Author Topic: hpHosts Blog and avast! Pop-Up Trojan! (Read 4793 times)

hayc59 · « **on:** December 14, 2011, 02:39:03 AM »

Might this be a false positive?
everytime I go there starting last night
I get that pop-up
*see image
thanks for any and all help

Infection: js:Downloader-BDP [Trj]

Code: [Select]

http://hphosts.blogspot.com/

Pondus · « **Reply #1 on:** December 14, 2011, 07:55:29 AM »

Sucuri say Clean...but

Virustotal URLscan
http://www.virustotal.com/url-scan/report.html?id=925972bfb862f58c2c7011b21da57e9f-1323841407

VirusTotal HTMLscan - only detected by avast/Gdata
http://www.virustotal.com/file-scan/report.html?id=a2428944d9bf9331d245bb5279047384f4ec1b78901bc095aa84187038a90659-1323845158

urlQuery - Suspicous
http://urlquery.net/report.php?id=11753

could be it is detecting on something posted in the blog ?

Tetsuo · « **Reply #2 on:** December 14, 2011, 12:12:03 PM »

It might be a FP. Not sure why urlQuery says "Suspicous" though...

YoKenny · « **Reply #3 on:** December 14, 2011, 03:41:46 PM »

Quote from: Pondus on December 14, 2011, 07:55:29 AM

could be it is detecting on something posted in the blog ?

It is definitely something in the blog!

DavidR · « **Reply #4 on:** December 14, 2011, 05:01:47 PM »

Quote from: Tetsuo on December 14, 2011, 12:12:03 PM

It might be a FP. Not sure why urlQuery says "Suspicous" though...

The Suspicious, if you checked out the URLQuery link is Reputation based, which would seem a bit strange for either blogspot or HpHosts sub-domain, though you get all sorts of dross using blockspot.com for their blog.

That said there is a compressed script file being loaded when you open that hphosts.blogspot.com/ page, as indicated by the |>{gzip} at the end of the alert URL and it is this that avast doesn't like, see image extract of the file contents.

Having said that subsequent visits I don't get the alert (after the web shield aborted the connection, for the gzip element)

hayc59 · « **Reply #5 on:** December 18, 2011, 03:34:19 AM »

thank you and Dave...where did you find that file?

DavidR · « **Reply #6 on:** December 18, 2011, 01:34:06 PM »

It is the compressed file that otherwise would be loaded/run when you use that blogspot.com link, a temporary file is created by avast to scan, I captured that.

Tetsuo · « **Reply #7 on:** December 18, 2011, 02:07:48 PM »

Quote from: DavidR on December 18, 2011, 01:34:06 PM

It is the compressed file that otherwise would be loaded/run when you use that blogspot.com link, a temporary file is created by avast to scan, I captured that.

I forgot where Avast places the unp*.tmp file. Not sure if it's in windows/temp or elsewhere...

DavidR · « **Reply #8 on:** December 18, 2011, 03:58:09 PM »

It is the _avast_ sub-folder of windows\temp

Though for obvious reasons, playing with suspect files comes with the usual health warning and disclaimer.

Tetsuo · « **Reply #9 on:** December 18, 2011, 04:06:25 PM »

Thanks, DavidR.

DavidR · « **Reply #10 on:** December 18, 2011, 04:12:28 PM »

You're welcome.

Author Topic: hpHosts Blog and avast! Pop-Up Trojan! (Read 4793 times)

hayc59

hpHosts Blog and avast! Pop-Up Trojan!

Pondus

Re: hpHosts Blog and avast! Pop-Up Trojan!

Tetsuo

Re: hpHosts Blog and avast! Pop-Up Trojan!

YoKenny

Re: hpHosts Blog and avast! Pop-Up Trojan!

DavidR

Re: hpHosts Blog and avast! Pop-Up Trojan!

hayc59

Re: hpHosts Blog and avast! Pop-Up Trojan!

DavidR

Re: hpHosts Blog and avast! Pop-Up Trojan!

Tetsuo

Re: hpHosts Blog and avast! Pop-Up Trojan!

DavidR

Re: hpHosts Blog and avast! Pop-Up Trojan!

Tetsuo

Re: hpHosts Blog and avast! Pop-Up Trojan!

DavidR

Re: hpHosts Blog and avast! Pop-Up Trojan!