Avast WEBforum

Other => Viruses and worms => Topic started by: mehuge on January 03, 2013, 07:59:16 PM

Title: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: mehuge on January 03, 2013, 07:59:16 PM
e.g. visiting (remove the braces)

(http)://www.wix.com/support/forum/flash/other/other/spurious-code

The page injects some JavaScript (using document.write) to load the script http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js

I can access (https)://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js (the very same code) and not get a virus alert.  I can download (http)://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js using wget and scan it and not get an alert.  The alert it's giving is a URL:Mal

I can upload the downloaded code to jotti.org and it passes as clean.

http://virusscan.jotti.org/en/scanresult/9cd19dba5af53585bfcc4a5244c21382e539fc60

False positive?

Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: joshuachavanne on January 03, 2013, 08:50:51 PM
Have had this happen on several sites today, and upon a cursory search there seem to be a lot of references to this same code.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: poppie1234 on January 03, 2013, 09:00:32 PM
Yep, same thing just happened to me visiting a jewellery website that I have used before (all the w's acotisjewellery.co.uk), exactly the same pop up, avast blocked a malicious URL ://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js as other people are getting.  :-\
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: whetzelmomma on January 03, 2013, 09:06:00 PM
I am getting this alert when I view my blog/website. I also get it when I try to expand the HTML template of my blog in the admin area. I use blogger, and have not recently made any changes to my site, nor do I allow spam comments on my blog. Pretty sure this is a false pos, but how do I report it?
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Bowdon on January 03, 2013, 09:12:04 PM
I'm getting it when visiting the national newspaper Daily Mail. It was ok until this afternoon. Then this warning.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: DavidR on January 03, 2013, 09:12:58 PM
@ mehuge

Please 'modify' your post change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: whetzelmomma on January 03, 2013, 09:20:19 PM
It's not a site, it's part of a JavaScript on pages.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: sfreeman on January 03, 2013, 09:25:53 PM
Since it only seems to be getting caught by Avast, it would be great if someone from Avast could chime in and say if it's a false positive, or something we actually need to worry about.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: designyou on January 03, 2013, 09:35:45 PM
I have the same problem and agree would be nice with some info from Avast!!!
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Pondus on January 03, 2013, 10:44:18 PM
could you attach a screenshot of the avast warning popup...
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: polonus on January 03, 2013, 10:50:29 PM
Pondus

Somehow, I do not seem able to reproduce it. Maybe it has gone with a new definition update.
RUM means real user monitoring by automatically injected javascript. Info on what RUM does from Dan Wright in this article of his -> link here: http://blog.newrelic.com/2011/05/17/how-rum-works/

polonus
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Jonny788 on January 03, 2013, 10:56:00 PM
Hello, I've registered just to say I'm getting this problem too and it started today. It's popping up at many safe websites I visit daily, including filehippo and ausgamers just to name a couple.

It would be great if someone at avast! could confirm if this is a false positive, before I decide to disintegrate my harddisk.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Borgis on January 03, 2013, 10:58:01 PM
could you attach a screenshot of the avast warning popup...
My warning
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: poppie1234 on January 03, 2013, 10:59:40 PM
With so many of us getting the same pop up it must be a false positive surely?

Wish someone from Avast would let us know. :(
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: polonus on January 03, 2013, 11:06:56 PM
Just wondering what it is, and where it comes from. From the header request I get:
Code:
HTTP/1.0 403 Forbidden
Content-Type: text/html
Content-Length: 49
Connection: close
Server: CloudFront
Date: Thu, 03 Jan 2013 22:01:18 GMT
Expires: Thu, 03 Jan 2013 22:01:18 GMT
X-Amz-Cf-Id: XwrpY8dIAJVQveFH1V5Sym206IB0K8Vw7BQo_q1YB4gJ2VV87JmyXw==
X-Cache: Error from cloudfront
From the GET
Code:
HTTP/1.0 403 Forbidden
Content-Type: text/html
Content-Length: 49
Connection: close
Server: CloudFront
Date: Thu, 03 Jan 2013 22:03:04 GMT
Expires: Thu, 03 Jan 2013 22:03:04 GMT
X-Amz-Cf-Id: UwQcftUvjCf9p_iJDZYCAUEnIwku1Cj3z96FN6k3L-Zgf2cRB7l8Cw==
X-Cache: Error from cloudfront

<html><body>Sorry, invalid request</body></html>

polonus


Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Jonny788 on January 03, 2013, 11:08:37 PM
My screenshot and the one from Borgis refer to the same exact file.


EDIT: Forgot to mention that prior to Firefox, I had Waterfox installed (64-bit Firefox variant) and that's where I got the message first; my screenshot shows Firefox Portable because I uninstalled Waterfox thinking the exe got infected, and so I switched to the portable Firefox I use for work.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Pondus on January 03, 2013, 11:12:54 PM
I see both screenshots show Firefox as the process... does it only happen with Firefox?
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Gangplank on January 03, 2013, 11:13:30 PM
Ya, exact same warning as everyone else, getting really worried about what is going on  :( , was fine browsing until today with these pop ups....

PS: No, not only Firefox, I am using Opera myself, still getting the same warning.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: poppie1234 on January 03, 2013, 11:15:24 PM
Just updated avast and still getting the pop ups. What on earth is going on, and why are only some people affected and not others?

Come on Avast we need to know.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: polonus on January 03, 2013, 11:21:07 PM
AVG flags it now on urlvoid: http://www.avgthreatlabs.com/sitereports/domain/d1ros97qkrwjf5.cloudfront.net/
Also blocked according to adblock lists: http://forums.fanboy.co.nz/forums/viewtopic.php?f=6&t=6857 Fanboy's Adblock Forum...

polonus
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Gangplank on January 03, 2013, 11:38:34 PM
Alright, I have tested with IE and Chrome one more time, still getting the same warning with both browsers, kinda odd.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: polonus on January 03, 2013, 11:48:02 PM
Hi Gangplank,

What about users that have ABP in Fx or Chrome with Fanboy's list installed? Are they not being affected?

polonus
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Jonny788 on January 03, 2013, 11:51:31 PM
OK, I've kinda found a "solution" for now. Went ahead and installed the DoNotTrackMe addon and the popup stopped.

Addon Website: http://www.abine.com/dntdetail.php

Unfortunately there's no Opera version, but at least it's avoidable.

I've tried disabling the addon and visited ausgamers.com and the avast popup appeared; enabled the addon and no popup. I've tested this only on Firefox.

If this helps let me know please, at least I'll know if the addon is having an effect or not.

Cheers!

Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Gangplank on January 03, 2013, 11:53:59 PM
Hi polonus,
I've just installed Adblock Plus for Opera and updated the block list from Fanboy's, not getting the same warning anymore for now, will do a test with Chrome right now with the same setup and I will give you an update on the result asap.

cheers.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Gangplank on January 04, 2013, 12:03:56 AM
Okay, I've just done testing with Chrome, with Adblock and updated block list. Twitch TV is fine for now, but when visiting Gawker.com and AusGamers.com I was still getting the "RUM" warnings. I think Adblock does not affect it, at least on my end.

Cheers.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: dreamspinner3 on January 04, 2013, 12:06:50 AM
I'm having the same issue when visiting http://www.captureminnesota.com/ with both Firefox & Chrome beginning today.  Is this a false positive & how can I stop it from popping up all the time?

Thanks.

Kim
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: polonus on January 04, 2013, 12:08:47 AM
@Gangplank,

Good suggestion for those that want to be without that kind of ad-monitoring to have it blocked for now, and also as it later seems to come unblocked by av-solutions.
Fanboy's adblocking list does not flag it for no reason, I guess.

@micahwedemeyer

Wepawet gives the code as benign. And according to me it does not fall into the realm of suspicious or unwanted malicious code. The injecting nature of the benign code could have been an issue here to flag it. So wait for what the avast team analysts will decide.
On second thought, I know that there are users that would like to block that code via an anti-tracking add-on, or via enhanced adblocking or via NoScript or RequestPolicy add-ons in Firefox or similar extensions for Google Chrome. Adblocking and the evasion thereof by ad-launchers is an ongoing chess-game...

polonus
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Gangplank on January 04, 2013, 12:16:33 AM
UPDATE
Installed DoNotTrackMe on Chrome as Jonny788 suggested, the warning somehow stopped for particular reason. Tested multiple times and it seems to be the perfect solution for now.

For anyone having the pop up issue, here is the link to the addon.

hxxp://www.abine.com/dntdetail.php replace (x) with (t).
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: whetzelmomma on January 04, 2013, 12:17:57 AM
I get the alert with IE, and I have removed all code that I can find with the Cloud attached to it. Still getting the alert.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: polonus on January 04, 2013, 12:23:57 AM
This is on the differing variant:

In the code that comes up with Internet Explorer, block "beacon-.newrelic.com" without the "" and see if that is sufficient to block the alerts?
On what the code does: https://newrelic.com/docs/features/how-does-real-user-monitoring-work  -> link info from: Jonah Kowall and Will Cappelli

polonus
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: !Donovan on January 04, 2013, 12:26:51 AM
GET Request with Firefox 17.0.1 returns a benign 0/46 here: https://www.virustotal.com/file/147683625bd70ea7029186e4b71a622c8e4f851fd2a3941dd115a2bdddd91259/analysis/1357254590/

Installed DoNotTrackMe on Chrome as Jonny788 suggested, the warning somehow stopped for particular reason. Tested multiple times and it seems to be the perfect solution for now.
It is only natural that "DoNotTrackMe" will prevent the alert, as "Real User Monitoring" is a form of tracking.

~!Donovan
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: mehuge on January 04, 2013, 12:27:51 AM
could you attach a screenshot of the avast warning popup...

(http://i.imgur.com/1RXSE.png) (http://imgur.com/1RXSE)

More Details (http://www.avast.com/en-gb/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_70_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-gb%2Fvirus-alert-default&p_vir=URL:Mal&p_prc=C:\Users\Austin\AppData\Local\Google\Chrome\Application\chrome.exe&p_obj=http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js&p_var=.%2Ffa%2Fen-gb%2Fvirus-alert-default&p_pro=0&p_vep=7&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=190&p_lng=en&p_lid=en-gb&p_elm=7&p_vbd=1474)

I should have mentioned the following additional details:

I am using:

Google Chrome   23.0.1271.97 (Official Build 171054) m
OS   Windows
WebKit   537.11 (@136278)
JavaScript   V8 3.13.7.5

Avast 7.0.1474
virus definitions 130103-1

...

As micahwedemeyer has pointed out, it's part of the New Relic API for performance monitoring a website.  Hence why it's popping up on numerous unrelated websites, I guess.

I could access the JS code directly via the https variant of the URI and avast does not alert, but accessing the http variant it does, which is a bit odd.  Also it doesn't matter which version (the /42/ part of the URI) I access; I can change it to a different number, and for the http version avast will alert, for the https version it won't.  The code is identical in both cases.
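An added example (not code from the thread, nor from Wix, New Relic or avast) that automates the check the original poster did by hand: it lists every script a page loads, including ones emitted through document.write as described in the first post, and flags third-party scripts fetched over plain http, matching the observation above that only the http variant alerted. The sample page and its script tags are constructed; the cloudfront URL is the one from the thread.

```python
"""List every script a page loads, including ones written in via
document.write, and flag third-party and plain-http loads."""
import re
from urllib.parse import urljoin, urlparse

# Constructed sample page (not the real Wix forum page): one same-origin static
# script and one RUM loader emitted by document.write with the split-tag trick.
SAMPLE_HTML = r"""<html><head>
<script src="/static/app.js"></script>
<script type="text/javascript">
document.write('<scr'+'ipt src="http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js"></scr'+'ipt>');
</script>
</head><body>hello</body></html>"""

WRITE_RE = re.compile(r"document\.write\(\s*(.*?)\s*\)\s*;", re.S)
SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
CONCAT_RE = re.compile(r"[\"']\s*\+\s*[\"']")


def _written_markup(arg: str) -> str:
    """Collapse 'a'+'b' concatenation and <\\/script> escapes so the markup
    document.write would emit can be scanned like static HTML."""
    return CONCAT_RE.sub("", arg).replace("\\/", "/")


def find_scripts(html: str, page_url: str) -> list[dict]:
    """Return one record per script src: static tags first, then injected ones."""
    page_host = urlparse(page_url).hostname
    injected = []
    for m in WRITE_RE.finditer(html):
        injected += SRC_RE.findall(_written_markup(m.group(1)))
    static = SRC_RE.findall(WRITE_RE.sub("", html))  # avoid double counting
    records = []
    for src, via_write in [(s, False) for s in static] + [(s, True) for s in injected]:
        full = urljoin(page_url, src)
        parts = urlparse(full)
        records.append({
            "url": full,
            "host": parts.hostname,
            "injected": via_write,                   # emitted by document.write
            "third_party": parts.hostname != page_host,
            # The poster saw the alert only on the http:// variant of the same
            # file; a plaintext third-party script is also modifiable in transit.
            "plaintext": parts.scheme == "http",
        })
    return records


def needs_review(records: list[dict]) -> list[str]:
    """URLs worth a second look: injected, third-party and fetched over http."""
    return [r["url"] for r in records
            if r["injected"] and r["third_party"] and r["plaintext"]]


if __name__ == "__main__":
    found = find_scripts(SAMPLE_HTML, "http://www.wix.com/support/forum/flash/other/other/spurious-code")
    for r in found:
        print(r)
    print("review:", needs_review(found))
```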
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: dreamspinner3 on January 04, 2013, 12:29:04 AM
I updated my AdBlock list on both Chrome & Firefox and it stopped happening if I use Chrome but it still pops up with the warning if I use Firefox on http://www.captureminnesota.com/.

Kim
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: zebop56 on January 04, 2013, 12:46:29 AM
Getting the same error on my PC using Firefox or IE. 

Infection Details
URL:   hXXtp://d1ros97qkrwjf5.cloudfront.net/42/...
Process:   C:\Program Files\Mozilla Firefox\firefox...
Infection:   URL:Mal

Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: mike406 on January 04, 2013, 12:48:12 AM
This script is also present on various wikis on http://www.wikia.com/Wikia
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: tonyantonio on January 04, 2013, 01:26:24 AM
Guys, whenever I go to Kongregate, a well respected website for games, I get the warning EVERY TIME, no jokes. You can test it too, just go to it and you will get it for some reason. Never had this happen before.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: whetzelmomma on January 04, 2013, 02:16:37 AM
Frustrating that no one from Avast is addressing this formally... I don't want to make it stop for MY computer, I want it to stop for any of my visitors that come and get this seemingly bogus warning!!
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: poppie1234 on January 04, 2013, 08:36:55 AM
Still getting the same pop up this morning  :(

Wish someone from Avast would sort this out  >:(
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: pbishop2010 on January 04, 2013, 08:38:42 AM
I too have gotten this infection pop up when I visited a trusted site. Avast get on the roll and DO SOMETHING!!!!!!!!!!!! Tell us wth this script is, whether it is a virus or a false pos.... But fix it, come on this is nuts.  >:(
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: zebop56 on January 04, 2013, 09:16:16 AM
Well, I'm going to uninstall Avast on my laptop and try another anti-virus program for now. 

Maybe someone at Avast will take notice of this and extend the courtesy of an update.    >:(
 
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: poppie1234 on January 04, 2013, 11:18:53 AM
If you google the URL avast is blocking there are now loads of references to it. I am still getting the pop up  >:(

Can't believe Avast haven't been on here to let us know what's going on. If they don't do something soon I am going to uninstall Avast and install a different anti-virus.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Bowdon on January 04, 2013, 11:26:57 AM
I updated the Fanboy list on Adblock Plus and it's not appearing on the Daily Mail website. I'm surprised this hasn't been corrected in the latest avast update.

Also, because it's not a virus, is it safe to just ignore the warning until the situation is cleared up?
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: poppie1234 on January 04, 2013, 11:29:19 AM
I am too hoping it's safe to just ignore the warning, as that is exactly what I have been doing.  :-\
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: dreamspinner3 on January 04, 2013, 11:32:07 AM
I emailed Avast about this yesterday & got this response just now:

"Thank you for contacting AVAST Software company with your concerns. My name is Michal and I will assist you today. Sorry for late reply.

I was able to browse the site without any warning being displayed, having avast! set to most sensitive level. Therefore I assume the false alarm was already fixed. Please update your virus database and check if the problem persists."

Since I downloaded Do Not Track Me for Chrome, the warning wasn't happening to me anymore while using Chrome.  I did check http://www.captureminnesota.com/ (the site I was getting the warning on) with Firefox & Avast did not give me the pop-up warning this morning.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: Gangplank on January 04, 2013, 11:46:39 AM
I installed DoNotTrackMe as well for Chrome and IE, the alarm hasn't popped up since the installation. DoNotTrackMe is the way to go before any official update, I guess.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: polonus on January 04, 2013, 01:30:02 PM
Hi Gangplank,

DoNotTrackMe certainly is the way to go in case of new tracking code hacks and to stay clear of further tracking hacks or FPs. Of course avast should not have flagged this, as there are a lot of users that do not know or care about in-browser protection and only blame a solution when there is an issue.
I still am not aware of the reason why avast started to alert it, but these tracking codes are often benign hacks to enable multilevel browser user tracking.
There is always a grey area between acceptable user monitoring and privacy intrusion, and there is always the possibility for FP alert interpretation with such code.

polonus
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: poppie1234 on January 04, 2013, 06:34:42 PM
Yesterday I couldn't get on the Daily Mail website or Acotis Jewellery without the pop up appearing. I haven't done anything to block things like others have done, but I have just switched my computer on and it is no longer popping up with the malicious URL blocked warning on those websites.  ;D

My virus definitions have been updated to 130134-0.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: whetzelmomma on January 04, 2013, 06:39:10 PM
I also haven't done anything new on my blog (that worked) or used any tracker blocking. The alerts stopped last night.
Title: Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
Post by: polonus on January 04, 2013, 09:31:08 PM
Might have been a silent FP repair through the last avast update, as it seems now. We weren't informed. As I see this, this JavaScript shouldn't have been blocked by anti-malware programs, as it is not malicious or suspicious as such. For those that want to exclude it from their browsers for other and personal reasons, they should install the appropriate extensions in their browser that block these.
Some like to block third party access like certain ads, web beacons etc. or third party scripts altogether, as they see fit.
With the Quttera scanner I see a lot of script alerted as potentially suspicious that is later found not to be. Sometimes obfuscation of scripts could lead to misinterpretation, and some solutions block obfuscation per se as it could easily be abused....

polonus