Alexa hidden hijacker

  • Thread starter Thread starter J.R.Newboy
  • Start date Start date
J

J.R.Newboy

Attention All.I recently was experiencing sluggish
performance and redirects. Ran a deep scan with our MS
AntiSpy Beta and came up clean.I then ran a scan with my
Lavasoft Ad-Aware and recieved several hits! A hidden
hijacker called "Alexa"(new one to me).Don't know if this
info is useful to anyone but thought I should pass it on.
Here is a copy of my scan log:#:24 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-
Aware SE Personal\
ProcessID : 800
ThreadCreationTime : 8-20-2005 4:21:55 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-
00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2000478354-706699826-
854245398-500\software\microsoft\internet
explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-
00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 8
Objects found so far: 24


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 24


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@adrevolver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value :
Cookie:[email protected]/adrevolver/
Expires : 4-28-2008 10:25:56 PM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@adrevolver[3].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value :
Cookie:[email protected]/
Expires : 8-19-2006 2:11:36 PM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@questionmarket
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value :
Cookie:[email protected]/
Expires : 10-9-2006 2:31:08 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@targetnet[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value :
Cookie:[email protected]/
Expires : 5-17-2033 11:33:20 PM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 28



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 28

There is more to it,but this may give an insight to my
find.
J.R.NewBoy
 
I don't see anything in this scan which should have even the slightest
effect on the performance of your machine, I'm afraid.

Ad-aware has found a number of cookies, and it has spotted the Alexa feature
which is part of Internet Explorer in some older versions. This is the
"related to" button on the toolbar. You are at a web site, and you push the
related to button. The web url you are currently looking at is transmitted
to Alexa so that they can then find related sites via their mechanisms.

If this is spyware, it is remarkably tame. Would we rather have the feature
work like this?
1) press related to button
2) What would you like "related items to"
3) type in the url or term
4) get back the related items.

Does that successfully remove the "spyware aspect?"

As you can see, I'm not impressed by the designation of this browser feature
as spyware. However, it was removed from later browser versions, not sure
whether that was because of the outcry or because the relationship with
Alexa had a cost associated with it.

So--if you were seeing a performance hit--look elsewhere. Neither Alexa nor
any of the cookies found by this scan has even the smallest impact on your
system performance.

--

Attention All.I recently was experiencing sluggish
performance and redirects. Ran a deep scan with our MS
AntiSpy Beta and came up clean.I then ran a scan with my
Lavasoft Ad-Aware and recieved several hits! A hidden
hijacker called "Alexa"(new one to me).Don't know if this
info is useful to anyone but thought I should pass it on.
Here is a copy of my scan log:#:24 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-
Aware SE Personal\
ProcessID : 800
ThreadCreationTime : 8-20-2005 4:21:55 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-
00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2000478354-706699826-
854245398-500\software\microsoft\internet
explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-
00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 8
Objects found so far: 24


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 24


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@adrevolver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value :
Cookie:[email protected]/adrevolver/
Expires : 4-28-2008 10:25:56 PM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@adrevolver[3].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value :
Cookie:[email protected]/
Expires : 8-19-2006 2:11:36 PM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@questionmarket
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value :
Cookie:[email protected]/
Expires : 10-9-2006 2:31:08 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@targetnet[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value :
Cookie:[email protected]/
Expires : 5-17-2033 11:33:20 PM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 28



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 28

There is more to it,but this may give an insight to my
find.
J.R.NewBoy
 
Thanks for the post J.R

This is abit of a false detection in my view its not
Alexa that put it there, Microsoft did when they MSN was
teamed up with Alexa.

This cannot redirect you as the feature isnt active
anymore, It was listed in the tools menu as show related
links but Microsoft dropped them along time ago so it
will not appear now Unless you download Alexa toolbar
which will then put it back but it still doesnt work when
you press the Show related links now. If you have
problems with redirects then Ewido may be worth running
to be sure whatever it was isn't still active

Let me explain abit about this detection :

Lavasoft's Ad-Aware identifies the registry key included
with Internet Explorer as "Data Miner" spyware, Spybot
identifies it too without much explanation,

You will notice they all are the same detection as in
c95fe080-8f5d-11d2-a20b-00aa003c157a and it will come
with a clean install of Windows !

The issue is the 'Related Links' feature of IE (pre-XP
SP2) which appears under the 'Tools''Show Related Links'
menu item . If you used that feature when it was active,
IE will contact the Alexa servers, via MSN, to obtain
information about other web pages which seem to be
related, open an Explorer Bar, and display those.

The Alexa detection is just a registry key [1], creating
a menu item [2], pointing to a local web page [3],
pointing to an MSN search page [4], which redirects to
the Alexa web site[5].

[1] HKLM\Software\Microsoft\Internet
Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

[2] Within IE, see Tools / 'Show Related Links'

[3] C:\Windows\Web\related.htm

[4] http://related.msn.com/related.asp?url=

[5] http://xslt.alexa.com/data?cli=16&url=


As a example enter this in your address bar :

http://related.msn.com/related.asp?url=Test.com

once you press go it will instantly change to :

http://xslt.alexa.com/data?cli=16&url=Test.com

and open a page with related links

But the whole feature was removed in the IE6 version in
XP SP2 so its not anything to be concerned about and
simply letting Adaware or Spybot remove the registry line
removes the last traces of this feature from your system

Hope that helps

Andy
 
Sorry Bill

I didnt realize you posted on this till Id sent mine but
good to see we had the same view that the problem isnt
connected to this Alexa feature.

Your too fast for me ;)

Andy
 
Back
Top