Sandi's Site
I was forced to remove Google Ads from this page because far too many 'betrayware' (fake antispyware) products were being advertised and it was becoming well nigh impossible to keep the bad guys out of the ads. Therefore, there is only a donation link in the menu above. If you see any pages where such malware is being advertised by Google Ads on other pages, please send me screenshots so I can do what I can to exclude them.
All graphics are thumbnails that when clicked will open full size versions of the pictures.
Patchou has said many times that he doesn't want to do anything bad by his customers, and the version of the adware-known-as-lop that is installed as his Sponsor Program is much better behaved vis a vis installation and removal than many other versions that are out there. But, that being said, there is more to the Sponsor Program than its install and uninstall protocols. The Sponsor Program is also what it advertises, where it leads people and what it encourages people to install.
DO NOT install the 'Sponsor Program' before
reading the information at this link (information updated 1 November 2004)
The ties that bind - Messenger
Plus, Secure Software Inc and C2Media
Adware installed with Messenger Plus!
by the Sponsor Program (updated 1 November 2004)
The
implications of installing the Sponsor Program (updated 1 November 2004)
My first Messenger Plus! installation experience
Malware being advertised at the Msgplus
forums
Is Messenger Plus Spyware?
The majority of this article discusses the 'Sponsor Program' that generates so much displeasure amongst some Messenger Plus! users. But, before we get into the nitty gritty, two things need to be pointed out.
First, Messenger Plus does not, in my experience, install the Sponsor Program if the offer to install is refused. I pointed this out on 4 October 2004.
Second, users of Messenger Plus! may not realise that beginning with version 3.20.100 of the software, released on 19 September 2004, and continuing with build 3.21.104 released on 10 October 2004 and 3.25.106 released on 20 October 2004, MP will send periodical 'statistics' to the msgplus server about what MP features you have used. The option is on by default, but can be turned off (of course, to be able to turn the option off, you have to know that it exists). During my tests, if this option is enabled when I uninstalled Messenger Plus!, Messenger Plus! would phone home (reporting its removal?).
According to what I read on the MP site on 28 September 2004, the programme does not send data to msgplus during the first week of use - apparently this delay is to allow users to 'discover' the option and turn it off.
Some people call this statistical tracking 'spyware', not because usage data is transmitted to msgplus, but because there is no notification or warning that this will happen. The user is left to discover the setting by themselves.
The author of the programme points out that the information that is gathered is non-personal stuff like 'Quick Text was used' or 'Plus icon was clicked', but that is beside the point. Users should be informed during installation that the data will be gathered, and permission obtained to gather and transmit or, even better, the option should be turned OFF by default and users should be allowed to 'discover' the option and turn it on. If MS and other programme suppliers can set their data collection options to off by default, or can advise that the settings exist and prompt for permission to leave collection and transmission enabled during installation, so can MP.
Information about the data collection can be found here:
http://www.msgplus.net/changelog.php
Update 17 October 2004
Just doing a tidy-up, focusing the introduction at the beginning of page on the key points so users don't get lost in the details, and fixing some broken links.
As part of my research for a December publication that I am writing, I have been wandering around the net checking out the latest activities of various spyware purveyors, including the adware known as lop.com.
I found this message posted by 'Moore' and dated 3 October 2004 (to read the
entire thread click on the thread-name link in the top right hand corner of the
screen):
http://www.wilderssecurity.com/showpost.php?p=269566&postcount=38
Which lists this URL:
http://www.sunbiz.org/scripts/cordet.exe?a1=DETFIL&n1=P02000112500&n2=NAMFWD&n3=0000&n4=
N&r1=&r2=&r3=&r4=SECURESOFTWARE&r5=
The sunbiz link, as at 15 October 2004, reveals that a person by the name of Cyril, Paciullo (or Paciullo Cyril) is listed as a director of Secure Software, Inc together with an Alex Shamash and a Jason Lucas.
Note: The Florida Department of State, Division of Corporations search URL
is http://www.sunbiz.org/corpweb/inquiry/cormenu.html
Ok, fair enough, but is there a possible
connection between C2Media and Secure Software Inc?
More potential information about those
behind lop.com spyware can be found here.
http://www.freedomlist.com/forum/viewtopic.php?t=15724&highlight=
'Webhelper' of Team Lavasoft posted the above message on 22 March 2004.
