Issue with site blocked: hxxp://sso.anbtr.com/domain/wpad.work

[REDACTED]

I've been getting notifications from Avast about a possible threat:
Object
hxxp://sso.anbtr.com/domain/wpad.work

Infection
URL:Mal

Process
C:\Windows\System32\svchost.exe

It seems to be the same issue as in this thread: https://forum.avast.com/?topic=189484.15

Any help would be greatly appreciated. I'll attach a malwarebytes report file below

[Pondus]

follow instructions here and attach requested logs  >>  https://forum.avast.com/index.php?topic=194892.0

- Malwarebytes scan log
- Farbar Recovery Scan Tool diagnostic logs

[polonus]

This malware is being flagged here: http://urlquery.net/report.php?id=1489683313589
IP has locky ransomeware: https://otx.alienvault.com/indicator/ip/195.22.28.222/
Blocked via this blocklist: https://feodotracker.abuse.ch/host/195.22.28.222?id=c944f6d4ef0e02fcdaaa824921f50105

polonus

[REDACTED]

@Pondus I attached the malwarebytes scan log and FRST logs.

[Pondus]

Malware expert is notified, he will probably not be online before tomorrow

[dbrisendine]

Please run the following search with FRST.

• Right click on FRST on your desktop and select "Run as Administrator..." When the tool opens click Yes to disclaimer.
• Type sso.anbtr.com;wpad;SearchList into the Search Box.
• Press the Search Registry button.
• It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
• Please attach the log file back here.

[REDACTED]

Hi, dbrisendine, I apologize for the lack of response.

I've attached the search results.

[dbrisendine]

Thanks for the SearchReg log.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

How is your system running now?

[REDACTED]

Attached the log below.

So I hadn't seen the popup for a while after my message from a few weeks ago. I did see it DURING the Farbar fix, but I haven't seen it since, although it's only been an hour or two. I can let you know if I see it again.

[REDACTED]

Hey dbrisendine, I just got a notification for this again when logging in today, this time from Malwarebytes. 

[Pondus]

Hey dbrisendine, I just got a notification for this again when logging in today, this time from Malwarebytes. 

Do you have a malwarebytes log he can see? .... protection log

[dbrisendine]

Let's check to see if the OS file has been modified:


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

[REDACTED]

Okay, I've attached a Malwarebytes log for the protection event, as well as fixlog.txt

[dbrisendine]

Please download Farbar Service Scanner to your desktop and double click on the file to run it.

• Make sure the following options are checked:
• Internet Services
  
• Windows Firewall
  
• System Restore
  
• Security Center
  
• Windows Update
  
• Windows Defender
  
• Other Services
  
• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.