Kaspersky

wpad.domain.name, wpad.dat, wpad.dlink, wpad.homegateway, Trojan.Script.Agent.dc, Event: Malicious object detected


I’m receiving tons of notifications (every 10 min) of Event: Malicious object detected

About wpad

 

Event: Malicious object detected
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Detected
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
 

Virus Scan does not find anything. I need a suggestion about what I can do to stop it. Thanks a lot

Danila T. 17 days ago

Hello,

There exists something called WPAD, or Web Proxy Autodiscovery Protocol; it's designed to pinpoint the location of the necessary configuration file, called the PAC file. Usually such a location would look like this: wpad.domain[.]name/wpad.dat. Experienced users will understand that this "location" is actually a DNS suffix.
A lot of routers/modems are preset with that DNS suffix.

This isn't new, this has been used for 20 years now.

Using a DNS suffix like that means that it is theoretically possible for a mal-wisher to change the file at its location, and eventually have it loaded into the user's system, thus setting up an unwanted proxy server and intercepting browsing data.

 

Follow these steps:

  1. Try to connect to the Internet via some other Internet connection, for example, via a mobile hotspot. Or try to connect without the router. Will there be a detection?
  2. If there is no detection after step 1: please reset the router to default settings, then connect to the Internet via the router again.
  3. Also update the firmware on the router if a newer version is available on the router manufacturer's site. Change the password of the router.
  4. If points 2 and 3 do not solve the problem and point 1 fixes the problem, then this router is not recommended for use. Or contact the support of the router manufacturer.

40 replies

Userlevel 7
Badge +4

Hello,

Please pause KL protection and download the file:

http://wpad.domain.name/wpad.dat

 

Please zip it using the password “infected” (without quotes) and send it to KL support. If you don’t want to do it yourself, you can send it to me via PM. Share the file download URL with me.

After doing that, please enable KL protection again.

Regards.

Userlevel 1

Every minute I get this pop-up and it annoys me, and Kaspersky can’t delete it. What can I do? Please help. I attached the report below.

Userlevel 1

I am facing the same problem today. Can someone report this to Kaspersky?

 

 

Userlevel 1

But if I did download it, will it infect my computer?

 

During the last two days, Kaspersky has been constantly notifying me about malicious object detected and download denied.

It is getting frustrating since it isn’t doing anything about it and it is disturbing my work.

this is what I get:

Event: Download denied
User: DESKTOP-9JS93UU\hp
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Blocked
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
Object path: http://wpad.domain.name
MD5: 929C83988AAD1EF14994044D8C1175F6
Reason: Databases
Databases release date: Today, 3/25/2021 5:25:00 PM

Userlevel 1

Yo bro, we are three people now facing the same problem. Your name is Marwane, are you from Morocco?

Userlevel 1

Are you from Morocco? I have had the same problem for two days too; we are three people here now.

Userlevel 7
Badge +9

Hello @serval1959, @MARWAN & @Younes

While you’re waiting for @Wesly.Zhang, please do the following:

  1. Check the detected object using the Kaspersky Open Threat portal and select the Submit to reanalyze option, add your email address & comments to send to Kaspersky experts for further analysis.
  2. Log a case with Kaspersky Technical Support, fill in the Malware, False positive template; zip the .exe file, name the zip archive malware, or infected & protect the zip archive with a password, add the zip archive to the request; add the password to the request; in the problem description provide a detailed history, & the zipped file:

 

 

  • After submitting the case, you’ll receive an automated email with an INC+12digits reference number, then, normally, within 5 business days, a Kaspersky Technical Support human will be in touch, also by email, you may continue to engage with the Kaspersky Technical Team via email or by updating the INC in their MyKaspersky account.

Please share the outcome with the Community when it’s available? 

Thank you:pray_tone3:

Flood:whale:+:whale2:

Userlevel 7
Badge +8

@serval1959 @Younes  @MARWAN 

Can you please run AdwCleaner as ADMIN and provide the Log. 

⚠️ Please don’t clean eventual detections ⚠️

Userlevel 7
Badge +4

But if I did download it, will it infect my computer?

 


Hello,

It couldn’t infect your computer.

Regards.

Userlevel 7
Badge +5

Hi @serval1959 , @Younes , @MARWAN , 

Did you have a chance to submit a ticket to technical support? Please share with me the incident number. 

Userlevel 7
Badge +4

Hello,

I guess the wpad.dat file may include a Google URL Web Proxy, such as:

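    // Guessed shape of the wpad.dat file (a PAC script)
    function FindProxyForURL(url, host)
    {
        // Plain host names and google.com hosts bypass the proxy
        if (isPlainHostName(host) || dnsDomainIs(host, ".google.com"))
            return "DIRECT";
        // else if ....
        // Everything else is sent to the proxy (placeholder address)
        return "PROXY any IP: any PORT";
    }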

Telecom operators send this file to you. Please check whether you have enabled the Web Proxy Auto Discovery function in Internet Options → Connections → LAN settings.

Regards.
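
A static check that can be run on a captured wpad.dat, as an added example that is not part of the original thread: it lists every proxy the PAC text can return without executing the script. The sample PAC, its addresses (documentation and example values) and the function names `extractProxies` and `needsReview` are constructed for illustration.

```javascript
// Constructed sample PAC text; the addresses are documentation/example values.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".google.com"))
    return "DIRECT";
  if (shExpMatch(host, "*.example.org"))
    return "PROXY 192.168.1.1:3128; DIRECT";
  return "PROXY 203.0.113.10:8080; SOCKS5 proxy.example.net:1080";
}`;

// Proxy directives a PAC return string may carry (DIRECT is not a proxy).
const DIRECTIVE = /\b(PROXY|SOCKS[45]?|HTTPS?)\s+([A-Za-z0-9.-]+):(\d{1,5})\b/g;

// Classify the proxy host: private/loopback IPv4 literal, public IPv4, or a name.
function classifyHost(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return "hostname";
  const a = Number(m[1]), b = Number(m[2]);
  const local = a === 10 || a === 127 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254);
  return local ? "private-ip" : "public-ip";
}

// Collect unique proxy directives from the string literals of the PAC text.
// The script is never evaluated, so a hostile file cannot run code here.
function extractProxies(pacText) {
  const seen = new Map();
  for (const lit of pacText.matchAll(/(["'])((?:\\.|(?!\1).)*)\1/g)) {
    for (const d of lit[2].matchAll(DIRECTIVE)) {
      seen.set(`${d[1]} ${d[2]}:${d[3]}`, {
        scheme: d[1], host: d[2], port: Number(d[3]), kind: classifyHost(d[2]),
      });
    }
  }
  return [...seen.values()];
}

// Proxies that are not a private IPv4 literal: public IPs, or names that
// still have to be resolved. These are the entries to compare with the
// proxy the ISP or administrator actually intended.
function needsReview(pacText) {
  return extractProxies(pacText).filter((p) => p.kind !== "private-ip");
}

console.log(needsReview(SAMPLE_PAC));
```

A PAC script that assembles its return value by string concatenation is only partly covered by a literal scan, so an empty result does not clear the file on its own.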

 

 

 

Are you from Morocco? I have had the same problem for two days too; we are three people here now.

YES I AM

 

I’m receiving tons of notifications (every 10 min) of Event: Malicious object detected.

Event: Malicious object detected
User: AM17XR3-SER\sergio
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Detected
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
Object path: http://wpad.domain.name
MD5: 929C83988AAD1EF14994044D8C1175F6
Reason: Databases
Databases release date: Today, 2021-03-24 06:10:00

Virus Scan does not find anything. I need a suggestion about what I can do to stop it. Thanks a lot

I’m experiencing the exact same problem since the last three days

@serval1959 @Younes @MARWAN Please let me know when you find out how to resolve the issue. 

Me too, is Kaspersky broken or something!?

I even sent the file to VirusTotal and it was clean, but smh I’m getting the notifications over and over

Userlevel 7
Badge +9

Hello @serval1959, @MARWAN, @Younes, @Alfa Kid & @ErjonKoci

Has anyone logged a case with Kaspersky Technical Support & provided the INC reference # to @Igor Kurzin? If “no”, please do the following: 

Log a case with Kaspersky Technical Support, fill in the Malware, False positive template; zip the .exe file, name the zip archive malware, or infected & protect the zip archive with a password, add the zip archive to the request; add the password to the request; in the problem description provide a detailed history, & the zipped file:

 

 

  • :red_circle: Share the INC reference # with @Igor Kurzin please? 

&, has anyone followed @Berny’s request: 

Please run AdwCleaner as ADMIN and provide the Log?  

⚠️ Please don’t clean eventual detections ⚠️

Thank you:pray_tone3:

Flood:whale:+:whale2:

Userlevel 1

Hi @serval1959 , @Younes , @MARWAN , 

Did you have a chance to submit a ticket to technical support? Please share with me the incident number. 

 

Thank you for your help 

Userlevel 1

I will try to do the adw scan

Hello,

 

Same issue here (from Morocco, if it can help)

Userlevel 7
Badge +8

For all those who are encountering this issue please contact Kaspersky Technical Support 

https://my.kaspersky.com/techsupport#/requests/new 

I think the issue is with the router (I’m not from Morocco), but since I turned NordVPN on I’m not receiving messages from Kas. (My router has problems with Steam too.)

Userlevel 1

Hello guys (I’m from Morocco), I just contacted Kaspersky Technical Support and after 3 days of discussion they found out that the problem is with the router (I have a D-Link one).

Here is their solution, but I don’t know how to do it:

“We have just received an update from the experts. It appears that your router was likely compromised. The wpad.dat file is likely being served from there.

Please examine the configuration of the router or reset it back to defaults to reconfigure from scratch after + patch the software on it”

 

Userlevel 7
Badge +9
  1. Examine the configuration of the router
  2. Or reset it back to defaults to reconfigure from scratch
  3. After + patch the software on it”

Hello @Younes,

Thank you for contacting Support, it’s great that you took proactive action:clap_tone3:

  • :a: Did you send the INC reference number to @Igor Kurzin ? 
  1. The router User manual should have information for Configuration procedures; if the User manual is not available, contact the Router manufacturer/distributor.
  2. Router reset: again, the procedure will be documented in the Router User manual, & or, contact the Router manufacturer/distributor. A router reset = hard reset, sometimes called a factory reset, reverts the router back to the defaults that existed when it shipped from the factory. Only do a hard reset if you have the router PIN code or password - normally recorded on a sticker on the router, & or, the paperwork that was with the router when it was purchased.
  3. “Patch the software” means, after a hard reset, make sure the Router software is fully up-to-date; the procedure will be documented in the Router User manual, & or, contact the Router manufacturer/distributor.
  • :b: Did you ask the Kaspersky Technical Support Team what was meant by the instructions they gave you? 

Thank you:pray_tone3:

Flood:whale:+:whale2:

Are you from Morocco? I have had the same problem for two days too; we are three people here now.

You both tried to renew your IDs? Because I’m from Morocco too, and the problem started with the ID website. Or the driving license one. I can’t say exactly, but it’s one of the two websites.