It notes that those behind the
spyware commonly known as Lop have several different business names including
*C2Media*, Fla Internet Marketing Inc, Media Live,
Mp3 Search, *Secure Software Inc*, Spawnet Limited,
Trinity Acquisitions Inc, Warnet AdGaurd, Warnet Limited. There is also a
disconcerting list of domain names. 'Webhelper' also has his own domain,
www.webhelper4u.com, which lists
comprehensive information about what he calls the 'lop.com gang':
http://www.webhelper4u.com/watcher/thewatcherlistold.html
The names behind lop.com/C2Media are variously listed on many sites as Alex Shamash and Jason Lucas, the same names as those who share the directorship of Secure Software Inc with Paciullo Cyril. According to documents filed with Secretary of State, Tallahassee, Florida, Secure Software came into being on 17 October 2002, the incorporator was Jason Lucas, the initial Board of Directors consisted of Alex Shamash and Jason Lucas and its initial share issue was 1,000 shares with a value of $1.00 per share. The 2003 Uniform Business Report filed 10 September 2003 lists Paciullo Cyril as an added director. As a side note, a search of the Messenger Plus! forums reveals that the Sponsor Program was first added to Messenger Plus! around May 2003 (Patchou says July 2003).
Cyril Paciullo (cyrilpaciullo@popularemailprovider.com - (the email address has been changed to protect P. Cyril from robot spam) is, as at 14 December 2004, the name behind www.msgplus.net - current registration details can be accessed via http://registrar.godaddy.com/whois.asp.
Out of interest I checked out www.patchou.com using the same service. Although the registration details for www.msgplus net have been cleaned up since I first checked, the godaddy.com registration details for www.patchou.com are less than helpful. We all know that is not possible to have the phone number (123) 456-7890 and the address only states PQ H0H 0H0?) <Question: Should fake phone numbers and fake/incomplete addresses be legal or permitted?>
Synopsis:
Secure Software, Inc = Paciullo Cyril, Alex Shamash and Jason Lucas
www.msgplus net = P, Cyril
(cyrilpaciullo@popularemailprovider.com
- edited address - for those of you who don't know how to search the appropriate
records, replace popularemailprovider.com with hotmail)
Alex Shamash and Jason Lucas are mentioned at
http://www.freedomlist.com/forum/viewtopic.php?t=15724&highlight=
Alex Shamash, C2Media and Cyril Paciullo's
msgplus.net domain registration use(d) the same address, being PO Box
1113 Shalimar, Florida, 32579, United States.
Interesting, yes? Oh well, lets go back to waiting for the next version of Messenger Plus. I will be very interested to see what install protocol 'Patchou' finally settles on.
Update 29 November 2004
Patchou created a 'get the facts' page which he later removed. Part of that page discussed "Rumour: the author of Messenger Plus is the director of lop.com". Rather than reproducing the relevant text, here's a screen shot.
The highlighted comments by Patchou piqued my interest because I do not remember seeing anybody say that Patchou is a director of lop.com, or of C2Media, nor do I remember seeing anybody say that Patchou has a share in C2Media.
I conducted a Google and Vivisimo search (web and newsgroups) for 'Patchou director lop' and 'Patchou director c2media' but I have not been able to find a message or site wherein it has been said that Patchou is a director of lop.com (it is not possible to be the director of a domain name in any event), nor have I found a message or site wherein it has been said that Patchou is a director of C2Media, nor have I found a message or site wherein it has been said that Patchou has a 'share' in C2Media. All I have found is several other sites that highlight Patchou's shared directorship of Secure Software Inc with Alex Shamash and Jason Lucas, whilst also pointing out that Alex and Jason (not Patchou) are directors of C2Media, the company behind the software commonly known as lop.com.
Whilst I have *NOT* seen anybody say that Patchou has a directorship or 'share' of anything other than Secure Software Inc, in the pages I have examined, I am not surprised when people see a stronger than average connection between C2Media and Msgplus for other reasons - including because Patchou has said that C2Media hosts the msgplus web site - and because C2Media, Alex Shamash and Cyril Paciullo's msgplus.net domain registration also share(d) the same postal address - and because Patchou has been added as a director of a legal entity which listed the same pre-existing directors as C2Media.
The internet is full of freeware that bundles adware/malware/spyware to raise revenue, but I cannot think of another example of a relationship between freeware and its advert suppliers like that between msgplus and C2Media. If anybody else knows of a similar arrangement between a freeware author and adware purveyors, I would like to hear about it:
I'd also be interested to hear from anybody who can provide the URL of any site which tries to say that Patchou has a directorship of, or 'share' in, C2Media or lop.com. I can't find anything.
Update 11, 12 and 17 October 2004
The confusing 36 hour Sponsor Program delay has been removed which is a good thing!!! Bravo and applause to Patchou.
Thanks to the help of MANY volunteers, I have screen shots of what I think are all of the different install routines.
One installer has an information window before the Sponsor Agreement Window which says:
"Please read the following important message.
In order to keep Messenger Plus! free of charge for everyone, an optional
sponsor program is packaged with this installer. This program will add, among other things, a search bar in Internet
Explorer designed to accelerate your searches on the web (please read the
licence agreement for the full details). There's no risk involved in
giving it a try: the sponsor program can be easily removed at any time by
uninstalling Messenger Plus! You can then, if you desire, reinstall this
software without the sponsor.
