Hundreds of URL:Blacklist pop-ups. Am I in danger?

Since last Sunday, sometimes while using Google Chrome (mostly when opening a new tab, but not only, and not always) I get exactly 101 “Threat secured URL:Blacklist” notifications from Avast.

It seems Avast blocked a connection to images.aurora.enhanced.live. Looking online, this address does not return any match (except I found out that an infamous Aurora Stealer exists). Also, the URLs contain weird png file names that I cannot find anywhere on my PC. They are mostly named “Screenshot” or “Schermata” (screenshot in Italian).

If I run Avast Smart Scan everything looks okay. No threat / virus / malware is found. What should I do? Is this a false positive? Is my PC infected? I am becoming a bit paranoid after having read what Aurora Stealer can do. Could this be related?

I have screenshots of two of the 101 notifications but I am not sure what is the best place to host them (as it seems they cannot be uploaded here). I also saved the "ID"s of those detections, I am not sure if they can be useful:

28f09747897e/2024-03-13T17:00:07.631Z 748681e73d7e/2024-03-13T17:00:11.900Z

They can be uploaded to the forum.

Attaching images to your post: when you click the Reply button, it opens a text window for you to post your comment (reply or post).
Click the Preview button; that shows what you have input and expands it to include ‘Attachments and other options’. Click that and it further expands; here you can attach images, etc. at the bottom of your post.
See my attached image, click to expand.

That said, if you aren’t intending to go to that site (most likely not):
If not, start by clearing your browser cache and cookies, including 3rd party cookies, and restart your browser.
If that resolves it, you should be good to go.
If it doesn’t, try running your browser with add-ons disabled.

If that resolves it, have you added or updated any add-ons?
If so, try disabling that add-on, then restart and try again.
If still not resolved and you are using a Chrome-based browser, try this suggestion by Avast Team member ‘lukor’:
What about page notifications? Here: chrome://settings/content/notifications ? Do you have all cleared?
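
As an added example (not part of the original posts, and not Avast's or Chrome's own tooling), the notification check above can also be done offline by reading the profile's `Preferences` JSON file and listing every site that is allowed to push notifications. The JSON path `profile.content_settings.exceptions.notifications`, the setting values and the timestamp format are assumptions about Chrome's file layout, and the sample data and site names are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample mimicking the relevant part of a Chrome profile's
# "Preferences" JSON file (assumed layout; the site names are made up).
SAMPLE_PREFS = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://news.example:443,*": {"setting": 1, "last_modified": "13354848000000000"},
        "https://mail.example:443,*": {"setting": 2, "last_modified": "13350000000000000"},
        "https://push.example:443,*": {"setting": 1, "last_modified": "13354934400000000"},
    }}}}
})

ALLOW = 1  # assumed Chrome content-setting value: 1 = allow, 2 = block


def chrome_time(value):
    """Convert a microseconds-since-1601 timestamp (assumed format) to UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value))


def allowed_notification_sites(prefs_text):
    """Return (origin, granted_at) for each site allowed to notify, newest first."""
    prefs = json.loads(prefs_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    allowed = []
    for pattern, info in entries.items():
        if info.get("setting") != ALLOW:
            continue  # blocked or default entries cannot raise pop-ups
        origin = pattern.split(",")[0]  # drop the ",*" secondary pattern
        allowed.append((origin, chrome_time(info.get("last_modified", 0))))
    return sorted(allowed, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # To audit a real profile, read its Preferences file instead of SAMPLE_PREFS.
    for origin, granted in allowed_notification_sites(SAMPLE_PREFS):
        print(f"{granted:%Y-%m-%d %H:%M} UTC  {origin}")
```

Sorting by grant time puts the most recently allowed sites first, which is useful when alerts began on a known date.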

Thank you! I completely overlooked the “Attachment and other options” section. I edited the original message and added the screenshots.

About the other part of your reply:

  • I will try to clear browser cookies and cache, and I’ll monitor the situation!
  • I did not add any add-on or extension recently
  • I will still try to disable the ones I have active and monitor
  • I am using Chrome, and have all my notifications blocked. However I now explicitly disabled all notifications.

In any case, do you think it’s something to be very worried about, or it looks like something mostly harmless? Of course it may be very hard to make an educated guess about this :slight_smile:

Add-ons can be updated, which could have an impact if they connect to a site on Avast’s URL Blacklist.

I don’t use Chrome so I can’t speak from personal experience.
But for sure clearing the Chrome Notifications is advisable if something like this occurs.

The steps I outlined above should be followed in order, they should only need to advance should that action not resolve the problem.
So there should be a short period of testing to see if it stops the alerts. Then proceed to the next step, doing too much at once may not pinpoint the direct issue.

As for being worried, Avast is blocking so the risk currently is low, but that is no guarantee it couldn’t change.

https://www.virustotal.com/gui/url/2563041f72e753f109b5c3dfff2975ecc38c8b88db9e754b44e89e1186e07377?nocache=1

redirect to
https://www.virustotal.com/gui/url/3a297fe6a3e3a510b7f55c4d3b60c59ae2c59f3401227497ba51265b66290c33?nocache=1

> The steps I outlined above should be followed in order, they should only need to advance should that action not resolve the problem. So there should be a short period of testing to see if it stops the alerts. Then proceed to the next step, doing too much at once may not pinpoint the direct issue.

True, I may have overdone it, but I both cleared cache / cookies AND disabled all extensions except AdBlock. I was not really using them anyway. But it’s true, I should have proceeded more calmly to analyze and pinpoint the situation.

> https://www.virustotal.com/gui/url/2563041f72e753f109b5c3dfff2975ecc38c8b88db9e754b44e89e1186e07377?nocache=1
>
> redirect to
> https://www.virustotal.com/gui/url/3a297fe6a3e3a510b7f55c4d3b60c59ae2c59f3401227497ba51265b66290c33?nocache=1

I did not know such a service existed! Pretty cool :slight_smile: However I am not sure how to interpret the results. It seems it has been flagged by some providers as malicious, but in general it’s flagged as clean by many? It would seem it’s not so bad?

Oh, I have so many questions right now! When Avast reports that “Threat detection” is it because my computer was trying to access that URL? If this is the case then why would it try to access those image URLs, sometimes in Italian? I am from Italy, but my computer has no Italian setting whatsoever! Also could it really have been only a (roguish) extension trying to access those URLs? Let’s see if it stops now. In any case, at least from a first impression, it looks like the aurora in the URL name and the Aurora Stealer are just coincidentally named the same, right?

BTW thank you so much for the replies! Much much appreciated!

Also, feels good using an old school forum! Brings back so many memories!

> I did not know such a service existed! Pretty cool :) However I am not sure how to interpret the results. It seems it has been flagged by some providers as malicious, but in general it's flagged as clean by many? It would seem it's not so bad?

It shows who has that URL on its blacklist. You can check URLs and suspicious files at www.virustotal.com

Always see the scan time/date in the top right corner; if the date is old, use the reanalyze button above to refresh the scan result.

> Oh, I have so many questions right now! When Avast reports that "Threat detection" is it because my computer was trying to access that URL?

If you look at your screenshot under Process, you will see that the connection comes from Chrome.

> If you look at your screenshot under Process, you will see that the connection comes from Chrome.

Yes, makes sense. I was just wondering why would Chrome try to access such a site, seemingly to retrieve some “screenshots”, with some clearly Italian names. It just happened again BTW, when opening a new tab (it doesn’t happen every time, though, as I opened multiple new tabs both before and after). This time it was “only” 3 alerts though (from the original, consistently, 101).

The only Italian-related thing in a Chrome new tab could have possibly been the shortcuts to “previously viewed” web pages. I just got rid of those shortcuts, maybe one of them was the culprit of these calls? I will monitor the situation. It still feels very weird.

That in itself is suspect; your browser shouldn’t be making connections that you haven’t initiated.