Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on August 28, 2017, 03:28:28 PM
-
Since days I often get messages
The pop-up says:
Object:
https://ad.adtr.02.com/js/ad.js?v=72
Infection:
JS:Downloader-DEF [Trj]
Process:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Have tried adwcleaner, CCleaner and Malwarebytes - no success
Get this message mostly on ebay site
-
https://forum.avast.com/index.php?topic=194892.0
-
ad.adtr.02.com/js/ad.js?v=72 seems to be down >> https://isitdownorjust.me/ad-adtr-02-com/
Not sure if CCleaner empties the Firefox cache, but you may try this >> https://support.mozilla.org/en-US/kb/how-clear-firefox-cache
If the problem persists, follow the instructions in the link Eddy posted.
-
I used another site checker and only used the top level domain, 02.com, no sub-domains, and that too suggests it is down for everyone. Even the full sub-domain URL ad.adtr.02.com results in the same "down for everyone".
http://downforeveryoneorjustme.com/02.com
-
Can you please submit particular file?
-
which file?
-
log files attached as explained (https://forum.avast.com/index.php?topic=194892.0)
-
again... (whilst on ebay site)
-
The malwarebytes log you attached is not the scan log, anyway if nothing was detected there is no need for it
Malware experts are notified, they may not be online before tomorrow
-
- Open Notepad (click Start button -> type notepad.exe -> press Enter)
- Copy text from code block below and paste it into Notepad
GroupPolicy: Beschränkung - Chrome <==== ACHTUNG
GroupPolicyScripts: Beschränkung <==== ACHTUNG
CHR HKLM\SOFTWARE\Policies\Google: Beschränkung <==== ACHTUNG
OPR Extension: (Video Downloader Prime) - C:\Users\rw\AppData\Roaming\Opera Software\Opera Stable\Extensions\diefijfleiebcgdkmaefbjehgcokpdjl [2016-12-16]
- Go to File -> Save As
- Make sure that UTF-8 is selected as Encoding (left side of Save button)
- Save it as fixlist.txt on Desktop
- Open again FRST and click on button Fix
- Wait until FRST finishes
- fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
Tell me, does Avast block that URL while surfing in Chrome, and if possible, paste here the URLs which are currently opened in the browser when you get the Avast message.
-
fixlog.txt attached
Okay, I'll try Chrome for some time today.
-
After using Chrome for some minutes (surfing on eBay), Avast blocked again
URL: http://www.ebay.de/itm/372052893067?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1558.l2649
UPDATE
It also happened using Opera browser
URL: http://www.ebay.de/itm/372052867035?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1558.l2649
-
Zulu Zscaler also comes up with two suspicious links: https://zulu.zscaler.com/submission/e274211d-416b-4a3f-bcb6-13bd4637a621
External Elements
URL RISK
-http://pages.ebay.de/ebaybuyerprotection/inde Suspicious
-http://cgi1.ebay.de/ws/eBayISAPI.dll?ReportTh Benign
-http://contact.ebay.de/ws/eBayISAPI.dll?ShowC Benign
-http://www.ebay.de/itm/RAC-Rallye-1980-Triump Suspicious
-http://my.ebay.de/ws/eBayISAPI.dll?MyEbay&gbh Benign
iFrames detected...
Found mail servers without 'AAAA' record
-lore.ebay.com: ?
-data.ebay.com: ?
-gort.ebay.com: ?
Found differences in TXT records returned by your name servers. No connection on connection check for nameservers.
verisign dynect abuse? possibly PHISHING
blacklisted link -https://srv.de.ebayrtm.com/clk?rtmclk&%3Bu%3D1h4siaaaaaaaaag1rxy%2baqbr9n%2fe%2fkdtyvp0zpgzmsdpg6mrxioafuyfpgbmuakihfnhf3%2fghferjzc3jybnn5uz%2bce5mivelhewjwllizagutn4giqdxemtv1rvt63a%2bmzw8n1i2zxe08lacjlu5s4r8m9ewtphl99ccr2qzjv%2bg7b573dnahlfjufh01wzrbhjmh
and blacklisted host: -srv.de.ebayrtm.com
polonus (volunteer website security analyst and website error-hunter)
-
Very strange obfuscation is used. :-\
-
Just checked both links in reply #11 and no warnings with Opera 47.0.2631.71 (PGO) on W10 (fully up to date) and latest avast free.
Just a guess, but perhaps because the ads are "targeted".
Searching for adtr in the source code gives 0 results.
-
Meanwhile I know from the German Avadas Forum (http://forum.avadas.de/threads/8095-st%C3%A4ndige-Meldung-Bedrohung-durch-quot-JS-Downloader-DEF-quot) that there are at least two other users with the same problem as mine
-
There is also a post about it on the MAC forum.
https://forum.avast.com/index.php?topic=207906.0
avadas.de is NOT the German avast forum/webboard.
-
okay
-
Logs say that your system is clean, which means you don't have adware on your system which would cause Avast to block the mentioned JS. I'm still waiting for this VirusTotal scan to finish, and until then we will not know for sure whether it is an Avast false positive or not.
https://www.virustotal.com/#/file-analysis/MjE1ZjMwYWYzMTY1NWYxMmZlOTgxODcwODI2M2I2YjQ6MTUwNDAzNzIyNQ==
http://r.virscan.org/report/9ca20a9db021ed64aad9df7ebb3e1488
EDIT: As for targeting, Germany is targeted as far as I know.
EDIT2:
Buggy VT: https://www.virustotal.com/#/file/9e086ce4bbc3aa9e89823af5fa43c591ae152e261f35d035b64d135436b0b820/detection
-
Obviously the problem has been solved - no more alerts in this case since yesterday. Fine
-
It is not exactly the same issue, but very similar one.
Few users of our site reported Avast alerts recently,
that JS:Downloader-YT [Trj] has been detected.
For instance this page gave the alert http://video.meta.ua/9443596.video
I assume that an obfuscated javascript causes a false positive; is there any method to whitelist javascripts?
-
avast doesn't alert there as the page doesn't even load.
-
Loading fine here ;)
anyway @metamaster you should start your own topic
-
Well, the javascript, which is a media player, is generated dynamically, so from time to time it could have a signature that leads to detection.
So I am looking for a whitelisting method for the site scripts.
-
How to report >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438
and start your own topic ...
-
@Eddy and others,
I get a message for this adware related detection JS:Downloader-YT [Trj] on -http://video.meta.ua/9443596 [gzip]
Probably those that do not detect have pup-detection disabled within avast free. Detection was there from 2010.
DNS issues on site:
With this domain I find stealth name servers: found stealth name servers at some of your servers. All name servers returned by domain name servers should be listed at parent servers
-ns1.meta.ua at -ns4.top.net.ua
-ns1.meta.com.ua at -ns4.top.net.ua
-ns1.meta.ua at -ns5.top.net.ua
-ns1.meta.com.ua at -ns5.top.net.ua
No detections at the main domain address: http://toolbar.netcraft.com/site_report?url=http://video.meta.ua
Certificates installed in the wrong order.
Some certificates in the chain are installed in the wrong order. See details below. Reinstall the certificates in the proper order.
Add Trust External CA root and Tested certificate....
Warnings
RC4
Your server's encryption settings are vulnerable. This server uses the RC4 cipher algorithm which is not secure. More information.
Root installed on the server.
For best practices, remove the self-signed root from the server.
This server uses a Domain Validated (DV) certificate. No information about the site owner has been validated. Data is protected, but exchanging personal or financial information is not recommended.
Similar detection as the one at hand here: https://www.scumware.org/report/194.0.131.28.html
XPL/Gen BE
Rank this week: Nº 702
Websites affected: 14
Users affected: 100 - 5,000
Affected Operating Systems: All Windows OS
excessive server info proliferation detected: nginx 1.7.6 10 disallowed entries
| /cron /mui /api /script /logs /vpla /mediaplugin vulnerable to :wp-content/plugins/ad-injection
|_/uploader /ajax /feedpath TLS randomnes on http 1.1
Also consider: http://retire.insecurity.today/#!/scan/b61198803f57314e7c5cfbf2b2ef6e52e0ba5b70af374f10c56b4a54f4caf1bc
polonus (volunteer website security analyst and website error-hunter)
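The certificate warnings quoted in the post above (certificates installed in the wrong order, a self-signed root sent by the server, RC4 offered) can all be checked from what a server presents during the handshake. The following is an added example written for this thread; it is not code from the forum, from avast, or from any of the scanners quoted. Certificates are modelled as plain subject/issuer pairs so it runs offline, and every name in it (the "Example" CA names, the trusted-root set, the cipher suite lists) is constructed sample data, not taken from video.meta.ua.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the names matter here."""
    subject: str
    issuer: str

    @property
    def self_signed(self):
        return self.subject == self.issuer


def order_chain(presented, leaf_subject):
    """Rebuild leaf -> intermediate(s) -> root from the certificates a server
    presented, whatever order they arrived in. Stops at a self-signed cert or
    when the next issuer was not presented (normal when the root is omitted)."""
    by_subject = {c.subject: c for c in presented}
    if leaf_subject not in by_subject:
        raise ValueError("leaf certificate not presented: %s" % leaf_subject)
    ordered = [by_subject[leaf_subject]]
    seen = {leaf_subject}
    while not ordered[-1].self_signed:
        nxt = by_subject.get(ordered[-1].issuer)
        if nxt is None or nxt.subject in seen:  # missing link, or a loop
            break
        ordered.append(nxt)
        seen.add(nxt.subject)
    return ordered


def audit_chain(presented, leaf_subject, offered_ciphers, trusted_roots):
    """Return warning strings modelled on the scanner output in the thread."""
    warnings = []
    ordered = order_chain(presented, leaf_subject)

    # 1. Order check: the server should send leaf first, then each issuer in turn.
    presented_prefix = [c.subject for c in presented[:len(ordered)]]
    if presented_prefix != [c.subject for c in ordered]:
        warnings.append("Certificates installed in the wrong order.")

    # 2. A self-signed root in the served chain is wasted bytes; clients must
    #    already trust it from their own store or it does not help anyway.
    if any(c.self_signed for c in presented):
        warnings.append("Root installed on the server.")

    # 3. Completeness: the last cert we could link must either be self-signed
    #    or be issued directly by a root the client already trusts.
    last = ordered[-1]
    if not last.self_signed and last.issuer not in trusted_roots:
        warnings.append("Chain incomplete: issuer not presented: %s" % last.issuer)

    # 4. Cipher check: any RC4 suite in the offer is a finding on its own.
    if any("RC4" in name.upper() for name in offered_ciphers):
        warnings.append("This server uses the RC4 cipher algorithm which is not secure.")
    return warnings


# Constructed sample chain (hypothetical names, not a real CA hierarchy).
LEAF = Cert("CN=video.example.test", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
TRUSTED_ROOTS = {"CN=Example Root CA"}  # stands in for the client trust store


def demo_misconfigured():
    """Intermediate sent first, root included, RC4 offered: three warnings."""
    return audit_chain([INTERMEDIATE, LEAF, ROOT], LEAF.subject,
                       ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"], TRUSTED_ROOTS)


def demo_fixed():
    """Leaf then intermediate, root omitted, no RC4: no warnings."""
    return audit_chain([LEAF, INTERMEDIATE], LEAF.subject,
                       ["ECDHE-RSA-AES128-GCM-SHA256"], TRUSTED_ROOTS)


if __name__ == "__main__":
    for w in demo_misconfigured():
        print("WARN:", w)
    print("after fix:", demo_fixed())
```

The same functions can be fed a real chain by mapping each certificate's subject and issuer distinguished names into `Cert`; the ordering logic does not depend on the sample names, only on issuer-to-subject links.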
-
@polonus, thank you for information.
But, as Pondus has suggested I would start a separate topic for further discussion.
-
Hi metamaster,
No sweat, I'd follow you there then, certainly when Pondus ;) suggested this.
Thanks again for putting the issue up and discussing it.
polonus