Your support is extremely appreciated, thank you for using this program.
I want to keep Messenger Plus! free, install the sponsor program
I refuse to give my support, install Messenger Plus! without the sponsor"
This is followed by the Sponsor Agreement Window. The Sponsor Agreement Window has the following dialogue.
"Sponsor Agreement (C2Media)...<snip>
"I accept, install the sponsor program on my computer" [Note there
is no 'refusal' option, only back or install]
Tonight I downloaded an installer with an install protocol that I had not seen before now. The install design has the 'important message' on the same screen as the 'installation path' window. The text of the message does not change from that above. The 'installation path window is then followed by a Sponsor Agreement window which has a screen shot of the Toolbar, and the beginning of the C2Media EULA.
There are two install windows that I have seen that include a picture of the toolbar. One shows the standard 'introduction' spiel with the actual C2Media EULA scrolled off screen, the other has the C2Media EULA in screen, because the introductory spiel is part of a separate window.
Other installers apparently have no introductory window, instead the 'important message' is part of the Sponsor Agreement Window as follows:
"PLEASE READ THE FOLLOWING MESSAGE: In order to keep Messenger Plus! free of charge for everyone, an optional sponsor program is packaged with this installer. This program will add, among other things, a search bar in Internet Explorer designed to accelerate your searches on the web (please read the licence agreement for the full details). There's no risk involved in giving it a try: the sponsor program can be easily removed at any time by uninstalling Messenger Plus! You can then, if you desire, reinstall this software without the sponsor.....<snip C2Media Sponsor Agreement>"
For the Sponsor Agreement Window where there is no initial information window, the dialogues are:
"Sponsor Agreement (C2Media)...<snip>
I accept, install Messenger Plus! with the sponsor program
I refuse to give my support, install Messenger Plus! without the sponsor"
"Sponsor Agreement (C2Media)...<snip>
I ACCEPT, install Messenger Plus! with the sponsor program
I refuse, do not install the sponsor program"
"[Screenshot of toolbar]
Sponsor Agreement (C2Media)...<snip>
I accept, install Messenger Plus! with the sponsor program.
I refuse to give my support, install Messenger Plus! without the sponsor"
The first two options, with separate windows providing information the Sponsor Program, and the Sponsor Program EULA itself, are the best so far. In all of the Sponsor Agreement Windows that I have seen, EXCEPT for the ones with separate information windows, the EULA text for the C2Media software is completely hidden. It is possible to see that there is a drag button on the Sponsor Agreement Window scrollbar, but it is hard to spot and is easily missed. It is very easy for a user to assume that the 'Sponsor Agreement (C2Media) heading is more more than a reference to the 'I accept' or 'I refuse' portions of the Sponsor Agreement Window. The window does say (please read the 'licence agreement' for the full details), but does not stipulate where the licence agreement is. An inexperienced user will not make the connection between 'Sponsor Agreement' (at the top of the window) and 'licence agreement' (window text).
"I refuse to give my support" is very harshly worded and likely to make the user see him or herself in a bad light. Even "I refuse" is not nice. What about a simple 'No thank you.'?
Other things that stand out are:
Why not mention the changes to home page, search engine and the popups?
It won't take up much more space than "please read the licence agreement for the full details" and makes the full implication of installing the Sponsor Program very clear to users without forcing them to trawl through a long EULA. A good point is that both windows point out that the sponsor can be removed by uninstalling Messenger Plus! (it would be good if that could be in bold font so that it is well highlighted). Also, neither option is selected which is also a good thing. A conscious decision must be made to choose the Sponsor Program (it is debateable whether it is right to highlight one high profile change, but not others). Despite this I see far too many people who don't realise that the Sponsor Program can be removed by uninstalling Messenger Plus! Hopefully that problem will improve, but I don't think the proposed changes will make much difference, unless users make the assocation between the MP Sponsor Program and not only the toolbar, but also the home page change, search engine change, and pop up windows (the links on the desktop and new favorites are not as 'in your face' and are not as likely to frighten unsuspecting users so probably don't need to be highlighted so much).
It will be very interesting to see what choice Patchou finally makes.
Unfortunately, the second popup window generated by the Sponsor Program on my systems was the same big yellow warning window about spyware as was mentioned in my original install report.
