Jump to content
Kaspersky Support Forum

Malicious object detected: wpad.dat, wpad.domain.name, Trojan.Script.Agent.dc [merged]

serval1959

By serval1959
in Kaspersky Total Security

 Share

Recommended Posts

Flood and Flood's wife

Flood and Flood's wife

Posted
Posted
  1. Examine the configuration of the router
  2. Or reset it back to defaults to reconfigure from scratch
  3. After + patch the software on it”

Hello @Younes,

Thank you for contacting Support, it’s great that you took proactive action👏

  • 🅰 Did you send the INC reference number to @Igor Kurzin ? 
  1. The router User manual should have information for Configuration procedures; if the User manual is not available, contact the Router manufacture/distributer.
  2. Router reset, again, the procedure will be documented in the Router User manual & or, contact the Router manufacture/distributer. A router reset = hard reset, sometimes called a factory reset, reverts the router back to defaults that existed when it shipped from the factory. Only do a hard reset if you have the router pin code or password - normally recorded on a sticker on the router, & or, the paper work that is with the router when it was purchased. 
  3. Patch the software”, means, after a hard reset, make sure the Router software is fully up-to-date,  the procedure will be documented in the Router User manual & or, contact the Router manufacture/distributer.
  • 🅱 Did you ask the Kaspersky Technical Support Team what was meant by the instructions they gave you? 

Thank you🙏

Flood🐳+🐋

Link to comment
Share on other sites
  • Replies 65
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

mahfoudlaasri

mahfoudlaasri

Posted
Posted

During the last two days, kaspersky is constantly notifying me about malicious object detected and download denied.

it is getting frustrating since it is doing anything about it and I is disturbing my work.

this is what I get:

Event: Download denied
User: DESKTOP-9JS93UU\hp
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Blocked
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
Object path: http://wpad.domain.name
MD5: 929C83988AAD1EF14994044D8C1175F6
Reason: Databases
Databases release date: Today, 3/25/2021 5:25:00 PM

U from morocco ?i have the same prob since two days too we are three People now here

You both tried to renew you ID’s? Because I’m from Morocco too, and the problem started with the ID website. Or the driving license one. I can’t say exactly, but it’s one of both websites

Link to comment
Share on other sites
Alfa Kid

Alfa Kid

Posted
Posted
  1. Examine the configuration of the router
  2. Or reset it back to defaults to reconfigure from scratch
  3. After + patch the software on it”

Hello @Younes,

Thank you for contacting Support, it’s great that you took proactive action👏

  • 🅰 Did you send the INC reference number to @Igor Kurzin ? 
  1. The router User manual should have information for Configuration procedures; if the User manual is not available, contact the Router manufacture/distributer.
  2. Router reset, again, the procedure will be documented in the Router User manual & or, contact the Router manufacture/distributer. A router reset = hard reset, sometimes called a factory reset, reverts the router back to defaults that existed when it shipped from the factory. Only do a hard reset if you have the router pin code or password - normally recorded on a sticker on the router, & or, the paper work that is with the router when it was purchased. 
  3. Patch the software”, means, after a hard reset, make sure the Router software is fully up-to-date,  the procedure will be documented in the Router User manual & or, contact the Router manufacture/distributer.
  • 🅱 Did you ask the Kaspersky Technical Support Team what was meant by the instructions they gave you? 

Thank you🙏

Flood🐳+🐋

 

I tried factory resetting (hard reset) my router and reconfigured it. I also updated it to the latest firmware but I’m still getting the Trojan.Script.Agent.dc notification 

Link to comment
Share on other sites
Danila T.

Danila T.

Posted
Posted

Hello,

There exists something called WPAD or Web Proxy Autodiscovery Protocol, it's designed to pinpoint the location of the necessary configuration file, called the pac-file. Usually such location would look like this: wpad.domain[.]name/wpad.dat. Experienced users will understand that this "location" is actually a DNS suffix.
A lot of routers/modems are preset that DNS suffix.

This isn't new, this has been used for 20 years now.

Using a DNS suffix like that means that it is theoretically possible for a mal-wisher to change the file at its location, and eventually have it loaded into the user's system, thus setting up an unwanted proxy server, and intercept browsing data.

 

Follow these steps:

  1. Try to connect to the Internet via some other Internet connection, for example, via mobile hot spot. Or try to connect without router. Will there be a detection?
  2. If there is no detection after step 1: please reset router to default settings then connect again to the Internet via router.
  3. Also update firmware on the router, if there is a newer version is available on the router manufacturer site. Change password of the router.
  4. If points 2 and 3 do not solve the problem and point 1 fix problem, then this router is not recommended for use. Or contact the support of the router manufacturer.
Link

 

Link to comment
Share on other sites
Alfa Kid

Alfa Kid

Posted
Posted

Yes I have contacted Kaspersky Technical Support and the response was to follow the steps as outlined by @Danila T. 

The router is a NETGEAR D1500 with firmware version 1.0.0.28 

I will try connecting to a mobile hotspot to check if if the issue will persist. I’ll provide feedback on the outcome as soon as possible. 

Link to comment
Share on other sites
Alfa Kid

Alfa Kid

Posted
Posted

It was indeed a problem with my router. When I tried connecting my laptop to my mobile hotspot I had no issues, but as soon as I reverted to my NETGEAR router the notifications started popping up again. Given that I’ve already tried resetting the router and updating the firmware, but to no avail, I think it is time for me to replace my router.

Thank you for your assistance 

Link to comment
Share on other sites
EdgarEdge81

EdgarEdge81

Posted
Posted

Hello everyone.

