You can count on me to continue promoting Windows Live and its surrounding technologies. Messenger is here to stay after all, and so is Messenger Pus!.

. HP and Dell will not take kindly to any suggestion that their pre-approved install/recovery disks contain any sort of malware. This is from the second link posted

Here is a summary of what LOP does , process and executable wise, so we we
can put the evidence of LOP and what it does behind us and just get the
formal letter completed.

Here is the sequence:

Install messenger plus.

Choose to Install sponsor and now the fun starts.

MSG+ Installer downloads lop installer from
r9849.bins.lop.com/bins/int/7k11_pk2.int or other similar url.

Lop installer installs a bunch of exes and a fake DLL exe which are stored
under the logged in users profile as random names/folders and under the all
users profile as random names/folders. One exe is actually a dll with an exe
extension. The actual legitimate exe is stored in All Users. The DLL exe is
located in the logged in users profile. I am not a programmer, but why
microsoft allows DLLs to be renamed EXE's and still be launched as DLLs is
beyond me.

Lop installer adds the fake exe as BHO in the registry so when IE starts it
shows popups and starts another of the EXEs.

Lop installer adds one of its exe's as a Run in the registry to that it
launches IE in the background and starts one of the other EXEs.

Lop installer creates a hidden job in C:\Windows\Tasks. Name similar to:

A700637A918C1DD6.job

These jobs start an exe which starts IE in the background and launches
another one of the EXEs. This EXE is launched every hour, so if you dont
kill the file or kill the job, cleaning up the other entries will just start
this process over every hour.

It also creates another directory under the logged in users profile with
other other executables such as the scheduled job executable, the
installer, etc.

Basically, the BHO and EXEs are a ring of chained events, each starting each
other. Very similar to how CWS_NS3 (Home search assistant) worked. You need
to remove all points of precense or this thing will just keep starting
itself over from the other 2 points.

So for example, In my install, job starts
c:\docume~1\forens~1\applic~1\tonspo~1\coalplayroam.exe which starts
c:\docume~1\forens~1\applic~1\tonspo~1\firstaxis.exe (the originall
installer) which starts C:\Documents and Settings\All Users\Application
Data\Locks Clock Plus Option\Dart Idle.exe which starts firstaxis.exe again.
Each of these processes having the ability to once again start an instance
of IE. Oh and lets not forget that when you start IE, the BHO also launches
the executable. This is why this thing is such a PITA. Everthing launches
each other.

This circular chain of events can be started at each point on the chain.

Hijackthis gets these lines:

O2 - BHO: (no name) - {8E1F0B57-662A-9F87-E4E2-BA6C306EBDB7} -
C:\DOCUME~1\FORENS~1\APPLIC~1\ANTESE~1\test lies.exe
O4 - HKLM\..\Run: [plus option junk third] C:\Documents and Settings\All
Users\Application Data\Locks Clock Plus Option\Dart Idle.exe
O4 - HKCU\..\Run: [boob mpeg]
C:\DOCUME~1\FORENS~1\APPLIC~1\TONSPO~1\FIRSTAXIS.exe

Last but not least, I did not read the MSG+ eula, but its installer contacts
home base when the program finishes installing:

GET /setupcomplete.php?ra=92ba1d97&up=0&mp=4240&lg=en&sp=1 HTTP/1.1
User-Agent: MessengerPlusLive
Host: software.msgpluslive.net
Cache-Control: no-cache

GET /software/setupcomplete.php?ra=92ba1d97&up=0&mp=4240&lg=en&sp=1 HTTP/1.1
User-Agent: MessengerPlusLive
Connection: Keep-Alive
Cache-Control: no-cache
Host: xxx.msgplusliveDOTnet
Cookie: langusr=en

RE: MVP Award - Hello Windows Live!

quote:Originally posted by jegar

quote:Originally posted by ShawnZ

quote:Originally posted by LEE123
I'm not bashing his program - it's amazing code, and I congratulate Patchou on it. I just don't think he can expect an MVP for bundling adware with it.



for the last time, they didn't remove him because his program has adware. they knew about the adware for ages, and they knew about it when adding him to the team. microsoft only removed him because people bitched.



Sorry dude this is the official statement from Microsoft:

quote:" Cyril Paciullo was awarded with MVP status this year on the basis of his technical expertise and strong community contribution. However, his active MVP Award status was revoked as soon as the extent of the connection between his application and spyware was made apparent to the MVP Program."


Source of article please?

Microsoft know that Messenger Plus! Live does not bundle spyware.