JS/IE Trojan from ADAWARE???

Discussion in 'NOD32 version 2 Forum' started by spy1, Jun 5, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Just got this pop-up from NOD a few minutes ago while running an AA scan (which came out clean, BTW).

    Perhaps someone can clue me in to what it actually means?
     

  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas

    Hello Pete

    I dug around and found this.

    It could be a false positive as you know.

    On my machine, I would rename that file.


    This VBScript trojan simply alters the default start up page that Internet Explorer uses. Running this script results in an HTML application being created in the WINDOWS STARTUP folder. This .HTA file alters the following registry key to change the default start page that IE uses:
    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

    This trojan exists as VBScript code contained in a .VBS, .VBE, or .HTA file.
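
Added example, not part of ronjor's post or the description quoted in it: a Python check for the two artifacts that description names, script files (.VBS, .VBE, .HTA) sitting in a Startup folder and references to the IE Start Page value. The function names and the sample files are constructed for illustration, and the live registry read only returns a value on Windows.

```python
import re
import tempfile
from pathlib import Path

# Extensions the quoted description names for this trojan.
SCRIPT_EXTS = {".vbs", ".vbe", ".hta"}
# Registry value the description says the dropped .HTA rewrites.
START_PAGE_RE = re.compile(
    r"Software\\Microsoft\\Internet Explorer\\Main\\Start Page", re.IGNORECASE)

def scan_startup(folder):
    """Return (file name, references_start_page) for each script file in folder.
    Encoded .VBE files will not match the text search; they are still listed,
    because any script in a Startup folder deserves a manual look."""
    findings = []
    for path in sorted(Path(folder).iterdir()):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            text = path.read_bytes().decode("latin-1")
            findings.append((path.name, bool(START_PAGE_RE.search(text))))
    return findings

def current_start_page():
    """Read the live Start Page value; None off Windows or if it is unset."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Internet Explorer\Main") as key:
            return winreg.QueryValueEx(key, "Start Page")[0]
    except OSError:
        return None

def demo():
    """Scan a constructed Startup folder (all three sample files are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "update.hta").write_text(
            '<script language="VBScript">\n'
            'k = "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page"\n'
            '</script>\n')
        (root / "backup.vbs").write_text('WScript.Echo "nightly backup"\n')
        (root / "notes.txt").write_text("Start Page reminder\n")
        return scan_startup(root)

if __name__ == "__main__":
    for name, hit in demo():
        print(name, "references the Start Page key" if hit else "no key reference")
    print("Current Start Page:", current_start_page())
```

On a real machine, point `scan_startup` at the per-user and all-users Startup folders and compare `current_start_page()` with the page you expect.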
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Okay. Thanks for the info. I'm just going to let it ride for the moment (running other scans). Pete
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    mitch from the AA forum was nice enough to point me to this thread:
    http://www.lavasoftsupport.com/index.php?showtopic=14501 which somewhat explains what I'm seeing - I still don't understand why it just now has started happening, unless it's a heuristics issue with NOD, or a FP by NOD due to a recent update. Pete
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas

    Pete

    I also have NOD32 and Ad-aware and haven't had this warning. I don't run Ad-aware real time however. I just use it to scan at times.

    Good info.
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Okay, I was able to reproduce the whole thing again this morning with another AA scan and I found that the "dummy" referred to in the result ("hit" from NOD) was simply something hinky in my Java temp folder.

    (Apparently, AA reads inside that and NOD doesn't unless AA opens it for AMON to scan).

    I cleaned out all the Java cache stuff, re-ran AA and did not get any more alerts from NOD.

    Good enough. Pete
     
  7. veles

    veles Registered Member

    Joined:
    Jul 1, 2005
    Posts:
    1
    I get that msg as well... but I don't get the option to delete the file... maybe I gotta change my settings?
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi veles, welcome to Wilders.
    There is a thread here on tweaking Nod32.

    Hope this helps...

    Cheers :D
     