Kaspersky
Products
Support go
Community
Personal Account go
Check a file or link
Kaspersky Club go
Kaspersky Education go
Beta Testing
back back
support
Home Support
Business Support
Virus Fighting
back back
kaspersky club
Россия и СНГ
Global
back back
kaspersky education
Бесплатный образовательный портал
Free educational videocourses
back back
Personal Account
My Kaspersky
KSOS Management Console
CompanyAccount

wpad.domain.name, wpad.dat, wpad.dlink, wpad.homegateway, Trojan.Script.Agent.dc, Event: Malicious object detected

S

I’m receiving tons of notification (every 10 min) of Event: Malicious object detected

About wpad

 

Event: Malicious object detected
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Detected
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
 

Virus Scan does not find anything. I need a suggestion about what I can do to stop it. Thank a lot

Danila T. 17 days ago

Hello,

There exists something called WPAD or Web Proxy Autodiscovery Protocol, it's designed to pinpoint the location of the necessary configuration file, called the pac-file. Usually such location would look like this: wpad.domain[.]name/wpad.dat. Experienced users will understand that this "location" is actually a DNS suffix.
A lot of routers/modems are preset that DNS suffix.

This isn't new, this has been used for 20 years now.

Using a DNS suffix like that means that it is theoretically possible for a mal-wisher to change the file at its location, and eventually have it loaded into the user's system, thus setting up an unwanted proxy server, and intercept browsing data.

 

Follow these steps:

  1. Try to connect to the Internet via some other Internet connection, for example, via mobile hot spot. Or try to connect without router. Will there be a detection?
  2. If there is no detection after step 1: please reset router to default settings then connect again to the Internet via router.
  3. Also update firmware on the router, if there is a newer version is available on the router manufacturer site. Change password of the router.
  4. If points 2 and 3 do not solve the problem and point 1 fix problem, then this router is not recommended for use. Or contact the support of the router manufacturer.
View original

40 replies

Wesly.Zhang
Rank
Userlevel 7
Badge +4

Hello,

Please pause KL protection and download the file:

http://wpad.domain.name/wpad.dat

 

Please zip and using a password “infected” without quote and sent it to KL support. If you don’t want to do it by yourself, You can send it to me via PM. Share the file download url to me.

After do that, Please enable KL protection again.

Regards.

Go! The world !!! ? Our CD8/CD4 T & Antibody created by B lymphocytes are on their way to destroy the Coronaviruses.? Forum Moderator China. Did it answer your question? Mark it as solved! If I don't reply your topic or post for a long time, Please send me a PM include your post or topic URL to notice me, Thanks.
Y
Userlevel 1

every minute i get this pop up and it’s annoys me and kasperskey can’t delete it what can i do please help i attached the report below 

Y
Userlevel 1

i am facing the same probleme today can someone report this to kasperskey 

 

 

Y
Userlevel 1

Hello,

Please pause KL protection and download the file:

http://wpad.domain.name/wpad.dat

 

Please zip and using a password “infected” without quote and sent it to KL support. If you don’t want to do it by yourself, You can send it to me via PM. Share the file download url to me.

After do that, Please enable KL protection again.

Regards.

but if i did download it it will infect my computer ????

 

M

During the last two days, kaspersky is constantly notifying me about malicious object detected and download denied.

it is getting frustrating since it is doing anything about it and I is disturbing my work.

this is what I get:

Event: Download denied
User: DESKTOP-9JS93UU\hp
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Blocked
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
Object path: http://wpad.domain.name
MD5: 929C83988AAD1EF14994044D8C1175F6
Reason: Databases
Databases release date: Today, 3/25/2021 5:25:00 PM

Y
Userlevel 1

Yo bro we are three People now facing the  same problème  your name is marwane you from morocco ? 

Y
Userlevel 1

During the last two days, kaspersky is constantly notifying me about malicious object detected and download denied.

it is getting frustrating since it is doing anything about it and I is disturbing my work.

this is what I get:

Event: Download denied
User: DESKTOP-9JS93UU\hp
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Blocked
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
Object path: http://wpad.domain.name
MD5: 929C83988AAD1EF14994044D8C1175F6
Reason: Databases
Databases release date: Today, 3/25/2021 5:25:00 PM

U from morocco ?i have the same prob since two days too we are three People now here

Flood and Flood's wife
Rank
Userlevel 7
Badge +9

Hello @serval1959, @MARWAN & @Younes

While you’re waiting for @Wesly.Zhang, please do the following:

  1. Check the detected object using Kaspersky Open Threat portaland select the Submit to reanalyze option, add your email address & comments to send to Kaspersky experts for further analysis.
  2. Log a case with Kaspersky Technical Support, fill in the Malware, False positive template; zip the .exe file, name the zip archive malware, or infected & protect the zip archive with a password, add the zip archive to the request; add the password to the request; in the problem description provide a detailed history, & the zipped file:

 

 

  • After submitting the case, you’ll receive an automated email with an INC+12digits reference number, then, normally, within 5 business days, a Kaspersky Technical Support human will be in touch, also by email, you may continue to engage with the Kaspersky Technical Team via email or by updating the INC in their MyKaspersky account.

