[daveloyall]

As noted in other comments, the GIMP installer on http://sourceforge.net/projects/gimp-win/files/ is now bit-for-bit identical to the one on http://download.gimp.org/pub/gimp/v2.8/windows/ (let's call this one official).

Does anybody have a copy of the "value added" installer?

How did it work? Was it a wrapper which contained a copy of the official installer? Did it have the same filename? Was there some identifier in the URL? A cookie?

In other words, can we programmatically identify other hijacked projects?

[JohnTHaller]

It's a 730KB downloader installer as used by FileZilla, Angry IP Scanner, and other apps on SF that participate in the Dev Share program. You run it, it shows offers, then downloads the actual GIMP installer and runs that. I did a Virus Total scan of it earlier and the results are here: https://www.virustotal.com/en/file/a63a337b0aa6b2686440802eb...

It seems they've disabled the ability for the GIMP downloader installer posted earlier today to be able to download GIMP now. Possibly so other sites don't distribute it further thinking it's the real GIMP installer?

[makomk]

It was a small wrapper that downloads the actual installer, loaded from a different site to their usual mirrors because they outsourced the whole "bundling unwanted software" functionality to a third party. I don't still have a copy because I downloaded it in a temporary test VM, sorry.