Messenger Plus now with new Spyware!


linuxdude32

Ugh, just finished removing all the spyware that came with this free add-on to MSN Messenger. The author claimed that it was innocent adware (a search toolbar) and the installer claimed it was optional but would help the author. Well, I'm not against adware per se and thought I could help. But right after it was installed, something kept insisting on changing settings related to IE every few minutes (Spybot would ask me whether it should be allowed). Alarm bells went off so I had Spybot Search & Destroy do a scan and it detected Coolwebsearch which adds a list of items to IE's favorites list and C2.lop which is a browser hijacker and porn dialer. :thumbsup: :) :rolleyes: Here's the Spybot info for C2.lop:

If security settings of IE are low, the TeenSex dialer is installed without asking the user. If not, then every few clicks a message box will pop up asking to install the direct access (means dialer). The user can choose to set lop.com as his IE start page by clicking a link to the bottom. A new lop.com dialer is also installed from <<website URL removed>>
I had used past versions (2.x) of Messenger Plus before without problem. I think it used to be called MSN Plus. I'm a smart guy and I fell for this probably because I trusted msnplus.net from past experience not to do this to me. Also, I downloaded it from Cnet and you'd think they'd know better. Evidently not. I don't know if the spyware would've been installed had I said 'no' but I'm not trying it again to find out. And I don't care if it would've been fine in that case. The very fact the author is willing to even offer this option shows what he's willing to do to make a living. I'm angry, embarrassed and resentful. I know that some people here will likely think I'm an idiot for having let this happen but I just thought I was helping the author for what was once a great product and I'll never trust them again. I'm willing to embarrass myself if it means a few people are helped into avoiding this mess. Thank space I had Spybot Search & Destroy on my machine, which actually has a memory resident component now. I can't recommend it highly enough. It saved my skin. Messenger Plus, however, is absolutely evil and I recommend avoiding it like the plague. For more info, do a Google search on it.
linuxdude32
This would do better in Security and Networking.... so I moved it. :thumbsup:
I was thinking that, but then I thought that the people who really need to know about this program might be people that would never look in Security and Networking and the warning is about a very popular Windows application. Is it possible to cross-post this to both?
ross549

Well, I did leave a link in Application Software... so we should get visitors here.... :P That being said, I think that most folks that visit here will most likely not be installing this particular piece of software anyway. :thumbsup:

linuxdude32
Well, I did leave a link in Application Software... so we should get visitors here.... :P That being said, I think that most folks that visit here will most likely not be installing this particular piece of software anyway. :lol:
Are you saying that there's already been a post about this? I tried looking for one before I posted. Or do you mean that security-conscious people wouldn't install it? Don't be too sure, I did and I'm very security conscious. I don't use auto-logins. I have my PGP passphrase memorised. I sweat when I accidentally leave a port open overnight, or heck, even an hour or two. I don't even use IE. This is one of the only times I've had spyware on my system. I can't remember another time I had spyware on my system, or at least one with which I was this absolutely repulsed! :w00t: And I used to be a frequent reader and contributor to this forum. Honestly, doc, one in a million, one in a million!!!! :(

Very interesting post, Jason.
1) While I'm not surprised that this MSN add-on would have adware (I don't use it, nor advise that others use it for that reason, and never tried it out because I rarely use Messenger-type applications to start with), I'm extremely perplexed that CWS and C2lop.com would be bundled along with it. :w00t: It doesn't make sense for the reasons that are obvious to us all, combined with the quoted box you include in your first post. Are you absolutely sure that you got these 2 things with Messenger Plus ? And I'm now wondering if this would now apply to MSN Extra which is being offered by a major ISP in Canada (Sympatico.ca)...
2) I have never received a pop-up from Spybot. What setting in that program do you think would have enabled this ? The reason I ask is that I had Spybot installed for the longest time, running on a manual basis along with Ad-Aware. I decided to remove it because updates were not as frequent as Ad-Aware, and scans never picked up anything for the last 6 months. I attribute this to SpywareBlaster. But if you say this setting warned you about two very critical pieces of scumware, then I might just put it back on again.
3) A fellow member in another forum I belong to, also mentioned in a PM about Spybot popping up alongside Startup Monitor (by Mike Lin) with similar warnings. I dismissed the SS&D warning, thinking she didn't interpret the dialog properly, and saying it doesn't do that. I have Startup Monitor too, and rely on it to warn me, as it does. I now owe her an apology/rectification, and a warning to others there. Awaiting your reply... Thanks !


