Microsoft Antispyware incorrecting flagging Messenger Plus! Keys and Program Files

R

Robert Pendell

Here is a list of keys and program files that it is incorrectly flagging.
In effect it scares people from using this addon for MSN Messenger. Oh and
I even put in the message that it infinite loops when you either try to run
the installer or if you run the actual program file after installation.

For the installer I can understand the warning although the infinite loop
kinda needs to be corrected. Once you check the box then it finally lets it
go. Actually you have to re-run the installer but beside the point.
MsgPlus.exe though shouldn't be flagged at all with the same exact message.
I mean what is the point. It is installed already.

Bad Warning
This warning displays when attempting to run either MsgPlus-354.exe or
MsgPlus.exe
It shouldn't be shown for either. Especially MsgPlus.exe because the
application is already installed!

Warning, Messenger Plus! Software Bundler is trying
to Install!

Microsoft AntiSpyware has detected the threat Messenger Plus! trying to
install itself on your computer. The file trying to run
(C:\Downloads\MsgPlus-354.exe) has been blocked from running. If you would
like to allow Messenger Plus! continue running click the 'Allow' button
below.

Name: Messenger Plus!
Type: Software Bundler
Threat Level: Moderate
Author: Patchou

Description: Messenger Plus! is an add-on for MSN Messenger that is bundled
with third-party adware programs.

Advise: Moderate-risk items have some potential for adverse effect, but may
be part of a wanted service. Users may decide to ignore such programs after
review. Because this application gives you the option to not install the
adware that comes bundled, we recommend ignoring it.

About Software Bundler: A program that installs other potentially unwanted
software, such as adware or spyware. The license agreement of the bundling
program may require these other components in order to function.

Message Appears Multiple Times (infinite loop until ignored)


Bad Detection of spyware. Items requested for removal from Microsoft
Antispyware.
Files:
Installed to Installation Folder:
msgplus.exe
MsgPlusH.dll
MsgPlusLoader.dll
Resources\MsgPlusRes.dll
RichEdHook.dll

Installed to Windows\System32:
MsgPlusLoader.dll

Legitimately Downloaded Files:
MsgPlus-354.exe (Add-on installer) -- Flagging as Bundle may be correct for
this file


Registry Keys:
HKEY_CURRENT_USER\Software\Patchou\MsgPlus2
All Keys, Values, and Sub-Keys below this point (exact keys vary upon
installation)
Purpose: Stores preferences for this addon applicable to the currently
logged in user

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MsgPlus.Encrypted
All Keys, Values, and Sub-Keys below this point
Purpose: Class Definition for Encrypted Logs feature of this addon

HKEY_LOCAL_MACHINE\SOFTWARE\Patchou\MsgPlus2
All Keys, Values, and Sub-Keys below this point
Purpose: Stores preferences for this addon applicable to all users of the
system.

Basically I would like to see Messenger Plus! removed from the list of
software bundles in MSN Antispyware. It's program files and registry keys
once the program is installed should not be flagged at all. Anything
relating to C2 Lop though should continue to be flagged. The installer
itself (which is named MsgPlus-354.exe in this message) may continue to be
flagged as there is still potential for the spyware to be installed.
However the infinate loop condition I got should be fixed as soon as
possible.
 
P

plun

Robert Pendell formulated a lot of rubbish about Messenger plus:
Basically I would like to see Messenger Plus! removed from the list of
software bundles in MSN Antispyware.

Basically I would see Messenger Plus removed as software !

Write to Patchou and tell him to make it clear for all users
what it mean with C2 Lop !

And Patchou makes a lot of money out of all users missing this
without sponsor program choice during install.

IMHO
 
R

Robert Pendell

I really think it is quite hard to "accidentally" install this spyware
program. For one I think it is quite clear (while it might be harsh
wording) that the disagree bit makes it so that the program still installs
but without the spyware. Another thing is that there is _no_ default
selection on that screen. The next button is grayed out so a selection has
to be made. I have never missed it the point of that screen and I am one of
millions that never read the EULA of any software.
 
P

plun

Well,this is a program which also a lot of kids/teenagers using
and for sure they don´t understand what a "sponsor program" is.

This is a real hijack nothing else.

Pathou must make this clear and also it MUST be a working uninstaller
for all circumstances. Remove this "shit".
And I really hope that MSN Messengers engineers can get rid of this
parasite one time for all, it´s enough with LOP "infections" !
 
