Alexa Adware in W2K SP4

• Previous message: Sturgeon, Jon: "Re: Q329170 (MS02-070), Q327984 and slow logoffs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Wed, 2 Jul 2003 12:19:00 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I have received a number of reports from individuals who have "discovered" Alexa Adware in W2K SP4 installations. They've discovered this via a variety of programs such as PestPatrol and Ad-ware.

From what I've been able to determine, the reason for the detection is that the Alexa object GUID is placed in the registry under;

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

The reason for this is, according to reports I have read, because MSN uses Alexa as an assistant to their search engine. The "Show Related Links" option in MSN search comes via Alexa. However, if you view the details associated with that option, you will see that Alexa Toolbar itself is not installed (and this is the object which some have labeled adware.) The toolbar is offered via a link in text describing the service, but users are not prompted to install it.

Ergo, the assertion that the Alexa object is present or installed is, IMNSHO, a false detection for systems which have simply installed IE 6.0 (when this option was first added) or W2K SP4.

If anyone has proof to the contrary, please advise.

Cheers,
Russ - NTBugtraq Editor

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to

http://www.trusecure.com/offer/s0100/

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

• Previous message: Sturgeon, Jon: "Re: Q329170 (MS02-070), Q327984 and slow logoffs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Alert: Microsoft Security Bulletin - MS03-039 ... The way that Microsoft patched the new RPC Part II vulnerability ... Summer's Hottest Certification Just Got HOTTER! ... To learn more about the TICSA certification, ... (NT-Bugtraq) WHERE ARE NT4 OLD PASSWORDS STORED ... Sorry if this bores many of you (being an NT4 question), ... Summer's Hottest Certification Just Got HOTTER! ... you can save 33% off of the TICSA certification exam! ... (NT-Bugtraq) Firewalls and DCOM ... Never underestimate the lengths to which your users will inadvertently go through to infect a network;)" ... Summer's Hottest Certification Just Got HOTTER! ... you can save 33% off of the TICSA certification exam! ... (NT-Bugtraq) DCOM worm analysis report: W32.Blaster.Worm ... A Bugtraq user has already pointed out that a worm has been ... Summer's Hottest Certification Just Got HOTTER! ... you can save 33% off of the TICSA certification exam! ... (NT-Bugtraq) Something changing DNS server settings ... When I looked in the registry of one of the affected computers, ... Summer's Hottest Certification Just Got HOTTER! ... you can save 33% off of the TICSA certification exam! ... (NT-Bugtraq)