Hey there,
Recently, a few days ago, I got a “Threat secured” URL:Blacklist notification when I came back to my PC after being idle for a few minutes, and thought nothing much of it, so I moved on.
Then yesterday, the 31st, I came back to my PC with over 5 of them, all from the same thing in a row. It was something like c.zetadeo.com/goto?9as0dahs8dads09h12dq09n90n.
So I was like nope and reset my PC completely, with freshly formatted drives and a Windows install, and installed all my normal programs etc., even resetting my Chrome sync data and removing any unneeded Chrome extensions. Then, after thinking it was all good, today, the 1st, I came back to my PC after it had been locked for around 5 minutes to another single notification, like a few days ago, of the same thing.
Since then I’ve installed Wireshark and been looking at my connections, wondering when and why it’s happening and where from, but the only fishy stuff that keeps showing up in Wireshark is random amazonaws.com subdomain websites on http/80, akamaitechnologies.com subdomains like a92-123-64-161.deploy.static.akamaitechnologies.com and some random connections to blacknight.ie like 242-118.colo.sta.blacknight.ie, again both on http/80. The amazonaws.com subdomain websites mostly all have the same fake-looking “404 page not found”, very randomly, just like c.zetadeo.com. It can not show up for an hour, then there’ll be a few of them, then nothing, completely at random and unrelated to anything I’m doing on the machine. I’ve obviously looked into the website and everything about it I can, and found a few things like
Zetader.club
ponk.pro
alfad.pro
tare.pro
p.zetadeo.com
p.zetadeo.com/ad
when googling, which all have the same 404 and seem related. I also found http://p.zetadeo.com/go/35927/437054/aHR0cHMlM0EvL2FrYXBsYXllci5jb20vdHJhaWxlcnMvdHJhaWxlcnMucGhwJTNGaWQlM0R0dDAxMDg3NzgtNS0xMw==?cb=7522394612662835
My first thought was, okay, I must have some bad Chrome extension or something that’s silently pushing ads in the background to generate income, so I’ve been looking at the sources of all my extensions for the less “trusted” ones, and the sources all check out just fine.
Here is the one I found today in the Avast logs:
[2020-11-01 22:11:15.085] [info ] [JS_console ] [11192:11196] https://local.avast.com/plugins.js:2 - [“DATA notificationCenter.onStatusChanged.insertItem:”,“{"Desc":"We’ve safely aborted connection on c.zetadeo.com because it was infected with URL:Blacklist.","ItemUID":4,"Subtype":"","Timestamp":"1604268675","Title":"Threat blocked","Type":1,"Viewed":true}”]
Obviously, I don’t have the previous ones due to my PC reset.
I have checked Windows, Avast, Malwarebytes and more for any updates. Full scans from Avast and Malwarebytes, all on the highest sensitivity, don’t show anything and have never shown anything for years.
I’m a software developer and I like to keep everything tightened down on my PC/network. I don’t install random things, and even if I do I always check the source, or it has to be very trusted for me to use closed-source, but this one has stumped me and is the first kind of malware/virus I’ve had since I was a child.
Anyone got any idea what/why and where it’s coming from, and what the best course of action is to stop this?
Thanks!
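As an added triage example (not part of the post or of any Avast tooling), the Python below parses the Avast notification line quoted above into the blocked host, detection name and UTC time, and decodes the base64 path segment of the p.zetadeo.com /go/ link to reveal the landing URL the redirector points at; the log line is embedded as constructed sample input, and the field regexes are an assumption about how the forum rendered the JSON.

```python
import base64
import re
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

# Constructed sample input: the Avast JS_console line from the post, with the
# inner JSON quotes unescaped exactly as the forum rendered them.
AVAST_LINE = (
    '[2020-11-01 22:11:15.085] [info ] [JS_console ] [11192:11196] '
    'https://local.avast.com/plugins.js:2 - ["DATA notificationCenter.onStatusChanged.insertItem:",'
    '"{"Desc":"We\u2019ve safely aborted connection on c.zetadeo.com because it was infected '
    'with URL:Blacklist.","ItemUID":4,"Subtype":"","Timestamp":"1604268675",'
    '"Title":"Threat blocked","Type":1,"Viewed":true}"]'
)

# The p.zetadeo.com tracker link from the post.
REDIRECT_URL = (
    "http://p.zetadeo.com/go/35927/437054/"
    "aHR0cHMlM0EvL2FrYXBsYXllci5jb20vdHJhaWxlcnMvdHJhaWxlcnMucGhwJTNGaWQlM0R0dDAxMDg3NzgtNS0xMw=="
    "?cb=7522394612662835"
)

def parse_avast_block(line):
    """Extract blocked host, detection name and UTC time from a notification line."""
    # Per-field regexes instead of json.loads: the forum stripped the JSON escapes.
    desc = re.search(r'"Desc":"(.*?)","ItemUID"', line)
    ts = re.search(r'"Timestamp":"(\d+)"', line)
    if not desc or not ts:
        return None
    host = re.search(r'connection on (\S+) because', desc.group(1))
    threat = re.search(r'infected with ([\w:]+)', desc.group(1))
    when = datetime.fromtimestamp(int(ts.group(1)), tz=timezone.utc)
    return {
        "host": host.group(1) if host else None,
        "threat": threat.group(1) if threat else None,
        "time_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
    }

def decode_redirect_target(url):
    """Return the landing URL hidden in a /go/<id>/<id>/<base64> link, or None."""
    for segment in reversed(urlsplit(url).path.split("/")):
        padded = segment + "=" * (-len(segment) % 4)  # tolerate stripped padding
        try:
            text = base64.urlsafe_b64decode(padded.encode()).decode("ascii", "ignore")
        except ValueError:  # binascii.Error is a ValueError: not base64, skip it
            continue
        if text.startswith(("http://", "https://", "http%3A", "https%3A")):
            return unquote(text)  # undo the %3A / %3F / %3D percent-encoding
    return None
```

The decoded target (and the ids in the /go/ path) are what to search for in the Wireshark capture and in extension source code, rather than the throwaway c.zetadeo.com hostnames.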