    Windows Defender detecting Virus JS/Adrozek.A

    • jclinansmtih
      jclinansmtih @Svarnoy60 last edited by

      @Svarnoy60 I had it. Removed it. Scanned and no new threats yet.

      • mouse
        mouse @burnout426 last edited by

        @burnout426 - I think this is it: https://addoncrop.com/en/

        But what is the suspect link now? Someone sounded like we know what it is.

        • mouse
          mouse @tjall last edited by

          @tjall - I never had SaveFrom.net installed.

          • mouse
            mouse @tjall last edited by

            @tjall - I searched for "c0ac6bec106548d2_0" and didn't find it. But I've done nothing except let Defender do its thing. No troubleshooting yet. And no Defender warning in 8 hours. So far.

            • burnout426
              burnout426 Volunteer @mouse last edited by

              @mouse said in Windows Defender detecting Virus JS/Adrozek.A:

              @burnout426 - I think this is it: https://addoncrop.com/en/

              The Youtube Downloader one? I checked it out and it doesn't seem like that's the culprit. It does contain some obfuscated strings in its apps/scripts/background.js file though, so I wouldn't totally trust it without looking more into it and decoding the string escapes.

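The step burnout426 mentions above, decoding string escapes before trusting a script, as an added example that is not part of the thread and not code from any extension named in it: it lists string literals made up mostly of `\xNN` / `\uNNNN` escapes and shows them decoded, without executing the scanned file. The sample source, the function names and the 0.5 ratio threshold are assumptions made for illustration.

```javascript
// Triage helper: list string literals that are mostly \xNN / \uNNNN escapes,
// decoded for reading. The scanned text is only pattern-matched, never executed.

// Constructed sample input (hypothetical; not taken from any real extension).
const SAMPLE_SOURCE = [
  'var a = "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65\\x2e\\x74\\x65\\x73\\x74";',
  "var b = '\\u0074\\u0061\\u0062\\u0073';",
  'var c = "plain text with one \\n newline";',
].join("\n");

// Matches any backslash escape; only the hex/unicode forms fill a capture group.
const ESCAPE = /\\(?:x([0-9a-fA-F]{2})|u\{([0-9a-fA-F]{1,6})\}|u([0-9a-fA-F]{4})|[\s\S])/g;
// Heuristic matcher for '...' and "..." literals (not a full JavaScript parser:
// template literals, comments and regex literals are not handled).
const LITERAL = /(["'])((?:\\[\s\S]|(?!\1)[^\\\r\n])*)\1/g;

function decodeEscapes(body) {
  let escapedChars = 0;
  const decoded = body.replace(ESCAPE, (m, x, braced, u) => {
    const hex = x ?? braced ?? u;
    if (hex === undefined) return m;   // \n, \\, \" and similar stay as written
    const cp = parseInt(hex, 16);
    if (cp > 0x10ffff) return m;       // out of Unicode range, leave untouched
    escapedChars += m.length;
    return String.fromCodePoint(cp);
  });
  return { decoded, escapedChars };
}

function findEscapedLiterals(source, minRatio = 0.5) {
  const hits = [];
  for (const m of source.matchAll(LITERAL)) {
    const body = m[2];
    if (body.length === 0) continue;
    const { decoded, escapedChars } = decodeEscapes(body);
    // Skip ordinary strings; keep those dominated by hex/unicode escapes.
    if (escapedChars / body.length < minRatio) continue;
    const line = source.slice(0, m.index).split("\n").length;
    hits.push({ line, raw: body, decoded });
  }
  return hits;
}

for (const h of findEscapedLiterals(SAMPLE_SOURCE)) {
  // JSON.stringify keeps control characters visible instead of printing them raw.
  console.log(`line ${h.line}: ${JSON.stringify(h.decoded)}`);
}
```

To review a real file, pass the text of the script (for example the contents of an unpacked extension's background.js read with `fs.readFileSync`) to `findEscapedLiterals` instead of the sample.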
              • burnout426
                burnout426 Volunteer @Svarnoy60 last edited by

                @Svarnoy60 said in Windows Defender detecting Virus JS/Adrozek.A:

                Removed the SaveFrom.net video upload extension. The threats are gone.

                Upload extension or download extension? As in, is it this one https://addons.opera.com/en/extensions/details/savefromnet-helper/?display=en?

                I installed that one and don't get the problem. I looked at the source briefly, but there's a lot of code in there.

                • wanderlei
                  wanderlei @tjall last edited by

                  @tjall said in Windows Defender detecting Virus JS/Adrozek.A:

                  But, today it doesn't - the file exists.
                  Wtf, are you sure you guys don't have the file still?
                  Please try to search "c0ac6bec106548d2_0"

                  Seems like the Microsoft AV likes the file now... :S

                  Same, not getting alerts from defender anymore but I searched and found the same file.

                  @Svarnoy60 said in Windows Defender detecting Virus JS/Adrozek.A:

                  Removed the SaveFrom.net video upload extension. The threats are gone.
                  Who has this extension?

                  I have that extension.

                  The file has a link to https://lookmeet.tv/, a Russian site.

                  I will delete the file and disable the extension and see if it regenerates again.

                  • mouse
                    mouse @wanderlei last edited by

                    @wanderlei - Perhaps "https://lookmeet.tv/" is not the culprit.

                    I have 44,450 files in my js folder. I found "https://lookmeet.tv/" in 20 of those files. Yet I had no Defender warnings since 9-8 @11:24AM (i.e. over 24 hrs). Either it's not the threat or else Microsoft turned off the warnings for that site. But I'm no expert in this stuff.

                    • wanderlei
                      wanderlei @mouse last edited by

                      @mouse no more occurrences for me either.

                      Tried with and without 'save from' extension. Manually searched for the "c0ac6bec106548d2_0" and it is no longer being generated.

                      I'm no expert either, I guess maybe false positive.

                      • mouse
                        mouse @wanderlei last edited by

                        @wanderlei - So perhaps MS got wind of this nuisance from various sources and adjusted Defender's virus signatures.

                        • burnout426
                          burnout426 Volunteer @mouse last edited by

                          @mouse I reported the string in https://forums.opera.com/post/223970 as a false positive to the Defender team. I got a notification that the issue was resolved. And, that string in Notepad++'s backup files (for documents you're editing) no longer triggers Defender after today's 9/9/2020 Virus and Threat Protection update. So, perhaps it's indeed sorted out.

                          • jclinansmtih
                            jclinansmtih @jclinansmtih last edited by

                            @jclinansmtih It's been over 24 hours now with plenty of intensive Opera usage. No new threats. I have to hang my hat on that SaveFrom.net extension.

                            • mouse
                              mouse @burnout426 last edited by

                              @burnout426 - Been busy offline. Just want to thank you and others for troubleshooting this sucker.

                              I don't know if this is related in any way, but years ago I used to send out emails to clients. It was getting blocked, so I had to convert the pdf file attachment to a simple text file.

                              Two years later, another one of my information files was getting blocked by clients with gmail accts. I created a gmail account and tested enough to determine gmail was content screening.

                              So I stripped off all file attachments. It was still being blocked! So I then started deleting sentences in the body of the email message, starting with suspect things like links. Then I searched for names and any inflammatory comments.

                              After 5 hours, I traced the string of text that gmail was rejecting. It was just a few innocuous words from a sentence. I can't remember the words, but I was shocked. The words were completely innocuous and ordinary. It contained no names of people or things. Nothing.

                              I've learned a lot since then. Lots of reasons why ESPs would blacklist or graylist an IP address. But also, as the story reflects, how fickle and erratic that content screening can be.

                              So can it be possible that whatever it was that was triggering Defender alerts was something we wouldn't even consider suspect? Unless MS announces what it was, we may never know. Does that make sense?