 

I also have this problem, my router brand is D-Link, and the message is:

 

Evento :    Se detectó un objeto malintencionado
Usuario :    LAPTOP-D07JGEVV\erosa
Tipo de usuario :    Usuario activo
Nombre de la aplicación :    svchost.exe
Ruta de la aplicación :    C:\Windows\System32
Componente :    Web Anti-Virus
Descripción del resultado :    Detectado
Tipo :    Troyano
Nombre :    Trojan.Script.Agent.dc
Precisión :    Exacta
Nivel de amenaza :    Alta
Tipo de objeto :    Archivo
Nombre del objeto :    wpad.dat
Ruta del objeto :    http://wpad.domain.name
MD5 :    929C83988AAD1EF14994044D8C1175F6
Motivo :    Bases de datos
Fecha de publicación de las bases de datos :    30/03/2021 05:15:00 p. m.

Thanks is advance.

Link to comment
Share on other sites
Danila T.

Danila T.

Posted
Posted

Hello @EdgarEdge81 

 

  1. Let us know the router model/brand and version of router firmware.
  2. Try to connect to the Internet via some other Internet connection, for example, via mobile hot spot. Or try to connect without router. Will there be a detection?
  3. If there is no detection after step 2: please reset router to default settings (via resset button) then connect again to the Internet via router. WIll the issue persist?
  4. If yes, update firmware on the router, if there is a newer version is available on the router manufacturer site.
Link to comment
Share on other sites
shybear

shybear

Posted
Posted

hi,

same problem here and same router model !

The router is a NETGEAR D1500 ADSL modem and I updated firmware from 1.0.0.21 to the last one released in 2018  1.0.0.28 next to contact Kaspersky support.

Next to the update I made yesterday I got just an other advice when connection was established next to update and yesterday worked fine but today it happen again one time.

Next week I’ll try to use an other modem but I’m almost sure its this router model that cause this problem.

 

 

Link to comment
Share on other sites
shybear

shybear

Posted
Posted

hi,

same problem here and same router model !

The router is a NETGEAR D1500 ADSL modem and I updated firmware from 1.0.0.21 to the last one released in 2018  1.0.0.28 next to contact Kaspersky support.

Next to the update I made yesterday I got just an other advice when connection was established next to update and yesterday worked fine but today it happen again one time.

Next week I’ll try to use an other modem but I’m almost sure its this router model that cause this problem.

 

 

I can confirm that for this router modem firmware update solve the problem but not at 100%.

Sometimes message popup likes 2 / 3 times but not as before the update (around 50 times in a working day!) 

Link to comment
Share on other sites
shybear

shybear

Posted
Posted

@shybear hello!

Have you tried also to check DNS suffix settings?  

Hello Anton,

right now I’m 100% sure that problem is Netgear modem router D1500.

Without any change on computer settings I changed it with a refurbished Tp-Link  TD-W8691ND. Even if last firmware is older then Netgear (2017) its 4 days I’m using it without any warning from Antivirus.

Link to comment
Share on other sites
  • 5 months later...
darkcyberia

darkcyberia

Posted
Posted 
I did not accessed any malicious website or downloaded any program that wasn’t properly scanned and permited by Kaspersky. I have no idea why this is happening. Just bought 2 years of kaspersky total security and ran every type of scan possible. I’m already going crazy.Event: Access DeniedUser: *censored*User Type: Active UserApplication name: svchost.exeApplication path: C:\Windows\System32Component: Web Anti-VirusDescription Result: BlockedType: Malicious LinkName: http://wpad.domain.name/wpad.datAccuracy: Precise Threat Level: HighObject Type: Web PageObject name: wpad.datObject path.: http://wpad.domain.nameReason: DatabasesDatabase version date: Yesterday, 09/16/2021 06:40:00

 

Edit: Sorry, but I’m unable to format this text, already tried every way I know and it simply doesn’t stay formatted

 

Link to comment
Share on other sites
mehdifirefox

mehdifirefox

Posted
Posted

I have exactly the same problem.
I think this form is from Kaspersky side ...
Yesterday this site was blocked
Today, notifications are repeated
If there is a problem why not announced in the report?
If you've blocked. So why repeat it

I followed these steps. Were not resolved
https://community.kaspersky.com/advice-and-solutions-122/kaspersky-notification-of-detection-file-or-website-detected-1313

 

Link to comment
Share on other sites
Sathwik

Sathwik

Posted
Posted

Event: Access denied
User: DESKTOP-JJ1GL98\T.N.SWAMY
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Blocked
Type: Malicious link
Name: http://wpad.domain.name/wpad.dat
Precision: Exactly
Threat level: High
Object type: Web page
Object name: wpad.dat
Object path: http://wpad.domain.name
Reason: Databases
Databases release date: Today, 17-09-2021 13:53:00

Link to comment
Share on other sites
mehdifirefox

mehdifirefox

Posted
Posted

Hello @mehdifirefox

Welcome!

  1. Please follow all steps in tutorial What to do if Kaspersky detects wpad, by @Danila T. 
  2. Also, read topic: Malicious object detected: wpad.dat, wpad.domain.name, Trojan.Script.Agent.dc, raised by @serval1959

Please let us know the outcome?

Thank you🙏

Flood🐳+🐋

Some of these people are automatically created without opening the site and file this problem
That by changing the solved problem router
Of course i doubt the solution to this

If the malware manipulated the modem why Kaspersky did not
I opened several sites yesterday that Kaspersky had an error

From yesterday so far this is the same problem
my question is
Why is nothing registered in the reports section?
If something is blocked shall be in the reports section
This is a bug

How many years we are screaming, Kaspersky is weak in web  security
Have no progress

 


 

 

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing


×
×
  • Create New...