What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » Messenger Plus! for Live Messenger » WLM Plus! Help » eset nod32 blocked messenger plus 4.85

Pages: (3): « First [ 1 ] 2 3 » Last »
eset nod32 blocked messenger plus 4.85
Author: Message:
silent_07
New Member
*


Posts: 1
38 / Male / Flag
Joined: Jul 2010
O.P. eset nod32 blocked messenger plus 4.85
eset nod32 blocked messenger plus 4.85
win32/adware.cidhelp

can you fix please next version?

This post was edited on 08-02-2010 at 02:54 PM by Patchou.
07-24-2010 05:34 PM
Profile E-Mail PM Find Quote Report
Menthix
forum admin
*******

Avatar

Posts: 5537
Reputation: 102
40 / Male / Flag
Joined: Mar 2002
RE: eset nod32 blocked messenger plus 3.85
I had the same here.

Odd because NOD never really had a problem with older versions before. while cidhelp refers to Circle Development which was something used in older versions, not in this one.

Contacted NOD earlier today, hopefully they'll fix it.
Finish the problem
Menthix.net | Contact Me
07-24-2010 06:36 PM
Profile E-Mail PM Web Find Quote Report
Hank
Banned


Posts: 3129
Reputation: 5
– / – / Flag
Joined: Nov 2003
Status: Away
RE: eset nod32 blocked messenger plus 3.85
quote:
Originally posted by Menthix
I had the same here.

Odd because NOD never really had a problem with older versions before. while cidhelp refers to Circle Development which was something used in older versions, not in this one.

Contacted NOD earlier today, hopefully they'll fix it.
looks like NOD have a few more to fix, they cant even support Thunderbird3.1 an how long has it been out? the ( Eset Smart Security Extension ) does not work.
07-25-2010 12:08 AM
Profile PM Find Quote Report
Kafman
Full Member
***

Avatar

Posts: 376
Reputation: 24
36 / Male / Flag
Joined: Feb 2004
RE: eset nod32 blocked messenger plus 3.85
quote:
Originally posted by Menthix
I had the same here.
Confirmed in the spanish forums with two users who had nod32 aswell eset smart security.

Looks like ESET added the sponsor as a malware to their signatures.
[Image: sig.png]
07-25-2010 06:04 AM
Profile PM Find Quote Report
Menthix
forum admin
*******

Avatar

Posts: 5537
Reputation: 102
40 / Male / Flag
Joined: Mar 2002
RE: eset nod32 blocked messenger plus 3.85
quote:
Originally posted by Kafman
Looks like ESET added the sponsor as a malware to their signatures.
Which sponsor though? 3.85 comes with a Conduit toolbar, or in some cases Ask.com... cidhelp refers to the old sponsor which hasn't been used for quite a while.

All Plus! versions dating back to version 4.50 seem to be blocked by NOD32 now (since Update 5306 (20100723). Versions older than that are not labeled with CiDHelp. In the past NOD would only block the old (pre v4.80) sponsor when you actually install the sponsor.

But blocking any Plus! version newer than 4.81 just doesn't make sense at all, the CiD sponsor isn't used in those versions at all. The newer Plus! versions either use Conduit (community toolbar) or As.com (search engine) as a sponsor. Neither are adware, no antivirus inditifies it as being that, even NOD agrees on that...
Conduit: http://www.virustotal.com/analisis/c640cae328d651...92dbbf1-1280051763
Ask.com: http://www.virustotal.com/analisis/d029c34dd469a3...7669945-1280051389

Additionally none of the newer versions are blocked by any other scanner:
4.85: http://www.virustotal.com/analisis/6231b9e65f4ea7...d78f4ee-1280051958
4.84: http://www.virustotal.com/analisis/0792c2a0ac92a4...213b359-1280052125
4.83: http://www.virustotal.com/analisis/c19739b132a269...4c42664-1280052289
4.82: http://www.virustotal.com/analisis/9e22e81f66d4d0...372a78f-1280052360
4.81: http://www.virustotal.com/analisis/ac93e570fed539...d9f5caf-1280052449

Only some of the older versions which actually *did* use a CiD adware sponsor a blocked by other scanners:
4.11: http://www.virustotal.com/analisis/8d8ca2c8b9c19d...da321ab-1280052802


If you use NOD32, download MsgPlusLive-485.exe and submit it to ESET as a false positive.

