66.220.17.126

Nathalieyuna
Hi Steven,

Thanks for your reply. I'd appreciate more details as to what research indicates that this respectable site and the freeware it promotes, Messenger Plus! Live, distributes badware. When you download the software from this (official) site, you will have no annoyance factors or viruses. You are welcome to send me any logs or documentation offline as well via the email address I supplied in my original support ticket #84716. Thanks!

Nathalie

Community Liaison, Yuna Software

official representative for Messenger Plus! Live


Due to my normal machine going down, I've had to waste time migrating to a new one, so the report has been delayed. It should be ready within 24 hours.

My apologies for the delay.

@BrainyTehBrain,

It is indeed due to the "sponsor software" (myself and several others (aka Sandi at SpywareSucks) have documented this many times over the years).


Interesting findings.

The sponsor program in the software was removed months ago. Therefore, the current freeware is virus free and ad-free, and the last few versions shouldn't be identified as badware. The install instructions are transparent to the user. They have the choice of whether or not to install a toolbar when downloading the software. You can download the latest version (4.85) and see for yourself.

Will you be sending me a more detailed report to my email so that we can see why this is still being diagnosed seemingly incorrectly?

Thanks!


I'll be sending you the detailed report once finished, yes. As far as the latest version - I downloaded the file from your website, so unless you're linking to the old version, it was the latest version that was tested (and I notice, whilst you say "months ago", 4.85 was only released on July 19th 2010 ..... interesting, given I downloaded 4.84 on July 22nd, from the same page, using the same download link).


Do you want to change your story? Attached is a quick TUN log for 4.85, as downloaded from the following at 22:50 GMT London

http://mirror3.msgpluslive.net/MsgPlusLive-485.exe

And guess what's still coming with it ......... (seems we're not as daft as you'd like us to be).

MsgPlusLive_485.exe.txt


Thanks for your reply.

The sponsorship program was removed as early as January 15, 2010. All versions since then (including the latest version, 4.85) have not contained anything that could be considered adware or something similar. Part of the log you sent contains a reference to Messenger Plus 3, a very old version. Before generating a new report, please make sure all previous said versions are removed from the computer. You'll find that the latest versions are transparent and malware free.

Please feel free to share your findings once again.


I've already read the claim of its being the previous sponsor, and am not buying it.

Why is this you ask? Simple - the file I downloaded, downloaded the MsgPlus installer itself, then progressed to install the crapware. I can do a video of this in action if you guys don't believe me? This was NOT an old installer that was being used.

/edit

Doing a video of this in action now, so you can see for yourself ... will post when done


1. Go to msgpluslive.net

2. Click the Download button

3. Run installer

4. Select the sponsor option

You can use CaptureBAT, Wireshark or Total Uninstall to monitor the installation and confirm the installation of Swizzor.

/edit

Installer is still running btw (over an hour since it was started), which is why the video hasn't been posted yet (slowness is likely due to a mixture of the machine's specs and the monitoring software (CamStudio + CaptureBAT) running, though the MsgPlus installer has always been horribly slow whenever I've tested it).


You seem to be under the assumption that I'm basing my analysis on what AV's are telling me - I'm not, I've got eyes of my own.

CaptureBAT is a monitoring program, nothing more nothing less

Total Uninstall is a monitoring program, nothing more nothing less

Wireshark is a monitoring program, nothing more nothing less

None of the 3 programs are "relatively unknown" btw - they're very well known.

Follow the steps I outlined above on a clean install of Windows, or a machine without MsgPlus installed, and you'll see these results as well.

NOD (amongst the other vendors I sent the details to) is detecting it as Swizzor because that's what it is. I've already read the thread over there, and they're under the assumption that either Eset's monitoring gear is buggered, or they're using an old installer - neither of these is true. The monitoring/analysis gear is just fine, and it's a brand new installer that they're using, downloaded from the URL I posted in a previous reply (by clicking the download button on msgpluslive.net).

FYI: Malwarebytes may not flag the installer, but it does flag the crapware that's installed.


@MysteryFCM

I love it. You tell 'em Steven. BTW; Remind me to never get on the wrong side of a discussion with you. :rolleyes:

Sock it to them!

~Shy

Sidenote: I'm taking bets on MysteryFCM's version being correct and offering 10-1 odds. Any takers?


It's NOT Conduit that it's installing. PLEASE follow the steps I outlined above before replying to anything else as I'm 99.9% confident you've not actually done so (else you wouldn't be arguing with me).



(+)(FOLDER) C:\Documents and Settings\All Users.WINDOWS\Application Data\scr style mp3 glue
(+)(FILE) Amen Soap.exe = 23:47 26/07/10 765952 bytes
(+)(FILE) Amen Soap.dat = 23:47 26/07/10 3596988 bytes

(+)(FOLDER) C:\Documents and Settings\Steven\Application Data\forkprogrampeak
(+)(FILE) Start Ace Test.exe = 23:46 26/07/10 356352 bytes
(+)(FILE) slow mess.exe = 23:45 26/07/10 524288 bytes
(+)(FILE) ermuwcrw.exe = 23:45 26/07/10 765952 bytes
(+)(FILE) 1 rect ref build.exe = 23:45 26/07/10 269312 bytes
(+)(FILE) 0 = 23:46 26/07/10 1060 bytes

(FOLDER) C:\Documents and Settings\Steven\Local Settings\Temp
(+)(FILE) bis4.exe = 23:45 26/07/10 524288 bytes

(+)(FOLDER) C:\Program Files\Adverts
(+)(FILE) uninst.exe = 23:45 26/07/10 408576 bytes
(+)(FOLDER) C:\Program Files\forkprogrampeak

(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(+)(REG VAL) mp3 glue close defy = 'C:\Documents and Settings\All Users.WINDOWS\Application Data\scr style mp3 glue\Amen Soap.exe'

(REG KEY) HKEY_USERS\S-1-5-21-796845957-813497703-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run
(+)(REG VAL) Grid Atom = 'C:\DOCUME~1\Steven\APPLIC~1\FORKPR~1\slow mess.exe'

(+)(REG KEY) HKEY_CURRENT_USER\Software\store trust amok
(+)(REG VAL) Internet Platform = ...w....X.@..H:.2...k..._H8...U...H........;(t.."\Q..1.... \....B)..F..$gg.S.......]..[...................F....z8...O.%e....4u,..-..M.......'1Y(......H.....\..;M...M2u..]....v...2.q..+v..$ag.S.......\..9................... ........xo..D....n"s..z.........._H<...9...o.....]..;(p.."0:..1i...B5....B)..F..K...S.......\..[...................w.....]..x .D...../}-..*S.....m..._H<...Q...8...R:...;(p.."XU..A....G5....B)..F..$gg.<{......\.._...................F....r8..g9..J....5.F..H>.6.......;=Q...U...H.6...\..;\.m.".o..~....:...K..z.gw..m);..X.....B........@..............F....s8...O.Vd....X.@..H:.5...}...g-.r..6...x.=...^..;,t..&\U..X....D0....B)..F..Q...S.......\..[...................F....w8..a=.U......;@..H:.6.......*H. ..e...H.....]..?(t..K/<..T....D6....B)..F..\.g.S.....v
(+)(REG KEY) HKEY_CURRENT_USER\Software\store trust amok\Gpl Four

.... etc etc etc .....

What I'm trying to say is simple, I downloaded 4.84, then 4.85 (both from msgpluslive.net), and both installers subsequently downloaded the MsgPlus installer that then installed Swizzor.

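The listing above is raw Total Uninstall/CaptureBAT-style output. As an added example (not code from the thread, from Malwarebytes, or from any of the tools named), the Python script below parses lines of that format and pulls out the two things an analyst checks first after a monitored install: executables dropped into user-writable directories, and Run-key values that launch them at logon. The sample input is the excerpt posted above with the binary 'Internet Platform' value omitted; the user-writable path markers are an assumed XP-era heuristic, not something the tools define.

```python
"""Summarise a Total Uninstall-style install log (added example, not from the thread)."""
import ntpath
import re
from dataclasses import dataclass

# Excerpt of the log posted in the thread; the binary 'Internet Platform' value is omitted.
SAMPLE_LOG = r"""
(+)(FOLDER) C:\Documents and Settings\All Users.WINDOWS\Application Data\scr style mp3 glue
(+)(FILE) Amen Soap.exe = 23:47 26/07/10 765952 bytes
(+)(FILE) Amen Soap.dat = 23:47 26/07/10 3596988 bytes

(+)(FOLDER) C:\Documents and Settings\Steven\Application Data\forkprogrampeak
(+)(FILE) Start Ace Test.exe = 23:46 26/07/10 356352 bytes
(+)(FILE) slow mess.exe = 23:45 26/07/10 524288 bytes
(+)(FILE) ermuwcrw.exe = 23:45 26/07/10 765952 bytes
(+)(FILE) 1 rect ref build.exe = 23:45 26/07/10 269312 bytes
(+)(FILE) 0 = 23:46 26/07/10 1060 bytes

(FOLDER) C:\Documents and Settings\Steven\Local Settings\Temp
(+)(FILE) bis4.exe = 23:45 26/07/10 524288 bytes

(+)(FOLDER) C:\Program Files\Adverts
(+)(FILE) uninst.exe = 23:45 26/07/10 408576 bytes
(+)(FOLDER) C:\Program Files\forkprogrampeak

(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(+)(REG VAL) mp3 glue close defy = 'C:\Documents and Settings\All Users.WINDOWS\Application Data\scr style mp3 glue\Amen Soap.exe'

(REG KEY) HKEY_USERS\S-1-5-21-796845957-813497703-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run
(+)(REG VAL) Grid Atom = 'C:\DOCUME~1\Steven\APPLIC~1\FORKPR~1\slow mess.exe'

(+)(REG KEY) HKEY_CURRENT_USER\Software\store trust amok
(+)(REG KEY) HKEY_CURRENT_USER\Software\store trust amok\Gpl Four
"""

# Line shapes seen in the posted log: a FOLDER/REG KEY line sets the context for the entries below it.
FOLDER_RE = re.compile(r"^(\(\+\))?\(FOLDER\) (.+)$")
FILE_RE = re.compile(r"^\(\+\)\(FILE\) (.+?) = \d\d:\d\d \d\d/\d\d/\d\d (\d+) bytes$")
REGKEY_RE = re.compile(r"^(\(\+\))?\(REG KEY\) (.+)$")
REGVAL_RE = re.compile(r"^\(\+\)\(REG VAL\) (.+?) = '?(.*?)'?$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Assumed XP-era user-writable locations (heuristic; Vista+ profiles use a different layout).
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\")


@dataclass
class AddedFile:
    path: str
    size: int

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(".exe")

    @property
    def in_user_writable_dir(self) -> bool:
        return any(marker in self.path.lower() for marker in USER_WRITABLE)


@dataclass
class RunEntry:
    key: str
    name: str
    command: str


def parse_log(text: str):
    """Return (added_files, run_entries); file names are joined to the FOLDER line above them."""
    files, runs = [], []
    folder, key = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FOLDER_RE.match(line):
            folder = m.group(2)
        elif m := FILE_RE.match(line):
            files.append(AddedFile(ntpath.join(folder, m.group(1)), int(m.group(2))))
        elif m := REGKEY_RE.match(line):
            key = m.group(2)
        elif (m := REGVAL_RE.match(line)) and RUN_KEY_RE.search(key):
            runs.append(RunEntry(key, m.group(1), m.group(2)))
    return files, runs


def summarize(text: str) -> dict:
    files, runs = parse_log(text)
    dropped = [f.path for f in files if f.is_executable and f.in_user_writable_dir]
    # Run values may use 8.3 short names (C:\DOCUME~1\...), so correlate on file name, not full path.
    new_names = {ntpath.basename(f.path).lower() for f in files}
    persistent = [r.name for r in runs if ntpath.basename(r.command.strip('"')).lower() in new_names]
    return {
        "added_files": len(files),
        "dropped_executables": dropped,
        "run_entries": [(r.name, r.command) for r in runs],
        "run_entries_launching_new_files": persistent,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['added_files']} files added; {len(report['dropped_executables'])} executables in user-writable dirs:")
    for path in report["dropped_executables"]:
        print("  ", path)
    for name, cmd in report["run_entries"]:
        print(f"autorun {name!r} -> {cmd}")
    print("autoruns pointing at newly added files:", report["run_entries_launching_new_files"])
```

Run as-is it reports six executables dropped under Application Data and Temp (uninst.exe under Program Files is excluded) and both Run values as launching files the installer just wrote. The Grid Atom value is the reason for matching on file name: its 8.3 short path cannot be compared with the long path recorded on the FOLDER line without expanding it, which on a live case you would do from the directory listing rather than by guessing.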

Was yours on a clean install of Windows? (If so, it could be the OS version itself that has resulted in the differing install; the test box is XP Pro SP3.) If not, was MsgPlus already installed? (An uninstall beforehand wouldn't have completely removed all traces of it.)

/edit

Installation has finally finished btw, so I'll get the video and CaptureBAT log uploaded.


I'm still downloading the screencast from the post above, but I have a theory on what might be happening based on http://forums.malwarebytes.org/index.php?a...st&id=37215

Like someone commented before, that log file contains many references to Messenger Plus! 3.x, an old version. But I don't doubt you were indeed running the installer of the most recent version (4.85.386), because I also see references to MsgPlusLive-485.exe.

You mention you use a clean Windows XP system. Here is what I think is happening: Messenger Plus! is an add-on for Windows Live Messenger. When you open MsgPlusLive-485.exe on your clean XP system it will detect you don't have any compatible version of Windows Live Messenger installed. But XP does come with an older version of Windows Messenger. Messenger Plus! dropped support for the old Windows Messengers some years ago, but as a service to the user it offers you to download and install the last version of Messenger Plus! which did support Windows Messenger. As a result MsgPlusLive-485.exe will offer you to download Messenger Plus! 3.63.148 (http://www.msgpluslive.net/download/old/). This old version of Messenger Plus! does indeed come with a fairly aggressive (optional) adware package.

If this is indeed what is happening (still downloading the screencast) I think both sides are correct here:

* Messenger Plus! Live 4.85.386 itself is not bundled with CiD/Swizzor/Lop or anything alike. Messenger Plus! stopped bundling this package some versions ago as Nathalie pointed out.

* However, you are correct in stating running MsgPlusLive-485.exe in some specific situations could eventually lead to CiD being installed, although technically this happens through downloading an older version (3.63.148) in the background.

* Many users who are confused as to why the new versions of Messenger Plus! are being classified as CiDHelp by NOD32 (and the site blocked by MalwareBytes) would probably not have run into the situation you describe, as they either have:
  1. A system with Windows Live Messenger installed, where Plus! 4.85.386 would install without CiD being installed.
  2. A clean Vista or Windows 7 system where Windows Messenger is not installed, so Plus! again won't offer to install Messenger Plus! 3.63.148.

* Yuna is still distributing the old Messenger Plus! 3.63.148 version on their own site (http://www.msgpluslive.net/download/old/). Seeing as this thread is about Malwarebytes blocking the site (not the new installer) for distributing CiD I believe Malwarebytes is correct here.

* On the other side Yuna is still correct on not bundling any recent version of Messenger Plus! with the CiD package.

I think it would be relatively easy for Yuna to come clean completely of CiD so MalwareBytes and NOD32 can stop classifying new Plus! versions as a threat:

* Yuna should stop offering http://www.msgpluslive.net/download/old/ on their site.

* The current version of Messenger Plus! should be updated so it won't offer to download any old Plus! version if no compatible Live Messenger is detected.

* Additionally any historic references to the CiD package should be removed from the current Plus! version (for example http://rnd.menthix.net/mpl_screens/circle-...ve-sponsor.png)

* Any old versions of Messenger Plus! should be removed from Yuna's servers.

* Once this is done I believe there should be no reason to classify Messenger Plus! as any threat anymore.

