Author Topic: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again  (Read 15386 times)

REDACTED

  • Guest
Hi guys,

Avast keeps informing me that it has just blocked a threat. It started yesterday and happens again and again, roughly every 30 minutes while using Firefox.

The pop-up says:
Object: https://ad.adtr.02.com/js/ad2.js
Infection: JS:Downloader-DEF [Trj]
Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

I already un- and reinstalled Firefox. Neither Avast nor Malwarebytes is able to detect any malicious files or viruses.

I really hope that any of you can help me to fix this, or if it is not a problem, at least explain to me why it keeps happening again and again.

I already ran the programmes as explained in the "Logs to assist in cleaning malware" thread. Please find the logs attached.

Kind regards and thank you for your time,

Megalo

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #1 on: August 24, 2017, 09:38:36 PM »
Try running this >> https://www.malwarebytes.com/adwcleaner/

Any change?

Malware experts are notified; they may not be online before tomorrow.


REDACTED

  • Guest
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #2 on: August 24, 2017, 10:06:47 PM »
Hi Pondus,

thanks for your help. I installed the programme and it removed some files after the scan. I'll check if the problem is solved and report here if I still need help.

Offline savcin

  • Avast team
  • Full Member
  • *
  • Posts: 113
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #3 on: August 24, 2017, 10:14:03 PM »
I assume that malicious obfuscation is used. However, the file is not reachable for me. Is it possible to submit this script file?

REDACTED

  • Guest
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #4 on: August 24, 2017, 10:29:25 PM »
I'm afraid I don't know which file you mean. Do you mean the one created by the adwcleaner?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #5 on: August 24, 2017, 10:52:32 PM »
Hi savcin,

Domain can no longer be resolved.

For the IP the Apache2 Ubuntu Default Page is shown.
See: http://toolbar.netcraft.com/site_report?url=http://185.64.114.13
Could well be 02.com has been taken down, because of such issues.
Probably centron.de Optitrust abuse. http://toolbar.netcraft.com/site_report?url=https://www.centron.de

Certificate Comodo RSA and Validation Secure Server CA and *.trsv3.com tested certificate, correctly installed.
Strict Transport Security (HSTS): Not Enabled
SSL/TLS compression: Not Enabled

Also consider earlier scans as: https://urlscan.io/result/b4343360-a579-42ed-a129-32636e397e4e/#summary

Where our example does not resolve, this does -> -ad.trsv3.com/js.php benign
Quote
     status: saved 738 bytes 539eeda9632d984bde83f9aab2817a1c1fc447db
     info: [decodingLevel=0] found JavaScript
     error: undefined variable _adrx
     error: undefined function _adrx.push
     file: 539eeda9632d984bde83f9aab2817a1c1fc447db: 738 bytes
Trying to get property of a non-object, to use different variable values for different contexts (managing variables).

Whenever the second example does not kick-up any detection, it is water under the bridge anyway.... ;)

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: August 24, 2017, 11:04:39 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #6 on: August 24, 2017, 10:54:26 PM »
Quote
     I'm afraid I don't know which file you mean. Do you mean the one created by the adwcleaner?
He probably means this JS script:


hxxps://ad.adtr.02.com/js/ad2.js

« Last Edit: August 24, 2017, 10:57:58 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #7 on: August 24, 2017, 11:13:16 PM »
Hi Pondus,

I bet it was a banner adloader obfuscation detected, like in hxtp://foo.bar/ad2.js and in that case for the 2nd banner (ad2 that is).
So CrapLoader detection. Good avast has that one covered. ;)
Some developers make such adcrap like gregersrygg/crapLoader does (even works with a time delay :o ).

polonus
« Last Edit: August 24, 2017, 11:15:23 PM by polonus »

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #8 on: August 25, 2017, 12:54:41 AM »
@Megalo

I don't see malware traces in FRST logs. Can you tell us which webpages are loaded in Firefox while Avast displays those messages?

REDACTED

  • Guest
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #9 on: August 25, 2017, 01:00:48 PM »
The webpages that were loaded were just normal online newspapers, Wikipedia, Facebook, ... pages I visit frequently without having experienced any problems in the past. As I usually have quite a few tabs open, it's not possible to exactly locate the page that caused trouble.

I thought it had stopped, but I'm still receiving the notification every now and then.

Thank you very much for your help everybody!
« Last Edit: August 25, 2017, 01:21:23 PM by Megalo »

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #10 on: August 25, 2017, 07:58:58 PM »
Can you test if the same thing happens while using Google Chrome?

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #11 on: August 26, 2017, 09:19:14 PM »
Quote
     The webpages that were loaded were just normal online newspapers, Wikipedia, Facebook, ... pages I visit frequently without having experienced any problems in the past. As I usually have quite a few tabs open, it's not possible to exactly locate the page that caused trouble.

     I thought it had stopped, but I'm still receiving the notification every now and then.

     Thank you very much for your help everybody!

OK. Let's try this in Firefox:
Remove the extension called PDF Architect Converter For Firefox and test again if you are still getting Avast messages during browsing in Firefox.

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Avast blocks threat "JS:Downloader-DEF [Trj]" again and again
« Reply #12 on: August 29, 2017, 11:44:15 PM »
https://forum.avast.com/index.php?topic=207906.msg1417212#msg1417212

Logs say that your system is clean, which means you don't have adware on your system which causes Avast to block the mentioned JS. I'm still waiting for this VirusTotal scan to finish, and until then we will not know for sure whether it is an Avast false positive or not.

https://www.virustotal.com/#/file-analysis/MjE1ZjMwYWYzMTY1NWYxMmZlOTgxODcwODI2M2I2YjQ6MTUwNDAzNzIyNQ==

http://r.virscan.org/report/9ca20a9db021ed64aad9df7ebb3e1488

EDIT: As for targeting, Germany is targeted as far as I know.

EDIT2:
Buggy VT: https://www.virustotal.com/#/file/9e086ce4bbc3aa9e89823af5fa43c591ae152e261f35d035b64d135436b0b820/detection