Avast blocks threat "JS:Downloader-DEF [Trj]" again and again

Hi guys,

Avast keeps informing me that it has just blocked a threat. It started yesterday and happens again and again, roughly every 30 minutes while using Firefox.

The pop-up says:
Object:
https://ad.adtr.02.com/js/ad2.js
Infection:
JS:Downloader-DEF [Trj]
Process:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

I already uninstalled and reinstalled Firefox. Neither Avast nor Malwarebytes is able to detect any malicious files or viruses.

I really hope that any of you can help me to fix this, or if it is not a problem, at least explain to me why it keeps happening again and again.

I already ran the programmes as explained in the “Logs to assist in cleaning malware” thread. Please find the logs attached.

Kind regards and thank you for your time,

Megalo

Try running this >> https://www.malwarebytes.com/adwcleaner/

Any change?

Malware experts are notified; they may not be online before tomorrow.

Hi Pondus,

thanks for your help. I installed the programme and it removed some files after the scan. I’ll check if the problem is solved and report here if I still need help.

I assume that malicious obfuscation is used. However the file is not reachable for me. Is it possible to submit this script file?

I’m afraid I don’t know which file you mean. Do you mean the one created by the adwcleaner?

Hi savcin,

Domain can no longer be resolved.

For the IP the Apache2 Ubuntu Default Page is shown.
See: http://toolbar.netcraft.com/site_report?url=http://185.64.114.13
Could well be 02.com has been taken down, because of such issues.
Probably centron.de Optitrust abuse. http://toolbar.netcraft.com/site_report?url=https://www.centron.de

Certificate Comodo RSA and Validation Secure Server CA and *.trsv3.com tested certificate, correctly installed.
Strict Transport Security (HSTS): Not Enabled
SSL/TLS compression: Not Enabled

Also consider earlier scans as: https://urlscan.io/result/b4343360-a579-42ed-a129-32636e397e4e/#summary

Where our example does not resolve, this does → -ad.trsv3.com/js.php benign

status: saved 738 bytes 539eeda9632d984bde83f9aab2817a1c1fc447db
info: [decodingLevel=0] found JavaScript
error: undefined variable _adrx
error: undefined function _adrx.push
file: 539eeda9632d984bde83f9aab2817a1c1fc447db: 738 bytes
Trying to get property of a non-object, to use different variable values for different contexts (managing variables).

Whenever the second example does not kick up any detection, it is water under the bridge anyway… :wink:

polonus (volunteer website security analyst and website error-hunter)

He probably means this JS script

hxxps://ad.adtr.02.com/js/ad2.js

Hi Pondus,

I bet it was a banner adloader obfuscation detected, like in hxtp://foo.bar/ad2.js and in that case for the 2nd banner (ad2 that is).
So CrapLoader detection. Good avast has that one covered. :wink:
Some developers make such adcrap like gregersrygg/crapLoader does (even works with a time delay :o ).

polonus

@Megalo

I don’t see malware traces in FRST logs. Can you tell us which webpages are loaded in Firefox while Avast displays those messages?

The webpages that were loaded were just normal online newspapers, Wikipedia, Facebook,… pages I visit frequently without having experienced any problems in the past. As I usually have quite a few tabs open, it’s not possible to exactly locate the page that caused trouble.

I thought it had stopped, but I’m still receiving the notification every now and then.

Thank you very much for your help everybody!

Can you test if same thing happens while using Google Chrome?

OK. Let's try this in Firefox:
Remove the extension called PDF Architect Converter For Firefox and test again whether you are still getting Avast messages while browsing in Firefox.

https://forum.avast.com/index.php?topic=207906.msg1417212#msg1417212