system
1
Might this be a false positive?
every time I go there starting last night
I get that pop-up
*see image
thanks for any and all help
Infection: js:Downloader-BDP [Trj]
http://i.imgur.com/cJbPU.jpg
http://hphosts.blogspot.com/
Pondus
2
system
3
It might be a FP. Not sure why urlQuery says “Suspicious” though…
system
4
It is definitely something in the blog!
DavidR
5
The Suspicious, if you checked out the URLQuery link, is Reputation based, which would seem a bit strange for either blogspot or HpHosts sub-domain, though you get all sorts of dross using blogspot.com for their blog.
That said, there is a compressed script file being loaded when you open that hphosts.blogspot.com/ page, as indicated by the |>{gzip} at the end of the alert URL, and it is this that avast doesn’t like; see image extract of the file contents.
Having said that, on subsequent visits I don’t get the alert (after the web shield aborted the connection, for the gzip element).
system
6
thank you and Dave…where did you find that file?
DavidR
7
It is the compressed file that otherwise would be loaded/run when you use that blogspot.com link; a temporary file is created by avast to scan, and I captured that.
system
8
I forgot where Avast places the unp*.tmp file. Not sure if it’s in windows/temp or elsewhere…
DavidR
9
It is the avast sub-folder of windows\temp.
Though for obvious reasons, playing with suspect files comes with the usual health warning and disclaimer.