Threat Detected: http://sso.anbtr.com/domain/wpad.efs-emcor.com

Avast pops up a threat detected warning about 3-5 or so times every minute.

Object
http://sso.anbtr.com/domain/wpad.efs-emcor.com

Infection
URL:Mal

Process
C:\Windows\System32\svchost.exe

Running smart scan finds nothing. Also, I’ve downloaded: Malwarebytes, HitmanPro, SpyHunter and CCleaner. None of these tools has found anything. I uninstalled Chrome and Firefox then reinstalled them. I also booted up in safe mode and ran HitmanPro and SpyHunter with no luck. I’ve read some bad things online about sso.anbtr.com but is this a false positive? The popups are killing me! Any advice? Thanks!

Please follow the instructions > http://forum.avast.com/index.php?topic=53253.0
It looks like a wpad infection.

Updated my original post to include the log files for review. Please advise if you need anything else. Thanks in advance!

Jim

Could you start FRST and in the search box copy/paste the following:

wpad.efs-emcor.com;efs-emco

Then press Search Registry
On completion a search report will be generated
Please attach that

Here are the results for that registry search.

OK start notepad and copy all of the following text in the quote box to it

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\efs-emcor.com]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"SearchList"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SearchList"=-

Then select Save file as…

At the bottom select All Files (*.*)

Then save as wpd.reg to your desktop

From the desktop right click the reg file and select Merge

Allow all warnings and reboot

The alerts should now have ceased
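An added read-only audit script (not from this thread, Avast or the forum helper) that reads the same registry locations the wpd.reg file above deletes, so the machine can be checked before merging and again after the reboot; it assumes an elevated PowerShell prompt and changes nothing:

```powershell
# Added example: audit the DNS suffix search list and the NLA intranet cache.
# A suffix in SearchList is what makes Windows resolve wpad.<suffix> for proxy
# auto-discovery, which is the lookup the alerts in this thread point at.

$tcpipKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
    'HKLM:\SYSTEM\ControlSet001\Services\Tcpip\Parameters'
)
$nlaIntranet = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet'

$clean = $true

foreach ($key in $tcpipKeys) {
    $searchList = (Get-ItemProperty -Path $key -Name 'SearchList' -ErrorAction SilentlyContinue).SearchList
    if ([string]::IsNullOrWhiteSpace($searchList)) {
        Write-Output "[$key] no SearchList value (this is the state after the fix)"
    } else {
        $clean = $false
        Write-Output "[$key] SearchList = $searchList"
        # Every suffix here is a name the system may try as wpad.<suffix>
        foreach ($suffix in ($searchList -split ',')) {
            Write-Output "    -> proxy auto-discovery would look up wpad.$($suffix.Trim())"
        }
    }
}

if (Test-Path $nlaIntranet) {
    # Each subkey is a cached "intranet" network name; the fix removes efs-emcor.com here
    $cached = Get-ChildItem -Path $nlaIntranet -ErrorAction SilentlyContinue
    if ($cached) {
        $clean = $false
        Write-Output "Cached intranet network names under NLA:"
        $cached | ForEach-Object { Write-Output "    $($_.PSChildName)" }
    } else {
        Write-Output "No cached intranet network names under NLA"
    }
} else {
    Write-Output "NLA intranet cache key not present"
}

if ($clean) { Write-Output "RESULT: matches the post-fix state" }
else        { Write-Output "RESULT: entries still present; re-run if they reappear after a VPN connection" }
```

Running it once before the merge and once after each VPN session shows whether the entries are being re-created, which is the question raised later in the thread.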

For a while it looked like that fixed my problem. Then I had to connect to a customer’s VPN (which I do using Cisco AnyConnect). As soon as I connected, I got the Malwarebytes popup again. Same info as before… Do I need to remove Cisco AnyConnect and inform my customer of the issue? I kind of need this currently for work. Please advise. Also… Thank you very much for all of your support. Truly impressed with the level of support given by Avast!

Jim

I shut down Cisco AnyConnect and for the last 3-4 hours have been working without it running in the system tray. The number of Malwarebytes popups during this time has dropped significantly. I still get a few every now and then but nowhere near the number of popups as when AnyConnect was actually running (whether connected to VPN or not). As I mentioned previously I can’t uninstall AnyConnect at the moment because I need it to access a customer’s VPN while I’m wrapping up a dev project. Is there a way to determine if Cisco AnyConnect is indeed the culprit here? Thanks in advance!

It would seem that maybe MBAM is detecting a false positive… Is Avast still alerting, or is it just MBAM?

I quit MBAM and launched my Cisco AnyConnect. Right after doing so, Avast started alerting me. It seems that when MBAM is running, Avast won’t alert me but once MBAM is shut down, Avast will start to alert me.

OK and stopping Cisco stops the alert

Emcor.com is under construction at the moment

Could you run the search registry scan again please to see if it is Cisco inserting this

I ran the registry scan again and have attached the results.

OK, merge the wpd.reg file again and reboot the computer, but do not run Cisco; use the system for a while and ensure that the alerts have ceased.

Then run Cisco and see if the alerts restart

I merged the wpd.reg file again and rebooted (making sure that Cisco AnyConnect didn’t launch at startup). My computer was whisper quiet. Then I launched Cisco AnyConnect and connected to my customer’s VPN. Immediately after doing so, I got the “Threat has been detected” warning. I’m going to uninstall Cisco AnyConnect and inform my customer of the issue. Aside from that, is there anything else I need to do to clean my computer? Thanks again for all your help!

Should I try the following?

1. Uninstall Cisco AnyConnect
2. Merge the wpd.reg file again and reboot
3. Verify that there are no threat warnings
4. Attempt to install Cisco AnyConnect again and see if any threats are detected

Idea: could the threat be coming from the customer’s end and not Cisco itself?

Unsure at this point. I’m now working with the support team for our customer’s help desk to see if any users have experienced the same type of problem. Could this even be something unrelated to Cisco or my customer, and just a rogue malware that is targeting a specific site from my computer?

There is that possibility that as you connect to your client server you are getting the wpad added

http://resources.infosecinstitute.com/hacking-clients-wpad-web-proxy-auto-discovery-protocol/

You will need to re-run the wpd reg to reset the system

I am also getting the http://sso.anbtr.com/domain/cdn1-craveonline.com threat alert from Avast. Can someone tell me how to get rid of it? And is it dangerous for my computer?

Start a new topic and post your logs there: https://forum.avast.com/index.php?action=post;board=4