Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: dr_j on January 29, 2006, 07:02:26 AM

Title: Latest update and Proxomitron
Post by: dr_j on January 29, 2006, 07:02:26 AM
While I was out this evening, I received the latest update on all of my machines (0605-0). Now, whenever I open my browser, I get a malware warning (script). I believe this is due to my use of Proxomitron as my ad blocker of choice.  It appears that Proxomitron is prepending and appending some script code at the start/bottom of each web page that it visits. Note that this was never flagged as an issue before the latest update.

How concerned should I be? If Avast continually flags every web page I visit while Proxomitron is enabled, I see I have several choices: stop using Proxomitron and use an alternative; stop using Avast and use an alternative; tolerate the warnings for every page.

How concerned should I really be? Is Proxomitron really placing malicious code in the web pages, or is it just code to help it block ads and popups?

Thanks!

j
Title: Re: Latest update and Proxomitron
Post by: Vlk on January 29, 2006, 10:11:27 AM
What malware is reported, exactly?
On which page?
Title: Re: Latest update and Proxomitron
Post by: dr_j on January 29, 2006, 05:34:22 PM
It's reported as "VBS:Malware [Script]", and it's reported on every web page that is visited (every cached web page as well).

Proxomitron is prepending the following on every page:

<!--//--><script>var PrxLC=new Date(0);var PrxModAtr=0;var PrxInst; if(!PrxInst++) PrxRealOpen=window.open;function PrxOMUp(){PrxLC=new Date();}function PrxNW(){return(this.window);} function PrxOpen(url,nam,atr){ if(PrxLC){  var cdt=new Date();  cdt.setTime(cdt.getTime()-PrxLC.getTime());  if(cdt.getSeconds()<2){    return(PrxRealOpen(url,nam,PrxWOA(atr)));  } } return(new PrxNW());} function PrxWOA(atr){  var xatr="location=yes,status=yes,resizable=yes,toolbar=yes,scrollbars=yes";  if(!PrxModAtr) return(atr);  if(atr){    var hm;    hm=atr.match(/height=[0-9]+/i);    if(hm) xatr+="," + hm;    hm=atr.match(/width=[0-9]+/i);    if(hm) xatr+="," + hm;  }  return(xatr);}window.open=PrxOpen;</script>
<!--//--><script> function NoError(){return(true);} onerror=NoError; </script>
<!--//--><script> function moveTo(){return true;}function resizeTo(){return true;}</script>

and it is appending this on every page:

<!--//--><script>if(document.layers){document.captureEvents(Event.MOUSEUP);}document.onmouseup=PrxOMUp;</script>

I never gave it much thought, as it's such a good ad blocker.  With Avast now reporting every single web page as potentially infected, it's a pain.


j
Title: Re: Latest update and Proxomitron
Post by: BlankaM on January 29, 2006, 07:20:00 PM
I also use Proxomitron and I'm getting exactly the same message, but I only seem to get it in Internet Explorer, not in Firefox.
Title: Re: Latest update and Proxomitron
Post by: dr_j on January 29, 2006, 07:31:14 PM
Interesting ..... I'm using IE.

j
Title: Re: Latest update and Proxomitron
Post by: BlankaM on January 29, 2006, 07:33:06 PM
Now's a good time to switch to Firefox then! ;)

The money spender in the house likes to use IE so I'm kinda stuffed unless it can be sorted. :(
Title: Re: Latest update and Proxomitron
Post by: DavidR on January 29, 2006, 07:37:14 PM
> Now's a good time to switch to Firefox then! ;)
>
> The money spender in the house likes to use IE so I'm kinda stuffed unless it can be sorted. :(

That doesn't mean you have to use IE; Firefox and others, Opera, etc., are free ;D
Title: Re: Latest update and Proxomitron
Post by: BlankaM on January 29, 2006, 07:39:01 PM
Oh, I use Firefox, that's not the problem, but you try and retrain a loved one to use a new browser! :D Having said that, I'll go ahead and do it if it's not sorted in the next few days. I'll get Opera on here probably.
Title: Re: Latest update and Proxomitron
Post by: dr_j on January 29, 2006, 09:16:53 PM
I can certainly look at using Firefox; it has ad-blocking built in, right? And wouldn't Proxomitron still add its $0.02 to the HTML to block ads (if I still used it)? I'm not sure switching browsers fixes the problem ---- looks like a false positive to me.

j
Title: Re: Latest update and Proxomitron
Post by: BlankaM on January 29, 2006, 09:20:14 PM
Oh it's a false positive alright, but whatever the reason, I don't get the problems with Firefox. I'd say use Firefox as a stopgap until the problem gets fixed. You may even move permanently anyway. ;)
Title: Re: Latest update and Proxomitron
Post by: Vlk on January 29, 2006, 09:42:49 PM
Hopefully the virus guys will have a look at it shortly.
BTW Blanka, I see you're based in the UK but your first name (or your nick) looks very Czech. How come? :)
Title: Re: Latest update and Proxomitron
Post by: Scott Gilmore on January 29, 2006, 11:52:39 PM
> Interesting ..... I'm using IE.

I'm getting the same problem with every browser I use that connects through Proxomitron.  If I change settings so that the browser doesn't connect through Proxomitron, close and re-launch, I have no more problems.

The behavior is identical with Firefox, my default browser, IE6 SP1, Opera, Mozilla and Avant (which is basically just IE6 with its own shell).  In each case, the cached .HTM and .ASPX files return the same false positives - regardless of browser.  The behavior is always the same.

Very frustrating.  I just spent much of the day trying to figure out what was writing that script code into the top and bottom of those files.

Thank you,
Scott Gilmore
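
An added example, not part of the original thread and not Avast or Proxomitron code: one way to find out what is writing script into the top and bottom of cached pages is to compare files cached from unrelated sites and pull out the script blocks they all start and end with. The function names `shared_injection` and `strip_injection` and the two sample pages are constructed for illustration; the header and footer strings are blocks quoted earlier in the thread.

```python
import os
import re

# One or more <script> blocks, each optionally preceded by the "<!--//-->"
# marker seen in the samples quoted in the thread.
BLOCKS = r"(?:\s*(?:<!--//-->)?\s*<script\b.*?</script\s*>)+"
FLAGS = re.IGNORECASE | re.DOTALL

def shared_injection(pages):
    """Return (header, footer) script runs that every page starts/ends with."""
    bodies = [p.strip() for p in pages]
    if len(bodies) < 2:
        return "", ""  # a single file cannot show what is shared
    head = os.path.commonprefix(bodies)
    tail = os.path.commonprefix([b[::-1] for b in bodies])[::-1]
    top = re.match(BLOCKS, head, FLAGS)
    bottom = re.search(BLOCKS + r"\s*$", tail, FLAGS)
    return (top.group(0).strip() if top else "",
            bottom.group(0).strip() if bottom else "")

def strip_injection(page, header, footer):
    """Remove the shared header/footer so the site's own markup can be examined."""
    body = page.strip()
    if header and body.startswith(header):
        body = body[len(header):]
    if footer and body.endswith(footer):
        body = body[:-len(footer)]
    return body.strip()

# Two of the prepended blocks and the appended block quoted in the thread.
HEADER = ('<!--//--><script> function NoError(){return(true);} onerror=NoError; </script>\n'
          '<!--//--><script> function moveTo(){return true;}function resizeTo(){return true;}</script>')
FOOTER = ('<!--//--><script>if(document.layers){document.captureEvents(Event.MOUSEUP);}'
          'document.onmouseup=PrxOMUp;</script>')

# Constructed stand-ins for cached pages from two unrelated sites.
SITE_A = "<html><head><title>News</title></head><body><p>Hi</p></body></html>"
SITE_B = "<html><body><script>var own=1;</script><h1>Shop</h1></body></html>"
CACHED = [f"{HEADER}\n{site}\n{FOOTER}\n" for site in (SITE_A, SITE_B)]

if __name__ == "__main__":
    header, footer = shared_injection(CACHED)
    print("shared header:", header)
    print("shared footer:", footer)
    print("page as served:", strip_injection(CACHED[1], header, footer))
```

Identical script at the start and end of pages from unrelated sites points at something local (a filtering proxy, a toolbar, an intercepting scanner) rather than at the sites, and the stripped page is what the site itself served.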
Title: Re: Latest update and Proxomitron
Post by: BjMarowitz on January 30, 2006, 12:02:35 AM
My experience is the same as Scott's -- every browser that connects through Proxomitron.

This is only with the latest updates from Saturday (28 JAN 06).

I REALLY don't want to browse without Proxomitron -- it is an extremely useful tool.

Thanks!
Bj
Title: Re: Latest update and Proxomitron
Post by: dr_j on January 30, 2006, 01:56:42 AM
That's what I would have expected. For now, I've curtailed browsing, and I just "bypass" Proxomitron while I'm on the net. Not ideal .... but at least it doesn't throw the false positive warnings when I'm on the web.

j
Title: Re: Latest update and Proxomitron
Post by: BlankaM on January 30, 2006, 09:27:43 AM
Hmm... I guess it's the way I've got Firefox then that doesn't get it spouting viruses at me all the time... At any rate, I'm not getting them at the moment but it's still a pain in the backside because a few applications, namely Steam in my case, access webpages using IE and I get virus warnings whenever I login...

And Vlk, the nickname comes from many many hours of playing Street Fighter 2! ;) Brilliant game!
Title: Re: Latest update and Proxomitron
Post by: Umath on January 30, 2006, 01:41:47 PM
How about letting Web Shield ignore local communication (On-Access Protection Control>Web Shield>Basic>check "Ignore local communication") and monitor Proxomitron (http://avast.com/eng/webshield_issues.html#idt_6874)?  Of course, this is not a conclusive solution but may work.

About the Off Topic, I thought it is spelled Blanca in English...though the setting is Venice, Cassio's mistress had this name, for example.  There are some local variations in Europe but basically, the name sounds feminine to me while the illustration (http://en.wikipedia.org/wiki/Blanka) is quite contrary... ;D
Title: Re: Latest update and Proxomitron
Post by: BlankaM on January 30, 2006, 05:26:04 PM
I tried the suggestion above but I'm still getting the warning... :(
Title: Re: Latest update and Proxomitron
Post by: Umath on January 31, 2006, 01:04:53 AM
> I tried the suggestion above but I'm still getting the warning... :(

Did you close Web Shield and restart it after the changes? This ritual may seem to be stupid but is needed.
Title: Re: Latest update and Proxomitron
Post by: igor on January 31, 2006, 09:56:46 AM
BlankaM, you still get the warning with 0605-1 VPS?
Title: Re: Latest update and Proxomitron
Post by: Nokia3510 on January 31, 2006, 11:41:11 AM
Igor, I can confirm that the problem regarding 0605-0 VPS and Proxomitron was solved in 0605-1 VPS. I couldn't understand, though, why this false alarm appeared randomly. Out of 5 identical PCs, only one had this annoying problem.

On the other hand, could you please explain to me the logic in numbering the VPS versions? Other AV products release their updates in a dd/mm/yyyy form. Thanks in advance :)
Title: Re: Latest update and Proxomitron
Post by: igor on January 31, 2006, 11:55:27 AM
Generally, it's YYWW-N, where N is the number of VPS within the week.
Title: Re: Latest update and Proxomitron
Post by: BlankaM on January 31, 2006, 09:03:59 PM
My apologies guys for not posting here sooner,

yes it's sorted now and doesn't appear! :D Thanks a lot!
Title: Re: Latest update and Proxomitron
Post by: Umath on February 01, 2006, 02:55:11 AM
No news may be good news but a confirmation is always nice.

I cannot understand, though.  Why did it happen only with IE/Proxomitron combination and was it persistent even when Web Shield was supposed to be checking before Proxomitron?
Title: Re: Latest update and Proxomitron
Post by: dr_j on February 01, 2006, 03:05:44 AM
I can reply too, that it is now gone (the false positives). On that note, this appeared on every one of the machines I use that have Proxomitron installed..... so there was no randomness at all in my case.

j
Title: Re: Latest update and Proxomitron
Post by: Scott Gilmore on February 01, 2006, 05:24:02 AM
> BlankaM, you still get the warning with 0605-1 VPS?

You guys are fast. Problem solved.

Thanks,
Scott Gilmore
Title: Re: Latest update and Proxomitron
Post by: BjMarowitz on February 01, 2006, 12:34:42 PM
Problem resolved for me as well.

As to the randomness, I have a home machine that isn't used regularly -- it was running Firefox 1.0.4 -- and there was no problem.

Firefox 1.5 on my company machine had the issue, as well as another test machine with Firefox 1.0.6.

Doesn't seem to matter whether it was Avast Home or Pro.

Thanks for the quick fix!
Title: Re: Latest update and Proxomitron
Post by: Nokia3510 on February 01, 2006, 02:30:29 PM
I have an answer for the apparent randomness of the problem. It depends on the Proxomitron version. The June release worked fine. Older releases had this problem. Check your Proxo's Help-About, guys :)