always messages "JS:Downloader-DEF [Trj]" blocked

For days I have often been getting messages

The pop-up says:
Object:
https://ad.adtr.02.com/js/ad.js?v=72
Infection:
JS:Downloader-DEF [Trj]
Process:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Have tried adwcleaner, CCleaner and Malwarebytes - no success

Get this message mostly on ebay site

https://forum.avast.com/index.php?topic=194892.0

ad.adtr.02.com/js/ad.js?v=72 seems to be down >> https://isitdownorjust.me/ad-adtr-02-com/

Not sure if CCleaner empties the Firefox cache, but you may try this >> https://support.mozilla.org/en-US/kb/how-clear-firefox-cache

If there is still a problem, follow the instructions in the link Eddy posted

I used another site checker and only used the top level domain, 02.com, no sub-domains, and that too suggests it is down for everyone. Even the full sub.domain URL ad.adtr.02.com results in the same down for everyone.

http://downforeveryoneorjustme.com/02.com

Can you please submit the particular file?

which file?

log files attached as explained (https://forum.avast.com/index.php?topic=194892.0)

again… (whilst on ebay site)

The malwarebytes log you attached is not the scan log, anyway if nothing was detected there is no need for it

Malware experts are notified, they may not be online before tomorrow

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
GroupPolicy: Beschränkung - Chrome <==== ACHTUNG
GroupPolicyScripts: Beschränkung <==== ACHTUNG
CHR HKLM\SOFTWARE\Policies\Google: Beschränkung <==== ACHTUNG
OPR Extension: (Video Downloader Prime) - C:\Users\rw\AppData\Roaming\Opera Software\Opera Stable\Extensions\diefijfleiebcgdkmaefbjehgcokpdjl [2016-12-16]

  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Tell me, does Avast block that URL while surfing in Chrome, and if possible, paste here the URLs which are currently opened in the browser when you get the Avast message.

fixlog.txt attached

Okay, I'll try Chrome for some time today.

Using Chrome some minutes (surfing on ebay) Avast blocked again

URL: http://www.ebay.de/itm/372052893067?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1558.l2649

UPDATE
It also happened using Opera browser
URL: http://www.ebay.de/itm/372052867035?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1558.l2649

Zulu Zscaler also comes up with two suspicious links: https://zulu.zscaler.com/submission/e274211d-416b-4a3f-bcb6-13bd4637a621
External Elements

URL RISK
-http://pages.ebay.de/ebaybuyerprotection/inde Suspicious
-http://cgi1.ebay.de/ws/eBayISAPI.dll?ReportTh Benign
-http://contact.ebay.de/ws/eBayISAPI.dll?ShowC Benign
-http://www.ebay.de/itm/RAC-Rallye-1980-Triump Suspicious
-http://my.ebay.de/ws/eBayISAPI.dll?MyEbay&gbh Benign

iFrames detected…

Found mail servers without ‘AAAA’ record
-lore.ebay.com: ?
-data.ebay.com: ?
-gort.ebay.com: ?
Found differences in TXT records returned by your name servers. No connection on connection check for nameservers.

verisign dynect abuse? possibly PHISHING

blacklisted link -https://srv.de.ebayrtm.com/clk?rtmclk&%3Bu%3D1h4siaaaaaaaaag1rxy%2Baqbr9n%2Fe%2Fkdtyvp0zpgzmsdpg6mrxioafuyfpgbmuakihfnhf3%2Fghferjzc3jybnn5uz%2Bce5mivelhewjwllizagutn4giqdxemtv1rvt63a%2Bmzw8n1i2zxe08lacjlu5s4r8m9ewtphl99ccr2qzjv%2Bg7b573dnahlfjufh01wzrbhjmh

and blacklisted host: -srv.de.ebayrtm.com

polonus (volunteer website security analyst and website error-hunter)

Very strange obfuscation is used. :-\

Just checked both links in reply #11 and no warnings with Opera 47.0.2631.71 (PGO) on W10 (fully up to date) and latest avast free.

Just a guess, but perhaps because the ads are “targeted”.

Searching for adtr in the source code gives 0 results.

Meanwhile I know from the German Avadas Forum (http://forum.avadas.de/threads/8095-ständige-Meldung-Bedrohung-durch-quot-JS-Downloader-DEF-quot) that there are at least two other users with the same problem as mine

There is also a post about it on the MAC forum.
https://forum.avast.com/index.php?topic=207906.0

avadas.de is NOT the German avast forum/webboard.

okay

Logs say that your system is clean, which means you don't have adware on your system that causes Avast to block the mentioned JS. I'm still waiting for this VirusTotal scan to finish, and until then we will not know for sure whether it is an Avast false positive or not.

https://www.virustotal.com/#/file-analysis/MjE1ZjMwYWYzMTY1NWYxMmZlOTgxODcwODI2M2I2YjQ6MTUwNDAzNzIyNQ==

http://r.virscan.org/report/9ca20a9db021ed64aad9df7ebb3e1488

EDIT: As for targeting, Germany is targeted as far as I know.

EDIT2:
Buggy VT: https://www.virustotal.com/#/file/9e086ce4bbc3aa9e89823af5fa43c591ae152e261f35d035b64d135436b0b820/detection

Obviously the problem has been solved - no more alerts in this case since yesterday. Fine