Bugtraq: Re: Unusual Activity in Ad-aware 6 Personal, Build 6.181

[Steve Ryan <sirsteve () internetcds com>]

Hi,

Well, this is odd.  I did not find any of those files you mentioned.  I 
didn't find a cache folder either.  I updated Ad-Aware with the latest 
definitions and then initiated a scan.  It created a 'cache' folder 
where you mentioned, although I didn't open it.  I let it finish the 
scan and then the 'cache' folder disappeared.  I cleaned the 30 or so 
'tracking cookies' it found and it created a cache folder again.  I was 
going to open it, but then I closed out Ad-Aware not even thinking and 
the cache folder disappeared.
Then I opened Ad-aware, ran a scan.. it immediately created a 'cache' 
folder but upon inspection, it's empty.  I checked it multiple times 
during the Ad-aware scan, and it stayed empty.  This time upon 
completion, before I could close Ad-aware, the 'cache' folder disappared.
Nothing unusual that I could find anyway.

Windows XP + SP1a + All critical/XP updates..

HTH.

fedhead wrote:

> Sorry about my previous post, Norton picked up the html code an filtered my
> e-mail. Here is the original post without the html flags
>
> Hello,
> Seems benign enough. Every night when it runs, after the first scan of the
> registry, it creates four files in the C:\Program Files\Lavasoft\Ad-Aware
> 6\cache folder which Norton AV catches as trojan scripts:
>
> exploit.chm
> installer.htm
> shellscript.js
> shellscript_loader.js
>
> In installer.htm, it appears to use one of the IE IFRAME exploits to
> download the java script files.
> The most unusual part is that it happens at the end of the registry scan in
> Ad-aware. A google search doesn't turn up any relation between this exploit
> and Ad-aware so it could be something unique to my system but at this point
> I am at a loss as to what it could be.
>
>
> Any info would be appreciated.
>
> Thanks,
> Matt