Threat Blocked: http://sso.anbtr.com/domain/wpad.work

Avast continues to alert me fairly regularly of this

Object
hxtp://sso.anbtr.com/domain/wpad.work

Infection
URL:Mal

Process
C:\Windows\System32\svchost.exe

Scanning with Avast has proven to be ineffective. I’ve also uninstalled and reinstalled Chrome (the only browser I use regularly). This seemed to ramp up after uninstalling FortiClient, which we were required to add to access a client remotely. Any help would be appreciated.

I’ve attached logs from Malwarebytes, Farbar, and aswMBR

https://virustotal.com/en/url/8e11fb274ae4f96d9c0dc009f84cd4510dc3d36dabc73b7ee04c1a4f35789f69/analysis/1470343853/

Dr.Web > known infection source; Websense ThreatSeeker > bot networks, compromised websites

@dbrisendine is notified, it may take some hours before he is online

Can you modify your link to the suspect site in your post to avoid accidental exposure, change the http to hXXp (not active/clickable) as I have done in a quote of your post.

This detection is correct; this link belongs to the Angler Exploit Kit.

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

QuickTime 7

To do so, left-click on the name once and then click Uninstall/Change in the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>

Fix with Farbar Recovery Scan Tool

[b]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/b]

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

LAST >>>>

Run a search with FRST.

  • Right-click on FRST on your desktop and select “Run as Administrator…”. When the tool opens, click Yes to the disclaimer.
  • Type wpad into the Search Box.
  • Press the Search Registry button.
  • It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
  • Please attach the log file back here.

Here’s what I found. I’m still getting an alert from Avast.

Fix with Farbar Recovery Scan Tool

[b]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/b]

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

- Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click Run after receipt of the Windows Security Warning - Open File.)
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished, FRST will generate a log on the Desktop called Fixlog.txt. Please attach it to your reply.

I haven’t had an alert since I applied the last fix. Here is the log, hopefully this took care of it. I’ll be back to donate or update later.

No sooner had I posted that reply than I got another alert with the same information as before.

Stubborn thing this is …

FIRST >>>

Run a search with FRST.

  • Right-click on FRST on your desktop and select “Run as Administrator…”. When the tool opens, click Yes to the disclaimer.
  • Type sso.anbtr.com;wpad.work into the Search Box.
  • Press the Search Registry button.
  • It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
  • Please attach the log file back here.

SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

- [b]Vista/7/8 users:[/b] Right click the [b]AdwCleaner[/b] icon on the desktop, click [b]Run as administrator[/b] and accept the UAC prompt to run AdwCleaner.

- Click the [b]Scan[/b] button and wait for the scan to finish.
- After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: [b]Waiting for action. Please uncheck elements you don't want to remove.[/b]
- Click the [b]Clean[/b] button.
- [b]Everything checked[/b] will be deleted.
- When the program has finished cleaning a report appears.
- Once done it will ask to reboot; allow this.

- On reboot a log will be produced; please attach that in your next reply. This report is also saved to [b]C:\AdwCleaner\AdwCleaner[C#].txt[/b]

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, here’s why (and here). You can always reinstall it.

Here are the files. I got a pop-up before I could even type the reply.

When you removed and re-installed Chrome, did you create a fresh new profile or did you re-use your existing profile?

Download zoek.exe from here: Bleepingcomputer

- Close/disable all antivirus and anti-malware programs so they do not interfere with the download or running of Zoek.exe. (Here or here you can read a manual on how to disable your security applications.)
- Double-click zoek.exe to start the program.
- Click the More Options button and select the “Do a Deep Scan” option. Also, make sure the Scan All Users option is selected.
- Close any open browsers.
- Click the “Run script” button and wait patiently.
- When finished, the logfile will be opened in Notepad.
- The zoek-results.log can also be found on your system drive.
- Please post the logfile for further review in your next comment.

I didn’t initially create a new profile, I just uninstalled and reinstalled. This morning I went ahead and created a fresh new profile for chrome then ran zoek.

I’ve attached the logfile

Chrome automatically reinstalled the Avast and Google Docs extensions.

Got an alert pop-up as soon as I re-enabled Avast.

Download zoek.exe from here: Zoek.exe at Bleepingcomputer (if you don’t have it any more.)

- Close/disable all antivirus and anti-malware programs so they do not interfere with the download or running of Zoek.exe.
(Here or here you can read a manual on how to disable your security applications.)
- Double-click zoek.exe to start the program.
- Copy and paste the following script into the code box:
- Note: This script is written for usage on this user's computer; do not use it on another computer even if the problems are similar.

createsrpoint;
autoclean;
iedefaults;
chrdefaults;
FFdefaults;
bitsadmin /reset /allusers >>"%temp%\log.txt";b
ipconfig /flushdns >>"%temp%\log.txt";b
emptyalltemp;
resetIEproxy;

- Close any open browsers.
- Click the [b]Run script[/b] button and wait patiently.
- When finished, the logfile will be opened in Notepad.
- If a reboot is needed, the logfile will be opened after the reboot.
- The [b]zoek-results.log[/b] can also be found on your system drive.
- Please post the logfile for further review in your next comment.

Ran the script and the machine rebooted. I opened Outlook, Chrome, and Slack, then the Notepad window with the zoek log popped up.

Just got another avast alert.

Attaching the zoek file.

  1. If you go to Start > Control Panel > Internet Options > Connections > LAN Settings, is there a setting enabled to use a Proxy? If so, what proxy is it?

  2. Have you tried resetting your Modem/router? I see you are using that as a DNS server; resetting the router will clear the saved DNS settings which could have the malware redirect in it.
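The proxy and DNS questions above can be checked from one elevated PowerShell prompt. This is an added, read-only audit script and is not something posted in the thread or part of any tool discussed here; the two host names it flags come from the alert in this thread, and the registry paths used are the standard WinINET/WinHTTP locations.

```powershell
# Added example: read-only audit of the settings the thread asks about
# (Internet Options proxy, WPAD/AutoConfigURL, WinHTTP proxy, DNS servers, hosts file).
# Makes no changes; review the output and compare against what the machine should have.

# Host names taken from the alert in this thread; extend the list as needed.
$SuspectHosts = @('sso.anbtr.com', 'wpad.work')

$ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p  = Get-ItemProperty -Path $ie -ErrorAction SilentlyContinue

Write-Host "== Internet Options (per-user WinINET) =="
Write-Host ("ProxyEnable   : {0}" -f $p.ProxyEnable)     # 1 = manual proxy in use
Write-Host ("ProxyServer   : {0}" -f $p.ProxyServer)
Write-Host ("AutoConfigURL : {0}" -f $p.AutoConfigURL)   # PAC script URL; empty is normal for a small office

# WPAD state. A Wpad subkey under the per-user Internet Settings key records past
# auto-discovery results; DisableWpad=1 under the machine WinHttp key turns WPAD off
# for WinHTTP clients such as svchost-hosted services (the process named in the alert).
$wpadUser = Get-ItemProperty -Path "$ie\Wpad" -ErrorAction SilentlyContinue
$winhttp  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' -ErrorAction SilentlyContinue
Write-Host "== WPAD =="
Write-Host ("HKCU ...\Wpad key present : {0}" -f ($null -ne $wpadUser))
Write-Host ("HKLM WinHttp\DisableWpad  : {0}" -f $winhttp.DisableWpad)

Write-Host "== WinHTTP (machine-wide) proxy =="
netsh winhttp show proxy

# WMI is used instead of Get-DnsClientServerAddress so the script also runs on Windows 7.
Write-Host "== DNS servers per enabled adapter =="
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { Write-Host ("{0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', ')) }

Write-Host "== hosts file entries mentioning suspect names =="
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object {
    $line = $_
    $SuspectHosts | Where-Object { $line -match [regex]::Escape($_) }
}

# Any value above that names a suspect host, an unexpected PAC URL, or a proxy nobody configured
# is the kind of entry the FRST "wpad" registry search and the zoek resetIEproxy step were aimed at.
```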

I thought I had already posted a reply; I apologize for keeping you waiting.

  1. There is no proxy enabled
  2. We are on a shared modem/router and I am the only one having the issue; my boss seems to think this wouldn’t be possible if the issue was the router.

Well, that should eliminate the proxy and / or modem as a source of the issue.

Go to Emsisoft and download the Emsisoft Free Emergency Kit from here.

- Double click on the EmsisoftEmergencyKit.exe file and then click on Extract to unpack the files (the default directory of C:\EEK is fine).
- Go to the new directory and right click on Start Emergency Kit Scanner.exe and choose 'Run as Administrator'.
- Once the scanner loads, click on 1.Update to check for and load the current updates.
- When the updates are finished, click on Malware Scan in the 2. Scan box.
- Please enable the PUP detection option. (The Kit may ask about this after it is loading updates or right when the scan starts; it will only ask once, so enable it when the Kit asks.)
- If the scan finds anything, it will open a scan finding window. Please click on View Report; copy this report and paste it here in your reply post.
- Please close the Emergency Kit Scanner program now.