This time, I checked it out what was being
advertised. The pop up led to:
http://66.33.0.35/spyblocs/adv/free6.html
Spyblocs has been listed on http://www.spywarewarrior.com/rogue_anti-spyware.htm as follows:
"Spyblocs/eBlocs.com... aggressive, deceptive advertising.... false positives work as goad to purchase; poor scan reporting, Ad-Aware knockoff, same app as #1 Spyware Killer, SpyDoctor, Spyinator, SpyKiller 2005, SpySpotter, & SpywareThis [A: 6-26-04 / U: 8-4-04]"
Further information about Spyblocs can also be found here:
http://netrn.net/spywareblog/archives/2004/08/06/
and here:
http://tired-of-spam.home.comcast.net/eblocs.html
Now, let's think about this; let's say Messenger Plus! is installed with the Sponsor Program. Working from assumptions based on the install protocols of MP version 3.21.104, our hapless users expect the search bar which is fine, but may not expect the home page hijacking, the search engine hijacking or the popup windows. If their experience is the same as mine as been for each install, one of the very first popup windows they could see may be the big yellow window you see below. If the poor users don't want the home page changes, or search engine changes or the pop up windows, and they have not read the EULA, the chances are high, unless they are already experienced in the way and wiles of spyware and how to remove it, that they will take advantage of the very kind offer from the nice people who have told them that their computer IS INFECTED WITH SPYWARE and offer to fix the problem!
From reviewing the links above, it seems quite obvious that SpyBlocs is nasty stuff. Seriously, such misleading advertising sucks. I have installed MP several times now, and the yellow ad for Spyblocs has been the first, or second, window to appear within a minute or two of the Sponsor Program install being completed. In fact, since installing Messenger Plus! this evening, in the space of 5 or so minutes the same yellow advertisement appeared TWICE!!
Patchou has said many times that he doesn't want to do anything bad by his customers, and the version of the adware-known-as-lop that is installed as his Sponsor Program is much better behaved vis a vis installation and removal than many other versions that are out there. But, that being said, there is more to the Sponsor Program than its install and uninstall protocols. The Sponsor Program is also what it advertises, where it leads people and what it encourages people to install.
Malware being advertised at Msgplus:
Note: there is an IMPORTANT update about
the malware advertisements dated 3 January 2005
The above was advertising PrecisionTime by Gator
http://www3.ca.com/securityadvisor/pest/browse.aspx?let=P&cat=Adware
The above was advertising Dashbar by Gator:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078809
The 'free Smileys' advertised at msgplus.net come from 'Smiley Central' aka funwebproducts, sadly, also don't have a very good reputation.
PS. Patchou says he no longer advertises Smiley Central because it is not
compatible with Messenger Plus (4 January 2005):
but guess what was advertised today (12 January 2005) (note the address in the
status bar and the position of my cursor):
Smiley Central are also SPAMMERS. Check out the screen shot of a spam email that I received today (24 November 2004). First, the graphic was pulled from a remote server, thereby confirming my email address is live (I downloaded the graphic because I don't care if this particular address is confirmed as 'live' - the email address in question is purely a spam and phish trap, but for people who aren't flooded with spam yet, please be warned that remotely hosted graphics are the number one way that spammers confirm an email address is 'live' thereby increasing its value to spammers immeasurably. Tip: Do NOT download remote pictures if you are given the choice. Second, check out the 'unsubscribe' email address. How much do you want to bet the address is unique and yet another way to confirm that an email address is 'live'? Tip: Never try to unsubscribe from a spam email. Just delete it.
I took great pleasure in reporting the spam message via Spamcop.
Update: within 48 hours of my publishing the above
information about the Gator advertisements on msgplus.net (note the funwebproducts advertisements have been around for a while), somebody posted
this to the Messenger Plus! forums:
http://msgplus.mybboard.com/showthread.php?tid=36364
Thanks to "elreteipos" we know that people at the msgplus forums know about my commentary.
I am very pleased to report that the complained of advertisements have disappeared and been replaced with a generic Messenger Plus! advertisement.
I sent out a request to contacts all over the world, and asked that they check the msgplus forums and report if they see the same thing as I do (to rule out IP specific filtering). Every single English speaking person has reported that they are seeing the same advertisement, therefore the changed advertisements are not IP specific. But, that being said, they are country specific. I have received reports that non-English versions of the site are still seeing malware advertisements. I also note that pop-up advertisements at the msgplus site are still advertising malware to everybody, English speaking or otherwise.
I think we can assume that "they" are listening, just like "they" listened to complaints about the sponsor program (leading to improvements in the installation protocols used by Messenger Plus). It will be interesting to see what advertisements survive when the banner ads go external again.
Y'know, when I found out that my old Bravenet guestbook had started advertising unsavoury or problematic software (including cursors from funwebproducts), a guestbook I had been using since late 1999, I dumped it and created a new guestbook hosted on my own site (currently disabled because of spammers). The old guestbook is still viewable for archival purposes (it is hard to give up entries that have been gathered over so many years), but entries are no longer accepted. Also, when I started receiving spyware complaints about my third-party-provided web page search facility, I also dumped that and created a search facility hosted locally, and also increased the prominence of an MVP created search site that is spyware free. Why do I tell you this? Because there ARE always alternatives if we find spyware/malware/crapware is being advertised (involuntarily or otherwise) on our web sites.