Avast is reporting virus JS: Downloader-FHO [Trj] on my blog

Avast is reporting this virus: JS: Downloader-FHO [Trj] (screenshot below) on my Blogger blog. I have tested with several anti-viruses, including online ones, and everything came back negative. Can someone help me, please?

https://3.bp.blogspot.com/-blZOGPk8BKc/Xa9hTDJtYSI/AAAAAAAAoP0/JoDTO_k_eek92nG3EVrRyiAk58uDroMnACLcBGAsYHQ/s1600/avg%2Balert%2Bpapermau%2B01.JPG

My blog: http://papermau.blogspot.com

Entering your blog (-hxxp://papermau.blogspot.com) gives these messages:

Chrome reports: This site tries to load an unsafe script

Sophos AV blocks it: hostingcloud.racing - C2∕Generic-A

Norton AV blocks it, saying: intrusion attempt from hostingcloud.racing - JS-coinminer

hostingcloud.racing
https://www.virustotal.com/gui/url/d94830cfbd38691a9f25f05382d0e4f059ba4cfa8832ebfb95167ce5f8b13ac9/detection

https://sitecheck.sucuri.net/results/hostingcloud.racing

“This specific URL was identified in malicious campaigns to disseminate malware. Reason: crypto miner”

Avast is reporting virus JS: Downloader-FHO [Trj]
The screenshot you posted is from AVG and not Avast (yeah, I know, on the inside they are one and the same).

Hi Pondus & mauther,

I see nothing but the default index page: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=aF1zdFtuZ15sXXUjLn18XltuZw%3D%3D~enc
Nada - http://isithacked.com/check/http%3A%2F%2Fhostingcloud.racing%20

It is a general IP detection: https://www.virustotal.com/gui/url/44385784099f6c463f7a02e639ca884ed0c31d6f94e4f24abf63fc368545148e/detection

Dutch Leaseweb has kind of an abuse rep: https://www.virustotal.com/gui/ip-address/212.32.255.93/relations

Scan of 31 minutes ago: https://www.virustotal.com/gui/url/d94830cfbd38691a9f25f05382d0e4f059ba4cfa8832ebfb95167ce5f8b13ac9/detection

Reanalyzed results, but that is not a final verdict:
https://www.virustotal.com/gui/url/d94830cfbd38691a9f25f05382d0e4f059ba4cfa8832ebfb95167ce5f8b13ac9/detection

The final verdict should come from an Avast team member, as they are the only ones who can come and unblock under the present situation of that website; we here are volunteers with relative knowledge, but cannot come and unblock, just advise.

By the way uBlock Origin blocks access to your site according to the EasyPrivacy list.

Webbug renders:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Oct 2019 21:06:54 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 24 Oct 2018 10:52:39 GMT
Connection: close
ETag: "5bd04ef7-264"
Accept-Ranges: bytes

Welcome to nginx! body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; }

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to -nginx.org.

Commercial support is available at
-nginx.com.

Thank you for using -nginx.

That’s all we know :wink:

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Many thanks for all. I will wait for more results.

Hello mauther.

What Pondus said is real. The detection is the cryptocurrency file xEhO.js in an HTML line of code.
attached

https://www.virustotal.com/gui/file/7241e823b417d4caf938f9263856c00e9b41632b18f6cd513106011230c39a5b/detection

https://zulu.zscaler.com/report/c96086a8-f582-4e51-a54d-0fdb7a193442

Hello, jefferson sant,

I will take a look at this line. Many thanks for the support.

I really appreciate all the effort of all you, guys! You are great!

Greetings from Brazil!

Mauther

To jefferson sant and all friends of the forum,

I took a look at the file below and I don't find these lines in my blog's HTML. Can you be more specific about where these lines are located, please?

https://3.bp.blogspot.com/-gwTxCwyxxtg/XbBN3RDRHPI/AAAAAAAAoRA/CxYahI2AD_039HzvEao2Qb1VIE9cvtwWgCLcBGAsYHQ/s1600/papermau.blogspot.JPG

Thanks in advance and greetings from Brazil.

Mauther

Using any browser, click F12 (developer tools) and inspect the DOM.

https://developers.google.com/web/tools/chrome-devtools

https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools

Thanks again, Mr. jefferson sant, you're very kind.

Greetings from Brazil!

Mauther

You’re welcome.

Hello again,

Sorry for bothering you again, I spent several days racking my brains over this. Mr. jefferson sant instructed me to look at the DOM using developer tools on the template, but what I found was this (image below). I could not find the malicious script in these lines. Can anyone help me?

https://1.bp.blogspot.com/-D8jet_9chb8/Xcoau8oZxcI/AAAAAAAAosU/xFnJCZhCXk0rqFzMy5ELoR7b1vV3D5ynACLcBGAsYHQ/s1600/DOM.JPG

Thanks in advance.

Mauther

Avast can identify why the code is still back in the same place. The new Mozilla Firefox 70.0.1 was also able to block cryptominers with its Enhanced Tracking Protection.

This was prevented from loading for me: -https://feedjit.com/serve/?vv=955&tft=3&dd=0&wid=3592ed36b3fbc106&pid=0&proid=0&bc=FFFFFF&tc=000000&brd1=012B6B&lnk=135D9E&hc=FFFFFF&hfc=2853A8&btn=C99700&ww=200&wne=10&wh=Live%20Traffic%20Feed&hl=0&hlnks=0&hfce=0&srefs=0&hbars=0
without parameters = -https://feedjit.com/serve/
vv = 955
tft = 3
dd = 0
wid = 3592ed36b3fbc106
pid = 0
proid = 0
bc = FFFFFF
tc = 000000
brd1 = 012B6B
lnk = 135D9E
hc = FFFFFF
hfc = 2853A8
btn = C99700
ww = 200
wne = 10
wh = Live Traffic Feed
hl = 0
hlnks = 0
hfce = 0
srefs = 0
hbars = 0

See pocket_miner detections here: https://www.virustotal.com/gui/ip-address/74.207.249.166/relations

polonus

Also consider this scan report: https://webcookies.org/cookies/papermau.blogspot.com/28630090?998999

This seems OK: https://dnsviz.net/d/papermau.blogspot.com/dnssec/

pol
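What jefferson sant's F12 advice and polonus's Feedjit finding point at can also be done offline on a saved copy of the template: the following added example (my code, not something posted in the thread) lists every script a page loads and flags hosts on a watch list, here hostingcloud.racing and feedjit.com as named above, so the sidebar widget line that pulls in the third-party loader becomes visible. The sample HTML is constructed and is not the real papermau template.

```python
# Added example (not from the thread): enumerate every <script> in a page and flag
# watch-listed hosts; the constructed sample mimics a Blogger template with a Feedjit widget.
from html.parser import HTMLParser
from urllib.parse import urlsplit
WATCHLIST = {"hostingcloud.racing", "feedjit.com"}   # the two hosts named in the thread

class ScriptCollector(HTMLParser):
    """Record (line, src, inline_body) for every <script>; exactly one of src/body is None."""
    def __init__(self):
        super().__init__()
        self.found, self._open = [], None   # _open = line of the inline <script> being read
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.found.append((self.getpos()[0], src, None))
            else:
                self._open = self.getpos()[0]
    def handle_data(self, data):
        if self._open is not None and data.strip():
            self.found.append((self._open, None, data.strip()))
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = None

def audit_scripts(html, site_host, watchlist=WATCHLIST):
    """Return [(line, src_or_snippet, verdict)]; verdict is WATCHLIST, third-party, same-site or inline."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    report = []
    for line, src, body in p.found:
        if src is not None:   # protocol-relative "//host/..." is common in widget embed code
            host = urlsplit("https:" + src if src.startswith("//") else src).hostname or site_host
            listed = any(host == w or host.endswith("." + w) for w in watchlist)
            verdict = "WATCHLIST" if listed else ("same-site" if host == site_host else "third-party")
            report.append((line, src, verdict))
        else:                 # inline code: look for the host names themselves
            listed = any(w in body for w in watchlist)
            report.append((line, body[:50], "WATCHLIST" if listed else "inline"))
    return report

# Constructed sample (not the real template): Blogger page with a Feedjit sidebar widget.
SAMPLE = """<html><head><script src="https://www.blogger.com/static/v1/widgets/1.js"></script>
<script>var blogId = 'constructed-sample';</script></head><body><div id="sidebar">
<script src="//feedjit.com/serve/?vv=955&amp;wid=3592ed36b3fbc106"></script></div>
<script src="https://papermau.blogspot.com/feeds/posts/default"></script></body></html>"""

if __name__ == "__main__":
    print(*audit_scripts(SAMPLE, "papermau.blogspot.com"), sep="\n")
```

Run it against a saved copy of your own template (view-source, save as a file, pass its contents as the html argument) and look for WATCHLIST and third-party rows; the line number is the line in that file.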

Hello for all,

I have been blogging for almost ten years and it has always been a place of fraternization for paper model hobbyists, always free of charge. I have received several messages from friends warning about this infection and I myself feel slow to load the blog.

Thanks everyone for your support, but despite blogging all this time, I don’t understand anything about scripts and things like this and I don’t understand how to proceed: I can’t find this line “Hostincloud.Racing”, either in the HTML or in the console of the blog.

I don’t know if it’s allowed at this forum, but I’d like to know if anyone can be more specific about this line “Hostincloud.Racing” and how can I effectively visualize it?

Sorry for the bad English, thanks in advance and greetings from Brazil!

Mauther

Thanks everyone for your support, but despite blogging all this time, I don't understand anything about scripts and things like this and I don't understand how to proceed: I can't find this line "Hostincloud.Racing", either in the HTML or in the console of the blog.
You could ask Sucuri to help you, but it is not free >> https://sucuri.net/

Hello, Pondus,

I will contact Sucuri and see if I can afford this service. Thanks for the tip and greetings from Brazil!

Mauther

Hello for all,

Just to close this thread, I would like to say that I contacted Sucuri, but the annual fee is prohibitive for me, since the blog is not for profit, just a hobby. So I decided to disable the blog so that the Trojan no longer affects any computer.

Many thanks to everyone here on the forum for all the tips and help. I learned some things that will help me in the future.

Greetings from Brazil!

Mauther