Please share the outcome with the Community when it’s available? 

Thank you:pray_tone3:

Flood:whale:+:whale2:

Edgar's Mission: "If we could live happy and healthy lives without harming others... why wouldn't we?" --- "One should examine oneself for a very long time before thinking of condemning others" Moliere --- Did a reply answer your question? Please mark it as Best answer, the Topic status will change to Solved, thank you!
Berny
Rank
Userlevel 7
Badge +8

@serval1959 @Younes  @MARWAN 

Can you please run AdwCleaner as ADMIN and provide the Log. 

⚠️ Please don’t clean eventual detections ⚠️

Forum Moderator France & BeNeLux - Did it answer your question? Please mark it as "Best Answer” | Est-ce la réponse à votre question? Marquez-le comme résolu | Is dit het antwoord op uw vraag? Markeer het als opgelost | Errare humanum est.
Wesly.Zhang
Rank
Userlevel 7
Badge +4

Hello,

Please pause KL protection and download the file:

http://wpad.domain.name/wpad.dat

 

Please zip and using a password “infected” without quote and sent it to KL support. If you don’t want to do it by yourself, You can send it to me via PM. Share the file download url to me.

After do that, Please enable KL protection again.

Regards.

but if i did download it it will infect my computer ????

 


Hello,

It couldn’t infect your computer.

Regards.

Go! The world !!! ? Our CD8/CD4 T & Antibody created by B lymphocytes are on their way to destroy the Coronaviruses.? Forum Moderator China. Did it answer your question? Mark it as solved! If I don't reply your topic or post for a long time, Please send me a PM include your post or topic URL to notice me, Thanks.
Igor Kurzin
Rank
Userlevel 7
Badge +5

Hi @serval1959 , @Younes , @MARWAN , 

Did you have a chance to submit a ticket to technical support? Please share with me the incident number. 

Did a reply answer your question? Please mark it as Best answer, the Topic status will change to Solved, thank you!
Wesly.Zhang
Rank
Userlevel 7
Badge +4

Hello,

I guess the wpad.dat file maybe include google url Web Proxy. such as:

    function FindProxyForURL(url, host)
    {
        if (isPlainHostName(host)(host, ".google.com"))
            return "DIRECT";
            return “PROXY any IP: any PORT”;
        else if....
    }

Telecom operators send this file to you. Please check whether you enable Web Proxy Auto Discovery function in the Internet Options → Connections → LAN settings.

Regards.

Go! The world !!! ? Our CD8/CD4 T & Antibody created by B lymphocytes are on their way to destroy the Coronaviruses.? Forum Moderator China. Did it answer your question? Mark it as solved! If I don't reply your topic or post for a long time, Please send me a PM include your post or topic URL to notice me, Thanks.
M

 

 

 

During the last two days, kaspersky is constantly notifying me about malicious object detected and download denied.

it is getting frustrating since it is doing anything about it and I is disturbing my work.

this is what I get:

Event: Download denied
User: DESKTOP-9JS93UU\hp
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Blocked
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
Object path: http://wpad.domain.name
MD5: 929C83988AAD1EF14994044D8C1175F6
Reason: Databases
Databases release date: Today, 3/25/2021 5:25:00 PM

U from morocco ?i have the same prob since two days too we are three People now here

YES I AM

 

A

I’m receiving tons of notification (every 10 min) of Event: Malicious object detected.

Event: Malicious object detected
User: AM17XR3-SER\sergio
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Detected
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
Object path: http://wpad.domain.name
MD5: 929C83988AAD1EF14994044D8C1175F6
Reason: Databases
Databases release date: Today, 2021-03-24 06:10:00

Virus Scan does not find anything. I need a suggestion about what I can do to stop it. Thank a lot

I’m experiencing the exact same problem since the last three days

@serval1959 @Younes @MARWAN Please let me know when you find out how to resolve the issue. 

E

Me too, is kasperky broken or smth!?

