http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js

[mehuge]

e.g. visiting (remove the braces)

(http)://www.wix.com/support/forum/flash/other/other/spurious-code

The page injects some javascript (using document.write) to load the script http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js

I can access (https)://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js (the very same code) and not get a virus alert.  I can download (http)://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js using wget and scan it and not get an alert.  The alert its giving is a URL:Mal

I can upload the downloaded code to jotti.org and it passes as clean.

http://virusscan.jotti.org/en/scanresult/9cd19dba5af53585bfcc4a5244c21382e539fc60

False positive?

[joshuachavanne]

Have had this happen on several sites today, and upon a cursory search there seems to be a lot of references to this same code.

[poppie1234]

Yep same thing just happened to me visiting a jewellery website that i have used before (all the w's acotisjewellery.co.uk) exactly the same pop up,avast blocked a malicious URL ://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js as other people are getting. 

[whetzelmomma]

I am getting this alert when I view my blog/website. I also get it when I try to expand the HTML template of my blog in the admin area. I use blogger, and have not recently made any changes to my site, nor do I allow spam comments on my blog. Pretty sure this is a false pos, but how do I report it?

[Bowdon]

I'm getting it when visiting the national newspaper Daily Mail. It was ok until this afternoon. Then this warning.

[DavidR]

@ mehuge

Please 'modify' your post change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.

[whetzelmomma]

It's not a site, it's part of a java script on pages.

[sfreeman]

Since it only seems to be getting caught by Avast, it would be great if someone from Avast could chime in and say if it's a false positive, or something we actually need to worry about.

[designyou]

I have the same problem and agree would be nice with some info from Avast!!!

[Pondus]

could you attach a screenshot of the avast warning popup...

[polonus]

Pondus

Somehow, do not seem able to reproduce it. Maybe it has gone with a new definition update..
RUM means real user monitoring by automatically injected javascript. Info on what RUM does from Dan Wright in this article of his -> link here: http://blog.newrelic.com/2011/05/17/how-rum-works/

polonus

[Jonny788]

Hello, I've registered just to say I'm getting this problem too and it started today, It's popping up at many safe websites I visit daily, including filehippo and ausgamers just to name a couple.

It would be great if someone at avast! could confirm if this is a false positive, before I decide to disintegrate my harddisk.

[Borgis]

could you attach a screenshot of the avast warning popup...

My warning

[poppie1234]

With so many of us getting the same pop up it must be a false positive surely?

Wish someone from Avast would let us know.

[polonus]

Just wondering what it is, and where it comes from. From the header request I get:

Code: [Select]

HTTP/1.0 403 Forbidden
Content-Type: text/html
Content-Length: 49
Connection: close
Server: CloudFront
Date: Thu, 03 Jan 2013 22:01:18 GMT
Expires: Thu, 03 Jan 2013 22:01:18 GMT
X-Amz-Cf-Id: XwrpY8dIAJVQveFH1V5Sym206IB0K8Vw7BQo_q1YB4gJ2VV87JmyXw==
X-Cache: Error from cloudfront From the GET

Code: [Select]

HTTP/1.0 403 Forbidden
Content-Type: text/html
Content-Length: 49
Connection: close
Server: CloudFront
Date: Thu, 03 Jan 2013 22:03:04 GMT
Expires: Thu, 03 Jan 2013 22:03:04 GMT
X-Amz-Cf-Id: UwQcftUvjCf9p_iJDZYCAUEnIwku1Cj3z96FN6k3L-Zgf2cRB7l8Cw==
X-Cache: Error from cloudfront

<html><body>Sorry, invalid request</body></html>
polonus