat.

After you have selected the options to install, the program will run smoothly to completion. In my execution (not installing "PDF Architect") I never allow the last dialog box to launch PDFCreator.

Investigation using ProcMon on the interaction of the PDFCreator setup program with OpenCandy records the following observations:
  1. Towards the end of the installation phrase, the installation script launches RunDll32.exe to invoke OCSetupHlp.dll with the entry point using exported function 16 and the optional parameter seems to indicate an intention to perform IPC with the parent process. The purpose of this is still a mystery.
  2. The installation script's clean up process then deletes the files such as InstallCheck.exe, etc in the temporary directory
  3. It fails to delete OCSetupHlp.dll because RunDll32.exe is still running using it. The installation program attempts to delete this file 31 times before giving up.
  4. Once all the files are 'deleted', including the failed one, it tries to delete the directory but fails.
  5. At the end it simply ignores those failures and completes the installation.
The presence of the installation program trying numerous attempt to delete OpenCandy crapware only to be faulted by their programming error and the lack of sign of it trying to plant this engine elsewhere suggest to me that PDFCreator does not have any intention of using OpenCandy in the execution of the program.

You cannot delete OCSetupHlp.dll at the completion of the installation program until you have terminated the RunDll32.exe process holding this DLL. The best way to find the process holding onto this DLL is to run ProcExp and then search for the OCSetupHlp.dll. Alternately, log off and log back on and you can delete this file. It is highly recommended that you delete OCSetupHlp.dll to avoid your AV finding it in routine scanning.

Once RunDll32.exe is terminated you can delete OCSetupHlp.dll and to satisfy your concern, run your AV scanner over your system or use something like MalwareBytes.

No comments:

Blog Archive