Avast keeps notifying me of a Malware block but scans come out clean

Hi,

I have been trying to get rid of the notification that comes up while I’m browsing the internet. Avast keeps saying that there is a threat blocked and refers to it as a malicious website block. It says the object is “sso.anbtr.cxm/domain/wpad.wds16.cxm” (I’ve replaced the o’s with x’s so nobody can click on it), and that the process is coming from “Windows\System32\svchost.exe”. I’ve run multiple scans on both Avast and Malwarebytes and they have come back clean, yet I continue to get the popups. I have attached all relevant logs and a picture of the message that pops up every once in a while. Thank you very much for your help!

sso.anbtr.com/domain/wpad.wds16.cxm
https://www.virustotal.com/en/url/640997231bf66b9ae2bb440e22ce4ec0ff9b285ade43952a9d4d08809b453fbd/analysis/1487791794/

Malware expert is notified; he may not be online before tomorrow.

Thank you for the logs (so far). We also need the following to help remove all the problem. Thanks.

Run a search with FRST.

  • Right click on FRST on your desktop and select “Run as Administrator…” When the tool opens click Yes to disclaimer.
  • Type wpad into the Search Box.
  • Press the Search Registry button.
  • It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
  • Please attach the log file back here.

Attached is the log file.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

How is your system running now?

Attached is the log. The notification hasn’t come up, but I will let you know if it does. Could you just walk me through what was wrong with the computer? Was there a keylogger? Just want to make sure I don’t have to go back and change passwords and all that stuff. I greatly appreciate your help!

Avast just reported another malware block. Same as in the original post.

Run a search with FRST.

  • Right click on FRST on your desktop and select “Run as Administrator…” When the tool opens click Yes to disclaimer.
  • Type sso.anbtr.cxm/domain/wpad.wds16.cxm;sso.anbtr.cxm;wpad.wds16.cxm into the Search Box.
  • Press the Search Registry button.
  • It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
  • Please attach the log file back here.

Log is attached.

Thanks for the log and correcting the search string (good call on your part):

FIRST >>>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open a Command Prompt window and run from there (this is normal for this program, so do not be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.

SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:

http://i1351.photobucket.com/albums/p785/dbreeze2/Scanners%20screens/AdwCleaner_v6_start_zps5nymee4e.png

Click the Scan button and wait for the scan to finish.

After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don’t want to remove.

Click the Clean button.

Everything checked will be deleted.

When the program has finished cleaning a report appears.

Once done it will ask to reboot; allow this.

http://1.bp.blogspot.com/-vitKqfMQS4o/UEDylIQ7HJI/AAAAAAAABLc/Hx-IwqKoaxg/s1600/adwcleaner_delete_restart.jpg

On reboot (if one is needed) a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt

Optional:
NOTE: If you see AVG Secure Search being targeted for deletion, Here’s Why and Here. You can always Reinstall it.

Logs are attached! Again, I greatly appreciate you helping me with this.

Still getting the malware block notifications. How should I proceed?

Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder… mbar-log.txt and system-log.txt

Logs are attached.

This is the log after the reboot. It seems I am in the clear! I will keep you updated. Also, would it be necessary to update passwords and all that good stuff? Or what do you recommend now that the computer has been cleaned?

Updating your passwords would not be a bad idea; there is no way to tell for sure now if your passwords were accessed or not but better safe than sorry.

Please monitor the system for a day or so and let us know how it is. If fine we will remove our tools and get you on your way.

Bad news. Just got another ping from Avast, same as original.

  • Download random’s system information tool (RSIT) by random/random from 64bit here and save the file to your desktop.
    • Double click on RSIT64.exe to run the scanner.
    • Click Continue at the disclaimer screen.
    • Once it has finished, please attach the log.txt log file.

Log is attached.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

How is the system now?