Might this be a false positive?
every time I go there starting last night
I get that pop-up
*see image
thanks for any and all help
Infection: js:Downloader-BDP [Trj]
http://hphosts.blogspot.com/
Sucuri say Clean…but
Virustotal URLscan
http://www.virustotal.com/url-scan/report.html?id=925972bfb862f58c2c7011b21da57e9f-1323841407
VirusTotal HTMLscan - only detected by avast/Gdata
http://www.virustotal.com/file-scan/report.html?id=a2428944d9bf9331d245bb5279047384f4ec1b78901bc095aa84187038a90659-1323845158
urlQuery - Suspicious
http://urlquery.net/report.php?id=11753
Could be it is detecting on something posted in the blog?
It might be a FP. Not sure why urlQuery says “Suspicious” though…
It is definitely something in the blog!
The Suspicious, if you checked out the URLQuery link, is Reputation based, which would seem a bit strange for either blogspot or HpHosts sub-domain, though you get all sorts of dross using blogspot.com for their blog.
That said, there is a compressed script file being loaded when you open that hphosts.blogspot.com/ page, as indicated by the |>{gzip} at the end of the alert URL, and it is this that avast doesn’t like; see image extract of the file contents.
Having said that, on subsequent visits I don’t get the alert (after the web shield aborted the connection for the gzip element).
thank you and Dave…where did you find that file?
It is the compressed file that otherwise would be loaded/run when you use that blogspot.com link; a temporary file is created by avast to scan, and I captured that.
I forgot where Avast places the unp*.tmp file. Not sure if it’s in windows/temp or elsewhere…
It is the avast sub-folder of windows\temp.
Though for obvious reasons, playing with suspect files comes with the usual health warning and disclaimer.
Thanks, DavidR.
You’re welcome.