Seems ESET isn't completely sure yet either:
[Image: please-submit-this-object-to-eset-for-analysis.png]

This post was edited on 08-04-2010 at 02:00 PM by Menthix.
Finish the problem
Menthix.net | Contact Me
07-25-2010 09:20 AM
Profile E-Mail PM Web Find Quote Report
Kafman
Full Member
***

Avatar

Posts: 376
Reputation: 24
36 / Male / Flag
Joined: Feb 2004
RE: eset nod32 blocked messenger plus 3.85
quote:
Originally posted by Menthix
All Plus! dating back to version 4.50 seem to be blocked by NOD32 now.
Yeah forgot to detail that, like you already said, it blocks all the CiD variants (wich it doesn't have any sense since it is the old sponsor...)

It doesn't have any sense that ESET blocks Conduit or Ask.com and classify it as a CiD variant...

Here's the spanish tread with two screenshots, from nod32 aswell eset smart security wich detects it as a CiD variant: http://foro.msgpluslive.es/showthread.php?tid=14574&page=2
[Image: sig.png]
07-25-2010 08:31 PM
Profile PM Find Quote Report
Patchou
Messenger Plus! Creator
*****

Avatar

Posts: 8607
Reputation: 201
43 / Male / Flag
Joined: Apr 2002
RE: eset nod32 blocked messenger plus 3.85
As you can see, as time passes by, some AV programs don't get any smarter, quite the opposite... :p.
[Image: signature2.gif]
07-27-2010 04:00 PM
Profile PM Web Find Quote Report
Menthix
forum admin
*******

Avatar

Posts: 5537
Reputation: 102
40 / Male / Flag
Joined: Mar 2002
RE: eset nod32 blocked messenger plus 3.85
quote:
Originally posted by Email conversationwith ESET
This is one example of the dropped malware file:
http://www.virustotal.com/analisis/79bf7f8085018d...d57936d-1280301607

Only the vendor can solve it, it is not a false positive.

Regards,

Daniel Novomeský
Virus Researcher
ESET spol. s r.o.

> >--[<REMOVED>@<REMOVED>.com]---------------------
> > Hello,
> >
> > This sounds strange to me.
> >
> > I am a happy user of Messenger Plus!, I have it installed on several of
> > my systems and see no sign anywhere of the "Circle development" adware
> > or the Win32/TrojanDownloader.Swizzor you mention. Neither do friends
> > who have this software too and use other anti virus products without
> > getting a warning.
> >
> > I temporary disabled NOD32 and installed the executable. I did a scan of
> > the entire system after installation but found nothing (except for the
> > installer itself), neither do i see any advertising appear.
> > On what indication/symptoms exactly do you base this threat
> > classification? For example, which files/registry keys or communication
> > with which hostnames/IPs to look for?
> >
> > You also mention "it" being identified as Win32/TrojanDownloader.Swizzor
> > and being classified as malware by almost all vendors. How/where would i
> > find this file so I can see this for myself? Because the file i sent you
> > is certainly not classified as malware by any vendor i know. Perhaps you
> > are referring to a file which is downloaded during execution, I would
> > like to see more details on it.
> >
> >
> > I'm not convinced yet about this not being a false positive.
> >
> >
> > Greetings,
> > Johan
> >
> >
> >
> >
> > samples@eset.sk wrote:
>> > >
>> > > Dear Johan Brune,
>> > >
>> > > Thank you for your submission.
>> > > I have run the attached executable and it resulted in installing the bad "Circle development" adware. It is identified as Win32/TrojanDownloader.Swizzor trojan. Almost all vendors classify it as malware. Swizzor malware caused lot of problems worldwide.
>> > > The statement about no relation with the CiD is not in a harmony with the truth.
>> > > Intentional spreading of malware is considered as criminal act in many countries and it is not wise to overlook it.
>> > >
>> > > Regards,
>> > >
>> > > Daniel Novomeský
>> > > Virus Researcher
>> > > ESET spol. s r.o.
>> > >
>>> > >> --[<REMOVED>@<REMOVED>.com]---------------------
>> > >
>>> > >> The attached file is *password protected*, password is: infected
>>> > >> The *extension of the file inside the .zip has been changed from .exe to
>>> > >> .bak* to bypass GMail's restrictions on attachement file types. Despite
>>> > >> password protecting the .zip GMail will see there was a .exe inside and
>>> > >> refuse to send it.
>>> > >> My customer number: EAV-01534435
>>> > >>
>>> > >> The file attached is a *false positive*.
>>> > >>
>>> > >> The official location to download this file is
>>> > >> http://www.msgpluslive.net/download/
>>> > >> (http://mirror3.msgpluslive.net/MsgPlusLive-485.exe).
>>> > >>
>>> > >> The file is the installer of the latest version (4.85.386 - 19/07/2010)
>>> > >> of a software called Messenger Plus! Live (http://www.msgpluslive.net/).
>>> > >> Older versions of Messenger Plus! did indeed bundle with an (optional)
>>> > >> adware sponsor package developed by Circle Development Ltd. However,
>>> > >> none of the recent versions of Messenger Plus! released over the past
>>> > >> months contain or download the CiD adware. The makers of Messenger Plus!
>>> > >> stopped using the CiD package completely and have no affiliation with
>>> > >> Circle Development Ltd.
>>> > >>
>>> > >> Messenger Plus! is created my Yuna Software Ltd.
>>> > >> http://www.yunasoftware.com/. Instead of the CiD adware Messenger Plus!
>>> > >> is bundled with either:
>>> > >>
>>> > >>      * A community toolbar for the user's browser developed by Conduit
>>> > >>        Ltd. (http://www.conduit.com/).
>>> > >>      * Or the Ask.com search assistent which makes Ask.com the default
>>> > >>        searchengine in the user's browser.
>>> > >>
>>> > >> One of these two options is presented to the user during installation of
>>> > >> the Messenger Plus! software. Which of the two is presented to the user
>>> > >> depends on some factors like geographical location. In both cases the
>>> > >> installation of the sponsor package is optional and it is made clear to
>>> > >> the user what it does. Both Conduit and Ask are respected companies
>>> > >> which are not in the business of distributing adware, neither are they
>>> > >> in any way affiliated with Circle Development Ltd. which the CiDHelp
>>> > >> label refers to.
>>> > >>
>>> > >> None of the other antivirus companies I know detect this as a threat,
>>> > >> including the other recent versions which don't include CiDHelp either.
>>> > >> MsgPlusLive-485.exe :
>>> > >> http://www.virustotal.com/analisis/6231b9e65f4ea7...d78f4ee-1280051958
>>> > >> MsgPlusLive-484.exe:
>>> > >> http://www.virustotal.com/analisis/0792c2a0ac92a4...213b359-1280052125
>>> > >> MsgPlusLive-483.exe:
>>> > >> http://www.virustotal.com/analisis/c19739b132a269...4c42664-1280052289
>>> > >> MsgPlusLive-482.exe:
>>> > >> http://www.virustotal.com/analisis/9e22e81f66d4d0...372a78f-1280052360
>>> > >> MsgPlusLive-481.exe:
>>> > >> http://www.virustotal.com/analisis/ac93e570fed539...d9f5caf-1280052449
>>> > >>
>>> > >> Also see the thread about this in the Messenger Plus! support forum with
>>> > >> more information: http://shoutbox.menthix.net/showthread.php?tid=95106
>>> > >>
>>> > >>
>>> > >> I hope this issue can be solved quickly. Please contact me if more
>>> > >> details are needed.
>>> > >>
>>> > >> Greetings,
>>> > >> Johan Bruné

