Shoutbox

Messenger Plus have a Virus - Printable Version


Messenger Plus have a Virus by briandgwx on 08-10-2007 at 03:17 AM

I am Chinese, my English is not good.

Today, I set up Messenger Plus 4.23.276; at the end of setup, my antivirus software Zonealarm found a virus.

Virus Name: Trojan.Win32.Obfuscated.en

This virus is in the C: Documents and Settings folder.

PLEASE SOLVE THIS PROBLEM!!!!!


RE: Messenger Plus have a Virus by prashker on 08-10-2007 at 03:44 AM

This wouldn't be caused by Messenger Plus Live. Are you sure you downloaded it from the official site? msgpluslive.net.


RE: Messenger Plus have a Virus by Dane on 08-10-2007 at 03:45 AM

The Virus you're describing was not caused by Messenger Plus! Live.

Please rescan your computer with Symantec Online Virus Scanner or McAfee Online Virus Scanner and confirm that you get a detection please.


RE: Messenger Plus have a Virus by DarryDoo on 10-21-2007 at 09:46 AM

I, too, have experienced this at the end of a Plus! install. Using Avast! antivirus, got the following -- see attachment:

Full file name:  C:\DOCUME~1\Rosalie\LOCALS~1\Temp\msgpl_e138.tmp\spinstall.exe

This PC had an old version of Messenger, which was updated to Messenger Live! after a prompt stating that the update had to occur to continue. Once Messenger Live! was installed, the Plus! | Compatibility Info link was clicked, which auto-downloaded the version in question. At the end of the Plus! update, the warning popped up.

DIR in the TEMP directory reveals the following:
10/21/2007  05:05 AM            40,960 rtdrvmon.exe
10/21/2007  05:05 AM            49,152 ~DFD88C.tmp
10/21/2007  05:05 AM    <DIR>          msgpl_e138.tmp
10/21/2007  05:01 AM         3,954,000 MsgPlus - Auto Update.exe
10/21/2007  04:54 AM        18,895,728 msg4F.exe

After choosing No Action from Avast!, I received another warning, this time for C:\Program Files\Adverts\uninst.exe, for the same virus.

I promptly deleted the C:\Program Files\Adverts directory, which contained only the UNINST.EXE file.

Note that I chose NOT to install the sponsor.

It would appear that, indeed, there IS a trojan within the Plus! install package -- possibly in the sponsor.

I am currently scanning with Symantec online scanner, will update when results are available.

Cheers
Darren


RE: Messenger Plus have a Virus by ahmetgns on 10-21-2007 at 10:00 AM

How to uninstall adware-sponsor?

How can I uninstall the sponsor program

quote:
Originally posted in website's FAQs - What does Messenger Plus! Live install on my computer?
For those who choose to give their support by installing the optional sponsor program, the sponsor's uninstallation program is copied in "C:\Program Files\Adverts" and is only used to uninstall the sponsor from Add/Remove Programs.

I doubt you installed sponsor :)

500th post :)


RE: Messenger Plus have a Virus by Spunky on 10-21-2007 at 10:07 AM

spinstall.exe is associated with CiD. Are you 100% positive you didn't install the sponsor? If you didn't, it is quite possible that the un\install program was copied to the directory during installation of MP!L without any intent of ever being used


RE: Messenger Plus have a Virus by Patchou on 10-21-2007 at 04:43 PM

The file that was detected is not a trojan but the program used to install/uninstall the sponsor. It can be extracted for two reasons only: the sponsor was accepted during the installation of Plus! Live or the sponsor was installed with a previous version of Messenger Plus! (3.xx) so the setup re-extracts the uninstaller to make sure it will be able to remove the sponsor when Messenger Plus! Live is uninstalled.

If you didn't accept to install the sponsor, then the only reason for this will be a previous installation from a previous version of Plus!. Of course, in that case, nothing is installed, the program is extracted only for future uninstallation. If the sponsor had already been removed by a third party program on your system, then don't worry about the uninstaller being deleted by your anti-virus, it probably won't be needed anymore (although it is never recommended to delete anything from your computer, sponsor or not, by using a third party program when an uninstaller is provided).


RE: RE: Messenger Plus have a Virus by DarryDoo on 10-22-2007 at 04:30 PM

quote:
Originally posted by Patchou
The file that was detected is not a trojan
Then why do several anti-virus utilities detect it as such? ^o)

quote:
but the program used to install/uninstall the sponsor. It can be extracted for two reasons only: the sponsor was accepted during the installation of Plus! Live
It was not.

quote:
or the sponsor was installed with a previous version of Messenger Plus! (3.xx) so the setup re-extracts the uninstaller to make sure it will be able to remove the sponsor when Messenger Plus! Live is uninstalled.
I'm fairly certain that the sponsor was not previously installed. But not 100%.

quote:
If you didn't accept to install the sponsor, then the only reason for this will be a previous installation from a previous version of Plus!. Of course, in that case, nothing is installed, the program is extracted only for future uninstallation. If the sponsor had already been removed by a third party program on your system, then don't worry about the uninstaller being deleted by your anti-virus, it probably won't be needed anymore (although it is never recommended to delete anything from your computer, sponsor or not, by using a third party program when an uninstaller is provided).


Is there a switch to simply extract all files in the EXE? I'd like to do more testing on these files. FWIW, the online scanners that Dane mentioned DO NOT scan inside compressed files, so of course nothing would be detected by them.


RE: Messenger Plus have a Virus by vaccination on 10-22-2007 at 05:51 PM

quote:
Originally posted by DarryDoo
   
quote:
Originally posted by Patchou

    The file that was detected is not a trojan

Then why do several anti-virus utilities detect it as such? (Smilie)
Because anti-viruses aren't always right.

RE: RE: Messenger Plus have a Virus by dexluther on 10-23-2007 at 08:42 AM

quote:
Originally posted by vaccination
quote:
Originally posted by DarryDoo
   
quote:
Originally posted by Patchou

    The file that was detected is not a trojan

Then why do several anti-virus utilities detect it as such? (Smilie)
Because anti-viruses aren't always right.



Didn't that Microsoft one-care what-ya-ma-call it auto-update used to detect Plus itself as a malicious program? I think that would be proof enough that they aren't always right.


RE: Messenger Plus have a Virus by Patchou on 10-23-2007 at 05:24 PM

To extract the sponsor files, just run the setup and select to install the sponsor. You can grab the file in the Adverts directory of Program Files and do all the tests you want on it if you want.

A trojan is something that does things behind your back, uninvited, which is not the case of the sponsor program as you can see. Some antivirus companies just like scaring people to justify the presence of their software on their computers.

As for confirming that the sponsor may have been installed before, thank you :). You can confirm that by installing again without the sponsor program, you'll see that the sponsor exe won't be extracted automatically anymore. Here are the two keys that are verified to check for a previous sponsor installation from a previous version of Plus! :

SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MsgPlus! Plugin - SponsorInstalled

SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MessengerPlus3 - SponsorInstalled

If the value is set to 1, the new setup resets it to 0 and extracts the new sponsor install/uninstall exe in the Adverts dir. This way, running the uninstaller of the new Plus! will allow uninstallation of the sponsor, if it was indeed installed (if not, then nothing special will happen, the sponsor's uninstaller will just be deleted).

I hope this helps you understand what happened in your case :).
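

Added example, not part of the original thread and not Messenger Plus! code: a read-only PowerShell check of the two SponsorInstalled values and the Adverts uninstaller described above, so the setup's behaviour can be compared before and after an install. The registry hive is not named in the thread, so checking HKLM and HKCU (and the WOW6432Node view), the "Program Files (x86)" location, and the function names are assumptions.

```powershell
# Added example: read-only triage of the state described in the post above.
# Assumption: the thread does not say which hive holds the keys, so HKLM and
# HKCU are both checked, along with the 32-bit WOW6432Node view.
$subKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MsgPlus! Plugin',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MessengerPlus3'
)

function Get-SponsorFlag {
    foreach ($root in 'HKLM:', 'HKCU:') {
        foreach ($sub in $subKeys) {
            $views = @($sub, ($sub -replace '^SOFTWARE\\', 'SOFTWARE\WOW6432Node\'))
            foreach ($view in $views) {
                $path = Join-Path $root $view
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $prop = Get-ItemProperty -LiteralPath $path -Name 'SponsorInstalled' -ErrorAction SilentlyContinue
                $value = '(value absent)'
                if ($null -ne $prop) { $value = $prop.SponsorInstalled }
                # Per the post: 1 before setup means the uninstaller will be
                # extracted; setup then resets the value to 0.
                [pscustomobject]@{ Key = $path; SponsorInstalled = $value }
            }
        }
    }
}

function Get-SponsorUninstaller {
    # Path from the thread: C:\Program Files\Adverts\uninst.exe
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($dir in $dirs) {
        $file = Join-Path $dir 'Adverts\uninst.exe'
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        [pscustomobject]@{
            File            = $file
            SHA256          = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
        }
    }
}

Get-SponsorFlag        | Format-List
Get-SponsorUninstaller | Format-List
```

The SHA256 and signer give a fixed identity for the flagged file, which can be compared across machines or checked against more than one scanner instead of relying on a single detection name.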