Shoutbox

quote:

---

Originally posted by Lou
Perhaps they're testing this by installing over a previous installation that already had the CiD sponsor? In that case they would obviously get a false positive because it's not even from the same installer

---

Would sound unlikely. I would assume they do automated testing on clean VMs.

It is definitely an CiD uninstaller though. Installed the old 4.60. When you install that version with the CiD sponsor it creates an uninstall.exe in C:\Program Files\Circle Development\. That file looks a lot like what Eset claims they are seeing:
4.60 CiD uninstaller: http://www.virustotal.com/analisis/d9fd774108d289...5be03e1-1280921456
Eset's mysterious find: http://www.virustotal.com/analisis/79bf7f8085018d...d57936d-1280301607


But even if you would...

• Delete the uninstall.exe file from the old version (while keeping CiD installed)
  
• Download and install the latest plus! version
  
• Try to remove CiD through Plus' uninstaller

...that won't cause the current Plus! version to download the CiD uninstaller either. It just makes Plus! say "CiD is installed but the uninstaller is corrupted. Install the CiD again to fix".


So what would explain the detection?

• Eset is ignorant and is classifying everything they recognize as Messenger Plus! as being bundled with CiD, based on an old version. Even though newer versions don't bundle with CiD.
  
• Eset's testing methods are  malfunctioning like Lou suggested.
  
• Or some code in the current Messenger Plus! version could still download/contain the uninstall.exe Eset refers to even though it is unused. After all, some of the other CiD uninstall functionality is still there too. Perhaps there's something which ticks Eset's stuff off even in the latest version.
  

The annoying thing is Eset isn't clear in telling exactly what they're basing their detection on . Perhaps someone else can try to get some sense out of them: How to submit virus or potential false positive samples to ESET's labs. As long as Eset doesn't tell what their problem is Yuna can't exactly fix it either. Damn annoying, because I'm using NOD32 myself too and using Plus! installers all the time .
Tip: when sending them MsgPlusLive-485.exe, rename it to something like MsgPlusLive-485.bak before zipping and (optionally) password protecting it. GMail won't allow you to send a zipped .exe, even if you password protect the .zip.

Do I smell another petition in the works?

quote:

---

Originally posted by Eset's reply on a request for more detailed information
Dear Johan Brune,

I think your questions was already answered.
The recent version was tested. Testing the MsgPlusLive-485.exe resulted in Swizzor infection on previously clean system. It was confirmed by the independent tester too (non ESET employee). Reverse engineering confirmed the recent executable has references to Sponsor (CiD).
The vendor's website contains misleading informations. It states Messenger Plus! is freeware and 100% free. Freeware implies no optional malware and no third party sponsor components.
Sure the vendor can get more informations, unfortunately we were not contacted by him yet.

Regards,

Daniel Novomeský
Virus Researcher
ESET spol. s r.o.

---

* Menthix summons Yuna/Patchou. Them contacting Eset directly may lead to something useful.

Eset has an interesting definition of freeware btw:
http://www.merriam-webster.com/dictionary/freeware
http://en.wikipedia.org/wiki/Freeware
http://definr.com/freeware

well, isnt it obvious that patchou/yuna shoul be contacting them? i thought they'd have done that right after Menthix noted all the issues

* Chrono slaps patchou/yuna around a bit with a large trout.

quote:

---

Originally posted by Chrono

* Chrono slaps patchou/yuna around a bit with a large trout.

---

and you wonder why Patch wont use your name for his Kid

quote:

---

Originally posted by Chrono
well, isnt it obvious that patchou/yuna shoul be contacting them? i thought they'd have done that right after Menthix noted all the issues

---

i dunno but i would think Patch/Yuna would be better off to contact NOD32

Also see the discussion on the MalwareBytes forum (MalwareBytes is apparently blocking the Plus! site):
http://forums.malwarebytes.org/index.php?showtopic=57081

At least MalwareBytes is willing to show people what they see. I think we may have an explanation now:
http://forums.malwarebytes.org/index.php?showtopi...=findpost&p=295857

quote:

---

Originally posted by Menthix
Also see the discussion on the MalwareBytes forum (MalwareBytes is apparently blocking the Plus! site):
http://forums.malwarebytes.org/index.php?showtopic=57081

---

i clicked on malwarebytes forum by accident an thouhgt DZ upgraded the forum to a new Forum board

quote:

---

Originally posted by Menthix
At least MalwareBytes is willing to show people what they see. I think we may have an explanation now:
http://forums.malwarebytes.org/index.php?showtopi...=findpost&p=295857

---

The guy in that thread is acting like an arsehole though. Glad I don't use their software.

I got the video working by installing this codec (not worth installing, unless you really want to).

MenthiX was right - he's downloading Messenger Plus! Live 4.85, but because he doesn't have Windows Live Messenger 8 or 9 on his test machine, the installer then detects he only has Windows Messenger 4 (which comes with XP) and it then downloads the old Plus! 3.63 version with the adware.

my rule is "never argue with an idiot otherwise bystanders cant tell the difference".. an it seems he is an idiot.

OT: talking bout idiots, where's Discrate