Kaspersky
Question

Has my install of Microsoft 365 caught a virus? Object path : https://best-winnerspace1.life

  • 23 February 2021
  • 9 replies
  • 151 views

Userlevel 3
Badge

I have just installed Microsoft 365 (Office) with Windows 10 Home 64-bit and then accessed the internet.
Kaspersky Internet Security v21.2.16.590(b) - Web Anti-Virus has reported:
Event :    Download denied
User :    MEDION-LAPTOP-G\Me
User type :    Active user
Application name :    firefox.exe
Application path :    C:\Program Files\Mozilla Firefox
Component :    Web Anti-Virus
Result description :    Blocked
Type :    Probability of unauthorized software download
Name :    https://best-winnerspace1.life/?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-20210223015523b67eb1f15
Threat level :    High
Object type :    Web page
Object name :    ?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-20210223015523b67eb1f15
Object path :    https://best-winnerspace1.life

I never searched for best-winnerspace1.life and did not attempt any download. KIS has reported a further two instances of attempted downloads.

I'm now concerned that MS 365 contains some malicious code.

9 replies

Userlevel 7
Badge +9

Hello @wgcuser

Welcome back!

  1. Was the Microsoft 365 (Office) install from a legitimate source?
  2. Post a full screen image of the error? 
  3. Are all 3 KIS Reports of “attempted downloads” the same? 
  4. Save the KIS Report & attach to your reply? 

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 3
Badge

Q1. The MS 365 was from MS via my MS Account.

Q2. Sorry no images.

Q3. Yes.

Q4. I’ll PM the report to you.

BR

Userlevel 7
Badge +9

Hello @wgcuser

Thank you for posting back. 

What does “Sorry no images” mean?

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +8

@wgcuser
KSN is detecting a suspicious website [Adware]
Please see this important pinned Topic

Userlevel 7
Badge +9

 I’ll PM the report to you.

Hello @wgcuser

Thank you for your message:ok_hand_tone3:

We’re looking forward to hearing from you as per your message. 

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +8

I’ll PM the report to you.

Can you please share the report with the Community.
Thank you.

Userlevel 7
Badge +4

Hello @wgcuser 

I see that Firefox wants to access that website. Could you please check whether this issue does not happen with all Firefox add-ons disabled?

Regards.

Userlevel 3
Badge

@Flood and Flood's wife @Berny @Wesly.Zhang

Thank you for your comments.

Mr & Mrs Flood: “Sorry no images” means I failed to make a screen grab of the error message! However, Berny’s post does show a screen grab which I believe is very similar to the one that I observed.

Berny, thanks for the screen grab and the link to various fixes and KIS settings to enhance protection. I have now altered the config of KIS and hope these will keep the problem suppressed! Not that KIS was doing a bad job when the site first tried to appear.

Wesly Zhang, the only active Firefox add-on is the extension “Kaspersky Protection” v1.3.8.0 (Dec 2020), which I believe is required for KIS protection.

Below is the Web Anti-Virus report for Best-Winnerspace:

Yesterday, 22/02/2021 22:50:54    Download denied    Firefox    firefox.exe    C:\Program Files\Mozilla Firefox\firefox.exe    C:\Program Files\Mozilla Firefox    20020    MEDION-LAPTOP-G\Mike    Active user    Blocked    Blocked    https://best-winnerspace1.life/?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-202102230150449de7d5200    Probability of unauthorized software download    High        https://best-winnerspace1.life/?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-202102230150449de7d5200    ?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-202102230150449de7d5200    https://best-winnerspace1.life    Web page    Cloud Protection
Yesterday, 22/02/2021 22:50:54    Download denied    Firefox    firefox.exe    C:\Program Files\Mozilla Firefox\firefox.exe    C:\Program Files\Mozilla Firefox    20020    MEDION-LAPTOP-G\Mike    Active user    Blocked    Blocked    https://best-winnerspace1.life/favicon.ico    Probability of unauthorized software download    High        https://best-winnerspace1.life/favicon.ico    favicon.ico    https://best-winnerspace1.life    Web page    Cloud Protection
Yesterday, 22/02/2021 22:55:33    Download denied    Firefox    firefox.exe    C:\Program Files\Mozilla Firefox\firefox.exe    C:\Program Files\Mozilla Firefox    20020    MEDION-LAPTOP-G\Mike    Active user    Blocked    Blocked    https://best-winnerspace1.life/?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-20210223015523b67eb1f15    Probability of unauthorized software download    High        https://best-winnerspace1.life/?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-20210223015523b67eb1f15    ?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-20210223015523b67eb1f15    https://best-winnerspace1.life    Web page    Cloud Protection
Yesterday, 22/02/2021 23:32:39    Download denied    Firefox    firefox.exe    C:\Program Files\Mozilla Firefox\firefox.exe    C:\Program Files\Mozilla Firefox    12444    MEDION-LAPTOP-G\Mike    Active user    Blocked    Blocked    https://best-winnerspace1.life/    Probability of unauthorized software download    High        https://best-winnerspace1.life        https://best-winnerspace1.life    Web page    Cloud Protection
Yesterday, 22/02/2021 23:32:39    Download denied    Firefox    firefox.exe    C:\Program Files\Mozilla Firefox\firefox.exe    C:\Program Files\Mozilla Firefox    12444    MEDION-LAPTOP-G\Mike    Active user    Blocked    Blocked    https://best-winnerspace1.life/favicon.ico    Probability of unauthorized software download    High        https://best-winnerspace1.life/favicon.ico    favicon.ico    https://best-winnerspace1.life    Web page    Cloud Protection
Today, 23/02/2021 14:57:12    Download denied    Firefox    firefox.exe    C:\Program Files\Mozilla Firefox\firefox.exe    C:\Program Files\Mozilla Firefox    15156    MEDION-LAPTOP-G\Mike    Active user    Blocked    Blocked    https://best-winnerspace1.life/?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-20210223175703fd53e417e    Probability of unauthorized software download    High        https://best-winnerspace1.life/?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-20210223175703fd53e417e    ?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-20210223175703fd53e417e    https://best-winnerspace1.life    Web page    Cloud Protection
Today, 23/02/2021 14:57:12    Download denied    Firefox    firefox.exe    C:\Program Files\Mozilla Firefox\firefox.exe    C:\Program Files\Mozilla Firefox    15156    MEDION-LAPTOP-G\Mike    Active user    Blocked    Blocked    https://best-winnerspace1.life/favicon.ico    Probability of unauthorized software download    High        https://best-winnerspace1.life/favicon.ico    favicon.ico    https://best-winnerspace1.life    Web page    Cloud Protection

Userlevel 7
Badge +4

Hello,

That’s strange. Does the detection only occur when you access the Microsoft 365 web application? How about other websites when you access them?

There are several reasons that could explain this detection behaviour:

One: a process injects its code into Firefox, filters the website traffic and pushes a banner to you.

Two: a Firefox add-on does a good job and pushes a banner to you.

Three: your ISP does DNS pollution or captures network traffic to send you ads.

As I see,

https://best-winnerspace1.life/?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-20210223015523b67eb1f15

The website does several jumps to a random ads website, such as aliexpress.com or tmall.ru. I think the website is an ad-promotion link. I think aliexpress and tmall belong to Alibaba. Who does this job? As you can see, the parameter cid means client id, but this parameter is meaningless to us. As we know, this is a billing account: it receives account information for advertising delivery. Usually the operations behind this are from browser add-ons with little activity, giving add-on developers a little income. You say you don't have any add-ons installed in your Firefox, so I find that very strange.

If convenient, could you change the DNS server IP to Google DNS? Let us exclude the third possibility I just mentioned, DNS pollution. If this detection occurs again, please let us know.

Regards.
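As an added example (not code from the thread or from Kaspersky), a small Python parser for the Web Anti-Virus report wgcuser pasted above; it counts hits per host and per requesting process and, following Wesly Zhang's remark about the cid parameter, pulls the query parameters and the 14-digit stamp embedded in each cid so repeated hits can be lined up. It assumes the export is tab-separated in the column order seen in that paste (an inferred layout), and the sample rows are constructed from values in the thread's report.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Column order of the KIS Web Anti-Virus export, inferred from the paste above (assumption);
# fields are separated by tabs, or by the 4-space runs a paste often turns tabs into.
COLUMNS = ["time", "event", "application", "process", "process_path", "app_folder",
           "pid", "user", "user_type", "result", "result_description", "name", "type",
           "threat_level", "_unused", "object", "object_name", "object_path",
           "object_type", "detected_by"]
SEPARATOR = re.compile(r"\t| {4}")

def _row(time, pid, url, object_name):
    # Constructed sample row in export order; the values are copied from the thread's report
    return "\t".join([time, "Download denied", "Firefox", "firefox.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Program Files\Mozilla Firefox",
        pid, r"MEDION-LAPTOP-G\Mike", "Active user", "Blocked", "Blocked", url,
        "Probability of unauthorized software download", "High", "", url, object_name,
        "https://best-winnerspace1.life", "Web page", "Cloud Protection"])

BASE = "https://best-winnerspace1.life"
Q1 = "?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-202102230150449de7d5200"
Q2 = "?u=utt8wwl&o=67zmqf5&t=en_mac.txt&cid=41-297-20210223015523b67eb1f15"
SAMPLE = "\n".join([
    _row("Yesterday, 22/02/2021 22:50:54", "20020", BASE + "/" + Q1, Q1),
    _row("Yesterday, 22/02/2021 22:50:54", "20020", BASE + "/favicon.ico", "favicon.ico"),
    _row("Yesterday, 22/02/2021 22:55:33", "20020", BASE + "/" + Q2, Q2),
    _row("Yesterday, 22/02/2021 23:32:39", "12444", BASE + "/", ""),
])

def parse_report(text):
    """Split each export line into a dict keyed by COLUMNS; lines with too few fields are skipped."""
    rows = []
    for line in text.splitlines():
        fields = SEPARATOR.split(line)
        if len(fields) >= len(COLUMNS):
            rows.append(dict(zip(COLUMNS, fields)))
    return rows

def summarize(rows):
    """Hits per host and per (process, pid), plus each hit's query parameters and cid stamp."""
    by_host, by_proc, hits = Counter(), Counter(), []
    for row in rows:
        url = urlsplit(row["name"])
        by_host[url.hostname] += 1
        by_proc[(row["process"], row["pid"])] += 1
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        # cid on these hits looks like "41-297-<14 digits><hex>"; keep the 14-digit stamp
        m = re.match(r"\d+-\d+-(\d{14})\w+$", params.get("cid", ""))
        hits.append({"time": row["time"], "path": url.path, "params": params,
                     "cid_stamp": m.group(1) if m else None})
    return by_host, by_proc, hits
```

Running it over the pasted report shows that every hit comes from firefox.exe and that the cid stamp changes on each visit while u, o and t stay fixed, which is what to compare if the detections reappear after the add-on and DNS checks suggested above.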
