Posted as a warning and for information/use of other DC denizens.
Following a link in Lifehacker, "oCam Supercharges Screen Capture in Windows", I went to the oCam developer's website at http://www.ohsoft.net. There I found they had 4 products:
I downloaded and installed oCam (it was a straightforward silent install), as that was what I was primarily interested in, and took a look at the other 3 items, downloading VirtualDVD as that looked like it could be useful to me.
I gave oCam a quick try out, and it seemed to do what it was designed for rather well.
I then turned my attention to something else and opened up IE11 (this is on a laptop with Win7-64 Home Premium), and saw that the default page was what looked like a search page hijack for unifinder.net.
At the bottom of the page there was a box with small type in it that said:
You can change the search engine using the PageUp, PageDown key and Mouse Wheel.
* If keyword is the URL address, we will go directly to the site.
* [100% Freeware] Screen Recorder / DVD-ROM emulator / File Archiver / Hide Folder Download
Copyright Ohsoft.net All Right Reserved
After a bit of experimentation, I recognised that the search page was a trojan hijack - i.e., it persisted between IE sessions and could not be deleted. It kept recreating itself as file unifinder.em.js.
Fearing the worst, I set MBAM (Malwarebytes PRO) on a scan, and it took a few minutes to come up with a report that 8 folders and 60 files had been infected with (PUP.Optional.CrossRider.A). The infected items were quarantined and deleted, necessitating what MBAM said was an "urgent" reboot of the laptop (some of the malware had been running in RAM).
After reboot, I re-ran the MBAM scan (better safe than sorry) and then turned my attention to the IE start page, which still had the persistent unifinder.net page. I eventually figured out that if I set another website page as the start page instead, and shredded the file unifinder.em.js, then the problem was cleared.
I then did a DuckGo search on (PUP.Optional.CrossRider.A), and discovered that "PUP" stands for "Potentially Unwanted Program". I ran MBAM and MS Security Essentials over the installer files for oCam, but they both came up "clean". I shredded both files and added some notes to avoid them, to my OneNote Notebook.
The DuckGo search on (PUP.Optional.CrossRider.A) also came up with an interesting post at fixpcyourself.com about a variant of it - "Remove PUP.Optional.Cgminer Virus".
Another learning experience.
EDIT 2014-04-30 2332hrs:
By the way, as a precaution I did of course expunge every last trace of oCam, and as a result of this experience I would strongly recommend that you never download the thing. I certainly wouldn't touch it with a bargepole again. There is, after all, such a thing as a failure of trust.