Shoutbox

eset nod32 blocked messenger plus 4.85 - Printable Version

Forum: MsgHelp Archive > Messenger Plus! for Live Messenger > WLM Plus! Help
Thread: eset nod32 blocked messenger plus 4.85 (https://shoutbox.menthix.net/showthread.php?tid=95106)

eset nod32 blocked messenger plus 4.85 by silent_07 on 07-24-2010 at 05:34 PM

eset nod32 blocked messenger plus 4.85
win32/adware.cidhelp

Can you please fix it in the next version?


RE: eset nod32 blocked messenger plus 3.85 by Menthix on 07-24-2010 at 06:36 PM

I had the same here.

Odd, because NOD never really had a problem with older versions before, while CiDHelp refers to Circle Development, which was something used in older versions, not in this one.

Contacted NOD earlier today, hopefully they'll fix it.


RE: eset nod32 blocked messenger plus 3.85 by Hank on 07-25-2010 at 12:08 AM

quote:
Originally posted by Menthix
I had the same here.

Odd because NOD never really had a problem with older versions before. while cidhelp refers to Circle Development which was something used in older versions, not in this one.

Contacted NOD earlier today, hopefully they'll fix it.

Looks like NOD has a few more to fix; they can't even support Thunderbird 3.1, and how long has it been out? The (ESET Smart Security Extension) does not work.

RE: eset nod32 blocked messenger plus 3.85 by Kafman on 07-25-2010 at 06:04 AM

quote:
Originally posted by Menthix
I had the same here.

Confirmed in the Spanish forums with two users who had NOD32 as well as ESET Smart Security.

Looks like ESET added the sponsor as malware to their signatures.

RE: eset nod32 blocked messenger plus 3.85 by Menthix on 07-25-2010 at 09:20 AM

quote:
Originally posted by Kafman
Looks like ESET added the sponsor as a malware to their signatures.

Which sponsor though? 3.85 comes with a Conduit toolbar, or in some cases Ask.com... CiDHelp refers to the old sponsor, which hasn't been used for quite a while.

All Plus! versions dating back to version 4.50 seem to be blocked by NOD32 now (since update 5306 (20100723)). Versions older than that are not labeled with CiDHelp. In the past NOD would only block the old (pre v4.80) sponsor when you actually installed the sponsor.

But blocking any Plus! version newer than 4.81 just doesn't make sense at all; the CiD sponsor isn't used in those versions at all. The newer Plus! versions either use Conduit (community toolbar) or Ask.com (search engine) as a sponsor. Neither is adware, no antivirus identifies it as being that, even NOD agrees on that...
Conduit: http://www.virustotal.com/analisis/c640cae328d651...92dbbf1-1280051763
Ask.com: http://www.virustotal.com/analisis/d029c34dd469a3...7669945-1280051389

Additionally none of the newer versions are blocked by any other scanner:
4.85: http://www.virustotal.com/analisis/6231b9e65f4ea7...d78f4ee-1280051958
4.84: http://www.virustotal.com/analisis/0792c2a0ac92a4...213b359-1280052125
4.83: http://www.virustotal.com/analisis/c19739b132a269...4c42664-1280052289
4.82: http://www.virustotal.com/analisis/9e22e81f66d4d0...372a78f-1280052360
4.81: http://www.virustotal.com/analisis/ac93e570fed539...d9f5caf-1280052449

Only some of the older versions which actually *did* use a CiD adware sponsor are blocked by other scanners:
4.11: http://www.virustotal.com/analisis/8d8ca2c8b9c19d...da321ab-1280052802


If you use NOD32, download MsgPlusLive-485.exe and submit it to ESET as a false positive.

Seems ESET isn't completely sure yet either:
[Image: please-submit-this-object-to-eset-for-analysis.png]

RE: eset nod32 blocked messenger plus 3.85 by Kafman on 07-25-2010 at 08:31 PM

quote:
Originally posted by Menthix
All Plus! dating back to version 4.50 seem to be blocked by NOD32 now.

Yeah, forgot to detail that; like you already said, it blocks all the CiD variants (which doesn't make any sense since it is the old sponsor...)

It doesn't make any sense that ESET blocks Conduit or Ask.com and classifies it as a CiD variant...

Here's the Spanish thread with two screenshots, from NOD32 as well as ESET Smart Security, which detects it as a CiD variant: http://foro.msgpluslive.es/showthread.php?tid=14574&page=2

RE: eset nod32 blocked messenger plus 3.85 by Patchou on 07-27-2010 at 04:00 PM

As you can see, as time passes by, some AV programs don't get any smarter, quite the opposite... :p.


RE: eset nod32 blocked messenger plus 3.85 by Menthix on 07-28-2010 at 03:16 PM

quote:
Originally posted by Email conversation with ESET
This is one example of the dropped malware file:
http://www.virustotal.com/analisis/79bf7f8085018d...d57936d-1280301607

Only the vendor can solve it, it is not a false positive.

Regards,

Daniel Novomeský
Virus Researcher
ESET spol. s r.o.

> --[<REMOVED>@<REMOVED>.com]---------------------
> Hello,
>
> This sounds strange to me.
>
> I am a happy user of Messenger Plus!, I have it installed on several of
> my systems and see no sign anywhere of the "Circle development" adware
> or the Win32/TrojanDownloader.Swizzor you mention. Neither do friends
> who have this software too and use other anti virus products without
> getting a warning.
>
> I temporarily disabled NOD32 and installed the executable. I did a scan of
> the entire system after installation but found nothing (except for the
> installer itself), neither do I see any advertising appear.
> On what indication/symptoms exactly do you base this threat
> classification? For example, which files/registry keys or communication
> with which hostnames/IPs to look for?
>
> You also mention "it" being identified as Win32/TrojanDownloader.Swizzor
> and being classified as malware by almost all vendors. How/where would I
> find this file so I can see this for myself? Because the file I sent you
> is certainly not classified as malware by any vendor I know. Perhaps you
> are referring to a file which is downloaded during execution, I would
> like to see more details on it.
>
> I'm not convinced yet about this not being a false positive.
>
> Greetings,
> Johan
>
> samples@eset.sk wrote:
> >
> > Dear Johan Brune,
> >
> > Thank you for your submission.
> > I have run the attached executable and it resulted in installing the bad "Circle development" adware. It is identified as Win32/TrojanDownloader.Swizzor trojan. Almost all vendors classify it as malware. Swizzor malware caused a lot of problems worldwide.
> > The statement about no relation with the CiD is not in harmony with the truth.
> > Intentional spreading of malware is considered a criminal act in many countries and it is not wise to overlook it.
> >
> > Regards,
> >
> > Daniel Novomeský
> > Virus Researcher
> > ESET spol. s r.o.
> >
> > > --[<REMOVED>@<REMOVED>.com]---------------------
> > > The attached file is *password protected*, password is: infected
> > > The *extension of the file inside the .zip has been changed from .exe to
> > > .bak* to bypass GMail's restrictions on attachment file types. Despite
> > > password protecting the .zip GMail will see there was a .exe inside and
> > > refuse to send it.
> > > My customer number: EAV-01534435
> > >
> > > The file attached is a *false positive*.
> > >
> > > The official location to download this file is
> > > http://www.msgpluslive.net/download/
> > > (http://mirror3.msgpluslive.net/MsgPlusLive-485.exe).
> > >
> > > The file is the installer of the latest version (4.85.386 - 19/07/2010)
> > > of a software called Messenger Plus! Live (http://www.msgpluslive.net/).
> > > Older versions of Messenger Plus! did indeed bundle with an (optional)
> > > adware sponsor package developed by Circle Development Ltd. However,
> > > none of the recent versions of Messenger Plus! released over the past
> > > months contain or download the CiD adware. The makers of Messenger Plus!
> > > stopped using the CiD package completely and have no affiliation with
> > > Circle Development Ltd.
> > >
> > > Messenger Plus! is created by Yuna Software Ltd.
> > > http://www.yunasoftware.com/. Instead of the CiD adware Messenger Plus!
> > > is bundled with either:
> > >
> > >      * A community toolbar for the user's browser developed by Conduit
> > >        Ltd. (http://www.conduit.com/).
> > >      * Or the Ask.com search assistant which makes Ask.com the default
> > >        search engine in the user's browser.
> > >
> > > One of these two options is presented to the user during installation of
> > > the Messenger Plus! software. Which of the two is presented to the user
> > > depends on some factors like geographical location. In both cases the
> > > installation of the sponsor package is optional and it is made clear to
> > > the user what it does. Both Conduit and Ask are respected companies
> > > which are not in the business of distributing adware, neither are they
> > > in any way affiliated with Circle Development Ltd. which the CiDHelp
> > > label refers to.
> > >
> > > None of the other antivirus companies I know detect this as a threat,
> > > including the other recent versions which don't include CiDHelp either.
> > > MsgPlusLive-485.exe :
> > > http://www.virustotal.com/analisis/6231b9e65f4ea7...d78f4ee-1280051958
> > > MsgPlusLive-484.exe:
> > > http://www.virustotal.com/analisis/0792c2a0ac92a4...213b359-1280052125
> > > MsgPlusLive-483.exe:
> > > http://www.virustotal.com/analisis/c19739b132a269...4c42664-1280052289
> > > MsgPlusLive-482.exe:
> > > http://www.virustotal.com/analisis/9e22e81f66d4d0...372a78f-1280052360
> > > MsgPlusLive-481.exe:
> > > http://www.virustotal.com/analisis/ac93e570fed539...d9f5caf-1280052449
> > >
> > > Also see the thread about this in the Messenger Plus! support forum with
> > > more information: http://shoutbox.menthix.net/showthread.php?tid=95106
> > >
> > > I hope this issue can be solved quickly. Please contact me if more
> > > details are needed.
> > >
> > > Greetings,
> > > Johan Bruné

Frustrating, as I can't find the file they refer to anywhere. Perhaps it is the old CiD uninstaller, but I submitted v3.85 which doesn't use that. Eset claims they see Win32/TrojanDownloader.Swizzor in v3.85. I'd like to see it with my own eyes but it doesn't look like they're going to help people with that :(.

RE: eset nod32 blocked messenger plus 3.85 by Lou on 07-28-2010 at 03:31 PM

quote:
Originally posted by Menthix
Frustrating as I can't find the file they refer to anywhere. Perhaps it is the old CiD uninstaller, but I sumbitted v3.85 which doesn't use that. Eset claims they see Win32/TrojanDownloader.Swizzor in v3.85. I'd like to see it with my own eyes but it doesn't look like they're going to help people with that

Perhaps they're testing this by installing over a previous installation that already had the CiD sponsor? In that case they would obviously get a false positive because it's not even from the same installer :undecided:.

RE: eset nod32 blocked messenger plus 3.85 by newcastle on 07-30-2010 at 09:16 AM

Have the same problem here.


RE: eset nod32 blocked messenger plus 4.85 by Menthix on 08-04-2010 at 12:32 PM

quote:
Originally posted by Lou
Perhaps they're testing this by installing over a previous installation that already had the CiD sponsor? In that case they would obviously get a false positive because it's not even from the same installer

Would sound unlikely. I would assume they do automated testing on clean VMs.

It is definitely a CiD uninstaller though. Installed the old 4.60. When you install that version with the CiD sponsor it creates an uninstall.exe in C:\Program Files\Circle Development\. That file looks a lot like what Eset claims they are seeing:
4.60 CiD uninstaller: http://www.virustotal.com/analisis/d9fd774108d289...5be03e1-1280921456
Eset's mysterious find: http://www.virustotal.com/analisis/79bf7f8085018d...d57936d-1280301607


But even if you would...
  • Delete the uninstall.exe file from the old version (while keeping CiD installed)
  • Download and install the latest plus! version
  • Try to remove CiD through Plus' uninstaller
...that won't cause the current Plus! version to download the CiD uninstaller either. It just makes Plus! say "CiD is installed but the uninstaller is corrupted. Install the CiD again to fix".


So what would explain the detection?
  • Eset is ignorant and is classifying everything they recognize as Messenger Plus! as being bundled with CiD, based on an old version. Even though newer versions don't bundle with CiD.
  • Eset's testing methods are malfunctioning like Lou suggested.
  • Or some code in the current Messenger Plus! version could still download/contain the uninstall.exe Eset refers to even though it is unused. After all, some of the other CiD uninstall functionality is still there too. Perhaps there's something which ticks Eset's stuff off even in the latest version.
    [Image: circle-development-remove-sponsor.png]


The annoying thing is Eset isn't clear in telling exactly what they're basing their detection on :(. Perhaps someone else can try to get some sense out of them: How to submit virus or potential false positive samples to ESET's labs. As long as Eset doesn't tell what their problem is Yuna can't exactly fix it either. Damn annoying, because I'm using NOD32 myself too and using Plus! installers all the time :(.
Tip: when sending them MsgPlusLive-485.exe, rename it to something like MsgPlusLive-485.bak before zipping and (optionally) password protecting it. GMail won't allow you to send a zipped .exe, even if you password protect the .zip.

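The packaging step from the tip above, as an added example in Python (not code from this thread, from Yuna Software or from ESET): it stores the installer inside a zip under a .bak name and records the SHA-256 so the lab and the submitter are talking about the same bytes. Python's zipfile cannot write password-protected archives, so the optional password step is left to an external tool; the file name, the placeholder bytes and the report wording are constructed for this example.

```python
"""Package a suspected false-positive sample for submission to an AV lab.

Added example, not code from the thread or from Yuna Software. It follows the
tip in the post above: rename the .exe to .bak inside the archive so webmail
does not reject the attachment, and record the SHA-256 for the report.
Python's zipfile cannot write password-protected archives, so the optional
password step (the thread uses the password "infected") is left to an external tool.
"""
import hashlib
import os
import tempfile
import zipfile

# Constructed placeholder bytes standing in for an installer; not the real file.
PLACEHOLDER_BODY = b"MZ" + b"\x00" * 62 + b"placeholder installer body"


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def package_sample(sample_path: str, archive_path: str) -> dict:
    """Store sample_path in a zip under a .bak name; return submission metadata."""
    base = os.path.basename(sample_path)
    stem, ext = os.path.splitext(base)
    # Only executables get the rename; anything else keeps its name.
    arcname = stem + ".bak" if ext.lower() == ".exe" else base
    digest = sha256_of(sample_path)
    with zipfile.ZipFile(archive_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.write(sample_path, arcname=arcname)
    return {
        "original_name": base,
        "archived_name": arcname,
        "sha256": digest,
        "size": os.path.getsize(sample_path),
        "archive": archive_path,
    }


def submission_note(meta: dict, download_url: str, claimed_detection: str) -> str:
    """Text body for the false-positive report: what the file is and how to verify it."""
    return "\n".join([
        f"File: {meta['original_name']} (attached as {meta['archived_name']} "
        f"inside {os.path.basename(meta['archive'])})",
        f"SHA-256: {meta['sha256']}",
        f"Size: {meta['size']} bytes",
        f"Official download location: {download_url}",
        f"Reported detection: {claimed_detection}",
        "Submitted as a suspected false positive.",
    ])


def demo() -> dict:
    """Run the packaging on the constructed stand-in for an installer."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "MsgPlusLive-485.exe")
    with open(sample, "wb") as f:
        f.write(PLACEHOLDER_BODY)
    meta = package_sample(sample, os.path.join(workdir, "MsgPlusLive-485.zip"))
    with zipfile.ZipFile(meta["archive"]) as zf:
        meta["archive_entries"] = zf.namelist()
    meta["note"] = submission_note(
        meta,
        "http://mirror3.msgpluslive.net/MsgPlusLive-485.exe",
        "Win32/Adware.CiDHelp (hypothetical label for this example)",
    )
    return meta


if __name__ == "__main__":
    print(demo()["note"])
```

The hash goes into the report because an archive name alone does not identify the bytes; a lab reply that quotes a different hash (as happened in this thread with the uninstaller) shows immediately that two different files are being discussed.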
RE: eset nod32 blocked messenger plus 4.85 by matty on 08-04-2010 at 12:58 PM

Do I smell another petition in the works?


RE: eset nod32 blocked messenger plus 4.85 by Menthix on 08-04-2010 at 02:56 PM

quote:
Originally posted by Eset's reply on a request for more detailed information
Dear Johan Brune,

I think your questions were already answered.
The recent version was tested. Testing the MsgPlusLive-485.exe resulted in Swizzor infection on a previously clean system. It was confirmed by the independent tester too (non ESET employee). Reverse engineering confirmed the recent executable has references to Sponsor (CiD).
The vendor's website contains misleading information. It states Messenger Plus! is freeware and 100% free. Freeware implies no optional malware and no third party sponsor components.
Sure the vendor can get more information, unfortunately we were not contacted by him yet.

Regards,

Daniel Novomeský
Virus Researcher
ESET spol. s r.o.

* Menthix summons Yuna/Patchou. Them contacting Eset directly may lead to something useful.

Eset has an interesting definition of freeware btw:
http://www.merriam-webster.com/dictionary/freeware
http://en.wikipedia.org/wiki/Freeware
http://definr.com/freeware


RE: eset nod32 blocked messenger plus 4.85 by Chrono on 08-04-2010 at 11:17 PM

Well, isn't it obvious that Patchou/Yuna should be contacting them? I thought they'd have done that right after Menthix noted all the issues :P

* Chrono slaps patchou/yuna around a bit with a large trout.


RE: eset nod32 blocked messenger plus 4.85 by Hank on 08-05-2010 at 12:06 AM

quote:
Originally posted by Chrono

* Chrono slaps patchou/yuna around a bit with a large trout.

And you wonder why Patch won't use your name for his kid :p

quote:
Originally posted by Chrono
Well, isn't it obvious that Patchou/Yuna should be contacting them? I thought they'd have done that right after Menthix noted all the issues :P

I dunno, but I would think Patch/Yuna would be better off contacting NOD32.

RE: eset nod32 blocked messenger plus 4.85 by Menthix on 08-05-2010 at 09:13 AM

Also see the discussion on the MalwareBytes forum (MalwareBytes is apparently blocking the Plus! site):
http://forums.malwarebytes.org/index.php?showtopic=57081

At least MalwareBytes is willing to show people what they see. I think we may have an explanation now:
http://forums.malwarebytes.org/index.php?showtopi...=findpost&p=295857


RE: eset nod32 blocked messenger plus 4.85 by Hank on 08-05-2010 at 09:36 AM

quote:
Originally posted by Menthix
Also see the discussion on the MalwareBytes forum (MalwareBytes is apparently blocking the Plus! site):
http://forums.malwarebytes.org/index.php?showtopic=57081

I clicked on the Malwarebytes forum by accident and thought DZ upgraded the forum to a new forum board :p

RE: eset nod32 blocked messenger plus 4.85 by vaccination on 08-05-2010 at 01:03 PM

quote:
Originally posted by Menthix
At least MalwareBytes is willing to show people what they see. I think we may have an explanation now:
http://forums.malwarebytes.org/index.php?showtopi...=findpost&p=295857

The guy in that thread is acting like an arsehole though. Glad I don't use their software.

RE: eset nod32 blocked messenger plus 4.85 by Chris4 on 08-06-2010 at 02:43 AM

I got the video working by installing this codec (not worth installing, unless you really want to).

MenthiX was right - he's downloading Messenger Plus! Live 4.85, but because he doesn't have Windows Live Messenger 8 or 9 on his test machine, the installer then detects he only has Windows Messenger 4 (which comes with XP) and it then downloads the old Plus! 3.63 version with the adware.

[Image: dLyNf.png]

[Image: Lxktr.png]

[Image: y2ASt.png]


RE: eset nod32 blocked messenger plus 4.85 by Hank on 08-06-2010 at 02:55 AM

My rule is "never argue with an idiot, otherwise bystanders can't tell the difference"... and it seems he is an idiot.

OT: talking about idiots, where's Discrate :p


RE: eset nod32 blocked messenger plus 4.85 by bilbobagins75 on 08-07-2010 at 05:06 PM

So can someone tell me, is it safe to download the current version with your virus software disabled and then re-enable it afterwards, or is there actually a problem with the software being infected?


RE: RE: eset nod32 blocked messenger plus 4.85 by Chris4 on 08-07-2010 at 11:11 PM

quote:
Originally posted by bilbobagins75
So can someone tell me, is it safe to download the current version with your virus software disabled and then re-enable it afterwards, or is there actually a problem with the software being infected?

Yes, Messenger Plus! Live is completely safe to download. It's not infected, just falsely detected by 1 out of 44 anti-virus companies (NOD32), which we're trying to resolve. If you're using NOD32, disabling it, installing Plus!, then re-enabling may do the trick; however it may falsely detect it in the future and result in Plus! disappearing, so I'd recommend adding Plus! to the safe list (if it has one) or using different anti-virus software.

eset nod32 blocked messenger plus 3.85 by questatmayne on 11-03-2010 at 01:16 PM

My NOD32 won't even allow it to install; I say ignore, then it said it must be terminated. First of all, what is the solution for this problem, and second, if I even succeed in installing it then Microsoft Messenger Plus Live is the company who must take full responsibility when I get a virus from this application. Messenger Plus should cancel the update they are offering and fix it so that I won't get a virus error. I use ESET NOD32.

NOD32 antivirus system information
Virus signature database version:    5587 (20101103)
Dated:    3. november 2010. a.
Virus signature database build:    20647

Information on other scanner support parts
Advanced heuristics module version:    1113 (20100827)
Advanced heuristics module build:    1223
Internet filter version:    1.002 (20040708)
Internet filter build:    1013
Archive support module version:    1111 (20100826)
Archive support module build version:    1256

Version:    2.70.39


RE: eset nod32 blocked messenger plus 4.85 by CookieRevised on 11-03-2010 at 01:37 PM

quote:
Originally posted by questatmayne
what is the solution for this problem

Disable NOD32, then redownload and install Messenger Plus!.

Messenger Plus! is safe and contains NO viruses at all. See this very same thread for the reason why NOD32 gives you these warnings.

;)

quote:
Originally posted by questatmayne
and second, if I even succeed in installing it then Microsoft Messenger Plus Live is the company who must take full responsibility when I get a virus from this application.

That's wrong though, in multiple ways.
First of all, Microsoft hasn't got anything to do with Messenger Plus! at all. Messenger Plus! is created by Yuna, which is not affiliated with Microsoft.

Second, it is your own responsibility if you want to ignore warnings from virus scanners etc. It is not the responsibility of the virus scanner's manufacturer, nor is it the responsibility of the creator of the software you're installing despite the warnings. Although, as said, there is nothing wrong with ignoring it in this case.

RE: eset nod32 blocked messenger plus 4.85 by Menthix on 11-03-2010 at 04:51 PM

quote:
Originally posted by questatmayne
messenger plus should cancel the update they are offering and fix it so that i won't get a virus error. i use eset nod32.

Yuna Software is in contact with people at Eset (makers of NOD32) to solve the issue. Unfortunately it is a very slow process. It is not a matter of canceling the update; NOD32 is flagging the installer of all recent Plus! versions.

Also note:
  • NOD32 classifies Win32/MessengerPlus as a "potentially unwanted application" (orange) and not as a "threat" (red).
  • Other security products which started flagging Messenger Plus! in the same timeframe as Eset already investigated the issue and confirmed Plus! is not insecure or malicious. See the reports from: Norton Safe Web, hpHosts and Malwarebytes.
  • NOD32 is the only known anti-virus product to have a problem with Messenger Plus!, dozens of other notable products all label it safe: VirusTotal MsgPlusLive-490.exe scanning results.

This is very annoying, but as long as the people at Eset don't change their mind there is nothing else you can do except for disabling NOD32 for the few minutes it takes to install Plus!. People at Yuna Software are already in contact with Eset too, but if you wish to complain to Eset you can reach them through this way: How to submit virus or potential false positive samples to ESET's labs


Temporarily disabling NOD32 will do, although it does take a couple more steps than Eset says it will.
  • Double-click on the NOD32 icon [Image: nod32-systray-icon.png] in the systray next to the clock in the lower-right of your screen. On Windows 7 in some cases the NOD32 icon is hidden behind the little up arrow next to the clock.
  • In the lower-left of the NOD32 window click 'Change' to toggle to 'Advanced mode'.
    [Image: nod32-change-display-mode.png]
  • Once you're in advanced mode, click on 'Setup' and then 'Antivirus and antispyware protection'.
  • You should see the status of all 4 of NOD32's components, click on 'Disable' under all 4 of these components.
  • Now you should be able to download Plus! and install it without any problem.
  • Once you are done you can delete the installer file and re-enable NOD32. Only the installer is flagged by NOD32, Plus! works fine once it is installed, even with NOD32 on its highest settings.


    [Image: nod32-disable-antivirus-and-spyware-prot...letely.png]