IEAK 11 creates odd extension RRS feed

  • Question

  • I am using IEAK 11 to create an install package for IE11 on Windows 7 SP1 64-bit. The package works correctly and installs silently but it creates a mystery browser extension.

    Name:                   {C95FE080-8F5D-11D2-A20B-00AA003C157A}
    Publisher:              Not Available
    Type:                   Browser Extension
    Architecture:           64-bit
    Version:                Not available
    File date:              Not available
    Date last accessed:     Today, July 10, 2015, 22 minutes ago
    Class ID:               {C95FE080-8F5D-11D2-A20B-00AA003C157A}
    Use count:              1
    Block count:            0
    File:                   Not available
    Folder:                 Not available

    The key under HKLM\Software\Microsoft\Internet Explorer\Extensions links the CLSID {1FBA04EE-3024-11D2-8F1F-0000F87ABD16}

    That can be found at HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{1FBA04EE-3024-11D2-8F1F-0000F87ABD16} which contains the value name Compatibility Flags with data 0x000000400 (1024).

    So it appears to be an Active X control and the compatibility flag seems to be a "kill bit" which tells IE not to load this control. That's according to what little I can find on google anyway. But I'd rather not have the control there in the first place.

    I've tried building the IEAK install package several times on different machines both Windows 7 and 8.1 and always with the same extension showing up.

    Any help at explaining this and getting rid of it would be appreciated.

    Friday, July 10, 2015 5:34 PM

Answers

  • Hi, to find out where the errant extension key is coming from..

    Download the Sysinternals Suite

    and run Procmon.exe while you are doing a test deployment (filtering on registry write keys containing the Related sites extension clsid:
    {C95FE080-8F5D-11D2-A20B-00AA003C157A})

    If there are no registry writes, then it may be that it is just an artefact left over from a build done on an XP machine, since you say that the Command bar button registry keys are empty (and to write to the registry during a Windows update or IE settings change, any malware/unwantedware has to be using a Registry Hook technique, which was removed/defeated in Win7 and higher). If there is no valid link to related.htm or (res://toolbar.dll\related.htm) then the command bar button will not even appear in the Command bar buttons list, nor can it be executed, so "I could just put a step in my MDT task sequence to delete that registry key after IE 11 installs" is quite acceptable.

    Command bar Extensions can have either/both HKLM and HKCU keys... IE9 introduced a new key in the IE settings registry keys for low integrity processes... Possibly these are just artifacts.... I know any Uninstaller won't be removing the new low integrity keys if it was developed for XP as the Alexa toolbar was.

    Regards.


    Rob^_^


    Tuesday, July 14, 2015 1:50 AM
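The audit below is an added example and is not code from the thread. It does in one script what the question and the accepted answer do by hand: enumerate every IE extension key (64-bit, 32-bit and per-user views), resolve the extension's own CLSID and its handler CLSID through HKCR to see whether any file backs them, decode the "Compatibility Flags" kill bit (0x400, the value the question quotes) for the handler, and offer a -WhatIf-capable delete for the MDT task-sequence step Tom mentions. It assumes PowerShell 3.0 or later running elevated; the two CLSIDs in the usage lines are the ones quoted in the thread and everything else is read from the live registry.

```powershell
# Added example (not from the thread): audit IE extension registrations and
# the ActiveX kill bit on a Windows 7/8.1 image. Run in an elevated PowerShell 3.0+.
# Assumptions: the two CLSIDs in the usage lines are the ones quoted in the thread;
# 0x400 is the documented kill-bit flag. Nothing else is hard-coded.

$ExtensionRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions',              # 64-bit view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions',  # 32-bit view
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Extensions'               # per-user
)
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$KillBit = 0x00000400   # "Compatibility Flags" bit that tells IE not to load the control

function Resolve-ComServer {
    # Map a CLSID to the DLL/EXE registered for it under HKCR; $null if it has no server.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($server in 'InprocServer32', 'LocalServer32') {
        $key = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\$server" -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        $raw  = [string]$key.GetValue('')
        # LocalServer32 may carry arguments after a quoted exe; keep only the quoted part.
        $path = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { $raw }
        $path = [Environment]::ExpandEnvironmentVariables($path)
        return [pscustomobject]@{
            Server = $server
            Path   = $raw
            Exists = ($path -ne '' -and (Test-Path -LiteralPath $path))
        }
    }
    return $null
}

function Get-KillBitStatus {
    # Read "Compatibility Flags" for a CLSID from both registry views and decode the kill bit.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        $props = Get-ItemProperty -LiteralPath (Join-Path $root $Clsid) -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $flags = [int]$props.'Compatibility Flags'
        [pscustomobject]@{
            Clsid          = $Clsid
            View           = if ($root -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
            Flags          = '0x{0:X8}' -f $flags
            KillBit        = ($flags -band $KillBit) -ne 0
            OtherBits      = '0x{0:X8}' -f ($flags -band (-bnot $KillBit))
            AlternateCLSID = $props.AlternateCLSID   # redirect to a replacement control, if set
        }
    }
}

function Get-IEExtensionAudit {
    # Enumerate every registered command-bar button / browser extension and show what it resolves to.
    foreach ($root in $ExtensionRoots) {
        foreach ($key in (Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)) {
            $p       = Get-ItemProperty -LiteralPath $key.PSPath
            $handler = [string]$p.CLSID                # e.g. {1FBA04EE-...} = "run a program" button handler
            $hSrv    = if ($handler) { Resolve-ComServer $handler } else { $null }
            $eSrv    = Resolve-ComServer $key.PSChildName
            $kill    = if ($handler) { Get-KillBitStatus $handler | Where-Object { $_.KillBit } | Select-Object -First 1 } else { $null }
            [pscustomobject]@{
                Root          = $root
                ExtensionId   = $key.PSChildName
                ButtonText    = $p.ButtonText
                MenuText      = $p.MenuText
                Exec          = $p.Exec                # program launched by the button, if any
                Script        = $p.Script              # script run by the button, if any
                HandlerCLSID  = $handler
                HandlerKilled = [bool]$kill
                HandlerFile   = if ($hSrv) { $hSrv.Path } else { '<no COM server>' }
                ExtensionFile = if ($eSrv) { $eSrv.Path } else { '<no COM server>' }
                Suspicious    = (-not $p.Exec -and -not $p.Script -and -not $eSrv)   # points at nothing runnable
            }
        }
    }
}

function Remove-IEExtension {
    # Delete one extension key from every root. Supports -WhatIf so an MDT step can be dry-run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$ExtensionId)
    foreach ($root in $ExtensionRoots) {
        $key = Join-Path $root $ExtensionId
        if ((Test-Path -LiteralPath $key) -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -LiteralPath $key -Recurse
        }
    }
}

# Usage (CLSIDs from the thread):
Get-IEExtensionAudit | Format-Table ExtensionId, ButtonText, Exec, HandlerCLSID, HandlerKilled, ExtensionFile, Suspicious -AutoSize
Get-KillBitStatus -Clsid '{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}'
Remove-IEExtension -ExtensionId '{C95FE080-8F5D-11D2-A20B-00AA003C157A}' -WhatIf
```

Run the audit on the test image before and after the IEAK package installs and compare the two listings; an entry with Suspicious = True, no Exec or Script value and no COM server behind its extension CLSID is exactly the "File: Not available" add-on the question describes. To catch who writes it, the Procmon filter from the answer is Path contains C95FE080-8F5D-11D2-A20B-00AA003C157A with Operation RegCreateKey or RegSetValue; if nothing writes it during deployment, the key is already in the image or in the package, and Remove-IEExtension without -WhatIf is the clean-up step.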

All replies

  • Hi tsisson,

    that clsid 1FBA04EE-3024-11D2-8F1F-0000F87ABD16

    is used internally by IE to run Command bar button executables. The kill bit flag stops websites from executing programs from web pages.... It is required for some types of IE Command bar buttons to work.

    see https://msdn.microsoft.com/en-us/library/bb735854%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

    the CLSID (C95FE080-8F5D-11D2-A20B-00AA003C157A) of the unwanted extension is

    documented here - http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=det&idvirus=55150

    It's an extension from Alexa. Alexa collects web statistics and is well known in the industry. It appears either that you have upgraded your build machine from XP where it existed previously, or you have purposely installed their extensions with consent. Please read the following:

    Infection strategy 

    Alexa creates the following entries in the Windows Registry:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
      This entry contains a reference to the file RELATED.HTM, which is in the Windows directory and determines the web page where the searches for related websites are made.
      This entry is also responsible for displaying the menu item Show Related Links.
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions
      CmdMapping = {c95fe080-8f5d-11d2-a20b-00aa003c157a}

    Keep in mind that these entries are created whenever Internet Explorer or some of its Service Packs are installed.

    Means of transmission 

    Alexa is created either by the browser Internet Explorer or some of its service packs, and provides adware characteristics.

    >>>>>>>>>>>
    Start>Control Panel>Programs and Features>sort by Publisher... Locate any installed software from Alexa (It should be called the Alexa Toolbar) and uninstall it by clicking the uninstall button.

    Reboot your computer for the full changes to take effect.

    Rebuild your IEAK packages (as the above doco states: "Keep in mind that these entries are created whenever Internet Explorer or some of its Service Packs are installed"),
    so you should also scan your client machines and uninstall it before you deploy your IEAK package.


    Rob^_^

    Saturday, July 11, 2015 2:55 AM
  • Hi Rob,

    The HKLM extension key doesn't contain a link to RELATED.HTM, there are no extensions under HKCU, and Alexa doesn't show up under installed applications. I did virus/malware scanning and turned up nothing.

    This is a clean image of Windows 7 just built by MDT with Microsoft updates disabled and only IE 11 installed. The IE11 unattended install does do its own updates and I was suspicious that something was getting in that way. I couldn't figure out a way to disable those updates to test my theory. However, I don't believe Alexa is the problem here.

    I could just put a step in my MDT task sequence to delete that registry key after IE 11 installs but I don't like not knowing where that extension came from.

    Tom

    Monday, July 13, 2015 12:29 PM
  • I should have thought to use Procmon.exe. Thanks for the suggestion Rob. Meanwhile I found an old IEAK11 build I did last year and that one does not have the same issue so I just used it in my image.

    Thanks,

    Tom

    Monday, July 20, 2015 2:45 PM