R

Robert Pendell

Well the uninstaller works fine. As long as MSAS doesn't screw it up. When
MSAS tries to remove C2 Lop it screws up any chance of getting a clean
removal. Most spyware have a way of getting it removed cleanly. Just look
at a spyware infested computer sometime that hasn't had a spyware cleaner
used on it yet. It may have a lot of spyware but I bet that at least 75% of
all of it can be removed cleanly. I had a friend like this. I was able to
get rid of everything myself using Add/Remove Programs except for the stupid
program that was the downloader for all of this spyware.

BTW, Some programs require that you visit the website for the company that
produced the software in order to get the uninstaller. A little research
will show that if the item doesn't show in Add/Remove Programs. Then the
uninstaller may require one more visit.

The uninstaller bit is up to the manufacturer of the software. Pending that
something else doesn't mess with it then all should be well. C2 Lop can be
removed independent of Messenger Plus so it isn't really attached to it.
Not like Kazaa or the like where the spyware is integrated directly into the
interface.

Might also want to take a look at this petition that Patchou is planning on
sending to Microsoft.
http://www.msgplus.net/petition.php

Looks like I got my electronic signature in just in time. No more entries
are being accepted.

Oh and the infinate look happened again when it flagged TightVNC (remote
control software). The flagging was correct and I ignored it but the
infinite loop continued until you ticked the checkbox so it is definately a
big bug.
 
P

plun

Hi

If you want to use Messenger Plus why don´t you pay for it ?
Send Patchou a dollar or two !

Or do you mean that users without knowledge about sponsors programs are
paying Patchou with AD and you will have a "free ride " ?

Messenger Plus are for me dead and I hope that MSN Mess team also
blocks
this parasite in coming versions.

--
plun


After serious thinking Robert Pendell wrote :
Well the uninstaller works fine. As long as MSAS doesn't screw it up. When
MSAS tries to remove C2 Lop it screws up any chance of getting a clean
removal. Most spyware have a way of getting it removed cleanly. Just look
at a spyware infested computer sometime that hasn't had a spyware cleaner
used on it yet. It may have a lot of spyware but I bet that at least 75% of
all of it can be removed cleanly. I had a friend like this. I was able to
get rid of everything myself using Add/Remove Programs except for the stupid
program that was the downloader for all of this spyware.

BTW, Some programs require that you visit the website for the company that
produced the software in order to get the uninstaller. A little research
will show that if the item doesn't show in Add/Remove Programs. Then the
uninstaller may require one more visit.

The uninstaller bit is up to the manufacturer of the software. Pending that
something else doesn't mess with it then all should be well. C2 Lop can be
removed independent of Messenger Plus so it isn't really attached to it. Not
like Kazaa or the like where the spyware is integrated directly into the
interface.

Might also want to take a look at this petition that Patchou is planning on
sending to Microsoft.
http://www.msgplus.net/petition.php

Looks like I got my electronic signature in just in time. No more entries
are being accepted.

Oh and the infinate look happened again when it flagged TightVNC (remote
control software). The flagging was correct and I ignored it but the
infinite loop continued until you ticked the checkbox so it is definately a
big bug.
 
T

Tim Jensen

Messenger Plus! is a harmless program, and those who are installing it
should know, and are explicitly told, that there is additional content
downloaded and installed IF and ONLY IF the sponser program is selected.
Inexperienced users that go through installations without knowledge of what
they are installing get what they deserve. If you don't like the sponser,
dont install it. You are attacking a legitimate software company, that gets
its funds from voluntary donations. Spyware should be labled as such, and
the user warned accordingly, however MSAS should be able to differentiate
reliably between sypware and harmless patch programs. I agree with the
warnings about the installation package, but specify the unwanted
adware/spyware! This will tell users what comes with the package. Also, I
would love to see the description updated. Should not the software
companies have a say about what is told to the user about the 'potential
threats' in their programs? Or is this a commentary written by Microsoft on
the programs, and what they 'might' do.

I dont care if you do or do not like 'Messenger Plus!', but at least keep
the integrety of MSAS by telling the whole truth.

EMist
 
R

Reko Turja

Tim Jensen said:
Messenger Plus! is a harmless program, and those who are installing
it should know, and are explicitly told, that there is additional
content downloaded and installed IF and ONLY IF the sponser program
is selected.
//snip

I dont care if you do or do not like 'Messenger Plus!', but at least
keep the integrety of MSAS by telling the whole truth.

I've been cleaning this pest from several computers now and then, and
I have to disagree strongly with your opinion. For the first time
somebody installs MSN+ the installee can avoid the additional payload
included with it. *However* with the MSN+ updates which seem to be
mostly automatic the payload will be installed automatically,
regardless what was originally chosen at installation time. So
initially the malware can be avoided, but any update will install all
of it.

So IMNSHO the inclusion of MSN+ is quite well grounded and there's no
need to have it's status changed...

-Reko
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top