Frustrating as I can't find the file they refer to anywhere. Perhaps it is the old CiD uninstaller, but I sumbitted v3.85 which doesn't use that. Eset claims they see Win32/TrojanDownloader.Swizzor in v3.85. I'd like to see it with my own eyes but it doesn't look like they're going to help people with that :(.
Finish the problem
Menthix.net | Contact Me
07-28-2010 03:16 PM
Profile E-Mail PM Web Find Quote Report
Lou
Veteran Member
*****

Avatar

Posts: 2475
Reputation: 43
– / Male / Flag
Joined: Aug 2004
RE: eset nod32 blocked messenger plus 3.85
quote:
Originally posted by Menthix
Frustrating as I can't find the file they refer to anywhere. Perhaps it is the old CiD uninstaller, but I sumbitted v3.85 which doesn't use that. Eset claims they see Win32/TrojanDownloader.Swizzor in v3.85. I'd like to see it with my own eyes but it doesn't look like they're going to help people with that
Perhaps they're testing this by installing over a previous installation that already had the CiD sponsor? In that case they would obviously get a false positive because it's not even from the same installer :undecided:.
[Image: msghelp.net.png]
The future holds bright things in it\\\'s path, but only time will tell what they are and where they come from.
Messenger Stuff Forums
07-28-2010 03:31 PM
Profile PM Web Find Quote Report
newcastle
New Member
*


Posts: 6
32 / Male / Flag
Joined: Dec 2008
RE: eset nod32 blocked messenger plus 3.85
have the same problem here.

This post was edited on 07-30-2010 at 09:22 AM by newcastle.
07-30-2010 09:16 AM
Profile E-Mail PM Find Quote Report
Pages: (3): « First [ 1 ] 2 3 » Last »
« Next Oldest Return to Top Next Newest »


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts
HTML is Off
myCode is On
Smilies are On
[img] Code is On