This is a static archive of the old Zorin Forum.

The information below may be outdated. Visit the new Zorin Forum here ›

If you have registered on the old forum, you will need to create an account on the new forum.

Old Zorin Forum archiveHelp and Support

(SOLVED) Nuisance tradeadxchange webpage - blocked by uBlock

Finston Pickle

Mon Aug 28, 2017 7:23:59 am

Slimjet on Zorin 12 (Ubuntu 16.04), while browsing, randomly tries to open a new tab to http://www.tradeadexchange.com, which in turn is blocked from opening by uBlock Origin - which opens an explanatory tab, immediately and in full page, instead of what I am looking at - something like:

"uBlock Origin has prevented the following page from loading:http://www.tradeadexchange.com/a/display.php?r=310486 Because of the following filter ||tradeadexchange.com^"

but formatted differently. Blow me it has done it again whilst I was typing this!


Whilst this is admirable (uBlock kicking in) it is still an interruption and the tab needs repeatedly switching or closing.

Does anyone have any idea how to track and eliminate the offending tradeadxchange script, or whatever it is, without losing my settings?

Finston Pickle

Tue Aug 29, 2017 6:05:16 pm

This tradeadexchange forwarding does seem to be an issue with Linux and without as many ADW tools to sort it out in Linux as Windows.

I am going to investigate various workarounds like (once uBlockOrigin has fired) minimising that instance of Slimjet (leaving it permanently minimised) and continuing in another instance of Slimjet.

Slimjet forums are not able to help so far, but I have come across a Linux manual removal method, which I will post if it works.

Swarfendor437

Tue Aug 29, 2017 8:40:42 pm

Hi, take a look at this thread - you may need to install and run a full scan using clamav? ;) :D

https://askubuntu.com/questions/856618/ ... -04-01-lts

A possible solution could be this?:

https://help.ubuntu.com/community/DansGuardian

Finston Pickle

Wed Aug 30, 2017 6:48:14 pm

Thanks you for your input, Swarf - looks a little tricky!

I found that activating ad blocker, ublockOrigin and Ghostery

Fortunately, the most promising line of attack seems to be covered in this posting:

https://askubuntu.com/questions/602499/ ... rom-chrome

I am using the Slimjet browser based on Chromium and in turn related to Chrome - so a promising avenue to look at, I thought.

The last time uBlockOrigin stopped the action I noted the URL, it was:

chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/document-blocked.html?details=eyJ1cmwiOiJodHRwOi8vd3d3LnRyYWRlYWRleGNoYW5nZS5jb20vYS9kaXNwbGF5LnBocD9yPTMxMDQ4NiIsImhuIjoid3d3LnRyYWRlYWRleGNoYW5nZS5jb20iLCJkbiI6InRyYWRlYWRleGNoYW5nZS5jb20iLCJmYyI6IlswLDYyLFwidHJhZGVhZGV4Y2hhbmdlLmNvbVwiXSIsImZzIjoifHx0cmFkZWFkZXhjaGFuZ2UuY29tXiJ9

Looking in home/.config/slimjet/default/extensions I find cjpalhdlnbpafiamejdnhcphjbkeiagm - just what had to be removed in the posting above.

I think that I am getting very close here - I am going to look whether the same file is in the extensions folder of Chromium and Chrome - then I will know what to delete.

Strangely enough, when I looked in Slimjet history, I found:

Screenshot from 2017-08-30 19-45-39.png


What can be the newpage club? - it does not appear each time Chrome extension cjpalhdlnbpafiamejdnhcphjbkeiagm appears, but often enough to be implicated.

I would like to find out more about “newpage club” and whether it needs removal before removing cjpalhdlnbpafiamejdnhcphjbkeiagm – any ideas, anyone?

Swarfendor437

Wed Aug 30, 2017 7:45:25 pm

Interesting comment on DNS infection here:

https://askubuntu.com/questions/840349/ ... -04#840362

Finston Pickle

Thu Aug 31, 2017 6:58:18 pm

Trying to find out what newpage.club is seems to reach a dead end, for me - anyone got any ideas what it is?

Swarfendor437

Thu Aug 31, 2017 7:49:05 pm

Does this match any of your code?

"CHR NewTab: Default -> Active:"chrome-extension://ncdfeghkpohnalmpblddmnppfooljekh/core/newpage-pop.html""

from here:

https://www.bleepingcomputer.com/forums ... ks-screen/

Finston Pickle

Fri Sep 01, 2017 10:40:46 am

No, Swarf, I don't have that rather dogy looking alphabetically labelled file, but I do have “my” rogue one and ten others - whatever can they be?
They are all in in Home>.Config>Slimjet>Default>Extensions (Chrome has only one)


Anyway, I am ready to go:

A

chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/document-blocked.html?details=eyJ1cmwiOiJodHRwOi8vd3d3LnRyYWRlYWRleGNoYW5nZS5jb20vYS9kaXNwbGF5LnBocD9yPTMxMDQ4NiIsImhuIjoid3d3LnRyYWRlYWRleGNoYW5nZS5jb20iLCJkbiI6InRyYWRlYWRleGNoYW5nZS5jb20iLCJmYyI6IlswLDYyLFwidHJhZGVhZGV4Y2hhbmdlLmNvbVwiXSIsImZzIjoifHx0cmFkZWFkZXhjaGFuZ2UuY29tXiJ9

in the Wastebasket.

B

http://www.newpage.club safely in uBlockOrigin > my filters.


I will see how Slimjet performs from here on in. If no joy, seemingly Opera is immune to this bug, so I might start using that as my default browser.


Question: Does placing http://www.newpage.club safely in uBlockOrigin > my filters apply to all my browsers using uBlockOrigin or only Slimjet, where I made the addition to my filters?

Swarfendor437

Sat Sep 02, 2017 8:52:50 am

Hi Finston, I don't use any such filters. Did you read that article I posted a link to and how infections can come through DNS settings? That's why I was wondering if the 'private' DNS settings you were using were suspect. Also have you checked your firewall settings? ;) :D

Finston Pickle

Sun Sep 03, 2017 4:22:02 pm

It's all over for Slimjet - nothing I tried worked - just more redirection to advertising sites. Slimjet is now fully deleted - it was great whilst it lasted.

I am now back to Firefox, Chrome, Opera - which looks promising is its latest guise - and Midori and my laptop seems to be finally flying (see sepatate DNS issues posting).

I will keep my eyes open for any irregularities in the O/S and reinstall from my back up image (taken when everything was OK) if necessary.