Author Topic: Threat Blocked: http://sso.anbtr.com/domain/wpad.work


REDACTED

  • Guest
Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« on: August 04, 2016, 10:45:41 PM »
Avast continues to alert me fairly regularly of this

Object
hxtp://sso.anbtr.com/domain/wpad.work

Infection
URL:Mal

Process
C:\Windows\System32\svchost.exe

Scanning with Avast has proven to be ineffective; I've also uninstalled and reinstalled Chrome (the only browser I use regularly). This seemed to ramp up after uninstalling FortiClient, which we were required to add to access a client remotely. Any help would be appreciated.

I've attached logs from Malwarebytes, Farbar, and aswMBR
« Last Edit: August 05, 2016, 09:25:39 AM by Milos »

Offline Pondus

  • Probably Bot
  • Posts: 37699
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #1 on: August 04, 2016, 10:54:16 PM »
https://virustotal.com/en/url/8e11fb274ae4f96d9c0dc009f84cd4510dc3d36dabc73b7ee04c1a4f35789f69/analysis/1470343853/

Quote
Dr.Web > known infection source
Websense ThreatSeeker > bot networks. compromised websites


@dbrisendine is notified; it may take some hours before he is online.




Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89679
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #2 on: August 05, 2016, 12:18:01 AM »
Avast continues to alert me fairly regularly of this

Object  -  hXXp://sso.anbtr.com/domain/wpad.work
Infection  -  URL:Mal
Process -  C:\Windows\System32\svchost.exe
<snip>

Can you modify your link to the suspect site in your post to avoid accidental exposure, change the http to hXXp (not active/clickable) as I have done in a quote of your post.

Offline Sirmer

  • Avast team
  • Sr. Member
  • Posts: 324
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #3 on: August 05, 2016, 07:30:26 AM »
This detection is correct, this link belongs to Angler Exploit Kit

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • Posts: 1258
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #4 on: August 05, 2016, 07:53:38 AM »


FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

QuickTime 7

To do so, left-click the name once and then click Uninstall/Change in the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.


LAST >>>>

Run a search with FRST.
  • Right-click on FRST on your desktop and select "Run as Administrator...". When the tool opens, click Yes to the disclaimer.
  • Type wpad into the Search Box.
  • Press the Search Registry button.
  • It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
  • Please attach the log file back here.
« Last Edit: August 05, 2016, 09:02:02 AM by dbrisendine »
Win7 x32 Ult. SP1, Brain 2.0 / Win10 x64, Brain2.5
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE
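The registry search above looks for the string "wpad" one key at a time. As an added example (mine, not dbrisendine's instructions and not part of FRST), the PowerShell below collects every location Windows and Chrome take proxy and PAC settings from, plus where the unqualified name "wpad" currently resolves. The process named in the alert, svchost.exe, is the host process for many services including the WinHTTP Web Proxy Auto-Discovery Service, so proxy auto-configuration is a sensible place to check. The registry paths and the DefaultConnectionSettings flag bits are standard Windows; the function names are my own, and it assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example, not part of the thread or of FRST/Avast: snapshot every location
# Windows and Chrome read proxy/PAC settings from, so a rogue AutoConfigURL or a
# WPAD redirection can be found without reading a full registry export.
# Assumes an elevated PowerShell prompt on the affected Windows machine.

function New-Finding([string]$Source, [string]$Setting, $Value) {
    [pscustomobject]@{ Source = $Source; Setting = $Setting; Value = $Value }
}

function Get-ProxyConfigSnapshot {
    $findings = @()

    # 1. Per-user WinINET settings: what IE and, unless told otherwise, Chrome use.
    #    Walk every loaded user hive under HKEY_USERS, not just the current user.
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $sids = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notmatch '_Classes$' } |
            Select-Object -ExpandProperty PSChildName
    foreach ($sid in $sids) {
        $key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (-not (Test-Path $key)) { continue }
        $s = Get-ItemProperty -Path $key
        foreach ($name in 'AutoConfigURL', 'ProxyEnable', 'ProxyServer') {
            if ($null -ne $s.$name) { $findings += New-Finding "WinINET $sid" $name $s.$name }
        }
        # DefaultConnectionSettings: the byte at offset 8 carries the connection flags
        # (0x02 manual proxy, 0x04 use PAC script, 0x08 "Automatically detect settings" = WPAD).
        $conn = Get-ItemProperty -Path "$key\Connections" -ErrorAction SilentlyContinue
        if ($conn -and $conn.DefaultConnectionSettings) {
            $flags = $conn.DefaultConnectionSettings[8]
            $findings += New-Finding "WinINET $sid" 'AutoDetect(WPAD)' ([bool]($flags -band 0x08))
            $findings += New-Finding "WinINET $sid" 'UsePacScript'     ([bool]($flags -band 0x04))
        }
    }

    # 2. Machine-wide WinHTTP proxy, which services hosted in svchost.exe use.
    $winhttp = (((netsh winhttp show proxy) -join ' ') -replace '\s+', ' ').Trim()
    $findings += New-Finding 'WinHTTP' 'netsh winhttp show proxy' $winhttp

    # 3. Chrome policy keys override the profile, so a fresh Chrome profile does not clear them.
    foreach ($root in 'HKLM:', 'HKCU:') {
        $pol = "$root\Software\Policies\Google\Chrome"
        if (Test-Path $pol) {
            $p = Get-ItemProperty -Path $pol
            foreach ($name in 'ProxyMode', 'ProxyPacUrl', 'ProxyServer') {
                if ($null -ne $p.$name) { $findings += New-Finding "ChromePolicy $root" $name $p.$name }
            }
        }
    }

    # 4. Where "wpad" resolves. WPAD is looked up as an unqualified name, so a hosts
    #    entry or a poisoned DNS suffix is enough to point it at an attacker's PAC file.
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    $hostHits = Select-String -Path $hosts -Pattern '^\s*[^#].*\bwpad\b' -ErrorAction SilentlyContinue
    foreach ($h in $hostHits) { $findings += New-Finding 'hosts' "line $($h.LineNumber)" $h.Line.Trim() }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses('wpad') | ForEach-Object { $_.IPAddressToString }
        $findings += New-Finding 'DNS' 'wpad' ($addrs -join ', ')
    } catch {
        $findings += New-Finding 'DNS' 'wpad' 'does not resolve'
    }

    $findings
}

# Any value naming a host you do not recognise (here: sso.anbtr.com / wpad.work)
# is the entry to clear before a fix is re-run.
Get-ProxyConfigSnapshot | Format-Table -AutoSize -Wrap
```

Run it before and after a fix and compare the two outputs: if the alert returns and an entry you cleared is back, something on the machine or on the network is re-writing it, and that writer is the real finding. Defang any host names, as DavidR asked, before pasting the output into a thread.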

REDACTED

  • Guest
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #5 on: August 05, 2016, 04:29:00 PM »
Here's what I found. I'm still getting an alert from Avast.
« Last Edit: August 05, 2016, 04:30:54 PM by corey34 »

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • Posts: 1258
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #6 on: August 06, 2016, 08:19:53 AM »

Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

REDACTED

  • Guest
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #7 on: August 08, 2016, 03:58:35 PM »
I haven't had an alert since I applied the last fix. Here is the log, hopefully this took care of it.  I'll be back to donate or update later.

REDACTED

  • Guest
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #8 on: August 08, 2016, 04:01:28 PM »
No sooner than I posted that reply I got another alert with the same information as before.

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • Posts: 1258
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #9 on: August 08, 2016, 05:53:12 PM »
Stubborn thing this is .....

FIRST >>>

Run a search with FRST.
  • Right-click on FRST on your desktop and select "Run as Administrator...". When the tool opens, click Yes to the disclaimer.
  • Type sso.anbtr.com;wpad.work into the Search Box.
  • Press the Search Registry button.
  • It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
  • Please attach the log file back here.


SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found; above it, in the progress bar, you will see: "Waiting for action. Please uncheck elements you don't want to remove."
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done, it will ask to reboot; allow this.

  • On reboot a log will be produced; please attach that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt

    Optional:

    NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.
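The FRST "Search Registry" step above searches the registry for two strings. The PowerShell below is an added example (not FRST's code and not from the thread) that does the same search without the tool and generalises it to any list of indicator strings: it walks HKLM and every loaded user hive and reports each key name, value name or value data that matches, and it also decodes REG_BINARY data as ASCII and UTF-16 so a URL stored inside a binary blob is not missed. It assumes an elevated prompt; the default indicators are the two host names from the alert, and the function name is my own.

```powershell
# Added example, not FRST's code and not from the thread: the "Search Registry"
# step in plain PowerShell. Assumes an elevated PowerShell prompt.
function Search-RegistryForIndicators {
    param(
        # The two host names from the Avast alert; any list of strings works.
        [string[]]$Indicator = @('sso.anbtr.com', 'wpad.work'),
        [string[]]$Root = @('HKLM:\', 'HKU:\')
    )
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # One case-insensitive alternation of literal (regex-escaped) indicators.
    $pattern = ($Indicator | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($r in $Root) {
        # SilentlyContinue skips keys the caller cannot read (SAM, SECURITY, ...).
        Get-ChildItem -Path $r -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.Name -match $pattern) {
                [pscustomobject]@{ Key = $key.Name; ValueName = '(key name)'; Data = '' }
            }
            foreach ($valueName in $key.GetValueNames()) {
                # Do not expand %VAR% in REG_EXPAND_SZ: the stored text is what matters.
                $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
                # REG_BINARY comes back as byte[]; search it as ASCII and as UTF-16 so a
                # URL inside a blob such as DefaultConnectionSettings is still found.
                $text = if ($data -is [byte[]]) {
                    [System.Text.Encoding]::ASCII.GetString($data) + ' ' +
                    [System.Text.Encoding]::Unicode.GetString($data)
                } else {
                    [string]$data   # REG_MULTI_SZ arrays are joined with spaces
                }
                if ($valueName -match $pattern -or $text -match $pattern) {
                    [pscustomobject]@{
                        Key       = $key.Name
                        ValueName = $valueName
                        Data      = $text.Substring(0, [Math]::Min(200, $text.Length))
                    }
                }
            }
        }
    }
}

Search-RegistryForIndicators | Format-Table -AutoSize -Wrap
```

A full walk of HKLM and HKU takes a few minutes on a typical machine. The output is key path, value name and the first 200 characters of data, so it can be compared directly against what FRST's SearchReg.txt reports.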

REDACTED

  • Guest
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #10 on: August 08, 2016, 07:41:03 PM »
Here are the files. I got a pop-up before I could even type the reply.

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • Posts: 1258
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #11 on: August 08, 2016, 11:36:14 PM »
When you removed and re-installed Chrome, did you create a fresh new profile or did you re-use your existing profile?


Download zoek.exe from here: Bleepingcomputer
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the download or running of Zoek.exe. (Here or here you can read a manual on how to disable your security applications.)
  • Double-click zoek.exe to start the program.
  • Click the More Options button and select the "Do a Deep Scan" option. Also, make sure the Scan All Users option is selected.
  • Close any open browsers.
  • Click the "Run script" button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • The zoek-results.log can also be found on your system drive.
  • Please post the logfile for further review in your next comment.

REDACTED

  • Guest
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #12 on: August 09, 2016, 04:14:30 PM »
I didn't initially create a new profile; I just uninstalled and reinstalled. This morning I went ahead and created a fresh new profile for Chrome, then ran zoek.

I've attached the logfile

Chrome automatically reinstalled the Avast and Google Docs extensions.

Got an alert pop-up as soon as I re-enabled Avast.
« Last Edit: August 09, 2016, 04:20:50 PM by corey34 »

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • Posts: 1258
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #13 on: August 11, 2016, 07:25:18 AM »

Download zoek.exe from here: Zoek.exe at Bleepingcomputer (if you don't have it any more.)
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the download or running of Zoek.exe.
       (Here or here you can read a manual on how to disable your security applications.)
  • Double-click zoek.exe to start the program.
  • Copy and paste the following script into the code box:
  • Note: This script is written for use on this user's computer; do not use it on another computer even if the problems are similar.
Code:
createsrpoint;
autoclean;
iedefaults;
chrdefaults;
FFdefaults;
bitsadmin /reset /allusers >>"%temp%\log.txt";b
ipconfig /flushdns >>"%temp%\log.txt";b
emptyalltemp;
resetIEproxy;
  • Close any open browsers.
  • Click the Run script button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your system drive.
  • Please post the logfile for further review in your next comment.

REDACTED

  • Guest
Re: Threat Blocked: http://sso.anbtr.com/domain/wpad.work
« Reply #14 on: August 11, 2016, 04:14:10 PM »
Ran the script, the machine rebooted, I opened Outlook, Chrome, and Slack, then the Notepad window with the zoek log popped up.

Just got another avast alert.

Attaching the zoek file.