Need help removing URL:Mal2, svchost.exe virus

Avast alerted me to an infection / malicious website, and I’m seeking help locating and removing it.
I’m running upgraded Windows 10 Home edition, build 10586 on a Dell XPS 15 laptop.
I tried to follow the steps in the post: https://forum.avast.com/index.php?topic=53253.0

The Avast message read as follows:
"Infection blocked

Infection details:
URL: http://sso.anbtr.com/domain/wpad.wds02.com
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe"

I installed MalwareBytes and ran scans, which found several PUPs and adware. I quarantined and eliminated them, although I saved the log file identifying the malware.

However, I’m still getting alerts, though now they’re from MalwareBytes.

Malicious Website Blocked
Domain: sso.anbtr.com
ip: 195.22.28.222
port: 51405
type: outbound
process: c:\Windows\System32\svchost.exe

I ran Farbar Recovery Scan Tool and aswMBR and attached log files as instructed in the above referenced post.

Any help would be greatly appreciated.
Thanks in advance

Tim

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2015-07-20 14:47 - 2015-07-20 14:47 - 0000000 _____ () C:\Users\Tim\AppData\Local\{FF742E5F-F320-4D5D-8B16-ABA4D76D1B5B}
Reg: reg delete "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3016000360-1041427054-1883944200-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-21-3016000360-1041427054-1883944200-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Start FRST again and in the search box copy/paste the following:

wpad.wds02.com;wpad

Press Search Registry.

A log will be generated; please attach that.

First, thank you for your help.

I apologize for taking several days to get back to this. I have to work a lot.

I have attached fixlist.txt as instructed.

I will run FRST again as instructed and post that log, too.

TD

Attached is the second log, search.txt.

Thanks again
TD

Hmm, it did not appear to see it. Are you still getting the alerts?

Unfortunately, yes.
I have been manually starting the Internet connection, and a Malwarebytes alert launches as soon as it connects, even before a browser is launched.
If the computer stays connected, Malwarebytes launches an alert about every 10 minutes.

In trying to understand what’s happening, is it that I have a program or process that’s trying to reach that URL, but is getting blocked by Malwarebytes and/or Avast?
And that means the malware is in the registry, or programs, somewhere?

I ask that because I’m wondering that if I have to start deleting and reloading, or wipe the hard drive and reload everything, how far back I would have to go.

Early in the process, before posting here, I tried to roll back to a restore point before the alerts began. But it would not restore and crashed the computer.

Again, thank you for your help.
TD

Could you do one further registry search please? Just one term this time:

wds02.com

I’ll do whatever search you suggest. :)
I appreciate the help. I’ve gone past my knowledge level.

I attached the new search.txt

Thank you

Also, for what it’s worth, a search for the exact phrase of the error message returns only one result: at virustotal.com.
The "more information" tab for this detected URL led to a page with the following under HTTP response headers.

“date: Tue, 10 May 2016 17:18:40 GMT
set-cookie: anbtr=b3aed85f8d129a0929aadeab66f778ea; domain=.wds02.com
connection: close
content-type: text/html
server: nginx”

the actual web page is https://www.virustotal.com/en/url/f354ba0c9492df353703792ecf96dfb284630e04f9164711c39510047b826a96/analysis/

OK, got it now; it is hiding in a different area.

Copy the text below into a Notepad file:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\WDS02.COM]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{BDFFB8D7-2491-419B-886B-4D4299112A8C}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed\010103000F0000F0A00000000F0000F010AB49216D9E3CEB4686F1A45EA40417CED017DAAB0647CCDFE12B6E7CF74A16]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed\010103000F0000F0A00000000F0000F010AB49216D9E3CEB4686F1A45EA40417CED017DAAB0647CCDFE12B6E7CF74A16]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed\010103000F0000F0A00000000F0000F010AB49216D9E3CEB4686F1A45EA40417CED017DAAB0647CCDFE12B6E7CF74A16]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"SearchList"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SearchList"=-

Set "Save as type" to All Files (*.*).
Save the file as tcpip.reg to your desktop.
Right-click the file and select Merge.
Accept the warnings and reboot.

Alerts should now cease
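The keys the fix above removes are the ones that steer WPAD (Web Proxy Auto-Discovery): the WinHTTP auto-proxy code running inside svchost.exe looks up wpad.<suffix> for each entry in the machine's DNS suffix search list (the SearchList value under Tcpip\Parameters), and NLA\Cache\Intranet holds domains Windows has classified as intranet. With wds02.com planted as a suffix, the machine kept asking for wpad.wds02.com on every connection, which is what Avast and Malwarebytes were blocking. The script below is an added example, not part of this thread or of FRST, that audits those same locations plus the per-interface, per-user and WinHTTP proxy settings so you can confirm nothing is left behind; the $ExpectedSuffixes parameter and the empty default (a home PC normally has no DNS suffix) are assumptions for illustration. Run it in an elevated PowerShell on Windows 10.

```powershell
# Added example (not from the thread): audit the registry locations a rogue
# WPAD / DNS-suffix configuration can hide in, mirroring the keys the fix touched.
# Assumption: a home machine has no legitimate DNS suffix, so every suffix is flagged
# unless you pass it in -ExpectedSuffixes.
#Requires -RunAsAdministrator
param(
    [string[]]$ExpectedSuffixes = @()   # assumption: suffixes you actually use
)

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Where, [string]$What) { $script:findings.Add("[$Where] $What") }

# 1. Global DNS suffix search list (both control sets, as in the fix).
#    WPAD resolves wpad.<suffix> for each entry, so an attacker-controlled suffix
#    hands the proxy decision to an external host.
foreach ($cs in 'CurrentControlSet', 'ControlSet001') {
    $p  = "HKLM:\SYSTEM\$cs\Services\Tcpip\Parameters"
    $sl = (Get-ItemProperty -Path $p -Name SearchList -ErrorAction SilentlyContinue).SearchList
    if ($sl) {
        foreach ($suffix in ($sl -split '[,;]' | Where-Object { $_ })) {
            if ($ExpectedSuffixes -notcontains $suffix) {
                Add-Finding $p "unexpected DNS suffix '$suffix' (WPAD will try wpad.$suffix)"
            }
        }
    }
}

# 2. Per-interface suffixes (DHCP can set these too).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' |
  ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    foreach ($name in 'SearchList', 'DhcpDomain', 'Domain') {
        $v = $props.$name
        if ($v -and ($ExpectedSuffixes -notcontains $v)) {
            Add-Finding "Interfaces\$($_.PSChildName)" "$name = '$v'"
        }
    }
  }

# 3. NLA intranet cache: domains Windows has decided are "intranet".
$nla = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet'
if (Test-Path $nla) {
    Get-ChildItem $nla | ForEach-Object {
        if ($ExpectedSuffixes -notcontains $_.PSChildName) {
            Add-Finding 'NLA\Cache\Intranet' "cached intranet domain '$($_.PSChildName)'"
        }
    }
}

# 4. Explicit proxy / PAC URL per loaded user hive (the Wpad keys the FRST fix
#    reset live under the same Internet Settings branch), then WinHTTP.
Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-' } |
  ForEach-Object {
    $is = "$($_.PSPath)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $v  = Get-ItemProperty -Path $is -ErrorAction SilentlyContinue
    if ($v.AutoConfigURL)    { Add-Finding $_.PSChildName "AutoConfigURL = $($v.AutoConfigURL)" }
    if ($v.ProxyEnable -eq 1) { Add-Finding $_.PSChildName "ProxyServer = $($v.ProxyServer)" }
    if (Test-Path "$is\Wpad") {
        Get-ChildItem "$is\Wpad" | ForEach-Object { Add-Finding $_.PSChildName "Wpad cache entry $($_.PSChildName)" }
    }
  }
$winhttp = netsh winhttp show proxy
if (($winhttp -join ' ') -notmatch 'Direct access') { Add-Finding 'WinHTTP' ($winhttp -join ' ') }

if ($findings.Count -eq 0) { 'No WPAD / DNS-suffix findings.' } else { $findings }
```

A clean machine prints the "No findings" line; anything else names the exact key to inspect. If a suffix shows up again after a reboot, look at what is writing it (DHCP option 15 from the router, a scheduled task, or a service) rather than deleting it a second time, because the thread's fix removes the value but does not identify who put it there.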

You rock!
That worked.
No more alerts.

I have been trying to remove that for several weeks.
I truly appreciate your help.

Thank you
Tim

Any further problems ?