Author Topic: always messages "JS:Downloader-DEF [Trj]" blocked  (Read 5496 times)


REDACTED

  • Guest
always messages "JS:Downloader-DEF [Trj]" blocked
« on: August 28, 2017, 03:28:28 PM »
For days now I have often been getting messages

The pop-up says:
Object:
https://ad.adtr.02.com/js/ad.js?v=72
Infection:
JS:Downloader-DEF [Trj]
Process:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Have tried adwcleaner, CCleaner and Malwarebytes - no success

Get this message mostly on ebay site


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37153
  • Not a avast user
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #2 on: August 28, 2017, 03:41:57 PM »
ad.adtr.02.com/js/ad.js?v=72   seems to be down  >>  https://isitdownorjust.me/ad-adtr-02-com/

Not sure if CCleaner empties the Firefox cache, but you may try this  >>  https://support.mozilla.org/en-US/kb/how-clear-firefox-cache

If there is still a problem, follow the instructions in the link Eddy posted

« Last Edit: August 28, 2017, 03:47:14 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86950
  • No support PMs thanks
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #3 on: August 28, 2017, 04:18:35 PM »
I used another site checker and only used the top-level domain, 02.com, no sub-domains, and that too suggests it is down for everyone. Even the full sub-domain URL ad.adtr.02.com gives the same result: down for everyone.

http://downforeveryoneorjustme.com/02.com
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.9.6034 (build 22.9.7554.734) UI 1.0.728/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline savcin

  • Avast team
  • Full Member
  • *
  • Posts: 114
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #4 on: August 28, 2017, 05:09:41 PM »
Can you please submit the particular file?

REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #5 on: August 28, 2017, 06:05:24 PM »
which file?

REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #6 on: August 28, 2017, 08:49:04 PM »
log files attached as explained (https://forum.avast.com/index.php?topic=194892.0)

REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #7 on: August 28, 2017, 09:30:58 PM »
again... (whilst on ebay site)
« Last Edit: August 28, 2017, 09:33:14 PM by jr1r22 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37153
  • Not a avast user
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #8 on: August 28, 2017, 09:33:37 PM »
The Malwarebytes log you attached is not the scan log. Anyway, if nothing was detected there is no need for it.

Malware experts are notified, they may not be online before tomorrow


Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 827
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #9 on: August 28, 2017, 10:04:20 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy the text from the code block below and paste it into Notepad
Code:
GroupPolicy: Beschränkung - Chrome <==== ACHTUNG
GroupPolicyScripts: Beschränkung <==== ACHTUNG
CHR HKLM\SOFTWARE\Policies\Google: Beschränkung <==== ACHTUNG
OPR Extension: (Video Downloader Prime) - C:\Users\rw\AppData\Roaming\Opera Software\Opera Stable\Extensions\diefijfleiebcgdkmaefbjehgcokpdjl [2016-12-16]
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Tell me, does Avast block that URL while surfing in Chrome? If possible, paste here the URLs which are currently open in the browser when you get the Avast message.

REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #10 on: August 29, 2017, 07:24:13 AM »
fixlog.txt attached

Okay, I'll try Chrome for some time today.
« Last Edit: August 29, 2017, 07:40:24 AM by jr1r22 »

REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #11 on: August 29, 2017, 08:02:02 AM »
After using Chrome for some minutes (surfing on eBay), Avast blocked again

URL:  http://www.ebay.de/itm/372052893067?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1558.l2649

UPDATE
It also happened using Opera browser
URL:  http://www.ebay.de/itm/372052867035?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1558.l2649

« Last Edit: August 29, 2017, 08:14:52 AM by jr1r22 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33532
  • malware fighter
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #12 on: August 29, 2017, 10:41:32 AM »
Zulu Zscaler also comes up with two suspicious links: https://zulu.zscaler.com/submission/e274211d-416b-4a3f-bcb6-13bd4637a621
External Elements

URL   RISK
-http://pages.ebay.de/ebaybuyerprotection/inde   Suspicious
-http://cgi1.ebay.de/ws/eBayISAPI.dll?ReportTh   Benign
-http://contact.ebay.de/ws/eBayISAPI.dll?ShowC   Benign
-http://www.ebay.de/itm/RAC-Rallye-1980-Triump   Suspicious
-http://my.ebay.de/ws/eBayISAPI.dll?MyEbay&gbh   Benign

iFrames detected...

Found mail servers without 'AAAA' record
-lore.ebay.com: ?
-data.ebay.com: ?
-gort.ebay.com: ?
Found differences in TXT records returned by your name servers. No connection on connection check for nameservers.

verisign dynect abuse? possibly PHISHING

blacklisted link -https://srv.de.ebayrtm.com/clk?rtmclk&%3Bu%3D1h4siaaaaaaaaag1rxy%2baqbr9n%2fe%2fkdtyvp0zpgzmsdpg6mrxioafuyfpgbmuakihfnhf3%2fghferjzc3jybnn5uz%2bce5mivelhewjwllizagutn4giqdxemtv1rvt63a%2bmzw8n1i2zxe08lacjlu5s4r8m9ewtphl99ccr2qzjv%2bg7b573dnahlfjufh01wzrbhjmh

and blacklisted host: -srv.de.ebayrtm.com

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: August 29, 2017, 10:43:53 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline savcin

  • Avast team
  • Full Member
  • *
  • Posts: 114
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #13 on: August 29, 2017, 03:05:16 PM »
Very strange obfuscation is used.  :-\

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31205
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #14 on: August 29, 2017, 03:18:17 PM »
Just checked both links in reply #11 and no warnings with Opera 47.0.2631.71 (PGO) on W10 (fully up to date) and latest avast free.

Just a guess, but perhaps because the ads are "targeted".

Searching for adtr in the source code gives 0 results.
« Last Edit: August 29, 2017, 03:20:22 PM by Eddy »
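
Added example, not part of any post in this thread: a structured version of the source check described in the last reply. It lists the third-party hosts referenced in a saved copy of a page and tests for the host named in the Avast pop-up. The sample HTML, `shop.example` and the function names are constructed for illustration. Hosts that scripts pull in at run time do not appear in static markup, so an empty result does not by itself clear the page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Host taken from the Avast pop-up quoted in the first post.
FLAGGED_HOST = "ad.adtr.02.com"


class ResourceCollector(HTMLParser):
    """Collects URLs of resources loaded through static tag attributes."""
    TAGS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # Resolve relative and protocol-relative references.
                self.urls.append(urljoin(self.base_url, value))


def third_party_hosts(html, page_url):
    """Sorted hosts, other than the page's own, referenced in the markup."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own = urlsplit(page_url).hostname
    hosts = {urlsplit(u).hostname for u in collector.urls}
    return sorted(h for h in hosts if h and h != own)


def references_flagged(html, page_url, flagged=FLAGGED_HOST):
    """True if the flagged host or one of its subdomains is referenced."""
    return any(h == flagged or h.endswith("." + flagged)
               for h in third_party_hosts(html, page_url))


# Constructed sample input (not the real eBay page source).
SAMPLE_URL = "http://shop.example/itm/1"
SAMPLE_STATIC = """<html><head>
<script src="//static.example.net/app.js"></script>
</head><body><img src="/logo.png">
<iframe src="https://ads.example.org/slot?id=7"></iframe>
</body></html>"""
SAMPLE_WITH_TAG = SAMPLE_STATIC.replace(
    "</body>",
    '<script src="https://ad.adtr.02.com/js/ad.js?v=72"></script></body>')
```
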