-
March 10th, 2008 05:23 PM
#11
If they truly are not spyware, then I would report the false positive to the vendor. That will nix the annoying warnings for everyone.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
March 10th, 2008 07:04 PM
#12
Hmmm,
It is a good point about false positives though. I know that a lot of scanners will flag Alexa as spyware, but I am surprised to see it in 4 installation files? Anyway, we know that MS installs it, so the warning seems a bit superfluous?
http://www.jsware.net/jsware/msicode.php3#unpack
That site has tools that let you open up .msi files and see what they do
Last edited by nihil; March 10th, 2008 at 07:06 PM.
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
-
March 11th, 2008 01:17 PM
#13
Hey there. Thanks for the link.
Spoke to my supervisor. She says that Alexa is Malware, I quote:
"It can open up your computer to outsiders"
As nihil said:
"Anyway, we know that MS installs it, so the warning seems a bit superfluous?"
I might be asking a stupid Q here - Why does MS install it if it gets flagged for malware?
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
March 11th, 2008 01:54 PM
#14
Alexa is a strange one, as it is not malware in my absolutely pedantic definition of such.
You might consider it to be a form of spyware, but in reality it is just a bloody nuisance. It is actually a targeted advertising application that is the result of some sort of deal between Microsoft and Amazon (I think). I seem to recall that it needs IE to work?
It is of no interest and absolutely no value to me so I always remove it. I take a very simple view that if I don't use something I don't want it running. Firstly it would be using MY resources and secondly it is just something else to go wrong and cause conflicts.
I am not surprised that all Panda does is flag it in the .msi files............ far too complex to try to extract it from one of those! I would guess that what Panda does is clean the Registry and executables, so it cannot run. That is what SpyBot and AdAware do, if you so choose.
I do not think that it is a security hazard in particular............. that would depend on how you run your system IMO............like IE on minimum security and always log in as Administrator? c'mon MS and Amazon are major players.............. if they were doing things like that, how come the drek/cack/poep hasn't hit the fan?
-
March 11th, 2008 06:01 PM
#15
Wow
Delete the msi files in question
DevSupp.dll is probably hijacked
If you notice the random characters your mal/spyware generated i.e., 36fe.msi
This means your true issue is creating random install files so when you clean one, two more infect you. These are not the Microsoft installer, they are Microsoft installation packages.
9 times out of 10 there will be an entry in the \...\currentversion\run KEYS (Current user - everyone who logged on) and system pointing to the install packages.
ie HKEY\LOCAL MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN and in the left pane will be c:\windows\36fe.msi
Don't forget to dump system restore
09:F9:11:02:9D:74:E3:5B  8:41:56:C5:63:56:88:C0
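The Run-key check described in post #15, as an added read-only PowerShell example (not part of the thread and not any poster's code). The function name `Get-MsiAutostart` is hypothetical, and the user hives currently loaded under HKEY_USERS are assumed to stand in for "everyone who logged on".

```powershell
# Added example: list Run-key autostart values that reference an .msi package.
# Read-only: nothing is changed or deleted.
$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # Wildcard covers every user hive that is currently loaded.
    'Registry::HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-MsiAutostart {
    param([string[]]$KeyPath)

    foreach ($key in Get-Item -Path $KeyPath -ErrorAction SilentlyContinue) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)

            # Pull the first drive-letter path ending in .msi out of the command line.
            # Limitation: an unquoted path containing spaces is not matched.
            if ($data -match '[a-z]:\\[^"\s]*\.msi\b') {
                $file   = $Matches[0]
                $exists = Test-Path -LiteralPath $file

                [pscustomobject]@{
                    Key       = $key.Name
                    ValueName = $name
                    Data      = $data
                    MsiPath   = $file
                    Exists    = $exists
                    # Hash and signature status give something concrete to hand to
                    # the vendor or a scanning service.
                    Sha256    = if ($exists) {
                        (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
                    } else { $null }
                    Signature = if ($exists) {
                        (Get-AuthenticodeSignature -LiteralPath $file).Status
                    } else { $null }
                }
            }
        }
    }
}

Get-MsiAutostart -KeyPath $runKeys | Format-List
```

Windows Installer keeps its own cached packages with short hex names under `%WINDIR%\Installer`, so a name like `36fe.msi` alone does not separate a cached package from a dropped one; the autostart reference and the file's location are what this listing surfaces.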
-
March 12th, 2008 08:56 AM
#16
Sheesh, what a mission
Thanks for all the tips everyone.
-
March 12th, 2008 09:05 AM
#17
Get copies of the files.....................
If dinowuff is correct, you are NOT dealing with Alexa.
Send the files to your research people to investigate
-
March 12th, 2008 04:41 PM
#18
virustotal or cwsandbox are two of my favorites for submitting questionable stuff.
-
March 12th, 2008 05:00 PM
#19
Another one is Jotti:
http://virusscan.jotti.org/
Although virus total uses more scanners
http://www.virustotal.com/
Both are supported by and use Panda, so they should be OK for Cider to use. Obviously they are both using scanning techniques, whilst Sunbelt's CWSandbox actually tries to run the thing and see what it does
-
March 12th, 2008 10:46 PM
#20
Back on original topic so a double post 
It just occurred to me that this might actually be some sort of trojan with Alexa as the payload.
I seem to recall that there were one or two that specifically did this?
As Alexa is a web surfing habits and site rating system, unscrupulous site owners would use this trick to increase the number of hits being reported to Alexa.
Something similar to the click fraud scams for pay per click advertising schemes. There are trojans to do that as well