eset nod32 blocked messenger plus 4.85 |
Author: |
Message: |
silent_07
New Member
Posts: 1
38 / /
Joined: Jul 2010
|
O.P. eset nod32 blocked messenger plus 4.85
eset nod32 blocked messenger plus 4.85
win32/adware.cidhelp
can you fix please next version?
This post was edited on 08-02-2010 at 02:54 PM by Patchou.
|
|
07-24-2010 05:34 PM |
|
|
Menthix
forum admin
Posts: 5537 Reputation: 102
40 / /
Joined: Mar 2002
|
RE: eset nod32 blocked messenger plus 3.85
I had the same here.
Odd, because NOD never really had a problem with older versions before, while cidhelp refers to Circle Development, which was something used in older versions, not in this one.
Contacted NOD earlier today, hopefully they'll fix it.
|
|
07-24-2010 06:36 PM |
|
|
Hank
Banned
Posts: 3129 Reputation: 5
– / – /
Joined: Nov 2003
Status: Away
|
RE: eset nod32 blocked messenger plus 3.85
quote: Originally posted by Menthix
I had the same here.
Odd, because NOD never really had a problem with older versions before, while cidhelp refers to Circle Development, which was something used in older versions, not in this one.
Contacted NOD earlier today, hopefully they'll fix it.
Looks like NOD have a few more to fix; they can't even support Thunderbird 3.1, and how long has it been out? The (Eset Smart Security Extension) does not work.
|
|
07-25-2010 12:08 AM |
|
|
Kafman
Full Member
Posts: 376 Reputation: 24
36 / /
Joined: Feb 2004
|
RE: eset nod32 blocked messenger plus 3.85
quote: Originally posted by Menthix
I had the same here.
Confirmed in the Spanish forums with two users who had NOD32 as well as ESET Smart Security.
Looks like ESET added the sponsor as malware to their signatures.
|
|
07-25-2010 06:04 AM |
|
|
Menthix
forum admin
Posts: 5537 Reputation: 102
40 / /
Joined: Mar 2002
|
|
07-25-2010 09:20 AM |
|
|
Kafman
Full Member
Posts: 376 Reputation: 24
36 / /
Joined: Feb 2004
|
RE: eset nod32 blocked messenger plus 3.85
quote: Originally posted by Menthix
All Plus! dating back to version 4.50 seem to be blocked by NOD32 now.
Yeah, forgot to detail that; like you already said, it blocks all the CiD variants (which doesn't make any sense since it is the old sponsor...)
It doesn't make any sense that ESET blocks Conduit or Ask.com and classifies it as a CiD variant...
Here's the Spanish thread with two screenshots, from NOD32 as well as ESET Smart Security, which detect it as a CiD variant: http://foro.msgpluslive.es/showthread.php?tid=14574&page=2
|
|
07-25-2010 08:31 PM |
|
|
Patchou
Messenger Plus! Creator
Posts: 8607 Reputation: 201
43 / /
Joined: Apr 2002
|
RE: eset nod32 blocked messenger plus 3.85
As you can see, as time passes by, some AV programs don't get any smarter, quite the opposite...
|
|
07-27-2010 04:00 PM |
|
|
Menthix
forum admin
Posts: 5537 Reputation: 102
40 / /
Joined: Mar 2002
|
RE: eset nod32 blocked messenger plus 3.85
quote: Originally posted by Email conversation with ESET
This is one example of the dropped malware file:
http://www.virustotal.com/analisis/79bf7f8085018d...d57936d-1280301607
Only the vendor can solve it, it is not a false positive.
Regards,
Daniel Novomeský
Virus Researcher
ESET spol. s r.o.
> >--[<REMOVED>@<REMOVED>.com]---------------------
> > Hello,
> >
> > This sounds strange to me.
> >
> > I am a happy user of Messenger Plus!, I have it installed on several of
> > my systems and see no sign anywhere of the "Circle development" adware
> > or the Win32/TrojanDownloader.Swizzor you mention. Neither do friends
> > who have this software too and use other anti virus products without
> > getting a warning.
> >
> > I temporarily disabled NOD32 and installed the executable. I did a scan of
> > the entire system after installation but found nothing (except for the
> > installer itself), neither do I see any advertising appear.
> > On what indication/symptoms exactly do you base this threat
> > classification? For example, which files/registry keys or communication
> > with which hostnames/IPs to look for?
> >
> > You also mention "it" being identified as Win32/TrojanDownloader.Swizzor
> > and being classified as malware by almost all vendors. How/where would I
> > find this file so I can see this for myself? Because the file I sent you
> > is certainly not classified as malware by any vendor I know. Perhaps you
> > are referring to a file which is downloaded during execution, I would
> > like to see more details on it.
> >
> >
> > I'm not convinced yet about this not being a false positive.
> >
> >
> > Greetings,
> > Johan
> >
> >
> >
> >
> > samples@eset.sk wrote:
>> > >
>> > > Dear Johan Brune,
>> > >
>> > > Thank you for your submission.
>> > > I have run the attached executable and it resulted in installing the bad "Circle development" adware. It is identified as Win32/TrojanDownloader.Swizzor trojan. Almost all vendors classify it as malware. Swizzor malware caused a lot of problems worldwide.
>> > > The statement about no relation with the CiD is not in harmony with the truth.
>> > > Intentional spreading of malware is considered a criminal act in many countries and it is not wise to overlook it.
>> > >
>> > > Regards,
>> > >
>> > > Daniel Novomeský
>> > > Virus Researcher
>> > > ESET spol. s r.o.
>> > >
>>> > >> --[<REMOVED>@<REMOVED>.com]---------------------
>> > >
>>> > >> The attached file is *password protected*, password is: infected
>>> > >> The *extension of the file inside the .zip has been changed from .exe to
>>> > >> .bak* to bypass GMail's restrictions on attachment file types. Despite
>>> > >> password protecting the .zip GMail will see there was a .exe inside and
>>> > >> refuse to send it.
>>> > >> My customer number: EAV-01534435
>>> > >>
>>> > >> The file attached is a *false positive*.
>>> > >>
>>> > >> The official location to download this file is
>>> > >> http://www.msgpluslive.net/download/
>>> > >> (http://mirror3.msgpluslive.net/MsgPlusLive-485.exe).
>>> > >>
>>> > >> The file is the installer of the latest version (4.85.386 - 19/07/2010)
>>> > >> of a software called Messenger Plus! Live (http://www.msgpluslive.net/).
>>> > >> Older versions of Messenger Plus! did indeed bundle with an (optional)
>>> > >> adware sponsor package developed by Circle Development Ltd. However,
>>> > >> none of the recent versions of Messenger Plus! released over the past
>>> > >> months contain or download the CiD adware. The makers of Messenger Plus!
>>> > >> stopped using the CiD package completely and have no affiliation with
>>> > >> Circle Development Ltd.
>>> > >>
>>> > >> Messenger Plus! is created by Yuna Software Ltd.
>>> > >> http://www.yunasoftware.com/. Instead of the CiD adware Messenger Plus!
>>> > >> is bundled with either:
>>> > >>
>>> > >> * A community toolbar for the user's browser developed by Conduit
>>> > >> Ltd. (http://www.conduit.com/).
>>> > >> * Or the Ask.com search assistant which makes Ask.com the default
>>> > >> search engine in the user's browser.
>>> > >>
>>> > >> One of these two options is presented to the user during installation of
>>> > >> the Messenger Plus! software. Which of the two is presented to the user
>>> > >> depends on some factors like geographical location. In both cases the
>>> > >> installation of the sponsor package is optional and it is made clear to
>>> > >> the user what it does. Both Conduit and Ask are respected companies
>>> > >> which are not in the business of distributing adware, neither are they
>>> > >> in any way affiliated with Circle Development Ltd. which the CiDHelp
>>> > >> label refers to.
>>> > >>
>>> > >> None of the other antivirus companies I know detect this as a threat,
>>> > >> including the other recent versions which don't include CiDHelp either.
>>> > >> MsgPlusLive-485.exe :
>>> > >> http://www.virustotal.com/analisis/6231b9e65f4ea7...d78f4ee-1280051958
>>> > >> MsgPlusLive-484.exe:
>>> > >> http://www.virustotal.com/analisis/0792c2a0ac92a4...213b359-1280052125
>>> > >> MsgPlusLive-483.exe:
>>> > >> http://www.virustotal.com/analisis/c19739b132a269...4c42664-1280052289
>>> > >> MsgPlusLive-482.exe:
>>> > >> http://www.virustotal.com/analisis/9e22e81f66d4d0...372a78f-1280052360
>>> > >> MsgPlusLive-481.exe:
>>> > >> http://www.virustotal.com/analisis/ac93e570fed539...d9f5caf-1280052449
>>> > >>
>>> > >> Also see the thread about this in the Messenger Plus! support forum with
>>> > >> more information: http://shoutbox.menthix.net/showthread.php?tid=95106
>>> > >>
>>> > >>
>>> > >> I hope this issue can be solved quickly. Please contact me if more
>>> > >> details are needed.
>>> > >>
>>> > >> Greetings,
>>> > >> Johan Bruné
Frustrating as I can't find the file they refer to anywhere. Perhaps it is the old CiD uninstaller, but I submitted v3.85 which doesn't use that. Eset claims they see Win32/TrojanDownloader.Swizzor in v3.85. I'd like to see it with my own eyes but it doesn't look like they're going to help people with that.
|
|
07-28-2010 03:16 PM |
|
|
Lou
Veteran Member
Posts: 2475 Reputation: 43
– / /
Joined: Aug 2004
|
RE: eset nod32 blocked messenger plus 3.85
quote: Originally posted by Menthix
Frustrating as I can't find the file they refer to anywhere. Perhaps it is the old CiD uninstaller, but I submitted v3.85 which doesn't use that. Eset claims they see Win32/TrojanDownloader.Swizzor in v3.85. I'd like to see it with my own eyes but it doesn't look like they're going to help people with that.
Perhaps they're testing this by installing over a previous installation that already had the CiD sponsor? In that case they would obviously get a false positive because it's not even from the same installer.
The future holds bright things in its path, but only time will tell what they are and where they come from.
Messenger Stuff Forums
|
|
07-28-2010 03:31 PM |
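One way to settle the question raised in the posts above (whether running the installer on a clean system drops a file, or whether the detected file was already there from an earlier install) is to hash a directory tree before and after the install and list what was added or changed. This is an added example, not part of the original thread or of ESET's analysis; the temporary directory and the file names in `demo()` are constructed stand-ins for a real install.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
            except OSError:
                continue  # locked or unreadable file: skip rather than abort
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests

def diff(before, after):
    """Return (added, changed, removed) relative paths between two snapshots."""
    added = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    removed = sorted(p for p in before if p not in after)
    return added, changed, removed

def demo():
    """Constructed stand-in for an install into a directory with old leftovers."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        put("existing.dll", b"left over from an earlier install")  # constructed
        put("settings.ini", b"v=1")
        before = snapshot(root)
        # Simulated installer run (constructed names, not real Plus! files).
        put(os.path.join("sponsor", "dropped.exe"), b"new payload")
        put("settings.ini", b"v=2")
        after = snapshot(root)
        return diff(before, after), after

if __name__ == "__main__":
    (added, changed, removed), hashes = demo()
    for p in added + changed:
        print(p, hashes[p])
```

Files that were already present before the run never appear in `added`, so a leftover from an older installation is not attributed to the installer under test; the printed SHA-256 values are what would be looked up or submitted to a vendor.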
|
|
newcastle
New Member
Posts: 6
32 / /
Joined: Dec 2008
|
RE: eset nod32 blocked messenger plus 3.85
have the same problem here.
This post was edited on 07-30-2010 at 09:22 AM by newcastle.
|
|
07-30-2010 09:16 AM |
|
|