Issue with site blocked: hxxp://sso.anbtr.com/domain/wpad.work

I’ve been getting notifications from Avast about a possible threat:
Object
hxxp://sso.anbtr.com/domain/wpad.work

Infection
URL:Mal

Process
C:\Windows\System32\svchost.exe

It seems to be the same issue as in this thread: https://forum.avast.com/?topic=189484.15

Any help would be greatly appreciated. I’ll attach a Malwarebytes report file below.

Follow the instructions here and attach the requested logs >> https://forum.avast.com/index.php?topic=194892.0

  • Malwarebytes scan log
  • Farbar Recovery Scan Tool diagnostic logs

This malware is being flagged here: http://urlquery.net/report.php?id=1489683313589
IP has Locky ransomware: https://otx.alienvault.com/indicator/ip/195.22.28.222/
Blocked via this blocklist: https://feodotracker.abuse.ch/host/195.22.28.222?id=c944f6d4ef0e02fcdaaa824921f50105

polonus

@Pondus I attached the Malwarebytes scan log and FRST logs.

Malware expert is notified; he will probably not be online before tomorrow.

Please run the following search with FRST.

  • Right click on FRST on your desktop and select “Run as Administrator…” When the tool opens click Yes to disclaimer.
  • Type sso.anbtr.com;wpad;SearchList into the Search Box.
  • Press the Search Registry button.
  • It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
  • Please attach the log file back here.
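The FRST search above looks for the domain from the alert, the name wpad, and the DNS SearchList value. As an added example, not part of this thread and not FRST’s own code, here is a PowerShell script that inspects the same places by hand: the DNS suffix SearchList (global and per interface), the WinINET and WinHTTP proxy auto-config settings (WinHTTP is what services inside svchost.exe use, the process named in the alert), wpad entries in the hosts file, and what the unqualified name wpad currently resolves to. Only the two indicator strings (anbtr, wpad.work) come from the thread; every other choice in the script is an assumption of this example. Run it from an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread or from FRST): where does "wpad" end up on this machine?
# Assumptions: run elevated; the indicator strings come from the alert in the thread, the rest is generic.

$indicators = @('anbtr', 'wpad.work')

function Test-Indicator {
    param([string]$Value)
    foreach ($i in $indicators) {
        if ($Value -and $Value.ToLower().Contains($i)) { return $true }
    }
    return $false
}

$findings = @()

# 1. DNS suffix search list, global and per interface. A rogue suffix turns the
#    unqualified name "wpad" into wpad.<attacker-domain> when WinHTTP auto-detects a proxy.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$params = Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue
foreach ($name in 'SearchList', 'Domain', 'NV Domain') {
    $v = $params.$name
    if ($v) { $findings += [pscustomobject]@{ Location = "Tcpip\Parameters\$name"; Value = $v; Suspicious = Test-Indicator $v } }
}
Get-ChildItem "$tcpip\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    foreach ($name in 'SearchList', 'Domain', 'DhcpDomain') {
        $v = $p.$name
        if ($v) { $findings += [pscustomobject]@{ Location = "Interfaces\$($_.PSChildName)\$name"; Value = $v; Suspicious = Test-Indicator $v } }
    }
}

# 2. Explicit proxy auto-config URLs: the per-user WinINET setting and the
#    machine-wide WinHTTP setting used by services running inside svchost.exe.
$ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p  = Get-ItemProperty $ie -ErrorAction SilentlyContinue
foreach ($name in 'AutoConfigURL', 'ProxyServer') {
    $v = $p.$name
    if ($v) { $findings += [pscustomobject]@{ Location = "HKCU Internet Settings\$name"; Value = $v; Suspicious = Test-Indicator $v } }
}
$winhttp = (netsh winhttp show proxy 2>$null | Out-String).Trim()
$findings += [pscustomobject]@{ Location = 'netsh winhttp show proxy'; Value = $winhttp; Suspicious = Test-Indicator $winhttp }

# 3. hosts file overrides for wpad (any non-comment line mentioning wpad is worth a look).
$hostsLines = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
              Where-Object { $_ -match 'wpad' -and $_ -notmatch '^\s*#' }
foreach ($line in $hostsLines) {
    $findings += [pscustomobject]@{ Location = 'hosts'; Value = $line; Suspicious = $true }
}

# 4. What "wpad" resolves to right now, after suffix search is applied.
try {
    foreach ($rec in (Resolve-DnsName -Name wpad -ErrorAction Stop)) {
        $findings += [pscustomobject]@{ Location = 'Resolve-DnsName wpad'; Value = "$($rec.Name) -> $($rec.IPAddress)"; Suspicious = Test-Indicator $rec.Name }
    }
} catch {
    $findings += [pscustomobject]@{ Location = 'Resolve-DnsName wpad'; Value = 'no answer (expected on a clean machine without a corporate WPAD)'; Suspicious = $false }
}

$findings | Format-Table -AutoSize -Wrap
```

Any row marked Suspicious is the value to remove; a SearchList pointing at a domain you do not own, or an AutoConfigURL you never set, is the usual finding in this kind of case. Note that a clean machine on a home network normally gets no answer for wpad at all.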

Hi, dbrisendine, I apologize for the lack of response.

I’ve attached the search results.

Thanks for the SearchReg log.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

How is your system running now?

Attached the log below.

So I hadn’t seen the popup for a while after my message from a few weeks ago. I did see it DURING the Farbar fix, but I haven’t seen it since, although it’s only been an hour or two. I can let you know if I see it again.

Hey dbrisendine, I just got a notification for this again when logging in today, this time from Malwarebytes. :-\

Do you have a Malwarebytes log he can see? … protection log

Let’s check to see if the OS file has been modified:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

Okay, I’ve attached a Malwarebytes log for the protection event, as well as fixlog.txt

Please download Farbar Service Scanner to your desktop and double click on the file to run it.

  • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
      • Other Services
  • Press “Scan”.
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.