Spyware Warrior

[Stovnet]

Hi

On the next reboot following the recent update to Messenger Plus! 3.20.100 I ended up with a bunch of spyware/adaware/browser hijackers. It turned out to be the LOP spyware and/or the CoolWWWSearch.smallM spyware. It infected both computers on my network. I run spybot, adaware, spywareblaster very regularly and keep them completely up-to-date. I also use Winpatrol and HijackThis as seems fit. I also subscribe to Spysweeper, and Norton Internet Security and Antivirus 2003.

These rotten little pests put a bunch of links in my favourites of both internet explorer (also that and XP completely up-to-date) and Firefox and on my desktop, plus hijacked my homepage and put a toolbar in IE explorer. It took me about two hours to get rid of everything from both computers.

The only program that had been recently downloaded was the update to Messenger Plus!, which occurred separately on both computers. I do not run a server. Both are connected with some basic file sharing privileges, but though a hardware firewall.

Neither Spysweeper or Norton prevented this spyware stuff happening. Both spysweeper and Winpatrol alerted me to the change of my homepage browser. Additionally Winpatrol alerted me to a program called Chic 4.exe that was loaded to start up. However, even though I said no, chic 4.exe kept getting Winpatrol's attention. I found other new directories that had just appeared in my program files directory called Blah Lies, Third Load Pop and Trymedia. None of my programs decided any of the *.exe files in these were a problem. Chic 4.exe was in Blah Lies.

Spysweeper found the lop spyware stuff, and spybot found coolWWsearch in that order. None of these programs thought chic 4.exe was a problem file, even though on subsequent reboots it kept getting Winpatrol's attention. I did the various sweeps in safe mode.

Anyway, I guess you are all asleep now, but I had a similar experience to this one other time (the only two times I have had trouble with spyware) and if my memory serves me correctly, the last time was when I downloaded an update to Messenger Plus!

Has anyone else had this problem?

Microsoft simply said, it wasn't them, and suggested I get some anti-spyware programs.

Any comments?

Regards
Stov
_________________
Stov

[TeMerc]

Hi Stovenet, and welcome to the forums. Nah, we ain't all alseep.

MessengerPlus!2 and 3, have been coming with bundled adware for some time now. It does for the most part, tell you about the bundled adware, of course, it doesn't tell you about the malware, LOP, that it also installs.

We in the security arena/forums have debated this issue with the creator of MessPlus!, but to no avail, he's more interested in the money he's making.

Sadly, not much we can do, just recommend the app not be used or supported. Worse yet, its a nice app.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog

[Stovnet]

Hey thanks for that. It explains a lot.

I checked out some of your recommendations, and added the hosts file and iespyad to my repertoire. What a load of stuff there seems to be to beat these turkeys that do this stuff.

I've noticed that since installing ie-spyad that spywareblaster has a number of its resticted sites disabled afterwards. Is this because uninstalling the previous version of ie-spyad has uninstalled some of those that spywareblaster had.

I also noticed in the last cleanup with LOP etc that it also added itself to my trusted sites in IE.

They are rich aren't they. When will antispyware etc laws hit the streets for these corporations.
_________________
Stov

[wawadave]

[herbalist]

[Stovnet]

Hi

I appreciate everyone's help, and the HOST file certainly stopped me getting into the msgplus site. I, nevertheless, decided to have a look at what the msgplus makers said about this spyware (by over-riding the host file settings), and they certainly had some stuff to say. Anyways, I decided to risk uninstalling and reinstalling as per msgplus's instructions, including this time, to make sure I refused to download the sponsor's (C2 media which translates to LOP spyware) stuff.

After the reinstall, I then visually checked various directories, and ran a complete sweep using my Spysweeper and Spybot (all completely up-to-date) and found not a single trace of anything untoward. Plus through all this I had (and of course still have) Spywareguard and Winpatrol running, and use Adaware and Spywareblaster.

Therefore, unless there is something obvious I am missing, it seems to me that using msgplus is just fine, AS LONG AS, when installing the option to REFUSE the sponsored downloads is taken.

At no point did spysweeper or winpatrol decide anything untoward was happening. They, of course, told me that msgplus was now going to run at startup if I said "yep", which I did.

Looks like not reading the fine print got me here. I've certainly learnt now to pay much more careful attention to the EULA.

Regards
Stephen
_________________
Stov

[Moore]

http://www.wilderssecurity.com/showthread.php?p=170026
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |

[Bubba]

Knowing Messenger Plus gives the option during install to NOT add the sponsor program by C2Media....still causes me a little heartburn. However....hopefully Patchou will be able to cover his costs some other way someday instead of having to use C2Media.

On the other hand....if a user Ops out of the plainly seen option to not install the sponsor program....it then and only then does not install the search bar for IE.