Patchou: You are an <insert unflattering description here> - Part 4

Details of installation environment.

Standard Windows XP Service Pack 2, running IE6 and the inbuilt pop-up blocker.

The pop-ups successfully evade Internet Explorer's pop-up blocker because of the following entries added by the Sponsor Program to the Pop-Up Blocker settings:

 

Not only does the Sponsor Program deliberately bypass XPSP2 protections, the pop-ups that appear via said bypassing, more often than not, try to download software onto your system.

The EULA

"The use of a third-party uninstaller or anti-spyware program may damage the Software and/or otherwise constitute a violation of this license.... You agree that you will only uninstall the Softrware from your computer by following the instructions set forth above and you will not initiate, permit, authorize or assist any third party or application to remove the Software from your computer, or disrupt its operation or the operation of any other user."   This means we are not allowed to use AdAware, Windows Defender, Spybot or any other third party product to remove the Sponsor Program.

Interestingly the EULA says "The added bookmarks...may be removed manually".  Not on my system!!  They do not appear in "Organize Favorites", or Windows Explorer, and right click of the Sponsor added Favorites is disabled in IE.

Another entry in the EULA - "If incorrect host-file entries are detected for this Software's related domain names, those entries will be removed in order for this software to function properly".  This means that a protective HOSTS file, such as that available from http://www.mvps.org/winhelp2002/hosts.htm is neutralised.

Then there's this:

"You represent and warrant that you are at least 18 years of age and that you are the owner or are authorized by the owner of this computer to download and install software on this computer...you agree to provide a copy of CiD's Privacy Policy and this Agreement to any users of this computer and obtain their consent to this Agreement and the Privacy Policy...unless you can legally accept this Agreement on behalf of all other users of this computer."

And:

"You hereby grant your explicit approval for this software to communicate from this computer system through your software firewall or hardware routing system (if present) with CiD's host network.  For users of Windows XP Sp2 this softwares [sic] host domain names will be added to your web browsers [sic] list for popups....your firewall or router may not prompt you for communication access once this software is installed."

Summary: The Sponsor Program deliberately bypasses XPSP2's pop-up blocker; it removes protective entries from HOSTS files; and it *may* edit your firewall settings to grant itself unfettered access to and from the net (blocked on my system by Group Policy). Older, vulnerable operating systems, or systems running with lowered security settings, will be infected with additional malware products automatically. You won't just get the "Sponsor", you'll get the Sponsor and lots of other crap.
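An added example, not part of the original post: one way to detect the HOSTS-file tampering the EULA describes is to compare the current file against a saved copy of the protective one and report which blocked names have disappeared. The hostnames are constructed placeholders and the function names are hypothetical.

```python
"""Report protective HOSTS entries that vanished since a known-good baseline."""

SINKHOLES = {"127.0.0.1", "0.0.0.0"}  # addresses a blocking HOSTS file points unwanted hosts at


def parse_blocked(hosts_text):
    """Return the set of hostnames a HOSTS file maps to a sinkhole address."""
    blocked = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINKHOLES:
            continue
        for name in fields[1:]:              # one line may carry several hostnames
            name = name.lower().rstrip(".")  # hostnames are case-insensitive
            if name != "localhost":
                blocked.add(name)
    return blocked


def removed_blocks(baseline_text, current_text):
    """Hostnames blocked in the baseline but no longer blocked now, sorted."""
    return sorted(parse_blocked(baseline_text) - parse_blocked(current_text))


def group_by_domain(hostnames):
    """Group names by their last two labels (a naive heuristic, wrong for e.g. co.uk)."""
    groups = {}
    for host in hostnames:
        groups.setdefault(".".join(host.split(".")[-2:]), []).append(host)
    return groups


# Constructed sample data: example.* names stand in for real entries.
BASELINE = """\
127.0.0.1  localhost
127.0.0.1  ads.example.net   # ad server
0.0.0.0    popups.sponsor.example  dl.sponsor.example
127.0.0.1  TRACK.example.org
"""
CURRENT = """\
127.0.0.1  localhost
127.0.0.1  ads.example.net
# 0.0.0.0  popups.sponsor.example   (commented out, so no longer blocked)
127.0.0.1  track.example.org
"""

if __name__ == "__main__":
    for domain, hosts in group_by_domain(removed_blocks(BASELINE, CURRENT)).items():
        print(f"{domain}: block removed for {', '.join(hosts)}")
```

Run it from a scheduled task against a read-only copy of the baseline; a non-empty result concentrated on one domain points at software unblocking its own servers.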

Published Saturday, April 08, 2006 1:46 AM by sandi

Comments

# re: Patchou: You are an <insert unflattering description here> - Part 4

How the *** do I get RID of it?!?!?!?!


HELP ME!!!!

Wednesday, May 03, 2006 4:34 PM by Sane user forced to endure morons using computer

# re: Patchou: You are an <insert unflattering description here> - Part 4

Try uninstalling Messenger Plus!. That may remove the Sponsor Program.

There was a bug in the Messenger Plus! sponsor program that was, under some circumstances, preventing the removal of the Sponsor Program. It may help to download the latest version of Messenger, install with Sponsor Program and then uninstall Messenger Plus! Apparently the latest version of the Sponsor Program has been updated to remove this bug, but I do not yet have independent confirmation of this.

The Messenger Plus! uninstall windows DO NOT mention this, but it is essential that all other programmes be shut down during uninstall, especially Internet Explorer. Use Task Manager to ensure that no iexplore.exe processes are running before attempting an uninstall of Messenger Plus!. Also, anti-adware programmes, antivirus programmes and other protective software that actively monitor a computer system can interfere.

lop.com (the Sponsor Program) does not only come from Messenger Plus! There is a slim chance that if your system is infected with lop, it may be a version that did not come from Messenger Plus! (granted, it is a remote chance, but something to keep in mind). In such circumstances uninstalling Messenger Plus! will not do any good at all.

Sometimes the lop.com provided uninstaller works - available here:
http://lop.com/help.html

If you're still having problems, we get into the heavy stuff....
Troubleshooting advice

A selection of information links about lop.com malware (detected as Swizzor Trojan by antivirus programmes) and Messenger Plus! itself follow:

lop.com information on this site
http://sarc.com/avcenter/venc/data/adware.lop.html (Symantec)
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024 (Computer Associates)
http://vil.mcafeesecurity.com/vil/content/v_120626.htm (McAfee)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SWIZZOR.AG (Trend Micro)
http://www.f-secure.com/v-descs/swizzor.shtml (F-Secure)
http://www.sophos.com/virusinfo/analyses/trojswizzorbq.html (Sophos)

IE-SPYADS will add msgplus.net and msgpluszone.com to your restricted sites zone:
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD

Windows Defender detects Messenger Plus as a Software Bundler (and rightly so).

Wednesday, May 03, 2006 5:35 PM by sandi

# re: Patchou: You are an <insert unflattering description here> - Part 4

Oops... copy 'n' paste doesn't capture embedded links.

Troubleshooting advice:
http://inetexplorer.mvps.org/tshoot.html

Wednesday, May 03, 2006 5:37 PM by sandi

# re: Patchou: You are an <insert unflattering description here> - Part 4

You can try aMSN (after you re-install Windows), which has a free plugin called MSN-Plus! which doesn't contain this lovely piece of <insert word> software that invades your computer. aMSN is also available for different operating systems. There is no webcam support for the OS X and PPC Linux versions of the software. I would suggest picking up 0.96 or newer, as webcam support in *NIX operating systems was broken in 0.95 and older.

http://amsn.sourceforge.net/

Sandi: Softpedia and a few other sites seem to think aMSN is ok, therefore I'll allow this comment:
http://mac.softpedia.com/get/Internet-Utilities/aMSN.shtml

Friday, October 06, 2006 6:26 PM by Canada3332