Jump to content

Malicious object detected: wpad.dat, wpad.domain.name, Trojan.Script.Agent.dc [merged]


Recommended Posts

Flood and Flood's wife
Posted
  1. Examine the configuration of the router
  2. Or reset it back to defaults to reconfigure from scratch
  3. After + patch the software on it”

Hello @Younes,

Thank you for contacting Support, it’s great that you took proactive action👏

  • 🅰 Did you send the INC reference number to @Igor Kurzin ? 
  1. The router User manual should have information for Configuration procedures; if the User manual is not available, contact the Router manufacture/distributer.
  2. Router reset, again, the procedure will be documented in the Router User manual & or, contact the Router manufacture/distributer. A router reset = hard reset, sometimes called a factory reset, reverts the router back to defaults that existed when it shipped from the factory. Only do a hard reset if you have the router pin code or password - normally recorded on a sticker on the router, & or, the paper work that is with the router when it was purchased. 
  3. Patch the software”, means, after a hard reset, make sure the Router software is fully up-to-date,  the procedure will be documented in the Router User manual & or, contact the Router manufacture/distributer.
  • 🅱 Did you ask the Kaspersky Technical Support Team what was meant by the instructions they gave you? 

Thank you🙏

Flood🐳+🐋

  • Replies 65
  • Created
  • Last Reply

Top Posters In This Topic

  • Flood and Flood's wife

    8

  • Younes

    8

  • Berny

    6

  • Danila T.

    6

mahfoudlaasri
Posted

During the last two days, kaspersky is constantly notifying me about malicious object detected and download denied.

it is getting frustrating since it is doing anything about it and I is disturbing my work.

this is what I get:

Event: Download denied
User: DESKTOP-9JS93UU\hp
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Blocked
Type: Trojan
Name: Trojan.Script.Agent.dc
Precision: Exactly
Threat level: High
Object type: File
Object name: wpad.dat
Object path: http://wpad.domain.name
MD5: 929C83988AAD1EF14994044D8C1175F6
Reason: Databases
Databases release date: Today, 3/25/2021 5:25:00 PM

U from morocco ?i have the same prob since two days too we are three People now here

You both tried to renew you ID’s? Because I’m from Morocco too, and the problem started with the ID website. Or the driving license one. I can’t say exactly, but it’s one of both websites

Posted
  1. Examine the configuration of the router
  2. Or reset it back to defaults to reconfigure from scratch
  3. After + patch the software on it”

Hello @Younes,

Thank you for contacting Support, it’s great that you took proactive action👏

  • 🅰 Did you send the INC reference number to @Igor Kurzin ? 
  1. The router User manual should have information for Configuration procedures; if the User manual is not available, contact the Router manufacture/distributer.
  2. Router reset, again, the procedure will be documented in the Router User manual & or, contact the Router manufacture/distributer. A router reset = hard reset, sometimes called a factory reset, reverts the router back to defaults that existed when it shipped from the factory. Only do a hard reset if you have the router pin code or password - normally recorded on a sticker on the router, & or, the paper work that is with the router when it was purchased. 
  3. Patch the software”, means, after a hard reset, make sure the Router software is fully up-to-date,  the procedure will be documented in the Router User manual & or, contact the Router manufacture/distributer.
  • 🅱 Did you ask the Kaspersky Technical Support Team what was meant by the instructions they gave you? 

Thank you🙏

Flood🐳+🐋

 

I tried factory resetting (hard reset) my router and reconfigured it. I also updated it to the latest firmware but I’m still getting the Trojan.Script.Agent.dc notification 

Flood and Flood's wife
Posted

I tried factory resetting (hard reset) my router and reconfigured it. I also updated it to the latest firmware but I’m still getting the Trojan.Script.Agent.dc notification 

Hello @Alfa Kid

Welcome!

Did you also log a case with Kaspersky Technical Support? 

Thank you🙏

Flood🐳+🐋

Posted

@Alfa Kidhello!

 

    Let us know the router model/brand and version of router firmware.
    Try to connect to the Internet via some other Internet connection, for example, via mobile hot spot or without router. Will there be a detection?

Posted

Hello,

There exists something called WPAD or Web Proxy Autodiscovery Protocol, it's designed to pinpoint the location of the necessary configuration file, called the pac-file. Usually such location would look like this: wpad.domain[.]name/wpad.dat. Experienced users will understand that this "location" is actually a DNS suffix.
A lot of routers/modems are preset that DNS suffix.

This isn't new, this has been used for 20 years now.

Using a DNS suffix like that means that it is theoretically possible for a mal-wisher to change the file at its location, and eventually have it loaded into the user's system, thus setting up an unwanted proxy server, and intercept browsing data.

 

Follow these steps:

  1. Try to connect to the Internet via some other Internet connection, for example, via mobile hot spot. Or try to connect without router. Will there be a detection?
  2. If there is no detection after step 1: please reset router to default settings then connect again to the Internet via router.
  3. Also update firmware on the router, if there is a newer version is available on the router manufacturer site. Change password of the router.
  4. If points 2 and 3 do not solve the problem and point 1 fix problem, then this router is not recommended for use. Or contact the support of the router manufacturer.
Link

 

Posted

Yes I have contacted Kaspersky Technical Support and the response was to follow the steps as outlined by @Danila T. 

The router is a NETGEAR D1500 with firmware version 1.0.0.28 

I will try connecting to a mobile hotspot to check if if the issue will persist. I’ll provide feedback on the outcome as soon as possible. 

