
Trojan.JS.Obfjs.Y (v) on latest version of Opera.

  • After I start my machine I open Opera, which is the only browser I use, and speed dial opens. After a few seconds my antivirus software sends me a warning that it has blocked Trojan.JS.Obfjs.Y (v). I am using the latest version of Opera, and it started exactly after this version was installed on my machine. Since I am not a gamer whatsoever and am using the internet moderately, I am highly surprised: where is that crap coming from?! In the last 3-4 years I haven't gotten anything more than some tracking cookies (which is probably normal), and no Trojan was ever seen even close! So can anyone with experience explain what this is, why it is, where it could come from and how to get rid of it, please? Thanks in advance!

  • Where exactly is your AV finding it?

    Have you checked your computer for malware?

  • The thing is that I can't find a log file folder of the AV on my machine... This is what surprises me more than anything! As for malware, the AV is meant to take care of all the crap that is trying to get into the computer.
    I've been checking all the stand-alone software I have on the machine by uninstalling and reinstalling it, but nothing has changed!
    My computer knowledge is slowly growing, but I am still not computer savvy....
    Thanks for your attitude!

  • The Trojan.JS.Obfjs.Y (v) is probably being identified as a variant of an obfuscated JavaScript executable. If valid malware, such executables either try to download malicious files or redirect to a malicious site. The virus name you've provided is a typical naming syntax of a Vipre malware identification. Is Vipre the AV product you're using?

    This kind of identification is usually derived by the AV program using heuristic techniques (ones which track the behavior of the JavaScript after the obfuscation is removed by the AV, and flagging it as malware if it looks like the resulting code will attempt suspicious behavior on your system). Heuristics can produce more false alarms than signature comparison with known malware lists, but can also block new malware before its signature gets incorporated into the AV's downloaded signature comparison lists.

    A possible explanation is that a website being called up by your Opera speed dial or a prior Opera session either contains suspicious JavaScripting or calls up another site with such coding. It's also possible that your AV is false-alarming on some website's legitimate JavaScript.

    One thing to try is to do a full system scan with your AV while Opera is shut off. If the malware alert is coming from a malicious file that Opera has saved, then the AV should still find it with Opera turned off. If the alert only occurs when Opera is turned on, the chances are that the AV is intercepting malicious-looking JavaScript coming from a website being auto-accessed by Opera, via speed-dial or prior session resumption or hijacking of the browser.

  • Oh my gosh!... (LOL) I have to try to memorize all this precisely and quote it in front of my buddies - my reputation will skyrocket immediately!...
    Seriously, I've tried both options - have scanned with and without Opera. The result was the same.
    Yes, I have been using Vipre for about 5 years now and it has never let me down nor brought any nasty surprises - I am satisfied with it!
    The only strange thing is that there is no log file folder for AV (is it normal?).
    In my non-cyber mind I have assumed that Vipre is taking something else for a threat because it doesn't recognize it, roughly speaking. How to calm Vipre down and let it do its job without unnecessary panic - I've no idea...
    A while ago I tried out Malwarebytes and there were occasions when some malware was caught, but the system didn't function smoothly then and I asked Vipre technicians about the compatibility of these two programs. The answer was negative and now I am not using Malwarebytes any more.
    So...
    Thanks a mill for support!

  • > As for malware, the AV is meant to take care of all the crap that is trying to get into the computer.

    It would be interesting to also check with Malwarebytes and related software.

    > have scanned with and without Opera. The result was the same.

    Try this:

    1. Go to OMenu > About Opera and take note of the path to Opera's cache folder;
    2. With Opera closed, open Windows Explorer and go to Opera's cache folder;
    3. Delete everything inside it;
    4. Run an AV scan and see if it still finds something.

    > The only strange thing is that there is no log file folder for AV (is it normal?).

    Doesn't the help file of your AV say something about the logs?

  • I was recently thinking of coming back to Malwarebytes to see what it will tell...
    As for the Opera cache, I haven't tried it yet - thanks for this idea! BUT I have CCleaner, which cleans (?) all the temporary files and cache at the end of every session (I am doing it manually).
    As for logs, I've been advised by Vipre technicians to find some hidden folder in C:\ProgramData\VIPRE\ though I couldn't find such. Unfortunate!
    Anyway, I am so glad of your responsiveness and willingness to help me, guys!
    Blessings!

  • > As for logs, I've been advised by Vipre technicians to find some hidden folder in C:\ProgramData\VIPRE\ though I couldn't find such

    Maybe you have to change Explorer settings to show hidden folders.

    > I have CCleaner, which cleans (?) all the temporary files and cache at the end of every session (I am doing it manually).

    And does your AV find anything just after that cleanup?

  • #1 Thanks! I'll check it later on!
    #2 Yes! If I open Opera after cleaning, the story is always the same - AV finds the same Trojan.
    Thank you so much!

  • > #2 Yes! If I open Opera after cleaning, the story is always the same - AV finds the same Trojan.

    Could you please try to check if Opera's cache is really empty when the scan is being done?

    If your AV finds the infected file in the cache then it's more likely that the file is coming from a page.

  • If you clean the temp files and cache using CCleaner with Opera off and Vipre produces no error messages, what happens if you then unhook the computer's Internet connection and turn on Opera? That is, do you get a malware alert from Vipre after Opera comes alive (ignoring any protests Opera may make about no connection present)?

    Also, when you start Opera normally with a good Internet connection, what pages (URLs) is its Speed Dial set to load or display?

  • @ leoch:
    When I click on the Opera icon at the top left of the page, choose Developer > Developer Tools in the drop-down menu and then go to Cache storage - it is totally clean.
    @ blackbird71:
    When I unhook the internet I simply can't open a browser (I think it is logical). AV doesn't find anything in any scenario used - the machine itself is clean. I recently installed Malwarebytes and did a full scan on the C drive and it is clean. Perfectly clean!
    As for Speed Dial, I am using it like a mini bookmark page for quick access to the links I use most on an everyday basis. So as I said, there were never any problems whatsoever, but they started a couple of weeks ago without my interaction with the system settings - I do not touch what is working perfectly and do not push my nose into holes where my head doesn't fit, so to say.
    I think I must let it take its own course - whatever will come! Moreover, I am not happy to abuse (and waste) the time of other people unnecessarily. I am very grateful to all of you guys who have shown the good will to help me in this situation! I really appreciate it with all my heart!
    If something new follows I will update this thread.
    Blessings!

  • One of the possibilities for causing an almost-immediate AV warning message (especially if related to JavaScript) is if the browser is set, upon being started up with an active Internet connection, to automatically refresh or retrieve website data from a specific site which happens to be hosting infected code. That could occur upon browser opening via a speed dial entry refresh, a session restore, or a homepage refresh (in those browsers or extensions supporting homepage options). The infected code could be buried directly within the referenced site's code or could be obtained via a coding 'call' to some other infected websites' code (especially 3rd-party ads) from within the referenced site code. Regardless, as soon as the infected code is loaded into the browser cache, the AV will sound an alarm. An alternative, yet related problem, occurs if malware has somehow hijacked a browser to cause it to automatically attempt to access a malicious site each time the browser is opened, in which case the AV will sound an alarm when the malicious site's code is loaded.

    The usual method of cross-checking questionable files by uploading a copy to VirusTotal or Jotti for free analysis by a host of other AV programs only can be used if one can identify the questionable file in the first place. It appears that Vipre doesn't have an easily-accessible way to identify or obtain copies of the file(s) it's blocking.
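Added example, not part of the thread and not Vipre's method: a static triage script that ranks the files in a folder (for instance the cache folder listed under About Opera) by common JavaScript obfuscation indicators, so that a candidate file can be identified for the cross-check described above. The indicator list, weights and threshold are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Static obfuscation indicators (an assumed, illustrative list; not Vipre's rules).
INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "from_char_code": re.compile(r"String\.fromCharCode"),
    "escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){8,}"),
}
LONG_LINE = 1000  # packed scripts are often one very long line

def score_script(text):
    """Return (score, names of indicators present) for one file's text."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    score = 2 * len(hits)
    if max((len(line) for line in text.splitlines()), default=0) > LONG_LINE:
        score += 1  # weak signal on its own: legitimate minified code has it too
    return score, hits

def rank_folder(folder, threshold=4):
    """List files under folder scoring >= threshold, highest score first."""
    found = []
    for path in Path(folder).rglob("*"):
        if path.is_file():
            # Cache entries have no useful extension, so read every file as text.
            text = path.read_bytes()[:1_000_000].decode("latin-1")
            score, hits = score_script(text)
            if score >= threshold:
                found.append((score, path.name, hits))
    return sorted(found, reverse=True)

# Constructed samples standing in for cached files (the escapes spell alert(1)).
SAMPLES = {
    "plain.js": "function add(a, b) { return a + b; }\n",
    "minified.js": "var a=1;" * 200 + "\n",
    "packed.js": 'eval(unescape("%61%6c%65%72%74%28%31%29"));\n',
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            Path(tmp, name).write_text(body)
        return rank_folder(tmp)

if __name__ == "__main__":
    print(demo())
```

The minified sample scores 1 and stays under the threshold, while the packed sample scores 6; lowering the threshold trades missed files for the kind of false alarm on legitimate JavaScript discussed earlier in the thread.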

  • @blackbird71:
    I thank you very much for your (especially yours) contribution to solving the problem I am currently facing, since you brought information that makes me think about broadening my horizons in the computer-related field!
    Even if I naturally have no gift for cyber thinking, it seems like one way or another it comes as a necessity in the modern world! Therefore I will carefully read all that you wrote and will try to activate the left part of my brain to get closer to the machine world and to understand it a little bit more than just pressing certain buttons! :)
    I do apologize again for possibly wasting your time as well as for your willingness to help someone you do not even know in a tough situation!
    My blessings!

  • > One of the possibilities for causing an almost-immediate AV warning message (especially if related to JavaScript) is if the browser is set, upon being started up with an active Internet connection, to automatically refresh or retrieve website data from a specific site which happens to be hosting infected code. That could occur upon browser opening via a speed dial entry refresh, a session restore, or a homepage refresh (in those browsers or extensions supporting homepage options).

    Extensions, or - RSS?

    Some sites may also install their elements into the browser - like Yandex did. Such might get considered malicious by AVs as well. (Those can appear listed as plug-ins.)

  • :) I've been working on this stuff all day long today. I tried all the possible options and recommendations that people have been giving me here, and at the end, when there was no progress of any kind, I decided to go the simplest way - the way of dummies! I uninstalled my Vipre and installed a different antivirus. After the full scan was done and the machine was restarted I opened Opera and there was no nasty warning about the Trojan any more! Maybe by doing so I am fooling myself, but the scan results were absolutely positive, which means that there were no conflicts or threats found on the machine, which brings some peace of mind for now. One way or another I have invaluable experience after I visited this forum and gained more understanding. Thanks a mill! :coffee:
