[Serious Discussion] Suspicious host wpad.fritz.box

Thread starter: ForgottenSeer 94738

ForgottenSeer 94738 (thread author)
My AV program Emsisoft Business regularly reports to me that svchost.exe is accessing the dangerous host wpad.fritz.box and recommends that I block access. What is behind this message? Should I permanently block access?
I use the Fritz!Box 7590 as a router.
 
The message you are receiving from your AV program Emsisoft Business about svchost.exe accessing the host wpad.fritz.box can be a cause for concern, as it may indicate potential malicious activity or a security vulnerability on your network. Let's break down the situation to better understand what might be happening:

1. **svchost.exe**: Svchost.exe is a legitimate Windows process that hosts multiple Windows services. It is common for svchost.exe to access various network resources as part of its normal operation. However, cybercriminals have been known to abuse this process to carry out malicious activities.

2. **wpad.fritz.box**: The host wpad.fritz.box is typically used for Web Proxy Auto-Discovery (WPAD) within a local network. WPAD is a protocol used to automatically configure proxy settings for devices on the network. However, wpad.fritz.box could also be used by attackers to carry out man-in-the-middle attacks or other malicious activities.

Given this information, here are some steps you can take to address the situation:

1. **Investigate Further**: Check your network settings and devices to ensure that there are no unauthorized configurations or devices accessing wpad.fritz.box. Look for any signs of suspicious activity or unauthorized access.

2. **Block Access**: While blocking access to wpad.fritz.box may temporarily mitigate the risk, it is essential to understand the implications of doing so. Blocking access could potentially disrupt legitimate network operations that rely on WPAD. Consider consulting with your IT department or a cybersecurity professional before making this decision.

3. **Update Firmware and Software**: Ensure that your Fritz!Box router's firmware is up to date, as outdated firmware could contain vulnerabilities that attackers could exploit. Additionally, keep all software on your devices, including Windows and your AV program, updated to the latest versions to patch any known security issues.

4. **Monitor Network Traffic**: Consider using network monitoring tools to keep an eye on network traffic and detect any unusual or suspicious activity. This can help you identify potential threats and take appropriate action.

In conclusion, while the message from your AV program is a cause for concern, it is essential to investigate further before deciding to block access to wpad.fritz.box. Understanding the context of the alert and taking proactive steps to secure your network can help mitigate potential risks. If you are unsure about how to proceed, consider seeking assistance from a cybersecurity professional.
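To make the second point above concrete (why a Windows service would look up this exact name), here is an added example that is not from the thread or from any AV vendor. It models the DNS part of WPAD discovery as described in the WPAD draft: the client prepends "wpad." to its connection's DNS suffix and strips leading labels, never querying the final (TLD) label. For a Fritz!Box LAN whose DNS suffix is fritz.box, the only candidate is wpad.fritz.box. The resolver and subnet below are constructed stand-ins so the script runs offline; in a real check you would resolve the names against your own DNS.

```python
"""Derive the WPAD hostnames a client tries from its DNS suffix and check
where they resolve. Added example, not code from the thread.

DNS-based WPAD discovery (draft-ietf-wrec-wpad-01): prepend "wpad." to
the DNS suffix, then drop leading labels one at a time, stopping before
the last label so that a bare TLD such as "wpad.box" is never queried.
"""
import ipaddress

# Constructed stand-in for DNS answers so the example runs offline.
CONSTRUCTED_DNS = {
    "wpad.fritz.box": "192.168.178.1",   # constructed: answered from inside the LAN
    "wpad.example.com": "203.0.113.10",  # constructed: a public (TEST-NET-3) address
}


def wpad_candidates(dns_suffix: str) -> list[str]:
    """Return the WPAD names a client derives from its DNS suffix, most specific first."""
    labels = [lbl for lbl in dns_suffix.strip(".").lower().split(".") if lbl]
    candidates = []
    # range(len - 1): the final label (the TLD) is never used on its own
    for i in range(len(labels) - 1):
        candidates.append("wpad." + ".".join(labels[i:]))
    return candidates


def classify_wpad(dns_suffix: str, local_net: str, resolver=CONSTRUCTED_DNS):
    """Resolve each candidate and say whether the answer lies inside the local network.

    A WPAD name answered from the LAN is the expected case; an answer from a
    public address means the proxy configuration would be fetched from outside
    the network and deserves a closer look.
    """
    net = ipaddress.ip_network(local_net)
    results = []
    for name in wpad_candidates(dns_suffix):
        addr = resolver.get(name)
        if addr is None:
            verdict = "unresolved"
        elif ipaddress.ip_address(addr) in net:
            verdict = "local"
        else:
            verdict = "external"
        results.append((name, addr, verdict))
    return results


if __name__ == "__main__":
    # Assumed Fritz!Box defaults: DNS suffix fritz.box, LAN 192.168.178.0/24
    for row in classify_wpad("fritz.box", "192.168.178.0/24"):
        print(row)
    for row in classify_wpad("corp.example.com", "192.168.178.0/24"):
        print(row)
```

The interesting output is the "external" verdict: it means the name a Windows client derives on its own, without anyone configuring it, resolves to an address outside the LAN, which is exactly the situation the name-collision discussion later in this thread is about.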
 
 
My AV program Emsisoft Business regularly reports to me that svchost.exe is accessing the dangerous host wpad.fritz.box and recommends that I block access. What is behind this message? Should I permanently block access?
I use the Fritz!Box 7590 as a router.
Assuming your PC is clean, ...
Is your router protected by a firewall? If not, switch it on. If it supports DoH, use it with a DoH service that has malware-blocking capability. Disable port forwarding if it's on. Change the default password immediately after a reset. If your router has not received any security update for many years, consider changing it to a newer version.
 
My router contains a firewall. Port forwarding is disabled. The router firmware was only recently updated to a current version.
I'll keep watching for now.
 
It would not hurt to give FRST a go, or to post the logs in the Malware Removal section to be checked (if you can't analyze the logs yourself), to see if there are altered settings like the ones below:
ProxyServer: [S-1-5-21-1208604061-1613956415-3034501670-1000] => hxxp://***********.com/wpad.dat?0345774752064e9f4ea9aec8d6771ea633341123
AutoConfigURL: [S-1-5-21-1208604061-1613956415-3034501670-1000] => hxxp://***********.com/wpad.dat?0345774752064e9f4ea9aec8d6771ea633341123
ManualProxies: 0hxxp://***********.com/wpad.dat?0345774752064e9f4ea9aec8d6771ea633341123
MBAM usually detects and removes the malicious registry entries automatically, without the need to fix them manually.

The colleagues already gave you a hint about checking the router settings, but I will share this little guide as well:

 
They had some problems with the domain. Not sure if it's fixed and I only found that with a quick search (but you would get a starting point).
Verwirrend: Internet-Domain fritz.box zeigt NFT-Galerie statt Router-Verwaltung ("Confusing: Internet domain fritz.box shows NFT gallery instead of router administration"; in German, maybe Google Translate will help)
 
I am not paranoid and will therefore end the matter. I suspect that the host fritz.box ended up on Emsisoft's list of dangerous hosts because AVM, the manufacturer of the Fritz!Box router, which is very popular in Germany, failed to acquire the domain fritz.box for itself. It was purchased by another person who used it to redirect to a website that offered NFTs. This led to confusion because fritz.box usually led to the login page of the Fritz!Box router. In the meantime, there were probably negotiations between this person and AVM, because the website is no longer active. Furthermore, the domain fritz.box on VT is not classified as dangerous by any AV program.
I would like to thank all the MT members who gave me advice.