No. Don't read too much into it. He was trying to say that through the link command he has left a link in the applications forum to this post. That way folks will see it in the applications section as well because when they click on it, it will bring them here. Most people on the forum are pretty security conscious. However, it sounds like this particular author is fairly devious. I for one, however, avoid anything with MSN in the name. They have not had the best reputation around. If it does not work on Firefox I don't use it. I only have IE on some computers around here to do the updates. :w00t: The first thing I delete on a computer is MSN. You are right that Spybot Search and Destroy is great. I have a disk I loan out to friends. It has Firefox, Thunderbird, Spybot and Zone Alarm on it as well as the Service Pack 2. It made the rounds a lot after SP2 came out and it has helped a number of friends and reduced their calls for help! :thumbsup: I'm glad to hear you traced it back to the source and were willing to share your experience here with us all! Thanks.

nlinecomputers

Phil, Spybot does have a setting that protects your IE settings from being changed. If you enable that and a program tries to add items to your zones or change your home page Spybot will pop up and tell you. (If you turn on the nag setting. It also can do so silently.)

linuxdude32
Are you absolutely sure that you got these 2 things with Messenger Plus ? And I'm now wondering if this would now apply to MSN Extra which is being offered by a major ISP in Canada (Sympatico.ca)...
I'm absolutely certain. It hadn't been installed seconds before Spybot S&D started having a heart attack. Plus, the message was from Spybot Monitor or whatever it's called that loads into the task tray (I'm not in Windows right now or I'd be more specific). I haven't used Spybot in quite a few months, only started using it again when I started using Windows for more than games about a month or so ago. This is a new feature since the last time I used it; it asks you in the install if you want to run it; it's a shield specifically for IE. Additionally, I did searches online to see if the spyware and msn plus were related (see my Google link in the initial post to check them yourself). It's those reasons that make me confident where the spyware came from - messenger plus. MSN Extra is something completely different. It's a premium service that Sympatico is offering, as you say. They partnered with Microsoft. It's pretty much what you see at http://sympatico.msn.ca but with extra content, email storage, etc. Nothing to do with this warning at all. Hotmail is hosted by MSN. It's a perfectly safe (though useless, in my opinion) service.
2) I have never received a pop-up from Spybot. What setting in that program do you think would have enabled this ? The reason I ask is that I had Spybot installed for the longest time, running on a manual basis along with Ad-Aware. I decided to remove it because updates were not as frequent as Ad-Aware, and scans never picked up anything for the last 6 months. I attribute this to SpywareBlaster. But if you say this setting warned you about two very critical pieces of scumware, then I might just put it back on again.
I can't recall the name exactly and the Spybot S&D website doesn't seem to have info on it (though maybe I missed it). IE Shield or IE monitor, something like that. If enabled, it sits in your task tray. I believe, though I'm not sure, that these scumware programs are enabled through ActiveX controls, so SpywareBlaster in itself might be enough protection since I believe it blocks them. I don't think it's a bad idea to have more than one spyware defense on your system though. I have it and AdAware on mine and I scan with both regularly, at least once a week. This is the first time it's caught something more serious than javabyte.verify.
3) A fellow member in another forum I belong to, also mentioned in a PM about Spybot popping up alongside Startup Monitor (by Mike Lin) with similar warnings.
Yep, that's what happened. Spybot checks for programs that try to put themselves in the Startup now, too. There's even a section in advanced where you can disable any startup programs you want. I'm probably going to send these guys some cash. I don't want them to quit making this program. :w00t:
linuxdude32
No. Don't read too much into it.  He was trying to say that through the link command he has left a link in the applications forum to this post.  That way folks will see it in the applications section as well because when they click on it, it will bring them here.
:-) That's good. The more people who see it the better.
Most people on the forum are pretty security conscious.  However, it sounds like this particular author is fairly devious.  I for one, however, avoid anything with MSN in the name.
I don't blame ya! Although, this is called Messenger Plus - used to be called MSN+ or msn plus, don't really remember. It's actually just a plugin to Microsoft's MSN Messenger program (the good messenger, not the one that causes people to get popups if they're not behind a firewall). I hate most Microsoft products but their IM client is actually pretty decent and at one time, messenger plus was too. The product itself might still be fine but the spyware that comes with it is awful stuff. And I should make it clear that messenger plus is not made by Microsoft.
I'm glad to hear you traced it back to the source and were willing to share your experience here with us all!  Thanks.
Thanks for letting me know it's appreciated, too. I know most people probably see this and think... what an idiot... but they basically took advantage of my past trust in them! :w00t:
ross549 Posted on Dec 12 2004, 05:46 AM   Well, I did leave a link in Application Software
Smooth move Ross. The more links to this issue, the better IMO. That's what Mods get 'paid' for, right ? :D
I think that most folks that visit here will most likely not be installing this particular piece of software anyway.
They certainly won't after reading this thread ! :D
This is one of the only times I've had spyware on my system.
Relax...It happens to the best of us 'security-conscious' types ! And may happen again, as more and more software writers are getting craftier every day... :lol: But you don't expect this to happen with M$-related apps. That's the part that's maddening.
Spybot does have a setting that protects your IE settings from being changed.
It's the "TeaTimer" function, if I'm correct, Nathan and Jason. What a strange name for a setting :( . (set the program to warn you that it's time for tea in England...Who cares ! I don't have tea in the afternoon. I prefer an ice cold Canadian beer, personally. :lol: ) More seriously, it must have a setting I set to monitor 'silently'. That's why I had no warnings from that app. My defaults will be changed in the future to allow pop-up warnings of this type. But I still don't like having 2 apps doing the same thing : there's a risk of conflicts (and misunderstandings), as mentioned in my earlier post concerning this other user. In any case, thanks again for everyone's comments ! :w00t:
ross549
Smooth move Ross. The more links to this issue, the better IMO. That's what Mods get 'paid' for, right :hmm:
We get paid???? :o Where's my check....? :)
linuxdude32

