Microsoft Antispyware incorrectly flagging Messenger Plus! Keys and Program Files

Robert Pendell

Here is a list of keys and program files that it is incorrectly flagging. In effect it scares people from using this addon for MSN Messenger. Oh and I even put in the message that it infinite loops when you either try to run the installer or if you run the actual program file after installation.

For the installer I can understand the warning although the infinite loop kinda needs to be corrected. Once you check the box then it finally lets it go. Actually you have to re-run the installer but beside the point. MsgPlus.exe though shouldn't be flagged at all with the same exact message. I mean what is the point. It is installed already.

Bad Warning
This warning displays when attempting to run either MsgPlus-354.exe or MsgPlus.exe
It shouldn't be shown for either. Especially MsgPlus.exe because the application is already installed!

Warning, Messenger Plus! Software Bundler is trying
to Install!

Microsoft AntiSpyware has detected the threat Messenger Plus! trying to install itself on your computer. The file trying to run (C:\Downloads\MsgPlus-354.exe) has been blocked from running. If you would like to allow Messenger Plus! continue running click the 'Allow' button below.

Name: Messenger Plus!
Type: Software Bundler
Threat Level: Moderate
Author: Patchou

Description: Messenger Plus! is an add-on for MSN Messenger that is bundled with third-party adware programs.

Advise: Moderate-risk items have some potential for adverse effect, but may be part of a wanted service. Users may decide to ignore such programs after review. Because this application gives you the option to not install the adware that comes bundled, we recommend ignoring it.

About Software Bundler: A program that installs other potentially unwanted software, such as adware or spyware. The license agreement of the bundling program may require these other components in order to function.

Message Appears Multiple Times (infinite loop until ignored)


Bad Detection of spyware. Items requested for removal from Microsoft Antispyware.
Files:
Installed to Installation Folder:
msgplus.exe
MsgPlusH.dll
MsgPlusLoader.dll
Resources\MsgPlusRes.dll
RichEdHook.dll

Installed to Windows\System32:
MsgPlusLoader.dll

Legitimately Downloaded Files:
MsgPlus-354.exe (Add-on installer) -- Flagging as Bundle may be correct for this file


Registry Keys:
HKEY_CURRENT_USER\Software\Patchou\MsgPlus2
All Keys, Values, and Sub-Keys below this point (exact keys vary upon installation)
Purpose: Stores preferences for this addon applicable to the currently logged in user

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MsgPlus.Encrypted
All Keys, Values, and Sub-Keys below this point
Purpose: Class Definition for Encrypted Logs feature of this addon

HKEY_LOCAL_MACHINE\SOFTWARE\Patchou\MsgPlus2
All Keys, Values, and Sub-Keys below this point
Purpose: Stores preferences for this addon applicable to all users of the system.

Basically I would like to see Messenger Plus! removed from the list of software bundles in MSN Antispyware. Its program files and registry keys once the program is installed should not be flagged at all. Anything relating to C2 Lop though should continue to be flagged. The installer itself (which is named MsgPlus-354.exe in this message) may continue to be flagged as there is still potential for the spyware to be installed. However the infinite loop condition I got should be fixed as soon as possible.
 
AndyManchesta

Hi Robert

I agree infinite loops should be fixed; if the user allows
things it should remember the setting.

The problem with Messenger Plus is LOP like you point out
but it's the way they hide this that causes concern and in
my view should be removed by MS Antispy until they make
this part clearer. The setup screen can be easily
overlooked then the system gets infected with LOP. A lot
of users will either miss the warning on the setup file
because of the way it's written or will not understand
that the sponsor program is really the LOP infection.

For anyone who doesn't know about the setup file and the
way it's written check this screenshot:

http://andymanchesta.com/MSAS/MP3.54.jpg

A simple 'I refuse,' or a 'no thank you' would have
sufficed, or even better, something like the following,
which avoids harshness or bad feeling:

"Yes please, install Messenger Plus! with the sponsor
program."

"No thank you, install Messenger Plus! without the
sponsor."

The truth is Patchou wants people to install the sponsor
program so that's why it's written this way. Give it 5
minutes into the sponsor program running you will then
start getting pop-ups for rogue antispy products which
display "Your system is infected, Scan your pc for free"
warnings so some younger users may fall for this and end
up with a lot more problems than just LOP. The Sponsor
Program is also what it advertises, where it leads people
and what it encourages people to install.

Messenger Plus!, if installed to include the 'sponsor
program', will install adware that generates pop up
windows. The Sponsor Program will also change your home
page, your search engine settings, place links in IE
favorites and place more links on your desktop. The
search toolbar that is installed cannot be turned off.
The pop up advertising windows will appear even if you
are running IE's pop-up blocker. This is because the
Sponsor Program adds its advertisement URLs to the pop-up
blocker exclusion list.

In addition, if you change your IE settings back to your
original preferences this is what will happen (copied
from EULA):

"If you change your home page, search page or default
error page after installation of the Software, a Pass-
Through Toolbar will be installed at the bottom of your
web browser and shall remain active as long as the
Software is installed"

Here's a quote from Patchou about this:

"yes, it could be redesigned to warn you better but then,
nobody would install it, let's be honest"

Well, at least he has been honest about his install
(income) concerns, though I must wonder why he continues
to offer something that 'nobody would install' if they
were fully informed?

I'm with MS Antispy on this one but I appreciate it's a
matter of opinion and your view may be shared by some
people at Microsoft. I know Patchou was invited to
Redmond for talks with MS, as Patchou says:

"MSN is currently looking for ways to work together with
me to give MSN Messenger users the best possible IM
experience, the MSN Messenger team has invited me to
their headquarters in Redmond for a series of
introductory meetings. I'll be there for a couple of days
to explore common business opportunities which might
exist between our two companies. MSN and I reiterate the
fact that the purpose of the visit is not to shut down
Messenger Plus! nor to buy it"

He then signed a nondisclosure agreement so the results
of this meeting will stay secret until MS feel ready to
reveal more on this so you may get your wish :)

Regards

Andy
 
Robert Pendell

Yea. But I still think Messenger Plus! in itself shouldn't be flagged. The
installer is fine but not the program itself...
 
dread

Ms antispyware is incorrectly flagging messenger plus. Ms antispyware
removes messenger plus and leaves the adware. Read this for more
information http://www.msgplus.net/petition.php. The petition has been sent.
401,683 signatures.
10,137 pieces of paper.
110 pounds or 50 kilograms.
33 feet or 10 meter high.
Lol.
 