Quttera results give this as VT file scan results: https://www.virustotal.com/nl/file/120fdca70ef210023700733571a8a967b952e5ee0d1f49fc120d3a30be232018/analysis/1389914725/ (thanks to Pondus!)
avast! does not detect JS/Dldr.Agent.gpq or TrojWare.JS.Agent.BB malware there. Could this be a false positive detection according to an earlier analysis at MajorGeeks?
Some AV solutions are still adding the malcode to their detection: AC_RunActiveContent.js there as Exploit.AJN by Norman’s, for instance.
So the debate is still going on.
Well we gonna give the old pinpoint executable a twirl inside sandboxie (see attachments) and also do a scan at Anubis.
Pinpoint logs could have been blocked by the avast! Webshield!
It seems that for this site this domain also played a role in the spreading of this malcode, e.g.: htxp://engine.adzerk.net/
Read this: http://meta.stackoverflow.com/questions/95504/why-do-some-so-adverts-seem-to-pass-rep-as-an-url-parameter
link article author = Tom White.
This demonstrates again beyond a shred of doubt why the browser user today should at least have a decent ad-blocking extension enabled in the browser.
One could think of for instance the ABP extension or the Bluhell firewall extension against tracking issues.
Additional scanning:
See: http://jsunpack.jeek.org/?report=bf5e6cb1380c7ac41443f7141a915f9693db7a9a
See: http://anubis.iseclab.org/?action=result&task_id=143a312b558ae6af4a903eaf0dcafb7e4&format=html
On there this was striking:
- “@C:\WINDOWS\System32\wshext.dll,-4804”=“JScript Script File” “@C:\WINDOWS\System32\wshext.dll,-4805”=“JScript Encoded Script File” will produce unwanted pop-ups.
2, Multi-client code → 0x5400630070006900700000004e0065007400420049004f005300000000
Here follows an important scan that confirms the direct malcode link: http://app.webinspector.com/public/reports/19523206
No alerts detected here: http://urlquery.net/report.php?id=8866039
But detection and alerts on Recent reports on same IP/ASN/Domain: http://urlquery.net/report.php?id=8846972
and an earlier report yet: http://urlquery.net/report.php?id=422748 is being blocked by avast! Webshield as infested by KS:Includer-NS[Trj].
Assumption: site has malcode and has now been cleansed? This is an assumption on the basis of the recent urlquery dot net scans for this site!
pol