I even sended the file at virustotal and it was clean but smh im getting the notifications over and over

Flood and Flood's wife
Rank
Userlevel 7
Badge +9

Hello @serval1959@MARWAN & @Younes@Alfa Kid & @ErjonKoci

Has anyone logged a case with Kaspersky Technical Support & provided the INC reference # to @Igor Kurzin? If “no”, please do the following: 

Log a case with Kaspersky Technical Support, fill in the Malware, False positive template; zip the .exe file, name the zip archive malware, or infected & protect the zip archive with a password, add the zip archive to the request; add the password to the request; in the problem description provide a detailed history, & the zipped file:

 

 

  • :red_circle: Share the INC reference # with @Igor Kurzin please? 

&, has anyone followed @Berny’s request: 

Please run AdwCleaner as ADMIN and provide the Log?  

⚠️ Please don’t clean eventual detections ⚠️

Thank you:pray_tone3:

Flood:whale:+:whale2:

Edgar's Mission: "If we could live happy and healthy lives without harming others... why wouldn't we?" --- "One should examine oneself for a very long time before thinking of condemning others" Moliere --- Did a reply answer your question? Please mark it as Best answer, the Topic status will change to Solved, thank you!
Y
Userlevel 1

Hi @serval1959 , @Younes , @MARWAN , 

Did you have a chance to submit a ticket to technical support? Please share with me the incident number. 

 

Thank you for your help 

Y
Userlevel 1

1

E

I will try to do the adw scan

H

Hello,

 

Same issue here ( from morocco if it can help)

Berny
Rank
Userlevel 7
Badge +8

For all those who are encountering this issue please contact Kaspersky Technical Support 

https://my.kaspersky.com/techsupport#/requests/new 

Forum Moderator France & BeNeLux - Did it answer your question? Please mark it as "Best Answer” | Est-ce la réponse à votre question? Marquez-le comme résolu | Is dit het antwoord op uw vraag? Markeer het als opgelost | Errare humanum est.
E

I think the issue is with the router (I’m not from morocco) but since I turned nord vpn on I’m not receiving messages by Kas. (My router has problems with steam too)

Y
Userlevel 1

hello guys (im from morocco) i just contacted Kaspersky Technical Support and after 3 days of discussion they find out that the problem is with the router (i have a D-Link one) 

here is their solution but i don’t know how to do it 

“We have just received an update from the experts. It appears that your router was likely compromised. The wpad.dat file is likely being served from there.

Please examine the configuration of the router or reset it back to defaults to reconfigure from scratch after + patch the software on it”

 

Flood and Flood's wife
Rank
Userlevel 7
Badge +9
  1. Examine the configuration of the router
  2. Or reset it back to defaults to reconfigure from scratch
  3. After + patch the software on it”

Hello @Younes,

Thank you for contacting Support, it’s great that you took proactive action:clap_tone3:

  • :a: Did you send the INC reference number to @Igor Kurzin ? 
  1. The router User manual should have information for Configuration procedures; if the User manual is not available, contact the Router manufacture/distributer.
  2. Router reset, again, the procedure will be documented in the Router User manual & or, contact the Router manufacture/distributer. A router reset = hard reset, sometimes called a factory reset, reverts the router back to defaults that existed when it shipped from the factory. Only do a hard reset if you have the router pin code or password - normally recorded on a sticker on the router, & or, the paper work that is with the router when it was purchased. 
  3. Patch the software”, means, after a hard reset, make sure the Router software is fully up-to-date,  the procedure will be documented in the Router User manual & or, contact the Router manufacture/distributer.
  • :b: Did you ask the Kaspersky Technical Support Team what was meant by the instructions they gave you? 

Thank you:pray_tone3:

Flood:whale:+:whale2:

Edgar's Mission: "If we could live happy and healthy lives without harming others... why wouldn't we?" --- "One should examine oneself for a very long time before thinking of condemning others" Moliere --- Did a reply answer your question? Please mark it as Best answer, the Topic status will change to Solved, thank you!
M

During the last two days, kaspersky is constantly notifying me about malicious object detected and download denied.

it is getting frustrating since it is doing anything about it and I is disturbing my work.

this is what I get:

Event: Download denied
User: DESKTOP-9JS93UU\hp
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Blocked
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
Object path: http://wpad.domain.name
MD5: 929C83988AAD1EF14994044D8C1175F6
Reason: Databases
Databases release date: Today, 3/25/2021 5:25:00 PM

U from morocco ?i have the same prob since two days too we are three People now here

You both tried to renew you ID’s? Because I’m from Morocco too, and the problem started with the ID website. Or the driving license one. I can’t say exactly, but it’s one of both websites

Reply


 Utilities