js:Downloader-gen@bhv [Expl]

I seem to get that warning every once in a while as I surf on YouTube. I don’t get it…

It tells me that the website is

hxxp://www.zormince.com/jerknull/68349jj683|%3E[Embedded:DeanEdwards]

yet I’m at YouTube. I wouldn’t go to that website because I have no idea what that is.

So, I’m lost. Do I have some malware installed on my computer somehow? I’ve done a few virus checks and I never find anything.

I guess I should add I’m using Firefox 9.0.1 and I’m running on Windows 7 Professional 64 bit.

This only occurs when you visit YouTube? Only while using Firefox?

This detection is correct. The site contains a long packed JavaScript.

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.

Is it specific pages at YouTube or random?

Unmaskparasites - - 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.zormince.com/jerknull/68349jj683

Other online webscanners do not report it… yet

VirusTotal
http://www.virustotal.com/file-scan/report.html?id=b26d7beaa0d48f9769c01ded8e84efd91aec195a656b1d4596d9b5c5bd3544c6-1325703112

Indeed, Pondus.

Reported clean by Sucuri SiteCheck, Google Safe Browsing, Norton Safe Web, PhishTank, and Opera.

Wepawet report - Suspicious
http://wepawet.iseclab.org/view.php?hash=546eec3d3ffb82fb1af356b235a2c4cc&t=1325702561&type=js

urlquery
http://urlquery.net/report.php?id=14559

Site Scan URL Void 0/21:
http://www.urlvoid.com/scan/zormince.com

Virus Scan URL Void 0/9:
http://vscan.urlvoid.com/analysis/f193e0d87917cb8866ef6464c5096c6a/em9ybWluY2UtY29t/

Lots of url analyzers miss this. :-\


I can’t access the site directly and have to click on a link to get to it.

Gives me a 404 when I try copy paste into address bar or try to view with HTML viewer.

Norman lab

e8e09c97034b2e4964beb9aed3c93a449fc5 : Processed - HTML/Agent.RC

Avira lab

The file 'e8e09c97034b2e4964beb9aed3c93a449fc5' has been determined to be 'MALWARE'. Our analysts named the threat JS/Obfuscated.HK. The term "JS/" denotes a Java script virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

Wow, didn’t expect so many replies in so little time… but yeah, it seems to only happen to me when I visit YouTube and watch videos. And sorry I didn’t edit the link earlier. Hope no one went there and had anything happen. =\

And yes, it’s just random YouTube pages and I haven’t tried with any other browser. I guess I can give Chrome a test.

I’m curious, what were all those links posted about? I’m going to check them out in the mean time to try to find out myself. But anyway, what does all this mean? Was I right that I have malware?

what does all this mean? Was I right that I have malware?
Yes, that is answered in my last post... as you see, Norman and Avira lab confirm it is infected.

I see. Any program recommendations for getting rid of this?

Hi

Taken from the virusinfo description here: http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=144426#none

Description

JS/Obfuscated.b is a generic detection for obfuscated malicious script files which attempt to exploit unpatched vulnerabilities in the system.

Indication of Infection

This detection is sufficiently generic, such that it can cover a number of threats that contain the exploit code. Therefore, it is not possible to describe specific symptoms or details about system changes that can occur from this threat. However, simply seeing this detection does not mean that any exploit code was run at all, as such exploit code could only run on a vulnerable system.
Additionally, some exploits simply cause Internet Explorer to crash and nothing more.

Methods of Infection

This threat could be delivered via an email message, IM or an infectious web page.

Source of link and quote info: McAfee Virus Information

polonus

I see. Any program recommendations for getting rid of this?

Follow the guide here and let essexboy have a look inside.

Attach all logs (not copy and paste): http://forum.avast.com/index.php?topic=53253.0

lower left corner: additional options > attach

Thanks buddy!
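
For the "long packed javascript" and the [Embedded:DeanEdwards] tag discussed in this thread, an added example (not posted by any participant): a static check that finds inline scripts wrapped by Dean Edwards' packer without ever executing them. The function names and the sample page are constructed for illustration.

```javascript
// Static triage only: the page text is pattern-matched, never evaluated.

// Packer output opens with eval(function(p,a,c,k,e,r){...}; the last
// parameter appears as either "r" or "d" in packed scripts.
const PACKER_HEAD =
  /eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[rd]\s*\)/;
// Its argument list ends with ,<radix>,<word count>,'w1|w2|...'.split('|')
const PACKER_TAIL =
  /,\s*(\d+)\s*,\s*(\d+)\s*,\s*'([^']*)'\s*\.split\(\s*'\|'\s*\)/;

// Return the bodies of non-empty inline <script> elements.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) out.push(m[1]);
  }
  return out;
}

// Report whether one script body carries the packer wrapper, plus the
// radix and dictionary size it declares (useful when comparing samples).
function inspectScript(src) {
  const tail = PACKER_TAIL.exec(src);
  return {
    packed: PACKER_HEAD.test(src) && tail !== null,
    radix: tail ? Number(tail[1]) : null,
    declaredWords: tail ? Number(tail[2]) : null,
    dictionaryWords: tail ? tail[3].split('|').length : null,
    length: src.length,
  };
}

// Keep only the inline scripts that look packed.
function scanPage(html) {
  return inlineScripts(html).map(inspectScript).filter((r) => r.packed);
}

// Constructed sample page: one external script, one plain inline script,
// one harmless inline script in packer form.
const SAMPLE_HTML = [
  '<html><head><script src="/lib.js"></script>',
  '<script>var greeting = "hello";</script></head><body>',
  "<script>eval(function(p,a,c,k,e,r){e=String;return p}('0 1=2;',3,3,'var|x|7'.split('|'),0,{}))</script>",
  '</body></html>',
].join('\n');
```

A hit only means the script is packed; legitimate sites also ship packed code, so a match is a reason to look closer rather than a verdict.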