Warning: Cnet downloader installs nasty malware without permission

Yesterday I used the once-reliable Cnet to download software from their site. They suggested using their Cnet downloader, which I did. Just as I clicked Yes to download, I saw a tiny message saying it would install a search plugin called Wajam. It was too late to say No and besides there didn’t appear to be any option to do so. The installation of Wajam locked up Firefox after installing it on Explorer and Chrome. I deinstalled Wajam from Add / Remove programs.

Things then got much worse. After deinstalling Wajam, a message appeared when starting Chrome saying ‘Coupon Companion’ had been installed. I did not authorize that nor was there any mention of it. CNet forums have many complaints about this stealth install of malware which spews ads everywhere. The complaints have been ignored by Cnet for months.

Now for the truly scumbag part. After deinstalling Coupon Companion from Chrome, I checked Add / Remove Programs and found it needed to be deinstalled there too. During that deinstall it had a box checked saying it would install a DNS tool, which presumably would have jacked my DNS. That’s right, the Coupon Companion deinstall program was trying to install yet another piece of malware, something which has to be a new low in sleaze. Hey, fuck you Coupon Companion and fuck you Cnet.


Malwarebytes found two trojans after the attempted install of the DNS jacker on my computer. Microsoft Security Essentials found three more.

Files Detected: 2
C:\Users\bob\AppData\Local\Temp\DNS.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\bob\Local Settings\Temporary Internet Files\Content.IE5\BLB3IDIY\DNS[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Cnet used to be solid and reliable. However, based upon their slimy, unethical new behavior, I’ve deleted my Cnet iPhone app and will stop going to their website. I suggest you do the same. If you go to sleazy, unsafe areas you’ll probably catch something nasty.



4 Comments

  • Firefox blocks a lot more malware than it used to, but mostly limited to FF Add-ons.

    I’ve been a fan of Sunbelt Software (now GFI) since their original Counterspy.
    I recently upgraded my VIPRE Antivirus to VIPRE Internet Security and have seen much tighter security, not only via their up-to-date list of known malware but also a list of legitimate sites with unintended malware, such as Truthdig:

    Safe Browsing
    Diagnostic page for http://www.truthdig.com/cartoon/item
    What is the current listing status for http://www.truthdig.com/cartoon/item?
    This site is not currently listed as suspicious.
    What happened when Google visited this site?
    Of the 91 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-12-29, and the last time suspicious content was found on this site was on 2012-12-28.
    This site was hosted on 2 network(s) including AS36444 (NEXCESS), AS15169 (Google Internet Backbone).
    Has this site acted as an intermediary resulting in further distribution of malware?
    Over the past 90 days, http://www.truthdig.com/cartoon/item did not appear to function as an intermediary for the infection of any sites.
    Has this site hosted malware?
    No, this site has not hosted malicious software over the past 90 days.

    The one time I knowingly installed software which turned out to be rogue, I called GFI and the support was prompt and effective. Downloaded their cleanup code and all was soon well. Their software is excellent, their support exceptional – and no, I don’t get paid to shill for them. 🙂
