How to resolve Avast we've safely aborted connection on ... URL:Blacklist

Hi, quick question.
I am using Avast and recently I keep getting this message:
hxtps://lensvid.com/wp-content/uploads/2020/10/URL-Blacklist.png
I am not sure if it happens on any specific site or just in general when using chrome.
How do I resolve this?

Thanks,
Id.

This site has been blacklisted (by McAfee and also avast’s) → https://sitecheck.sucuri.net/results/polobear.shop
IP also blacklisted by Missouri Cyber Security Portal.

Whenever you are the owner/admin of that site you could report an FP and ask for a final verdict.
Looks however the detection is genuine,

polonus

Hi,
Thanks for the info.
The thing is - I am not trying to access this site (in fact I had no idea what this site is).
So it seems there is a deeper issue here - something is forcing the browser to try and enter this site every few min.
How can I check what is causing this? I ran Avast on the computer - nothing - what else can I do?

P.S. What's with the constant verification of each post on this site - it is super difficult.
Id

Captcha is only needed for your first 3 posts. (Spam protection)

I see - thanks.

And what about my question - ideas?

If you aren’t actually trying to connect to the polobear.shop mentioned in Polonus’s post as that is what is being blocked by Avast. That site is blocked by another security application besides Avast, it is also considered a Critical Security Risk in the link Polonus gave.

So it is possible there is something on your system that is trying to connect to it, possibly a new browser add-on or a piece of hidden or undetected malware.

That makes sense - but how will you go about finding what it is and removing it?
Avast can’t seem to find it (I ran the software) so what should I do?

Id

I have investigated a bit more and I am suspicious of this website:
h ttps://lensvid.com/
I checked it using several tools and it seems to be green but I keep getting this message from time to time (not always) when I browse it.
Is it related or is it something else?

Id

Please ‘modify’ your post and change the URL from http to hXXp or www to wXw (as I have in the quoted text), to break the link and avoid accidental exposure to suspect sites, thanks.

Though nothing much found on it https://sitecheck.sucuri.net/results/lensvid.com
Though lensvid.com does have a redirect to the polobear.shop triggering the avast alert, see attached image.
It also doesn’t get a good review from this site, https://webhint.io/scanner/c2ed8d14-7942-4067-8965-eab6f53a3e9c

What makes you suspicious about the lensvid.com site then ?
So are you actually visiting the lensvid.com site or not ?

If not - Then this needs further analysis by a malware removal specialist:
Go to this topic https://forum.avast.com/index.php?topic=194892.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Hi DavidR,
Thanks for the reply.
I fixed the link.

So just to be sure - you also got the same polobear.shop notice when you went into the site?
If you did then this is a problem with the site (I visit it often). I did try browsing it when in incognito and didn’t get the notice but it doesn’t happen all the time anyway so I am not sure what is going on here.

I added my files (I think this is what you were asking right?).

I am far from an expert but since I am still getting those messages when getting into the lensvid.com site it seems to be originating from the site (at least based on what I see from my computer).

Id

If the lensvid.com site is one that you regularly visit, then I would say that there is less of a likelihood of it being malware on the system or malicious browser extension.

Though this isn’t an area that I’m familiar with (I leave that to those trained malware removal specialists).

That said, there aren’t that many available and regular visitors to the avast forums, so there could be a delay in availability, etc.

For now I would suggest that you stop using the lensvid.com site for a day (or more given its poor report in the second link I posted) or so and see if these alerts continue or not and report back.

Thanks DavidR.
I’ll do that and try a few other things and we shall see where we land with this.

I’ll post back if this won’t be resolved.

You’re welcome.

@ zorg 44 & DavidR,

Here we can establish it is just -polobear.shop that is a PHISH: https://www.virustotal.com/gui/domain/polobear.shop/detection

The Namecheap, Panama organization has been found out to be a hide-out for many a scammer/spammer.

6 detected files communicating with that address: https://www.virustotal.com/gui/ip-address/162.0.235.12/detection and https://www.virustotal.com/gui/ip-address/162.0.235.12/relations

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Whilst that may be correct, we still have to wonder WHY there is a redirect from lensvid.com.

There is a possibility that given the poor review given on lensvid.com by the webhint.io/scanner that its weaknesses are being exploited, on the Security tests 2/10 or just plain sloppy.

Yes, DavidR, is right where LENSVID is being concerned,
we find a vulnerable WordPress plug-in there,
that could have been the cause of this, see: https://vulners.com/cve/CVE-2020-26596?utm_source=scanner&utm_medium=chromePlugin&utm_campaign=scan

It can then be pinpointed at the Dynamic 000 Widget.
Oversight:


polonus (volunteer 3rd party cold recon website-security analyst and website error-hunter)
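
An added example, not part of the thread and not any poster's code: one way to approach the question raised above (which resource on a page leads to a blocked domain) is to inventory every third-party host that a saved copy of the page loads code from or navigates to, and compare that list with the domain named in the alert. The sample markup, the `.example` hosts and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample markup; hosts are placeholders, not taken from the thread.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5; url=https://blocked.example/landing">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.adnetwork.example/tag.js"></script>
<script src="//static.analytics.example/js"></script>
</head><body><iframe src="https://blocked.example/frame"></iframe></body></html>"""

class ResourceCollector(HTMLParser):
    """Record (kind, url) for tags that load code or navigate the page."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.found.append((tag, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content has the form "5; url=https://host/path"
            target = (a.get("content") or "").partition("=")[2].strip(" '\"")
            if target:
                self.found.append(("meta-refresh", target))

def matches(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit(html, first_party, blocklist):
    """Map each third-party host to how it is referenced and whether it is blocklisted."""
    collector = ResourceCollector()
    collector.feed(html)
    report = {}
    for kind, url in collector.found:
        # Resolve relative and protocol-relative URLs against the site itself.
        host = urlparse(urljoin(f"https://{first_party}/", url)).hostname or ""
        if not host or matches(host, first_party):
            continue  # same-site resource
        entry = report.setdefault(host, {"kinds": set(), "blocked": False})
        entry["kinds"].add(kind)
        entry["blocked"] = any(matches(host, d) for d in blocklist)
    return report

if __name__ == "__main__":
    for host, info in sorted(audit(SAMPLE_HTML, "site.example", {"blocked.example"}).items()):
        print(f"{'BLOCKED' if info['blocked'] else 'ok':8}{host}  via {sorted(info['kinds'])}")
```

Static markup only shows what the page references directly; a redirect issued at runtime by one of the listed third-party scripts will not show up as a blocked host, so the third-party list itself is what to review.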