Author Topic: Repeated connection attempts from a certain website  (Read 3583 times)

Offline smorestea

  • Newbie
  • *
  • Posts: 6
Repeated connection attempts from a certain website
« on: May 30, 2020, 06:09:54 AM »
Hello,

I originally posted this in another forum, and was directed to post it here:

I have been getting repeated warnings from Avast whenever I am on Chrome saying a connection to joyshoul.com was stopped because it was infected with Other:Malware-gen [Tri]. It is great that they are stopping it, but how do I stop it? I have never visited that website, and never will. It doesn't even come up in a Google search, so I am not too sure what that thing is, and not too sure how it is repeatedly trying to connect to my PC when I am not even accessing it. How do I stop this? I really do want to continue using Chrome since Firefox wasn't really my thing.

More info:
Name: Other:Malware-gen [Tri]
Danger level: low

While I was running the tests to get the log, Malwarebytes caught the same website attempting to connect. It said it had a trojan horse (total of 3 times while I was writing this), and apparently it is an outbound connection.


« Last Edit: May 30, 2020, 06:30:43 AM by smorestea »

Offline smorestea

  • Newbie
  • *
  • Posts: 6
Re: Repeated connection attempts from a certain website
« Reply #1 on: May 30, 2020, 06:12:40 AM »
Oops, sorry guys, just saw the post two steps down that has a very similar issue to mine. I will try to figure it out based on that and come back if I'm stuck.

Update: I checked out:
https://www.urlvoid.com/scan/joyshoul.com/
https://www.scumware.org/search.php
https://www.virustotal.com/gui/domain/joyshoul.com/details

Not too sure what I need to do with the data they provide me though. I did clear my history as advised in the other post. However, the problem is still occurring. Now I am checking out my downloads, but I am not seeing anything suspicious. Help would be much appreciated.

More updates: I ran a detailed search on my downloads folder, found a virus in my prof's lecture ppt (kinda weird;), solved it, but it wasn't it. Blocked JavaScript from that website. I am still getting connection attempts from that website.

I checked out my log, in case I would be able to understand anything, saw some file names that needed to be covered, and so those changes were made to my logs. "zz" as a filename means I changed the name. I also see in my uorigin that joyshoul dot com is always running with other webpages. Currently trying to just block that web page, and hoping that the website did not cause any harm to me yet.
« Last Edit: May 30, 2020, 10:56:27 AM by smorestea »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Repeated connection attempts from a certain website
« Reply #2 on: May 30, 2020, 10:28:17 AM »
 
Site blacklisted for being used to distribute malware. / Domain detected on spam or phishing campaigns
https://www.virustotal.com/gui/url/1cd15ee7e911c0fa4223f54f63c810ea5e2c36795a9dcbecc59a337dc640bffc/detection
https://sitecheck.sucuri.net/results/joyshoul.com


Do you have any browser extensions that may want to connect to this site?



Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Repeated connection attempts from a certain website
« Reply #3 on: May 30, 2020, 10:44:01 AM »
Go to this URL

chrome://serviceworker-internals/

and click on "Unregister" for all listed entries.

Offline smorestea

  • Newbie
  • *
  • Posts: 6
Re: Repeated connection attempts from a certain website
« Reply #4 on: May 30, 2020, 10:45:31 AM »
Go to this URL

chrome://serviceworker-internals/

and click on "Unregister" for all listed entries.

I had YouTube, Amazon, Gmail, Reddit, and school website opened up, and I unregistered all of them.
« Last Edit: May 30, 2020, 10:52:46 AM by smorestea »

Offline smorestea

  • Newbie
  • *
  • Posts: 6
Re: Repeated connection attempts from a certain website
« Reply #5 on: May 30, 2020, 10:47:04 AM »

Site blacklisted for being used to distribute malware. / Domain detected on spam or phishing campaigns
https://www.virustotal.com/gui/url/1cd15ee7e911c0fa4223f54f63c810ea5e2c36795a9dcbecc59a337dc640bffc/detection
https://sitecheck.sucuri.net/results/joyshoul.com


Do you have any browser extensions that may want to connect to this site?

Thank you for your reply, I was waiting to get some help so badly haha.

I do not think so. I'm running Adobe Acrobat, Avast Online Security, Honey, Sybu JavaScript Blocker, and uBlock Origin.

Offline smorestea

  • Newbie
  • *
  • Posts: 6
Re: Repeated connection attempts from a certain website
« Reply #6 on: May 30, 2020, 10:52:29 AM »
Go to this URL

chrome://serviceworker-internals/

and click on "Unregister" for all listed entries.

And omg I think this did it. I've been watching uorigin block showing me a list of websites running from the current page (not too sure how to describe this, it was showing me a list of URLs of all services? running from the current page on the side), and it has been showing joyshoul dot com, but that has disappeared after unregistering all of them. Even though none of them was looking suspicious. Thank you so much! And if you don't mind, what is the logic behind this? Was one of the services not what they were showing to be?

And hmph, kinda scared that there were more downloads than the number of comments. Hopefully there wasn't any important info in those logs.
« Last Edit: May 30, 2020, 10:57:30 AM by smorestea »
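
A service worker stays registered after its site's tab is closed and can still make network requests from the background, which is why unregistering can stop connections that clearing history does not. As a narrower check than unregistering everything, this added example (not code from the thread or from Chrome) flags only the workers on the current site whose script mentions a watched domain; `WATCHLIST`, the function names and the sample data used to test it are assumptions made for illustration.

```javascript
// Added example, not code from the thread. joyshoul.com is the domain reported
// in the thread; every other name and sample value here is constructed.
const WATCHLIST = ["joyshoul.com"];

// Collect every hostname-like token in a script (covers full URLs,
// scheme-less "//host/path" references and bare domain strings).
function referencedHosts(source) {
  const tokens = source.toLowerCase().match(/(?:[a-z0-9-]+\.)+[a-z]{2,}/g) || [];
  return [...new Set(tokens)];
}

// True when host is a watched domain or one of its subdomains.
// "notjoyshoul.com" must not match "joyshoul.com".
function isWatched(host, watchlist) {
  return watchlist.some((d) => host === d || host.endsWith("." + d));
}

// workers: [{ scope, scriptURL, source }]. Returns only the workers whose
// script URL or script body mentions a watched host, with the hits attached.
function findSuspectWorkers(workers, watchlist = WATCHLIST) {
  return workers
    .map((w) => {
      const hosts = referencedHosts(w.scriptURL + "\n" + w.source);
      return { ...w, hits: hosts.filter((h) => isWatched(h, watchlist)) };
    })
    .filter((w) => w.hits.length > 0);
}

// Browser only: paste into the DevTools console of the site being checked.
// Lists that origin's registrations, fetches each worker script, and
// unregisters the flagged ones when `unregister` is true.
async function auditCurrentOrigin(watchlist = WATCHLIST, unregister = false) {
  const workers = [];
  for (const reg of await navigator.serviceWorker.getRegistrations()) {
    const sw = reg.active || reg.waiting || reg.installing;
    if (!sw) continue;
    const res = await fetch(sw.scriptURL, { cache: "no-store" });
    workers.push({ scope: reg.scope, scriptURL: sw.scriptURL, source: await res.text(), reg });
  }
  const suspects = findSuspectWorkers(workers, watchlist);
  if (unregister) {
    for (const s of suspects) await s.reg.unregister();
  }
  return suspects.map(({ scope, scriptURL, hits }) => ({ scope, scriptURL, hits }));
}
```

An empty result does not clear a worker, since the address it contacts can arrive in a push message or be assembled at run time; `navigator.serviceWorker.getRegistrations()` also sees only the site it is run on, so chrome://serviceworker-internals/ remains the place to review every origin at once.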

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Repeated connection attempts from a certain website
« Reply #7 on: May 30, 2020, 12:05:23 PM »

Offline Andre450

  • Newbie
  • *
  • Posts: 1
Re: Repeated connection attempts from a certain website
« Reply #8 on: May 31, 2020, 11:45:41 AM »
Go to this URL

chrome://serviceworker-internals/

and click on "Unregister" for all listed entries.

Hey pplz,

I also do get this message, but neither Avast nor Avira can find the source.

As you proposed I unregistered everything, it seems like it is nested somewhere inside Chrome, but it did not go away for me.

Now I blacklisted the page in my router so I and the other devices should be safe.


As I googled it I found out that joyshoul . com has been registered just a week ago.

"
Joyshoul : 403 Forbidden; joyshoul.com.cutestat.com
joyshoul.com is 1 week 1 day old. It is a domain having com extension. This website is estimated worth of $ 8.95 and have a daily income of around $ 0.15.
"

I'm not into this cyber security stuff a lot, but it seems like it's new malware.
Looking forward to getting an update :-P

Best,
Andre from Germany

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Repeated connection attempts from a certain website
« Reply #9 on: May 31, 2020, 01:37:57 PM »
Cloudflarenet may now have stopped the abuse, as we get a 403 Forbidden from this scan:
https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LmpdeXNoXXVsLl5dbQ%3D%3D~enc

Abuse reports could go to: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct

Most detections now for Android malcode: https://www.virustotal.com/gui/ip-address/172.64.106.19/relations

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!