I discovered that it was called teatimer in the process list. :hmm: Truly bizarre. I'm sure there's a story behind that but not really sure I'd find the story that interesting. I do drink tea though I prefer Diet Pepsi (it's my fave) but never once has it told me it was tea time! I feel like I've been ripped off now! :) Why, it's enough to.... to....to.... drive a man to drink! Ross: Of course you get paid, in gummy bears. A shipment is on its way. Make sure your front step is clean when the dump truck arrives :o


Why doesn't this whole thread surprise me? :) Oh, I know! It's all those times I've had to help people remove Wild Tangent and WeatherBug from their systems that they got when they installed AOL Messenger...and failed to read the fine print about opting out of these spyware add-ins. :hmm:

linuxdude32
Why doesn't this whole thread surprise me? :hmm: Oh, I know!  It's all those times I've had to help people remove Wild Tangent and WeatherBug from their systems that they got when they installed AOL Messenger...and failed to read the fine print about opting out of these spyware add-ins. :o
Fine print or not, they shouldn't have included that kind of spyware. It has a porn dialer in and yes, I didn't read the fine print, but I took the developer's word that it was adware, not spyware. People don't have time (or reading ability in many cases) to read EULAs written for lawyers. Besides, I've done that before with a previous version of the software. This is something new that the developer is doing. And I doubt very much the fine print said there was a porn dialer included in it but I might be wrong. Like you, Jeber, I used to blame the user until it happened to me. You've seen my posts; I'm not a dumb guy. It's social engineering - using trust and depending on people's good will to exploit them. Unless you read every license agreement completely for every software product you install, how can you be sure it won't happen to you? I already blamed myself in the beginning, there's no reason to rub it in. :)
ross549
Ross: Of course you get paid, in gummy bears. A shipment is on its way. Make sure your front step is clean when the dump truck arrives :hmm:
Uhhhh..... I don't have a front step. I live in the barracks on base! :) :o

Jason, I hope you didn't think I was suggesting you were at fault. I was trying to make the point that even the "big names" are taking part in this less-than-proper behavior. It's a form of social engineering. They count on the fact that once we trust a product or company, we won't bother to look too closely at the EULA. It's a disturbing trend, and one I hope does not start to spread, or else soon we'll need to have our lawyers reviewing software agreements for us before we dare download anything.

Guest Paracelsus
...and WeatherBug from their systems that they got when they installed AOL Messenger
WAIT A MINUTE!! That must be the free version of WeatherBug. I have the licensed version, and no Spyware detector I've ever used has ever given a blip referring to WeatherBug. I've also used AIM without incident. :unsure:

Interesting!! You're the 1st person I've ever heard of that didn't have a problem with WeatherBug Paracelsus. Course you are also the 1st person I've ever heard of that paid for it so that must be the difference. I've never had a problem with AIM installs on any of my kids machines or my own as far as spyware. I have found WebTangent on some of theirs but they got it from playing web games online. But ZoneAlarm controls its web access.

linuxdude32
Jason, I hope you didn't think I was suggesting you were at fault.  I was trying to make the point that even the "big names" are taking part in this less-than-proper behavior.
Yeah, sorry, Jeber. I'm a little sensitive. :w00t: Still smarting from it, I guess.
It's a form of social engineering.  They count on the fact that once we trust a product or company, we won't bother to look too closely at the EULA.  It's a disturbing trend, and one I hope does not start to spread, or else soon we'll need to have our lawyers reviewing software agreements for us before we dare download anything.
Exactly. If the EULAs were written for regular people or they had a translation for us, it wouldn't be so bad. :lol: Maybe there needs to be a EULA certification body - this program meets ethical standards of not spying on you, screwing up, slowing down your system or eating all the food in your cupboard!
  • 4 weeks later...

