Mekail wardak, posted December 30, 2019

Hello there, I have been using the site 9anime.to for a while and I am pretty sure that it is clean, but recently sometimes ESET blocks it, saying that it detected and blocked a Trojan. If there is any way of solving this issue of mine, please reply to this post. I have been using ESET for a while and plan on using it for a bit if there are no other problems.

Marcos (Administrators), posted December 31, 2019

It is because of loading a script from defpush.com which doesn't seem to be good: https://malwaretips.com/blogs/remove-defpush-com/

Nightowl (Most Valued Members), posted December 31, 2019 (edited December 31, 2019 by Rami)

Try to use uBlock Origin; it might help remove the ad that brings this trojan, so you will be able to access the website normally. uMatrix will stop all scripts on the website unless you instruct it to allow them; it can also help but might break the websites you enter unless you tweak it for them. You can allow the website in uMatrix so it can load its scripts, but keep the defpush one blocked. I think then you will be able to access it because uMatrix prevented Defpush from loading, so there is no trojan anymore for ESET to detect.

Mekail wardak (Author), posted January 2, 2020

First of all, thanks a lot for replying so fast. I appreciate it, but I still had problems with it.

On 12/31/2019 at 2:18 AM, Marcos said:
> It is because of loading a script from defpush.com which doesn't seem to be good: https://malwaretips.com/blogs/remove-defpush-com/

I followed all the steps but it was still not working.

On 12/31/2019 at 8:31 AM, Rami said:
> Try to use uBlock Origin; it might help remove the ad that brings this trojan, so you will be able to access the website normally. uMatrix will stop all scripts on the website unless you instruct it to allow them; it can also help but might break the websites you enter unless you tweak it for them. You can allow the website in uMatrix so it can load its scripts, but keep the defpush one blocked. I think then you will be able to access it because uMatrix prevented Defpush from loading, so there is no trojan anymore for ESET to detect.

I also used uBlock and uMatrix to the best of my capability and tried making it work, but it didn't seem to work. (For uMatrix I paused the internet security function of ESET and blocked defpush access.) If I did anything wrong or if there are any extra steps involved, it will be well received.

itman, posted January 2, 2020

Doubt uBlock, uMatrix, or any other browser-based extension will work here. ESET is detecting the malware prior to the web page even rendering.

Mekail wardak (Author), posted January 3, 2020

Since it's not working, can I just turn off internet security and visit the site? Will it in any way harm my PC?

itman, posted January 3, 2020

9 minutes ago, Mekail wardak said:
> Since it's not working, can I just turn off internet security and visit the site? Will it in any way harm my PC?

You can add *9anime.to* to "List of addresses excluded from context scan" in the Web Access protection section: https://help.eset.com/eis/13/en-US/idh_config_epfw_url_set_manager.html

Since the above obviously will ignore all malware detected on the web site, your PC could be infected by anything malicious on that web site.

Mekail wardak (Author), posted January 3, 2020

10 minutes ago, itman said:
> Since the above obviously will ignore all malware detected on the web site, your PC could be infected by anything malicious on that web site.

I don't know much about all the viruses and malware and stuff, so I would really like to ask if I should do it or not?

itman, posted January 3, 2020

Just now, Mekail wardak said:
> so I would really like to ask if I should do it or not?

You shouldn't do it since the site is being detected as hosting malware.

peteyt (Most Valued Members), posted January 4, 2020

1 hour ago, Mekail wardak said:
> I don't know much about all the viruses and malware and stuff, so I would really like to ask if I should do it or not?

No. If a site is hosting malware then it is a dangerous site and really should be avoided. As itman had said, allowing the site access can and probably will put you at risk.

local, posted January 6, 2020

On "Virus Total", 9anime.to has 2 (two) hits from 72 engines. The 2 engines detecting the site as "malicious" are Quttera and CRDF (practically unknown players). I would say that it is safe to access 9anime.to in proportion of 99.9%.

peteyt (Most Valued Members), posted January 6, 2020

1 hour ago, local said:
> On "Virus Total", 9anime.to has 2 (two) hits from 72 engines. The 2 engines detecting the site as "malicious" are Quttera and CRDF (practically unknown players). I would say that it is safe to access 9anime.to in proportion of 99.9%.

A mod had said it is trying to load a script from a malicious site. Users can choose to allow this site but it's at their own risk. If it's blocking it there generally is a reason and I'd be concerned.

local, posted January 6, 2020

1 hour ago, peteyt said:
> If it's blocking it there generally is a reason and I'd be concerned

"a reason" could be a FP

1 hour ago, peteyt said:
> A mod had said it is trying to load a script from a malicious site

and 70 other antiviruses said the other way;

itman, posted January 6, 2020

2 hours ago, peteyt said:
> A mod had said it is trying to load a script from a malicious site.

So noted here: https://forum.eset.com/topic/22049-9anime-blocked-bcz-of-htmlscrlnjetb-trojan/?do=findComment&comment=106655

A naive user might just mouse click on the "Allow" prompt from the offending web page ad, resulting in them being hit by pop-up malware.

peteyt (Most Valued Members), posted January 6, 2020

2 hours ago, local said:
> "a reason" could be a FP
> and 70 other antiviruses said the other way;

As itman has linked above, Marcos has stated the reason as it is trying to load a script from a malicious site. If someone who works for ESET is saying it is suspicious then to me it is suspicious and I wouldn't recommend using it. The fact it is trying to load this script is bad enough.

itman, posted January 6, 2020 (edited January 6, 2020 by itman)

As far as defpush.com being a malicious domain, refer to this: https://hybrid-analysis.com/sample/cafa07a79320db1a395469f27b70dadecb033efa9eb608d6314d69db6cc859be?environmentId=100

The solution to this is simple. Inform 9anime.to that they have a malicious ad on their web site and remove it. I somewhat suspect that they are aware of this situation.

Note that Virus Total is not a place to verify if a domain is malicious or not. It just runs the hosted product's real-time engine, and an in-depth scan of domain behavior is not being performed.

Of note is defpush.com is blacklisted at Quttera: https://quttera.com/detailed_report/defpush.com

I also went through uBlock Origin's default filter lists. Nowhere was defpush.com listed. So a browser ad blocker extension would not protect you on this puppy.

local, posted January 6, 2020

Went to "9anime.to" on my Win10 PC (Defender). Clicked everything and everywhere... nothing happened.

itman, posted January 6, 2020 (edited January 6, 2020 by itman)

1 hour ago, local said:
> Went to "9anime.to" on my Win10 PC (Defender). Clicked everything and everywhere... nothing happened.

Have you enabled PUA checking in WD? It is not enabled by default: https://www.windowscentral.com/how-block-potentially-unwanted-programs-using-windows-defender-antivirus

Also, did you use IE11 or Edge, which enable browser-based SmartScreen? The detection within the browser would be by SmartScreen. Since defpush.com is classified as phishing malware, pretty sure SmartScreen will flag it.

-EDIT- Possibly not, since the web site is https; SmartScreen is IP address/domain based only and does not have SSL/TLS protocol scanning ability.

Finally, just opening the 9anime.to site home page might not be enough to trigger the redirect to defpush.com. Also reboot your PC and let us know if the popups start.

itman, posted January 6, 2020 (edited January 6, 2020 by itman)

Here is Quttera's detailed report on 9anime.to: https://quttera.com/detailed_report/9anime.to

It found 23 malicious JavaScript files on the web site. All appear to be hosted at defpush.com.

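Added example, not part of the thread and not any poster's or ESET's code: a small static check that lists which third-party hosts a saved page pulls scripts or frames from and flags those on a blocklist, which is how a site owner or user could confirm the defpush.com reference discussed above. The sample page, `site.example`, the paths and the function names are constructed for illustration; only the domain defpush.com comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BLOCKLIST = {"defpush.com"}  # the domain named in the thread

class SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.sources.append(src.strip())

def host_matches(host, domain):
    """True for the domain itself or any subdomain, not look-alike names."""
    return host == domain or host.endswith("." + domain)

def audit(page_url, html, blocklist=BLOCKLIST):
    """Return (third_party_hosts, blocklisted_hosts) referenced by the page."""
    collector = SrcCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    third_party, flagged = set(), set()
    for src in collector.sources:
        # urljoin resolves relative and protocol-relative ("//host/x.js") URLs
        host = (urlsplit(urljoin(page_url, src)).hostname or "").rstrip(".")
        if not host or host_matches(host, page_host):
            continue  # first-party resource or tag without a usable host
        third_party.add(host)
        if any(host_matches(host, d) for d in blocklist):
            flagged.add(host)
    return sorted(third_party), sorted(flagged)

# Constructed sample page: site name and paths are invented for illustration.
SAMPLE_URL = "https://site.example/watch"
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="//cdn.defpush.com/a.js"></script>
<script src="https://DEFPUSH.com./b.js"></script>
<script src="https://notdefpush.com/c.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_URL, SAMPLE_HTML))
```

The check only sees tags present in the saved HTML; scripts injected at run time or reached through a redirect will not appear in it.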