Unchecky coming bundled with Conduit search optimizer adware now?

Complaints reached us that Unchecky now comes bundled with the Conduit adware, designed to deliver search-based advertising and results. During installation the user is presented in some cases with the option to install the toolbar (on by default).
Avira flags it: https://www.virustotal.com/nl/url/3a6c869ede1359d2d94fc080773af498903ab48b7720242bc9b4d95eae15ec0d/analysis/
Here we see some IDS alerts for Unchecky downloads:
https://urlquery.net/report.php?id=1405186047090
And here is the final proof: http://www.herdprotect.com/i0.exe-bd79cd405606bc27094c89c3ace959ee7771ddad.aspx
Here there is only one generic detection: http://r.virscan.org/report/d47b542155568a2d7f69d0d077e3876c

polonus

I see no detection on the install file? …only Avira reporting the URL

And virscan / ClamAV is a packer detection

My dear Pondus,

For File name: i0.exe
Publisher: RaMMicHaeL (signed by Michael Maltsev)
Product: Unchecky
Description: Unchecky Setup

bla bla bla and then…

The file i0.exe has been discovered within the following program…
360Amigo System Speedup Free by 360Amigo and that has the Conduit crap with it.

The Unchecky software “an sich” may be above board, my question is what is inside the installer?

Fact is that Unchecky now has been blocked at schools by sys-admins.
They won’t do that because of a spurious Avira detection or a ClamAV false packer alert.

So my question is what is out there so endangering that makes them wanna block this for their students.

polonus

Hello Peeps,

I asked Polonus to do the scan shortly after attempting to access the site from school. They certainly have a knack for blocking these sites now :). However, the question still remains! Why in the world would an anti-adware program such as Unchecky come bundled with adware? It seems to be very stupid.

I got a DoE (Department of Education) proxy block on it, from my personal computer, not a district one, where settings are much stricter.

Edit: Shortly after posting, I thought, does this mean, we can’t recommend the program? If so, well, what do we recommend to help users prevent adware?

So!

I went back to double check results. Turns out, only my Laptop (owned by me, maintained by me) gets the DoE block. My desktop @ school to which I’m assigned doesn’t? Surely something is not correct…?

Either, it may also appear the block is corrupt on my laptop…

Edit:

The ? = nothing… They shouldn’t be there. I will send another message showing that

That translates to

Department of Education and Early Childhood Development

You cannot access the following webpage.

URL: unchecky.com/

If you think the blockage was a mistake, or have questions, contact the Depart. of Education & Early Childhood Development at 1-888-636-3131 or email proxy@nbed.nb.ca

Hi Michael,

Well, these bundling practices, by “domineering” marketeers that know zilch about the security/privacy implications of bundling certain very persistent adware/trackware for the end-user, are really becoming a bigger and bigger problem. Users should go back to looking for clean installers from reputable downloaders or to the original developer, lest this guy has not been infested also by the “crap-bundling” fever. As Unchecky Set-Up is now also being spread from a Shanghai download site, it is getting harder and harder to get one’s hands on the real “clean” McCoy software.

Besides, the end-user position in the commercial Internet settings of to-day, where big players decide and others just have to follow, has become weaker and weaker and is sometimes non-existent, like in the wild, wild west of 1860 without any sheriff in sight. Alas, a sign of the times, and we have to come to live with it and take our own responsibility as others won’t do it for us or do not feel like doing it for us.

This is one thing; blocking through errors made by the very technicians that are responsible for that block is also a good possibility. So take that up with them then. This “we have to come to live with it and take our own responsibility as others won’t do it for us or do not feel like doing it for us” is more and more becoming very, very true.

polonus

I still think our “best” defense is common sense. With common sense, you can avoid 99% of the PUP out there.

Rules of Common Sense:

  1. Don’t run unknown files. If you expect it to say SetupForXXX.exe then it should be close, if it says something different, SCAN IT (Great tool @ www.virustotal.com!)
  2. Read EVERYTHING. It may take an extra minute, but compare that to the hours it takes to clean, even with specialized helpers such as Martin, Argus Twin etc.
  3. Well, don’t visit suspicious sites. Period.

I will talk with the sys-admins, see what they have to say

I just installed it in a VM with Trend Micro OfficeScan and there’s NO junkware, downloaded from the official site.

Hi Michael and Steven Winderlich,

OK, then Unchecky is above board and clean.
This is also checked and OK - the mail address Michael gave - checked online:
MX record about nbed.nb.ca exists.
Connection succeeded to nbed-nb-ca.mail.protection.outlook.com SMTP.
220 BN1AFFO11FD018.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Fri, 3 Oct 2014 12:38:50 +0000

HELO verify-email.org
250 BN1AFFO11FD018.mail.protection.outlook.com Hello [verify-email.org]

MAIL FROM: check@verify-email.org
=250 2.1.0 Sender OK

RCPT TO: proxy@nbed.nb.ca
=250 2.1.5 Recipient OK

polonus
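The recipient check polonus pasted above, replayed as an added example that is not from the thread or from the verify-email.org tool it came from; the MX name, banner and reply lines are copied from the post, while `FakeMX` is a constructed stand-in so the probe runs offline:

```python
# Added example, not from the thread or any tool named in it: replays the
# HELO / MAIL FROM / RCPT TO probe pasted above. `conn` is any object with
# readline()/write(); for a live MX pass sock.makefile("rwb", buffering=0).
def smtp_reply(conn):
    """Read one SMTP reply, honouring '250-' continuations -> (code, lines)."""
    lines = []
    while True:
        raw = conn.readline()
        if not raw:
            raise ConnectionError("MX closed the connection")
        lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
        if len(lines[-1]) < 4 or lines[-1][3] != "-":   # space after code ends reply
            return int(lines[-1][:3]), lines

def send(conn, command):
    conn.write((command + "\r\n").encode("ascii"))
    return smtp_reply(conn)

def probe_recipient(conn, helo_name, sender, recipient):
    """True if the MX answers 250 to RCPT TO:<recipient>; DATA is never sent.
    Caveat: catch-all domains accept every RCPT, so 250 != 'mailbox exists'."""
    if smtp_reply(conn)[0] != 220:                    # greeting banner
        return False
    for command in (f"HELO {helo_name}", f"MAIL FROM:<{sender}>"):
        if send(conn, command)[0] != 250:
            send(conn, "QUIT")
            return False
    code, _ = send(conn, f"RCPT TO:<{recipient}>")
    send(conn, "RSET")                                # abort the envelope
    send(conn, "QUIT")
    return code == 250

class FakeMX:
    """Constructed stand-in for the MX in the post; banner and replies copied from it."""
    REPLIES = {"HELO": "250 BN1AFFO11FD018.mail.protection.outlook.com Hello [verify-email.org]",
               "MAIL": "250 2.1.0 Sender OK", "RSET": "250 2.0.0 Resetting", "QUIT": "221 2.0.0 Bye"}
    def __init__(self, known=("proxy@nbed.nb.ca",)):
        self.known, self.sent = known, []
        self.queue = ["220 BN1AFFO11FD018.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready\r\n"]
    def readline(self):
        return self.queue.pop(0).encode("ascii") if self.queue else b""
    def write(self, data):
        cmd = data.decode("ascii").strip()
        self.sent.append(cmd)
        verb, _, arg = cmd.partition(" ")
        if verb == "RCPT":                            # arg looks like TO:<addr>
            reply = "250 2.1.5 Recipient OK" if arg[4:-1] in self.known else "550 5.1.1 User unknown"
        else:
            reply = self.REPLIES.get(verb, "500 5.5.1 Command unrecognized")
        self.queue.append(reply + "\r\n")
```

Against a live MX the same function only tells you the server accepts the address for delivery; Exchange Online Protection and other catch-all front ends will answer 250 for non-existent mailboxes too.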