We’ve all seen it before, crapware packed into an installer for an otherwise great app. I think most people understand that sometimes this is a necessary evil to support starving app developers everywhere. But what if ads and junkware were included by the company hosting a download for the software and it was ambiguous if any of the funds even went to the developers at all? This is what I heard about the CNET Installer, an application that I had never tried before since I usually download directly from the developer. According to a thread on a popular social media site, this program’s only benefit to a user is its claim to improve download reliability, but in reality the purpose of this software is its ability to sneakily attempt to install crapware on your computer. And why does it do it? This crapware is put into the installer by companies paying CNET to put it there. CNET is literally getting paid to sneakily attempt to install garbage on your computer.

It sounds crazy that a reliable company like CNET would resort to these kinds of advertising tactics, so I had to investigate for myself. If CNET’s download installer really is a crapware trap, the scary part is how many people are falling into it. According to CNET it has received over 751,418 downloads which included 97,556 just last week alone. At this rate it will soon be over 1 million downloads and likely close to as many computers infected with its alleged crapware.

My Investigation is long and drawn out, so if you’d like to just skip to learn how to avoid becoming a victim of crapware via CNET, scroll down.

The Verdict – Is CNET’s installer just a scam to infect your computer?

I was mostly convinced this was going to be bad based on previous experiences with bundled crapware, but the only way to be sure that the rumors were true was to give it a go myself. I went to CNET and decided to download a program called Mangofile using the CNET Installer. Here’s what I ran into:

On the very second page of the installer was what at first glance appeared to be the Terms of Service checkbox for the app I was downloading. But alas, it was a trick! This wasn’t the TOS I was looking for, it was a installer acceptance box with light-gray text. The fine print next to it clearly says that it’s going to install SweetPacks toolbar!

Well, they didn’t manage to snag me on this one. I was sure not to check that little box. So I left it unmarked and clicked onto the Next Step.

What’s this? Another Terms of service? Of course I’ll just click the green box right where my mouse already is and accep… wait a minute. This is another load of crapware! Look at the left side! DefaultTab Search Bar and TopArcadeHits? If that doesn’t sound like crap then I don’t know what does.

The way around this one was to click the Decline button, so that’s what I pressed.

This screen is even telling me to “Click ‘Accept’ now to continue my installation” so that’s just what I’m going… wait a minute, this is another page of crapware! What the heck is Wajam? That’s not the application I was trying to download…

That makes 3 attempts to get me to install crapware. I clicked Decline again and was finally taken to the screen where the program I actually wanted would begin downloading.

After 3 pages of crapware installation attempts, guess what? My download froze. It got to 8.5MB out of 26.5MB and then stopped downloading. I let it sit for about 5 minutes and after it had made no progress I canceled. I didn’t even install the Mangofile that I was originally after. And then I noticed something strange, my Google Chrome browser that was running in the background crashed out. Luckily I didn’t have any unsaved data open it, but that was certainly odd wasn’t it?

Well it made me suspicious, so I went to take a look.

The Fallout – What if you do fall for the scam?

It turns out that even if you don’t check the box to accept installation, the CNET installer will still install the crapware from the first box. So just letting the installer get to the download page will be enough for you to have fallen into the trap.

I was absolutely sure not to accept any of the software that they planned to install, but as you can see in the screenshot below it still installed SweetPacks.

Time to uninstall. I selected all of the SweetPacks programs and then clicked the uninstall button.

Strangely enough, an IB Updater Service prompt appeared and asked me to enter a captcha during uninstall. This is the first time I’ve ever seen a program require a captcha to uninstall, and it surely didn’t ask for a captcha when it installed itself earlier without my permission. Captcha is for security, why in the hell would you need to verify so closely that you want to uninstall something!

With no more entries left in the Programs & Features section of the Control Panel it was time to be sure.

I had uninstalled all of the SweetPacks programs from my control panel. Everything should be gone, right? Wrong. The uninstallers don’t actually remove anything. I pulled up a quick search of my drive for files that were recently modified and found quite a few. In particular two entire system folders were created in C:\Program Files.

Within each of these directories were full on SweetPacks applications. I did the sensible thing and manually deleted them by going up a level and removing the entire folder. However not all of these files were removed easily.

In the Updater by SweetPacks directory I ran into a problem with ExtensionUpdaterService.exe – it wouldn’t delete. It turns out that it was already running and would first have to be closed.

To do so I opened up the Task Manager and selected to view processes from All Users. Then I just right-click on the ExtensionUpdaterService.exe and ended it. The file deleted without a problem after it was no longer running.

Next up was a few leftover file scattered about my AppData folder. I used Everything Search to find them and then I removed all of these and anything else I could find that had “sweet” in the name.

In all of my browsers except for Chrome, CNET had installed SweetPacks Toolbar and let it hijack my browsers’ Home Page. This was easily rectified by removing the toolbars and changing the homepages back, but it was still a pain to fix it in both Firefox and IE.

After I finished with Firefox & IE it was time to scan the registry. Chrome wasn’t affected, I think mostly due to it crashing during the installation.

I performed a quick memory scan with CCleaner and found several entries that the installer never bothered to remove. These cleaned up easily enough.

Now call me paranoid, but I wanted to be sure that I had removed everything to do with this CNET installer debacle. So I ran some scans using some free tools in the following order:

After all of that I ran another file system scan and everything looked clean. Hopefully it’s all gone. I don’t even think Brian’s method of uninstalling software would have been 100% effective with this royal mess!

How to Avoid the CNET Installer and its Crapware

The easiest way to avoid your computer getting infected is obvious: avoid downloading from CNET & Download.com!

Unfortunately some programs are hosted exclusively on Download.com and you might not have an option. In these cases there are still a few ways around the crapware.

Only use Direct Download Links when possible. If your download link contains “cbsidlm” at the beginning of the filename, abort ! It is the CNET Downloader…remember that CBS Broadcasting, Inc. is the Parent company of CNET.

! It is the CNET Downloader…remember that CBS Broadcasting, Inc. is the Parent company of CNET. Add “&dlm=0” to the end of your download links. For example if your download is: http://download.cnet.com/Tropical-Island-Escape-3D-Screensaver/3001-2257_4-92094.html?spi=ad31aa7581c9b6ecfe6e0740a9ed58fe Change it to http://download.cnet.com/Tropical-Island-Escape-3D-Screensaver/3001-2257_4-92094.html?spi=ad31aa7581c9b6ecfe6e0740a9ed58fe&dlm=0

Install Greasemonkey for Firefox (Tampermonkey on Chrome)and use this script to prevent your browser from ever downloading the CNET Installer.

Also, if you’re going to install the essential free and open source software like Firefox, Thunderbird, VLC, FileZilla, or Evernote — heck even the runtimes like Java (if you must) Sliverlight and Shockwave — Use Ninite if you can. One of the staples of the Ninite service since its inception is to never allow toolbars or extra junk to be installed.

Conclusion

CNET monetizes many of the programs available in its software download section, also known as Download.com. This is done through its CNET Installer application, which is touted to improve download reliability, however in my case it didn’t even do that as my download froze. The CNET Installer will still install crapware (possibly adware) on your computer even if you choose all of the options saying you don’t agree with it happening. Overall the CNET Installer a great runner up one of the worst pieces of software to ever be put on charade as something useful. Watch out for it the next time you find yourself downloading something from this company. And make sure to tell your friends and coworkers to stay away until the site gets a respectable download policy back in place.