wpad.domain.name and dreesfootler.uno

Hello,

For the last couple of weeks, suddenly my Avast keeps ringing and telling me that

"We’ve safely aborted connection on wpad.domain.name because it was infected with URL:Blacklist.
Threat name: URL:Blacklist
URL: http://wpad.domain.name/wpad.dat
Process: C:\Windows\System32\svchost.exe
Detected by: Web Shield
Status: Connection aborted

2b3e04620fd7/2023-08-17T08:04:27.424Z"

Then for the last week, another one appeared:

"We’ve safely aborted connection on dreesfootler.uno because it was infected with URL:Blacklist.
Threat name: URL:Blacklist
URL: http://dreesfootler.uno/rf/48172
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
Detected by: Web Shield
Status: Connection aborted

5977bd9ba801/2023-08-17T08:05:13.287Z"

And yet scanning my computer with both Avast and Malwarebytes gives nothing.
What is happening with my computer? Or is it a problem with my wireless network?

Thank you for the assistance.

4 solutions to flag this: https://www.virustotal.com/gui/url/3265a50b86ac80c18cf47fd16694a4ef3cf1ce12aaadd017c99c4a0663ffd615?nocache=1 See: https://www.shodan.io/host/23.109.170.48

Flagged for PHISHING

polonus

I see that at least dreesfootler.uno is a phishing link, thank you!
What about wpad.domain.name?

Hi Trifoilum,

Considering your last question, see: https://www.virustotal.com/gui/url/9eda52ddddb7243835f9f3cecbf1b160d22ac4143dd7258042374a5ce1caeca7/details

Detection could be given because an old or compromised version of Java is being used.
To not be troubled anymore, turn off the “Automatically detect proxy settings” feature in Internet Options.

Could be the original infection was using svchost.exe in order to download and configure a WPAD file on the system,
and then at some point, Chrome tried to use the same WPAD file. A likely scenario.

Contact the MBAM forum to have this fixed for ye,
as we currently do not have officially qualified malware removers here on the Avast forums.

Various vulnerabilities - https://www.shodan.io/host/185.38.111.1 (Neroso - Belgrade).
→ Server: DirectAdmin Daemon v1.53.0 Registered to Gransy s.r.o.

polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
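A read-only check one could run on the affected machine, added here as an illustration and not taken from the thread or from Avast's tooling: it reads the WinINET "Automatically detect settings" flag and resolves wpad.<suffix> for each DNS suffix the client would try, which is the lookup WPAD auto-detection performs before a request like http://wpad.domain.name/wpad.dat. It assumes Windows 10/11 with the DnsClient cmdlets and the documented DefaultConnectionSettings layout (flag byte at offset 8).

```powershell
# Added example, not from the forum thread. Audits WPAD auto-detect exposure for the current user.
# Assumption: DefaultConnectionSettings blob layout as documented for WinINET (flags at byte 8).

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$blob = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings

if ($null -eq $blob -or $blob.Length -lt 9) {
    Write-Output 'DefaultConnectionSettings not present; WinINET then defaults to auto-detect ON.'
} else {
    $flags = $blob[8]
    # Flag bits: 0x01 direct, 0x02 manual proxy, 0x04 PAC script URL, 0x08 auto-detect (WPAD)
    $autoDetect = ($flags -band 0x08) -ne 0
    Write-Output ('Automatically detect settings: {0} (flag byte 0x{1:X2})' -f $autoDetect, $flags)
}

# Candidate WPAD names: wpad.<suffix> for the primary suffix, the search list and per-adapter suffixes.
$suffixes = @()
if ($env:USERDNSDOMAIN) { $suffixes += $env:USERDNSDOMAIN }
$suffixes += (Get-DnsClientGlobalSetting).SuffixSearchList
$suffixes += (Get-DnsClient).ConnectionSpecificSuffix
$suffixes  = $suffixes | Where-Object { $_ } | Sort-Object -Unique

if (-not $suffixes) { Write-Output 'No DNS suffix configured; WPAD has no DNS name to try.' }

foreach ($s in $suffixes) {
    $name = "wpad.$s"
    try {
        $records = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
        foreach ($r in $records) {
            $ip = $r.IPAddress
            # RFC 1918 / loopback ranges are treated as internal; anything else means the
            # wpad.dat fetch would leave the network, as with the wpad.domain.name alert above.
            $isPrivate = $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'
            $verdict = if ($isPrivate) { 'internal address' } else { 'PUBLIC address - review before trusting any PAC file from it' }
            Write-Output ('{0} -> {1} ({2})' -f $name, $ip, $verdict)
        }
    } catch {
        Write-Output ('{0} does not resolve ({1})' -f $name, $_.Exception.Message)
    }
}
```

A suffix such as "domain.name" that is not owned by the organisation turns every auto-detect attempt into a request to whoever registered that domain, which is why disabling the feature in Internet Options (as advised above) removes the alert.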