Hello all, my first post here. Long time reader of Scots newsletter tho. With regards to MessengerPlus! versions. As far as I know it has been coming with adware in it since before I DLed it a couple of years ago. It was version 2-something or other. It had adware installed when I DLed, I had not read the EULA properly, which the creator Patchou, kind of counts on, and does not care if you do or not. The more recent versions have become a bit more difficult to remove the LOP infection present. In some cases, it has to be uninstalled, reinstalled and then reinstalled again!! Here are a couple of links regarding MessPlus! along with some quoted commentary from the creator. http://66.102.7.104/search?q=cache:gzzNp1P...ywareinfo&hl=en Having been doing many HijackThis logs the last year or so, I can attest that most users don't realise what they are in for. And most all are amazed when the adware is pointed out. But of course the lesson learned here is always read the EULA. Except if it's a Claria\Gator product, and you have nothing to do for a few hours. Their EULA is approximately 6000 words long. On another subject related to Spybot v 1.3. Here is some info about How Tea Timer works. And I have a page someplace on why it's called TeaTimer, but at the moment it eludes me where I have it at. So, in a nutshell, I would strongly advise against helping to promote MessPlus!3 even if you choose to DL it without the adware. This guy creates way too much trouble with those who are not overly cautious.

linuxdude32

Welcome to the forum, Temerc! And thanks very much for the useful links. I wish I had read the first one before installing Messenger Plus. It took me about a couple of hours figuring out what happened and fixing it. As far as I'm concerned Patchou has gone over to the dark side taking blood money from the lowest of the low and I'll never use his software again or anything he's involved in.

That's a great find, thanks for sharing that.
I'm new here so I thought I'd share the URL but Sandi has been hammering this subject for a while - nasty stuff. ;) Glad to contribute! Regards, Silj

Thought I would share this with you all regarding MessPlus!. It was posted by Webhleper, a man who does amazing things to expose the most notorious group on the web who are responsible for CWSI and VX infections. Read his website, it's amazing. From the link I originally provided:

Not only is the Messenger Plus! Sponsor the malware commonly known as lop.com, the Msgplus forums have recently been advertising Gator products, and have also advertised funwebproducts. That's quite a trio.
Webhlepr replies:
I think they are more than just a sponsor as I stated before in other postings. msgplus.net whois: Cyril Paciullo owner of msgplus.net PO BOX 1113 SHALIMAR, Florida 32579 In the Florida state corporation database for lop.com gangs secure software Inc. You will notice that Cyril in the whois uses Alex Shamash's P.O box of 1113 that is used by Shamash for the Corporation info http://www.sunbiz.org/scripts/cordet.exe?a...URESOFTWARE&r5= Officer/Director Detail Name & Address Title SHAMASH, ALEX PO BOX 1113 SHALIMAR FL 32579 LUCAS, JASON PO BOX 33O SHALIMAR FL 32579 CYRIL, PACIULLO 105 PLACE DU COLLEGE #8 LONGUEUIL, QUEBEC 00 J4J-1-G3 CA D To me if a person is a partner in a corporation and also installs the adware from the group in the corporation then he is not a sponsor but a partner also directly responsible for infesting users as he makes money from the corporation as does the rest of lop.com with the adware installs and hijackings to lop.com pay per click search engine site.
For some amazing reading about the Transponder gang: http://www.webhelper4u.com/ His page is in need of updating, and will be done soon. And here is an article which Webhleper provided most of the info on: http://www.msnbc.msn.com/id/6689667/site/newsweek/ If this is too off topic, mods may split off. TeMerc

TeMerc I've forwarded your additional information to MVP Sandi :D She will find the information quite interesting, I'm sure. Thank you! Regards, Silj

James M. Fisher
TeMerc I've forwarded your additional information to MVP Sandi  :D She will find the information quite interesting, I'm sure. Thank you! Regards, Silj
That should make for interesting reading, Randy! :)