Win 8 Survey intruding MSI installer in Win 8

Discussion in 'malware problems & news' started by TairikuOkami, Sep 6, 2012.

Thread Status:
Not open for further replies.
  1. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,450
    Location:
    Slovakia
    Hi, I am wondering what is causing the intrusion of some Win 8 Survey in various software setups like Axcrypt, which use the MSI installer.

    hxxp://imageshack.us/photo/my-images/689/capture09062012125937.jpg

    hxxp://imageshack.us/photo/my-images/40/capture09062012125208.jpg

    I would just like to know if it is malware or just Microsoft snooping around. It links to these Privacy Rules: hxxp://opencandy.com/eulas/win8-sweepstakes-rules.html

    I had to do a clean install of Win 8 RTM after ~14 days, because it crashed so badly that I was not able to repair it or install it, so I had to format the HDD with Linux in order to install Win 8, which is kind of funny and sad. Anyway, when I was installing software, I noticed that almost all applications that use the MSI installer included that Win 8 survey.
     
  2. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Notice the word OpenCandy in that privacy URL? Some application developers bundle things with their application installer so as to generate revenue. Examples of that would be the Ask Toolbar and OpenCandy. You can learn more about OpenCandy at -http://www.opencandy.com/- and via search engine.

    I believe Axcrypt is known to do this. I think I read that Cool Timer has also been bundled with adware components so that doesn't surprise me. Perhaps all of the other instances where this happened are also cases where the installer is known to come bundled with such a thing(?). Theoretically, adware could hook one's system in an attempt to display such survey requests prior to running other installers. I can't remember if I've heard of that before or not.

    Given that such bundling is very objectionable to some users, many of the developers who do this type of thing also offer a special download that is free of such components. I would recommend that you always check to see if an application you are about to download is known to come with such components and if so look for and use the "clean" installer. I would suggest never running an installer that comes with such components, but if you decide to I would encourage you to take steps to protect your system against modifications and kill your net connection prior to the install in order to prevent the bundled software from phoning anything home and/or retrieving behavior modifications from its developer.
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,450
    Location:
    Slovakia
    The problem is that I used the same installer 2 weeks ago and it was not there, not in any of the setups. I have not downloaded any new setup since then.
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,450
    Location:
    Slovakia
    Not really, I just checked and applications like Daemon Tools and such are known for it, so it probably downloaded some new advertisement during setup.
    Well, if it is only adware, I do not mind; I was just worried that it might be something serious. Anyway, thanks for the help, I will just leave it as it is for now.
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I would expect an antimalware tool, at least if it is configured to detect potentially unwanted programs, to detect such things and alert you to them. Since you didn't get an alert, I would say there is to some degree a shortcoming in the way your systems are protected, which you might want to try to close.

    Just for fun, I checked AxCrypt-1.7.2931.0-Setup.exe against VirusTotal:

    ~ VirusTotal Results Removed per Policy ~

    Sadly, there is only one positive (ESET-NOD32, Win32/OpenCandy). If you click on the Behavioural information tab below, you can see some information of interest. Bearing in mind that things could change, OCSetupHlp.dll, api.opencandy.com, and media.opencandy.com would appear to be red flags.
     
    Last edited by a moderator: Sep 7, 2012
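
Added example, not part of the thread or any poster's code: a Python check of an installer's bytes for the three markers named in the last post (OCSetupHlp.dll, api.opencandy.com, media.opencandy.com), matched case-insensitively in both ASCII and UTF-16LE. The function names and the sample bytes are constructed for illustration.

```python
"""Added example: look for the OpenCandy markers named in the thread."""
from pathlib import Path
import tempfile

# Strings called out in the last post as red flags.
INDICATORS = ("OCSetupHlp.dll", "api.opencandy.com", "media.opencandy.com")


def _needles(text):
    """Lower-cased byte patterns for one indicator, in the two encodings
    Windows binaries commonly use for embedded strings."""
    low = text.lower()
    return {"ascii": low.encode("ascii"), "utf-16le": low.encode("utf-16-le")}


def scan_bytes(data):
    """Return sorted (indicator, encoding) pairs found in data."""
    haystack = data.lower()  # bytes.lower() folds ASCII letters only
    hits = set()
    for indicator in INDICATORS:
        for encoding, needle in _needles(indicator).items():
            if needle in haystack:
                hits.add((indicator, encoding))
    return sorted(hits)


def scan_file(path):
    """Scan one installer on disk (reads the whole file into memory)."""
    return scan_bytes(Path(path).read_bytes())


def build_sample():
    """Constructed sample bytes, not a real installer."""
    return (b"MZ\x90\x00" + b"\x00" * 32
            + "OCSetupHlp.dll".encode("utf-16-le")   # wide-string DLL name
            + b"\xff" * 16
            + b"http://API.OpenCandy.com/"           # mixed-case ASCII host
            + b"\x00" * 8)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample-setup.bin"
        sample.write_bytes(build_sample())
        for indicator, encoding in scan_file(sample):
            print(f"{sample.name}: {indicator} ({encoding})")
```

An empty result is not proof of absence: installers often compress their payloads, so these strings may only become visible after extraction or at run time.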