Originally posted by Lou
Perhaps they're testing this by installing over a previous installation that already had the CiD sponsor? In that case they would obviously get a false positive because it's not even from the same installer
Would sound unlikely. I would assume they do automated testing on clean VMs.
It is definitely a CiD uninstaller though. Installed the old 4.60. When you install that version with the CiD sponsor it creates an uninstall.exe in C:\Program Files\Circle Development\. That file looks a lot like what Eset claims they are seeing:
4.60 CiD uninstaller: http://www.virustotal.com/analisis/d9fd774108d289...5be03e1-1280921456
Eset's mysterious find: http://www.virustotal.com/analisis/79bf7f8085018d...d57936d-1280301607
But even if you would...
- Delete the uninstall.exe file from the old version (while keeping CiD installed)
- Download and install the latest plus! version
- Try to remove CiD through Plus' uninstaller
...that won't cause the current Plus! version to download the CiD uninstaller either. It just makes Plus! say "CiD is installed but the uninstaller is corrupted. Install the CiD again to fix".
So what would explain the detection?
- Eset is ignorant and is classifying everything they recognize as Messenger Plus! as being bundled with CiD, based on an old version. Even though newer versions don't bundle with CiD.
- Eset's testing methods are malfunctioning like Lou suggested.
- Or some code in the current Messenger Plus! version could still download/contain the uninstall.exe Eset refers to even though it is unused. After all, some of the other CiD uninstall functionality is still there too. Perhaps there's something which ticks Eset's stuff off even in the latest version.
The annoying thing is Eset isn't clear in telling exactly what they're basing their detection on. Perhaps someone else can try to get some sense out of them: How to submit virus or potential false positive samples to ESET's labs. As long as Eset doesn't tell what their problem is Yuna can't exactly fix it either. Damn annoying, because I'm using NOD32 myself too and using Plus! installers all the time.
Tip: when sending them MsgPlusLive-485.exe, rename it to something like MsgPlusLive-485.bak before zipping and (optionally) password protecting it. GMail won't allow you to send a zipped .exe, even if you password protect the .zip.