Nathalieyuna

66.220.17.126
It's NOT Conduit that it's installing. PLEASE follow the steps I outlined above before replying to anything else as I'm 99.9% confident you've not actually done so (else you wouldn't be arguing with me).

It's very hard to make out what you're trying to say, MysteryFCM - which is why I'm asking so many questions (not arguing) to understand.

You didn't say until now that Plus! is installing something OTHER than the sponsor, hence why I didn't think I needed to run the monitoring program. You said in post #7 "it is indeed due to the 'sponsor software'" so please be clearer.

I'll now run the monitoring program and see if I can see what you believe to be a Swizzor trojan...

In the meantime, is there anything you can point out from your log in post #12 which you believe to be the Swizzor trojan? If so, it can then be passed on to the developers for review/removal.


(+)(FOLDER) C:\Documents and Settings\All Users.WINDOWS\Application Data\scr style mp3 glue
(+)(FILE) Amen Soap.exe = 23:47 26/07/10 765952 bytes
(+)(FILE) Amen Soap.dat = 23:47 26/07/10 3596988 bytes

(+)(FOLDER) C:\Documents and Settings\Steven\Application Data\forkprogrampeak
(+)(FILE) Start Ace Test.exe = 23:46 26/07/10 356352 bytes
(+)(FILE) slow mess.exe = 23:45 26/07/10 524288 bytes
(+)(FILE) ermuwcrw.exe = 23:45 26/07/10 765952 bytes
(+)(FILE) 1 rect ref build.exe = 23:45 26/07/10 269312 bytes
(+)(FILE) 0 = 23:46 26/07/10 1060 bytes

(FOLDER) C:\Documents and Settings\Steven\Local Settings\Temp
(+)(FILE) bis4.exe = 23:45 26/07/10 524288 bytes

(+)(FOLDER) C:\Program Files\Adverts
(+)(FILE) uninst.exe = 23:45 26/07/10 408576 bytes
(+)(FOLDER) C:\Program Files\forkprogrampeak

(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(+)(REG VAL) mp3 glue close defy = 'C:\Documents and Settings\All Users.WINDOWS\Application Data\scr style mp3 glue\Amen Soap.exe'

(REG KEY) HKEY_USERS\S-1-5-21-796845957-813497703-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run
(+)(REG VAL) Grid Atom = 'C:\DOCUME~1\Steven\APPLIC~1\FORKPR~1\slow mess.exe'

(+)(REG KEY) HKEY_CURRENT_USER\Software\store trust amok
(+)(REG VAL) Internet Platform = ...w....X.@..H:.2...k..._H8...U...H........;(t.."\Q..1.... \....B)..F..$gg.S.......]..[...................F....z8...O.%e....4u,..-..M.......'1Y(......H.....\..;M...M2u..]....v...2.q..+v..$ag.S.......\..9................... ........xo..D....n"s..z.........._H<...9...o.....]..;(p.."0:..1i...B5....B)..F..K...S.......\..[...................w.....]..x .D...../}-..*S.....m..._H<...Q...8...R:...;(p.."XU..A....G5....B)..F..$gg.<{......\.._...................F....r8..g9..J....5.F..H>.6.......;=Q...U...H.6...\..;\.m.".o..~....:...K..z.gw..m);..X.....B........@..............F....s8...O.Vd....X.@..H:.5...}...g-.r..6...x.=...^..;,t..&\U..X....D0....B)..F..Q...S.......\..[...................F....w8..a=.U......;@..H:.6.......*H. ..e...H.....]..?(t..K/<..T....D6....B)..F..\.g.S.....v
(+)(REG KEY) HKEY_CURRENT_USER\Software\store trust amok\Gpl Four

.... etc etc etc .....

What I'm trying to say is simple: I downloaded 4.84, then 4.85 (both from msgpluslive.net), and both installers subsequently downloaded the MsgPlus installer that then installed Swizzor.
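An added triage helper for the monitoring log quoted in this post. This is my own Python, not part of the thread, of CaptureBAT, or of any Malwarebytes or Yuna tooling: it parses the `(+)(FOLDER)` / `(+)(FILE)` / `(REG KEY)` / `(+)(REG VAL)` line format shown above, resolves FILE lines against their preceding FOLDER line and REG VAL lines against their preceding REG KEY line, and then reports the one pattern a responder wants to see at a glance: newly dropped executables that were also registered under a `CurrentVersion\Run` autostart key. The sample input is copied from the log above (with the binary `Internet Platform` value shortened); the executable-extension list and the "user-writable directory" hints are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input copied from the log posted above (the binary data of the
# "Internet Platform" value is shortened here). "(+)" marks an added item;
# FILE lines belong to the most recent FOLDER line, REG VAL lines to the
# most recent REG KEY line.
SAMPLE_LOG = r"""
(+)(FOLDER) C:\Documents and Settings\All Users.WINDOWS\Application Data\scr style mp3 glue
(+)(FILE) Amen Soap.exe = 23:47 26/07/10 765952 bytes
(+)(FILE) Amen Soap.dat = 23:47 26/07/10 3596988 bytes

(+)(FOLDER) C:\Documents and Settings\Steven\Application Data\forkprogrampeak
(+)(FILE) Start Ace Test.exe = 23:46 26/07/10 356352 bytes
(+)(FILE) slow mess.exe = 23:45 26/07/10 524288 bytes
(+)(FILE) ermuwcrw.exe = 23:45 26/07/10 765952 bytes
(+)(FILE) 1 rect ref build.exe = 23:45 26/07/10 269312 bytes
(+)(FILE) 0 = 23:46 26/07/10 1060 bytes

(FOLDER) C:\Documents and Settings\Steven\Local Settings\Temp
(+)(FILE) bis4.exe = 23:45 26/07/10 524288 bytes

(+)(FOLDER) C:\Program Files\Adverts
(+)(FILE) uninst.exe = 23:45 26/07/10 408576 bytes
(+)(FOLDER) C:\Program Files\forkprogrampeak

(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(+)(REG VAL) mp3 glue close defy = 'C:\Documents and Settings\All Users.WINDOWS\Application Data\scr style mp3 glue\Amen Soap.exe'

(REG KEY) HKEY_USERS\S-1-5-21-796845957-813497703-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run
(+)(REG VAL) Grid Atom = 'C:\DOCUME~1\Steven\APPLIC~1\FORKPR~1\slow mess.exe'

(+)(REG KEY) HKEY_CURRENT_USER\Software\store trust amok
(+)(REG VAL) Internet Platform = ...w....X.@..H:.2...k...
(+)(REG KEY) HKEY_CURRENT_USER\Software\store trust amok\Gpl Four
"""

LINE_RE = re.compile(r"^(?P<added>\(\+\))?\((?P<kind>FOLDER|FILE|REG KEY|REG VAL)\) (?P<rest>.+)$")
FILE_RE = re.compile(r"^(?P<name>.+?) = (?P<time>\d\d:\d\d) (?P<date>\d\d/\d\d/\d\d) (?P<size>\d+) bytes$")
VAL_RE = re.compile(r"^(?P<name>.+?) = (?P<data>.*)$")

# Assumed heuristics (mine, not from the log): what counts as an executable,
# and directory fragments (long and 8.3 short form) a non-admin user can write to.
EXEC_EXT = (".exe", ".dll", ".scr", ".com")
RUN_KEY_SUFFIX = "\\microsoft\\windows\\currentversion\\run"
USER_WRITABLE_HINTS = ("\\application data\\", "\\applic~1\\",
                       "\\local settings\\temp\\", "\\locals~1\\temp\\")


@dataclass
class Entry:
    kind: str          # FOLDER, FILE, REG KEY or REG VAL
    added: bool        # True when the line carried the "(+)" marker
    path: str          # full file path, or registry key path for REG KEY / REG VAL
    name: str = ""     # value name (REG VAL only)
    data: str = ""     # value data with surrounding quotes removed (REG VAL only)
    size: int = 0      # file size in bytes (FILE only)


def parse_log(text: str) -> List[Entry]:
    """Turn the diff-style log into entries with fully resolved paths/keys."""
    entries: List[Entry] = []
    cur_dir: Optional[str] = None
    cur_key: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and anything we do not understand
        added, kind, rest = m.group("added") is not None, m.group("kind"), m.group("rest")
        if kind == "FOLDER":
            cur_dir = rest
            entries.append(Entry(kind, added, rest))
        elif kind == "FILE" and cur_dir is not None:
            fm = FILE_RE.match(rest)
            if fm:
                entries.append(Entry(kind, added, cur_dir + "\\" + fm.group("name"),
                                     size=int(fm.group("size"))))
        elif kind == "REG KEY":
            cur_key = rest
            entries.append(Entry(kind, added, rest))
        elif kind == "REG VAL" and cur_key is not None:
            vm = VAL_RE.match(rest)
            if vm:
                entries.append(Entry(kind, added, cur_key, name=vm.group("name"),
                                     data=vm.group("data").strip("'")))
    return entries


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    return any(h in path.lower() for h in USER_WRITABLE_HINTS)


def added_executables(entries: List[Entry]) -> List[str]:
    return [e.path for e in entries
            if e.kind == "FILE" and e.added and e.path.lower().endswith(EXEC_EXT)]


def autostart_values(entries: List[Entry]) -> List[Entry]:
    """Newly added values under any ...\\CurrentVersion\\Run key (HKLM, HKCU or HKU\\<SID>)."""
    return [e for e in entries
            if e.kind == "REG VAL" and e.added and e.path.lower().endswith(RUN_KEY_SUFFIX)]


def persisted_new_executables(entries: List[Entry]) -> List[Dict[str, object]]:
    """Autostart values whose target is an executable dropped in the same run.
    Matching is on the file name only, because a Run value may use an 8.3 short path
    (APPLIC~1) while the FILE line shows the long path."""
    dropped = {_basename(p): p for p in added_executables(entries)}
    hits: List[Dict[str, object]] = []
    for v in autostart_values(entries):
        target = _basename(v.data)
        if target in dropped:
            hits.append({"key": v.path, "value": v.name, "target": v.data,
                         "dropped_as": dropped[target],
                         "user_writable": in_user_writable_dir(dropped[target])})
    return hits


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print(f"{len(ents)} entries, {len(added_executables(ents))} new executables")
    for h in persisted_new_executables(ents):
        where = " (user-writable dir)" if h["user_writable"] else ""
        print(f"autostart {h['value']!r} under {h['key']} -> {h['target']}{where}")
```

Run against the sample, both Run values resolve to executables written moments earlier into per-user profile directories, which is the combination that makes a log like this worth escalating regardless of which product name the scanner attaches to it.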


Ok thank you - glad we got there in the end.

What's interesting is that I don't have anything like that in my log (attached below).

I'll try to uninstall/install again and test with other users/computers to attempt to reproduce it.

In the meantime I'll email your log to Nathalie to pass on to the developers.

Thanks again.

MsgPlusLive_485.pdf


Was yours on a clean install of Windows? If so, it could be the OS version itself that's resulted in the differing install (test box is XP Pro SP3). If not, was MsgPlus already installed? (An uninstall beforehand wouldn't have completely removed all traces of it.)

/edit

Installation has finally finished btw, so I'll get the video and CaptureBAT log uploaded.


I'm still downloading the screencast from the post above, but I have a theory on what might be happening based on http://forums.malwarebytes.org/index.php?a...st&id=37215

Like someone commented before, that log file contains many references to Messenger Plus! 3.x, an old version. But I don't doubt you were indeed running the installer of the most recent version (4.85.386), because I also see references to MsgPlusLive-485.exe.

You mention you use a clean Windows XP system. Here is what I think is happening: Messenger Plus! is an add-on for Windows Live Messenger. When you open MsgPlusLive-485.exe on your clean XP system it will detect you don't have any compatible version of Windows Live Messenger installed. But XP does come with an older version of Windows Messenger. Messenger Plus! dropped support for the old Windows Messengers some years ago, but as a service to the user it offers to download and install the last version of Messenger Plus! which did support Windows Messenger. As a result MsgPlusLive-485.exe will offer to download Messenger Plus! 3.63.148 (http://www.msgpluslive.net/download/old/). This old version of Messenger Plus! does indeed come with a fairly aggressive (optional) adware package.

If this is indeed what is happening (still downloading the screencast) I think both sides are correct here:

* Messenger Plus! Live 4.85.386 itself is not bundled with CiD/Swizzor/Lop or anything alike. Messenger Plus! stopped bundling this package some versions ago as Nathalie pointed out.

* However, you are correct in stating that running MsgPlusLive-485.exe in some specific situations could eventually lead to CiD being installed, although technically this happens through downloading an older version (3.63.148) in the background.

* Many users who are confused as to why the new versions of Messenger Plus! are being classified as CiDHelp by NOD32 (and the site blocked by MalwareBytes) would probably not have run into the situation you describe, as they either: 1. have a system with Windows Live Messenger installed, so Plus! 4.85.386 installs on their system without CiD being installed; or 2. are using a clean Vista or Windows 7 system where Windows Messenger is not installed, so Plus! again won't offer to install Messenger Plus! 3.63.148.

* Yuna is still distributing the old Messenger Plus! 3.63.148 version on their own site (http://www.msgpluslive.net/download/old/). Seeing as this thread is about Malwarebytes blocking the site (not the new installer) for distributing CiD I believe Malwarebytes is correct here.

* On the other side Yuna is still correct on not bundling any recent version of Messenger Plus! with the CiD package.

I think it would be relatively easy for Yuna to come clean completely of CiD so MalwareBytes and NOD32 can stop classifying new Plus! versions as a threat:

* Yuna should stop offering http://www.msgpluslive.net/download/old/ on their site.

* The current version of Messenger Plus! should be updated so it won't offer to download any old Plus! version if no compatible Live Messenger is detected.

* Additionally any historic references to the CiD package should be removed from the current Plus! version (for example http://rnd.menthix.net/mpl_screens/circle-...ve-sponsor.png)

* Any old versions of Messenger Plus! should be removed from Yuna's servers.

* Once this is done I believe there should be no reason to classify Messenger Plus! as any threat anymore.


The file is uploaded now (apologies for taking so long to reply, just got back in).

Cheers for dropping by with some rationale :rolleyes:

The file is uploaded now (apologies for taking so long to reply, just got back in).

The screencast confirms the theory from my last post:

  • 02:00: Messenger Plus! 4.85.386 detects you don't have any compatible Windows Live Messenger version installed, but you do have an old Windows Messenger version installed. As a result Plus! offers you to download the old (3.63.148) version which is compatible with your configuration.
  • 02:05: Messenger Plus! 3.63.148 starts being downloaded.
  • 03:25: The Messenger Plus! 3.63.148 installer launches; this is a separate installer (it can also be downloaded directly from http://www.msgpluslive.net/download/old/). Anything that happens past this point is not caused by the current Plus! version.
  • 54:58: The old Messenger Plus! installer is finally loaded, as you can see it says 3.63.148 in the bottom-left.
  • 55:08: You select to install the sponsor package, which is CiD. (BTW, you could have selected the other option to not have any sponsor package at all.)
  • 55:32: The sponsor program license agreement which explains what the CiD package does is shown which the user needs to agree to before he can continue.
  • 03:25:10: Windows Messenger is launched. Having this installed was the reason why you were offered to install the old Plus! version instead of the current version without CiD.
  • 03:36:46: Recorder.exe is taking up almost all CPU resources. This is probably why it is taking so incredibly long. Under normal circumstances even on relatively slow systems inside a VM it never really takes more than 5 minutes to complete the installation.

So:

  • No, MsgPlusLive-485.exe itself does not contain or install anything related to CiD or Swizzor. The same thing goes for every recent Messenger Plus! version released since February this year.
  • However, in an unusual situation the current Plus! versions will offer you to download an older version (the 3.63.148 installer was digitally signed July 2008). This version is bundled with CiD (sometimes identified as Swizzor).
  • Since MalwareBytes is blocking the site (not the installer file) for distribution of CiD I would say that is correct, because the site does indeed still offer http://www.msgpluslive.net/download/old/, even though only a tiny portion of the users download this version as opposed to the current version.
  • Eset NOD32 on the other hand is not correct in classifying the current installer file itself as badware. If anything they should have labeled just the 3.x Messenger Plus! installers as badware.
  • But because Yuna is already moving away from CiD I would say they either stop offering the old Messenger Plus! version, or remove the CiD package from this old version. See http://forums.malwarebytes.org/index.php?s...st&p=295857. If that would be done I don't see any reason for MalwareBytes and NOD32 (and any other badware scanner for that matter) to continue classifying Messenger Plus! as a threat. MysteryFCM, do you agree?


Pretty much, yes (I don't do VM's btw :)).

I know I could've selected the other option btw, but the point was to show Swizzor's installation :).


(sarcasm alert) Nice to know the users are mature ......;

http://www.msghelp.net/showthread.php?tid=95106&pid=998871#pid998871

"A**ehole" and "idiot" ?? .....


Welcome to the internet, there are trolls everywhere nowadays. You can't judge the community by reading a few comments from a couple of members :)

Seriously though, and take this as nice advice, upgrade your system if you're going to be doing tests like these. Also, it's quite funny that you do such tests but fail to use proper and secure codecs for your videos: http://en.wikipedia.org/wiki/Indeo#Security_advisory

Also, it's funny that you tried to install Messenger Plus! without even installing Messenger first. What's the point of having an add-on for Messenger when you don't have Messenger? No one would do that. You should try to recreate a real situation, and that means installing Windows Live Messenger AT LEAST. I doubt the quality of any of your testings now, thanks to your video.

Btw: "03:36:46: Recorder.exe is taking up almost all CPU resources. This is probably why it is taking so incredibly long. Under normal circumstances even on relatively slow systems inside a VM it never really takes more than 5 minutes to complete the installation." << The fact that you didn't realize about that and blamed the slow installation on Plus! itself makes me think that you don't really know what you are doing.

And what menthix said.

Regards.

Welcome to the internet, there are trolls everywhere nowadays. You can't judge the community by reading a few comments from a couple of members :)

I wasn't judging the community.

Seriously though, and take this as nice advice, upgrade your system if you're going to be doing tests like these.

My test system is just fine thank you.

Also, it's quite funny that you do such tests but fail to use proper and secure codecs for your videos: http://en.wikipedia.org/wiki/Indeo#Security_advisory

It's one of the codecs that comes with CamStudio :)

Also, it's funny that you tried to install Messenger Plus! without even installing Messenger first. What's the point of having an add-on for Messenger when you don't have Messenger? No one would do that. You should try to recreate a real situation, and that means installing Windows Live Messenger AT LEAST.

Once again, the only point of the test was to show that MsgPlus installed Swizzor. The reasons it did so, and the situations in which it did so, were and continue to be irrelevant. It wasn't a test of the program itself, nor was it ever intended to be, hence not installing the latest WLM prior to testing.

I doubt the quality of any of your testings now, thanks to your video.

Your choice.

Btw: "03:36:46: Recorder.exe is taking up almost all CPU resources. This is probably why it is taking so incredibly long. Under normal circumstances even on relatively slow systems inside a VM it never really takes more than 5 minutes to complete the installation." << The fact that you didn't realize about that and blamed the slow installation on Plus! itself makes me think that you don't really know what you are doing.

It actually had nothing to do with Recorder.exe, it still took a while even without the recording software running. All recorder.exe did was make slow turn slower.

I wasn't judging the community.

My test system is just fine thank you.

It's one of the codecs that comes with CamStudio :)

Once again, the only point of the test was to show that MsgPlus installed Swizzor. The reasons it did so, and the situations in which it did so, were and continue to be irrelevant. It wasn't a test of the program itself, nor was it ever intended to be, hence not installing the latest WLM prior to testing.

Your choice.

It actually had nothing to do with Recorder.exe, it still took a while even without the recording software running. All recorder.exe did was make slow turn slower.

Yet again, are you blind enough not to see that the fact that it took you "over an hour" to install was your own fault? I've been using the program since 2003 and I've never had problems installing it. 2 minutes tops. 1 hour? Who are you kidding?

And then you don't expect people to think you're an idiot and an censored. Again, update your system (or upgrade your hardware, because it seems to me that you're still on a 486 machine :)).


Oh and the fact that it was "one of the codecs that came with camstudio" doesn't mean that you can't use a proper one. Do you know anything about something called "a configurations panel"? Again, it's an insecure codec, and you should know it considering that's part of what you do here.

Sorry for the double post, but there's no edit button :)

Yet again, are you blind enough not to see that the fact that it took you "over an hour" to install was your own fault? I've been using the program since 2003 and I've never had problems installing it. 2 minutes tops. 1 hour? Who are you kidding?

And then you don't expect people to think you're an idiot and an asshole. Again, update your system (or upgrade your hardware, because it seems to me that you're still on a 486 machine :)).

Am I aware that I could've used a much faster system with more resources? Yes, but I don't have a much faster test machine at present. As for "Again, update your system": not everyone has an endless supply of funds available to do so; some of us have family and bills, but thanks for playing.

Oh and the fact that it was "one of the codecs that came with camstudio" doesn't mean that you can't use a proper one. Do you know anything about something called "a configurations panel"? Again, it's an insecure codec, and you should know it considering that's part of what you do here.

I am aware of that, and had it been for anything else, I'd have used one of the other codecs, but as they produce a much larger file, and this being a large file to begin with, I opted for the one that produced the smallest file. However, as it's completely unrelated to the topic at hand, it's irrelevant.


I have bills too, and I have a crap computer too, so we have a lot in common (lol?). The thing is that I don't use this crap computer for testing purposes, and you shouldn't either, especially if you're gonna talk about the speed of the installer. What kind of tester are you if you don't have the proper machine to do proper testing?

I just installed the latest version of Messenger Plus! Live to see how much time it takes me. It took me no more than 2 minutes. I have 768mb of ram, an Athlon XP processor (2.6gh). I bet you have a better system than mine (but still crap enough to prevent you from doing proper testing). I'm guessing your computer is full of malware, especially seeing that a Windows Update popup keeps asking you to restart every few minutes. I seriously can't believe you don't use a totally upgraded version of Windows to do the testing, how unprofessional of you.

Regards


The whole codecs thing is not irrelevant, because it goes to show how little you care about security, even though you're supposed to care.

There were like 5 minutes of useful recording in that 3-hour video. You could've used a proper codec and cut the unnecessary parts of the video out of it instead (saving us a lot of time too, btw).


Alas, once again, the only purpose of the test was to show the presence of Swizzor. It wasn't about the program, nor was it about the speed of the installer, so this part of the discussion is OT and thus irrelevant.

As for the popup, that was actually due to Windows Updates having just been installed and the machine not having been rebooted (and before you start, WU is completely irrelevant in this case; it was solely about the presence of Swizzor), but again, that's irrelevant.

Can we get back to the topic at hand now?

The whole codecs thing is not irrelevant, because it goes to show how little you care about security, even though you're supposed to care.

There were like 5 minutes of useful recording in that 3-hour video. You could've used a proper codec and cut the unnecessary parts of the video out of it instead (saving us a lot of time too, btw).

I could've edited the video to cut the "unnecessary parts", yes, but then I'd have been accused of editing it to hide something, so I didn't cut or edit anything.

As for my not caring, you're entitled to your opinion. Thankfully, those that know me, know me better. And once again, this is completely unrelated to the topic at hand, so this part of the discussion is over.


Messenger Plus! 4.85 was re-released yesterday.

http://www.msgpluslive.net/download/ - http://mirror10.msgpluslive.net/20100808/T...lusLive-485.exe

This version will not offer to download the older version anymore. In addition, the installer of the old version is removed from the server and http://www.msgpluslive.net/download/old/ has been modified accordingly.

MysteryFCM: Can you re-check and see if there is still a reason for MalwareBytes to continue blocking the site? Apparently NOD32 started blocking download.msgpluslive.net a few days ago; it should be fine for them to stop blocking too.


I'll get it re-tested, thanks for letting me know (any reason I'm not seeing a mention of this on the website or forums btw?).


Correction: http://www.msgpluslive.net/download/old/ is being offered again, but without the CiD/Swizzor in it. This just happened between my last post and now.

I guess that may also be why there isn't any official mention on the website/forum about it. Looks like it is still being worked on. Although I don't know if there will even be a news post or anything about it when it is done since this affects so few users.


No problem, was just curious.