Posted

It was indeed a problem with my router. When I tried connecting my laptop to my mobile hotspot I had no issues, but as soon as I reverted to my NETGEAR router the notifications started popping up again. Given that I’ve already tried resetting the router and updating the firmware, but to no avail, I think it is time for me to replace my router.

Thank you for your assistance 

EdgarEdge81
Posted

Hello everyone.

 

I also have this problem, my router brand is D-Link, and the message is:

 

Evento :    Se detectó un objeto malintencionado
Usuario :    LAPTOP-D07JGEVV\erosa
Tipo de usuario :    Usuario activo
Nombre de la aplicación :    svchost.exe
Ruta de la aplicación :    C:\Windows\System32
Componente :    Web Anti-Virus
Descripción del resultado :    Detectado
Tipo :    Troyano
Nombre :    Trojan.Script.Agent.dc
Precisión :    Exacta
Nivel de amenaza :    Alta
Tipo de objeto :    Archivo
Nombre del objeto :    wpad.dat
Ruta del objeto :    http://wpad.domain.name
MD5 :    929C83988AAD1EF14994044D8C1175F6
Motivo :    Bases de datos
Fecha de publicación de las bases de datos :    30/03/2021 05:15:00 p. m.

Thanks is advance.

Posted

Hello @EdgarEdge81 

 

  1. Let us know the router model/brand and version of router firmware.
  2. Try to connect to the Internet via some other Internet connection, for example, via mobile hot spot. Or try to connect without router. Will there be a detection?
  3. If there is no detection after step 2: please reset router to default settings (via resset button) then connect again to the Internet via router. WIll the issue persist?
  4. If yes, update firmware on the router, if there is a newer version is available on the router manufacturer site.
Posted

hi,

same problem here and same router model !

The router is a NETGEAR D1500 ADSL modem and I updated firmware from 1.0.0.21 to the last one released in 2018  1.0.0.28 next to contact Kaspersky support.

Next to the update I made yesterday I got just an other advice when connection was established next to update and yesterday worked fine but today it happen again one time.

Next week I’ll try to use an other modem but I’m almost sure its this router model that cause this problem.

 

 

Posted

hi,

same problem here and same router model !

The router is a NETGEAR D1500 ADSL modem and I updated firmware from 1.0.0.21 to the last one released in 2018  1.0.0.28 next to contact Kaspersky support.

Next to the update I made yesterday I got just an other advice when connection was established next to update and yesterday worked fine but today it happen again one time.

Next week I’ll try to use an other modem but I’m almost sure its this router model that cause this problem.

 

 

I can confirm that for this router modem firmware update solve the problem but not at 100%.

Sometimes message popup likes 2 / 3 times but not as before the update (around 50 times in a working day!) 

adiraj_india
Posted

How to remove notification permanently or kill virus 

Dangerous URL blocked http://185.38.111.1/wpad.dat
 

Anton Mefodys
Posted

@shybear hello!

Have you tried also to check DNS suffix settings?  

Posted

@shybear hello!

Have you tried also to check DNS suffix settings?  

Hello Anton,

right now I’m 100% sure that problem is Netgear modem router D1500.

Without any change on computer settings I changed it with a refurbished Tp-Link  TD-W8691ND. Even if last firmware is older then Netgear (2017) its 4 days I’m using it without any warning from Antivirus.

Posted

Hi @shybear 

Yes, this router (it seems) has settings that are causing this situation.

  • 5 months later...
Posted
I did not accessed any malicious website or downloaded any program that wasn’t properly scanned and permited by Kaspersky. I have no idea why this is happening. Just bought 2 years of kaspersky total security and ran every type of scan possible. I’m already going crazy.Event: Access DeniedUser: *censored*User Type: Active UserApplication name: svchost.exeApplication path: C:\Windows\System32Component: Web Anti-VirusDescription Result: BlockedType: Malicious LinkName: http://wpad.domain.name/wpad.datAccuracy: Precise Threat Level: HighObject Type: Web PageObject name: wpad.datObject path.: http://wpad.domain.nameReason: DatabasesDatabase version date: Yesterday, 09/16/2021 06:40:00

 

Edit: Sorry, but I’m unable to format this text, already tried every way I know and it simply doesn’t stay formatted

 

Posted

Event: Access denied
User: DESKTOP-JJ1GL98\T.N.SWAMY
User type: Active user
Application name: svchost.exe
Application path: C:\Windows\System32
Component: Web Anti-Virus
Result description: Blocked
Type: Malicious link
Name: http://wpad.domain.name/wpad.dat
Precision: Exactly
Threat level: High
Object type: Web page
Object name: wpad.dat
Object path: http://wpad.domain.name
Reason: Databases
Databases release date: Today, 17-09-2021 13:53:00

Posted

Hello @mehdifirefox

Welcome!

  1. Please follow all steps in tutorial What to do if Kaspersky detects wpad, by @Danila T. 
  2. Also, read topic: Malicious object detected: wpad.dat, wpad.domain.name, Trojan.Script.Agent.dc, raised by @serval1959

Please let us know the outcome?

Thank you🙏

Flood🐳+🐋

Some of these people are automatically created without opening the site and file this problem
That by changing the solved problem router
Of course i doubt the solution to this

If the malware manipulated the modem why Kaspersky did not
I opened several sites yesterday that Kaspersky had an error

From yesterday so far this is the same problem
my question is
Why is nothing registered in the reports section?
If something is blocked shall be in the reports section
This is a bug

How many years we are screaming, Kaspersky is weak in web  security
Have no progress

 


 

 

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now



×
×
  • Create New...