Hi all.
Got a customer who got infected with Adware. The log of Panda AV points to the installer folder in the Windows directory.
The four infected files in question are .msi files.
Is it safe to delete these files?
Thanks.
What are the files called?
The main question would be whether these are genuine files that have been infected or are they pure malware files that have been given a plausible name and hidden in a place that does not look suspicious.
I normally do a Google search on the filename. There are a number of sites that list files and will tell you if they are OK, pure malware, suspicious or whatever.
Tried Google, found nothing. Here is the log.
Ah! it is Alexa.................
http://www.imilly.com/alexa.htm
It actually ships with Windows/IE :D
Spybot and AdAware will remove it, but I would be wary of deleting .msi files as they don't actually do anything during normal operation of your computer.
Ahh ok thanks Nihil.
Nihil the problem I have is that I cannot use 3rd party tools to remove these sort of things.
I am doing the tech support here in SA for Panda.
It's a whole process to scale an issue to our HQ and wait for a reply. That is why I post here a lot :)
Thanks for the link though.
EDIT: Question still stands, can I delete these files :)
there is no need to delete them
.msi is a Microsoft Installer file
it is 'just' an application waiting to be installed by double clicking it
even when it has been installed it is not a bad idea to 'store' these somewhere - network share ? - so you can go and get them again if needed in case of PC rebuild etc
but please DO list the titles of each file
and NO Google hits is generally a sign that it is benign [safe] as there are no people with those issues out there
Foxy - check the attachment.
I would not delete those files. As Foxy says, they are just installation files. It is not as if you have found them in the Registry, start up folder or whatever.
I doubt if spybot or adaware would even spot them. I only mentioned them because they also report Alexa as spyware :)
Ok.
However, when this client does a scan with Panda and sends me the report he says, "Look Tyron, there is adware on my PC".
Should I just put the files back in their original place, as I have placed them in the recycle bin :)
Yes I would put them back, they won't do anything.
I keep finding Alexa every time I load MS updates :D. I just make sure that it doesn't run in the live system; having it in .msi files doesn't bother me.......... if I need to reinstall, and it gets reinstalled as well, it will just get detected and deleted again.
If they truly are not spyware, then I would report the false positive to the vendor. That will nix the annoying warnings for everyone.
--TH13
Hmmm,
It is a good point about false positives though. I know that a lot of scanners will flag Alexa as spyware, but I am surprised to see it in 4 installation files? Anyway, we know that MS installs it, so the warning seems a bit superfluous?
http://www.jsware.net/jsware/msicode.php3#unpack
That site has tools that let you open up .msi files and see what they do ;)
Hey there. Thanks for the link.
Spoke to my supervisor. She says that Alexa is Malware, I quote
Quote:
It can open up your computer to outsiders
I might be asking a stupid Q here - Why does MS install it if it gets flagged for malware? As nihil said
Quote:
Anyway, we know that MS installs it, so the warning seems a bit superfluous?
Alexa is a strange one, as it is not malware in my absolutely pedantic definition of such. :D
You might consider it to be a form of spyware, but in reality it is just a bloody nuisance. It is actually a targeted advertising application that is the result of some sort of deal between Microsoft and Amazon (I think). I seem to recall that it needs IE to work?
It is of no interest and absolutely no value to me so I always remove it. I take a very simple view that if I don't use something I don't want it running. Firstly it would be using MY resources and secondly it is just something else to go wrong and cause conflicts.
I am not surprised that all Panda does is flag it in the .msi files............ far too complex to try to extract it from one of those! I would guess that what Panda does is clean the Registry and executables, so it cannot run. That is what SpyBot and AdAware do, if you so choose.
I do not think that it is a security hazard in particular............. that would depend on how you run your system IMO............like IE on minimum security and always log in as Administrator? :lildevil: c'mon MS and Amazon are major players.............. if they were doing things like that, how come the drek/cack/poep hasn't hit the fan?
:)
Wow
Delete the msi files in question
DevSupp.dll is probably hijacked
If you notice the random characters your mal/spyware generated, i.e. 36fe.msi
This means your true issue is creating random install files, so when you clean one, two more infect you. These are not the Microsoft Installer, they are Microsoft installation packages.
9 times out of 10 there will be an entry in the \...\CurrentVersion\Run KEYS (Current user - everyone who logged on) and system pointing to the install packages.
i.e. HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN and in the left pane will be c:\windows\36fe.msi
Don't forget to dump system restore
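An added example (not code from the thread or from any of its posters) that walks the Run/RunOnce keys dinowuff describes and reports every value that launches an .msi package, with the package's SHA-256 so it can be submitted to VirusTotal or Jotti. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt for the HKLM keys.

```powershell
# Added example, not from the thread: list autorun values that point at an .msi
# package, the pattern described above, and hash the file for submission to a
# multi-scanner site. Assumes PowerShell 4+ and an elevated prompt (HKLM access).
function Find-MsiAutorun {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties PowerShell adds to every Get-ItemProperty result; not registry values.
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $cmd = [string]$p.Value

            # Pull the .msi path out of the command line, quoted form first, then bare.
            $msiPath = $null
            if ($cmd -match '"([^"]+\.msi)"')           { $msiPath = $Matches[1] }
            elseif ($cmd -match '(\S+\.msi)(?=\s|$)')   { $msiPath = $Matches[1] }
            if (-not $msiPath) { continue }

            $msiPath = [Environment]::ExpandEnvironmentVariables($msiPath).Trim()
            $exists  = Test-Path -LiteralPath $msiPath
            $hash    = if ($exists) { (Get-FileHash -LiteralPath $msiPath -Algorithm SHA256).Hash } else { $null }

            # Caveat: %windir%\Installer legitimately caches packages under short hex
            # names, so the file name alone proves nothing; a Run value that launches
            # one is the unusual part worth investigating.
            [PSCustomObject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = $cmd
                MsiPath    = $msiPath
                FileExists = $exists
                Sha256     = $hash
            }
        }
    }
}

Find-MsiAutorun | Format-List
```

Anything it reports can be exported with `Find-MsiAutorun | Export-Csv` and sent along with the hashes when escalating, rather than deleting the packages first.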
Sheesh, what a mission :)
Thanks for all the tips everyone.
Get copies of the files.....................
If dinowuff is correct, you are NOT dealing with Alexa.
Send the files to your research people to investigate ;)
VirusTotal or CWSandbox are two of my favorites for submitting questionable stuff.
Another one is Jotti:
http://virusscan.jotti.org/
Although VirusTotal uses more scanners
http://www.virustotal.com/
Both are supported by and use Panda, so they should be OK for Cider to use. Obviously they are both using scanning techniques, whilst Sunbelt's CWSandbox actually tries to run the thing and see what it does.
:)
Back on original topic so a double post :)
It just occurred to me that this might actually be some sort of trojan with Alexa as the payload.
I seem to recall that there were one or two that specifically did this?
As Alexa is a web surfing habits and site rating system, unscrupulous site owners would use this trick to increase the number of hits being reported to Alexa.
Something similar to the click fraud scams for pay-per-click advertising schemes. There are trojans to do that as well :(
Thanks for the sites Nihil.
Still waiting on the customer to send me these msi files.