Nathalieyuna

66.220.17.126


Re: Support ticket #84716

Your email directed me to this forum. Please let me know why our safe site has shown up as a false positive by your software.

Thanks in advance!

Nathalie

Community Liaison

Yuna Software


This is not an F/P I'm afraid, this IP is blocked because it's housing a site that's known to distribute badware.


Hi Steven,

Thanks for your reply. I'd appreciate more details as to what research indicates that this respectable site and the freeware it promotes, Messenger Plus! Live distributes badware. When you download the software from this (official) site, you will have no annoyance factors or viruses. You are welcome to send me any logs or documentation offline as well via the email address I supplied in my original support ticket #84716. Thanks!

Nathalie

Community Liaison, Yuna Software

official representative for Messenger Plus! Live


I'll get the details put into a report for you, and send it over.


I believe it is marked as badware because the installer is known to install adware (in the sponsor software) as a default setting (but you can uncheck it). I have experienced it myself.


Due to my normal machine going down, I've had to waste time migrating to a new one, so the report has been delayed. It should be ready within 24 hours.

My apologies for the delay.

@BrainyTehBrain,

It is indeed due to the "sponsor software" (myself and several others (aka Sandi at SpywareSucks) have documented this many times over the years).


Report is finished, and infections identified include;

Adware.Agent, Trojan.Swizzor and Adware.LOP


Interesting findings.

The sponsor program in the software was removed months ago. Therefore, the current freeware is virus free and ad-free, and the last few versions shouldn't be identified as badware. The install instructions are transparent to the user. They have the choice of whether or not to install a toolbar when downloading the software. You can download the latest version (4.85) and see for yourself.

Will you be sending me a more detailed report to my email so that we can see why this is still being diagnosed seemingly incorrectly?

Thanks!


I'll be sending you the detailed report once finished, yes. As far as the latest version - I downloaded the file from your website so unless you're linking to the old version, it was the latest version that was tested (and I notice, whilst you say "months ago", 4.85 was only released on: July 19th 2010 ..... , interesting, given I downloaded 4.84 on July 22nd, from the same page, using the same download link).


Well well, I'm running 4.85's installer now, and guess what's still there ......


Do you want to change your story? Attached is a quick TUN log for 4.85, as downloaded from the following at 22:50 GMT London

http://mirror3.msgpluslive.net/MsgPlusLive-485.exe

And guess what's still coming with it ......... (seems we're not as daft as you'd like us to be).

MsgPlusLive_485.exe.txt


Thanks for your reply.

The sponsorship program was removed as early as January 15, 2010. All versions since then (including the latest version, 4.85) have not contained anything that could be considered adware or something similar. Part of the log you sent contains a reference to Messenger Plus 3, a very old version. Before generating a new report, please make sure all previous said versions are removed from the computer. You'll find that the latest versions are transparent and malware free.

Please feel free to share your findings once again.


Interesting response, given it's YOUR installer (4.84 and 4.85) that's downloading and installing MessengerPlus. Can I suggest you download and install it yourself?


Hey,

I'm a Malwarebytes' Anti-Malware and Messenger Plus! Live user.

Was a bit surprised when I found MAM to be blocking msgpluslive.net. So being in the middle, I'll try and help out...

Plus!'s previous optional sponsor was adware known as LOP, as detected by MysteryFCM's report.

However the sponsor has now been changed to Conduit toolbar, which a Google search tells me is certified as a 'Safe Download' by TRUSTe.

http://www.truste.org/pvr.php?page=validat...&sealid=112

http://clicktoverify.truste.com/pvr.php?pa...&sealid=101

http://www.conduit.com/Benefits/Trust-Conduit.aspx

CNET also wrote an article about it.

A VirusTotal report shows me that only 1 out of 42 anti-virus programs detects anything, which I believe is a false positive.

The sponsor can easily be unchecked on the installer, as seen here:

p6uTJ.png

So I hope you'll consider unblocking their website. :rolleyes:

Chris


I've already read the claim of its being the previous sponsor, and am not buying it.

Why is this you ask? Simple - the file I downloaded, downloaded the MsgPlus installer itself, then progressed to install the crapware. I can do a video of this in action if you guys don't believe me? This was NOT an old installer that was being used.

/edit

Doing a video of this in action now, so you can see for yourself ... will post when done


I don't understand. Are you saying you're being offered the LOP adware when installing Messenger Plus! Live?

Every link I've tried it downloads the Plus! installer with the Conduit toolbar I described above.


1. Go to msgpluslive.net

2. Click the Download button

3. Run installer

4. Select the sponsor option

You can use either CaptureBAT, Wireshark or Total Uninstall, to monitor the installation and confirm the installation of Swizzor

/edit

Installer is still running btw (over an hour since it was started), which is why the video hasn't been posted yet (slowness is likely due to a mixture of the machine's specs, and the monitoring software (CamStudio + CaptureBAT) running, though the MsgPlus installer has always been horribly slow whenever I've tested it)


I don't understand why you're going by what 3 relatively unknown programs are telling you?

The forum members are trying to figure out why the 1 anti-virus program (NOD32) is confusingly still detecting it as a Swizzor, which you can read about here.

The 3 programs you mention could also be questioned. I just sent a message to Total Uninstall about it.

If it were me I'd go by what 43/44 anti-virus companies say - agreeing the installer is safe (as well as Malwarebytes itself).


You seem to be under the assumption that I'm basing my analysis on what AVs are telling me - I'm not, I've got eyes of my own.

CaptureBAT is a monitoring program, nothing more nothing less

Total Uninstall is a monitoring program, nothing more nothing less

Wireshark is a monitoring program, nothing more nothing less

None of the 3 programs are "relatively unknown" btw - they're very well known.

Follow the steps I outlined above on a clean install of Windows, or a machine without MsgPlus installed, and you'll see these results as well.

NOD (amongst the other vendors I sent the details to) is detecting it as Swizzor because that's what it is. I've already read the thread over there, and they're under the assumption that either ESET's monitoring gear is buggered, or they're using an old installer - neither of these are true. The monitoring/analysis gear is just fine, and it's a brand new installer that they're using, downloaded from the URL I posted in a previous reply (by clicking the download button on msgpluslive.net).

FYI: Malwarebytes may not flag the installer, but it does flag the crapware that's installed.
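
The check argued over in this thread (what an installer leaves on disk, as opposed to what scanners say about the installer file itself) can be reproduced with a before/after file snapshot. This is an added example, not part of any post and not a description of how CaptureBAT, Wireshark or Total Uninstall work internally; the directory layout and file names are constructed, and no real installer is run.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = None  # locked or unreadable file: record presence only
            state[os.path.relpath(full, root)] = digest
    return state

def diff(before, after):
    """Return files added, removed and modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }

def demo():
    """Constructed stand-in for an install on a clean machine."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "Program Files", "App")
        os.makedirs(app_dir)
        cfg = os.path.join(app_dir, "settings.ini")
        with open(cfg, "w") as fh:
            fh.write("homepage=default\n")
        before = snapshot(root)  # take this before starting the installer
        # Simulated install: the expected program plus a bundled extra.
        with open(os.path.join(app_dir, "app.exe"), "wb") as fh:
            fh.write(b"constructed main program")
        extra_dir = os.path.join(root, "Program Files", "Sponsor")
        os.makedirs(extra_dir)
        with open(os.path.join(extra_dir, "bar.dll"), "wb") as fh:
            fh.write(b"constructed bundled component")
        with open(cfg, "w") as fh:
            fh.write("homepage=changed\n")
        return diff(before, snapshot(root))  # and this after it exits

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A file-only diff like this misses registry and network activity, so it complements rather than replaces a packet capture; the files it lists as added are what should be scanned, since a small downloader stub can scan clean while the components it fetches do not.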

Follow the steps I outlined above on a clean install of Windows, or a machine without MsgPlus installed, and you'll see these results as well.
NOD (amongst the other vendors I sent the details to) is detecting it as Swizzor because that's what it is.

I understand they're detecting it - what I don't understand is why they're detecting it.

The Conduit sponsor is just a toolbar, right? - So why would they classify it as a Swizzor trojan?

According to F-Secure, a Swizzor trojan is:

a LOP.COM-related plugin that acts as spyware/adware and provides customized search capabilities. The download and installation occurs without a notification to the user and without the user's approval.

I'm pretty sure in the t&c of the sponsor it will say what exactly it does (i.e. add a toolbar and customized search capabilities). So forgive me if I'm wrong, but how is anything done "without the user's approval" to class it as a Swizzor trojan?


@MysteryFCM

I love it. You tell 'em Steven. BTW; Remind me to never get on the wrong side of a discussion with you. :rolleyes:

Sock it to them!

~Shy

Sidenote: I'm taking bets on MysteryFCM's version being correct and offering 10-1 odds. Any takers?


It's NOT Conduit that it's installing. PLEASE follow the steps I outlined above before replying to anything else as I'm 99.9% confident you've not actually done so (else you wouldn't be arguing with me).

@MysteryFCM

I love it. You tell 'em Steven. BTW; Remind me to never get on the wrong side of a discussion with you. :rolleyes:

Sock it to them!

~Shy

Sidenote: I'm taking bets on MysteryFCM's version being correct and offering 10-1 odds. Any takers?

:lol:

