Hello,
Since the beginning of the year in certain periods of the day like the morning I constantly get bombarded that a “Threat has been neutralized”
Attaching photo of a recent threat: https://prnt.sc/wha3oc
The neutralized URLs are the same everytime - 4 or 5 at total.
Can you help to stop them totally?
@Georgi27
FYI. Best if you attach screenshots direct to your post using the “Attachments and other options link” you will see below the text box.
Some people on here are reluctant to visit 3rd party image sites to view them.
Thanks for the input but the thread is not targeted at the average Joe.
http://prnt.sc/ is a world renowned service
Whilst that may be the case, attaching the images in the actual topic means no one has to visit an off site/forum link.
Also clicking the More Information in the Avast alert window gives more information on the source responsible for making the connection. So a screenshot of that could help
Valid point. Excuse me.
Here is an expanded view. I tried to delete Skype but Windows didn’t allow me.
You can’t attach an external image in this way, use the Attachments and other options.
Second attempt.
That’s fine, now we can see the image within the forum.
Did you install Skype on your system and is/was it running when these alerts occur ?
The reason I ask is I didn’t think skype would need to be running if you weren’t actually using it.
Second point, I actually connected to zunsoach.com directly and didn’t get an Avast alert, effectively an empty page (Empty OK - see attached image).
So it must have something to do with the afu.php? string/parameters.
I personally don’t have/use skype so I don’t know why it would need to connect to this site zunsoach.com
Some issues reported on this check https://sitecheck.sucuri.net/results/zunsoach.com, which considered a Medium Security Risk. This may possibly be taken advantage of (hacking, etc.), but I don’t know if this would be why avast alerts.
Yes, I installed Skype several months ago and ran it only once.
It’s disabled from Startup so I don’t think its running.
Yes, the sites that I get alerts for seem harmless but I seem to be ‘infected’ with something that tries to open them in certain time periods like shortly after startup or late at night.
zunsoach belongs to a series of new(er) domains that appear to be tied to advertisements. Given Avast’s description, I would say false positive.
Threat Info: https://otx.alienvault.com/pulse/5fbe3146fb50e6267db3bd13
@ Georgi27
Well your avast alert window indicates that it is running (for whatever reason), as the process responsible for the connection attempt is that in your attached image.
I don’t know if this is some update attempt/check, but the destination URL is somewhat obscure if it were an update check, etc.
You could check if there isn’t some scheduled task for skype.
You could also try uninstalling skype as a check to see if the Avast alerts cease.
Note: Given Michael’s post, yes it could be malvertising (malicious 3rd party ads) and could be a false positive. How to report this as a false positive isn’t going to easy, as I mentioned I didn’t get an alert on a direct connection to the domain, nor is there an avast alert on skype.exe
But my point is still this, why would skype be responsible for the connection, when as you say it isn’t meant to be running (on startup). Yes many free programs have in app/process ads, but the key here is in the app/process if it isn’t meant to be running.
I opened Scheduled tasks and sorted by ‘active’ but Skype wasn’t there.
Also, I tried uninstalling it by right clicking it and clicking on “Deinstall” - it takes me to the Applications but Skype for business isn’t there.
Dunno what to do.
.
What windows version are you using ?
Is skype in the windows programs list to try an uninstall from there.
The reason I mention this is that I generally don’t try right click uninstall from a program executable file.
Given its location in c\users\your-name\AppData\local\packages\Microsoft.Windows.Skype… I just wonder this originated from the windows app store.
Unfortunately I can’t be of much practical help, having never installed or used it.
I’m making an assumption this is a windows 10 OS - if so check this https://www.google.co.uk/search?q=uninstall+skype+for+business+windows+10
@Georgi27
Additional to David’s post. Does Skype appear in Task Manager or icon in Task Bar?
David raises a valid question. Did you download Skype from a reliable source i.e. Microsoft Store?
The problem apparently is with afu.php for -zunsoach.com. There are several RETN.net ANY.RUN reports alerting afu.php with one malicious process. So we have to wait for avast team to confirm, that this is the case here as well and whether that is an FP. (particular malicious adware process)
-zunsoach website itself has empty code, and redirects in a scan to-> -Results from scanning URL:
-https://www.assemblea.emr.it/portal_javascripts/al_agidtheme/collective.js.jqueryui.custom.min-cachekey-14f98667ff14b45eb9b97c7c7e65557a.js website for serving up dynamic content for websites through Plone JavaScript.
That is all we know, so far,
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
I’m using Windows 10 x64
No, Skype isn’t in windows programs. I usually don’t do right click and deinstall too but noticed just now that there is such an option. It still takes me to windows programs but Skype isn’t there.
I googled the issue and found out that it comes preinstalled with the Office package and in order to remove it, the Office package needs to be removed as well.
It doesn’t appear in the Task Bar, but there re two processes in the Task Manager.
Of course, I always download stuff from reliable sources but I found that it’s preinstalled with the Office package so that’s why I cant deinstall it. I need to remove the Office package to remove Skype for business.
I’ll posts screenshots of the other sites when I get alerts for (they are the same sites everytime).
Thanks for clarifying that you have “Skype for business”. That is slightly different from the original “Skype” product.