Access blocked?

[Platypus]

Last week I set up a newer computer for my lady friend and her girls to get going with an internet connection. As they're newbies to this, and the girls ages go down to primary school, I set the system up fairly locked down, with We-Blocker and all the usual stuff.

Fine at first, but it's looking like it might have got a nasty that blocks the connection whenever you try to go to a security site. Had a quick look last night, you can surf to your hearts content, but hit update on AdAware etc and DUN just stops, no further data transfer. Disabling We-Blocker and firewall doesn't change it, so it's not a setting there, although I did manage to update AVG with We-Blocker shut down, but the scan didn't pick up anything. Neither do AdAware or a2 squared, both a week out of date.

I ran out of time to do anything more beyond a HijackThis sweep, so I'll post it below in case anyone spots something known, or can suggest something I might have missed. Anyone know if the no-name BHO is suspect? Meanwhile I'll install the most up-to-date Spybot 1.3 Beta on it, and if that doesn't find anything, I'll pull the drive and do an online scan on my system. Grrr...

Logfile of HijackThis v1.97.7
Scan saved at 8:05:11 PM, on 4/20/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST 1.0\OUTPOST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\SCM\ICONFIG.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SYSWB6.EXE
C:\PROGRAM FILES\MULTIKEYBOARD DRIVER\KBDDRV.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINKB6.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UTIL\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LEDTRAY] C:\PROGRA~1\COMMON~1\SCM\LEDTRAY.EXE
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost 1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST 1.0\outpost.exe /service
O4 - Startup: MutiKeyboard Driver.lnk = C:\Program Files\MultiKeyboard Driver\KbdDrv.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

[NooNoo]

Nothing obvious platy http://www.familyeducation.com/whatw...-19512,00.html this might be of some help to decide what weblocker is doing.


O1 - Hosts: 204.244.184.143 SafeWeb.com you running norton?


Finally check the java objects in ie cache.

[Platypus]

Thanks NooNoo, We-Blocker and AVG may have been a co-incidence, but anyway disabling We-Blocker didn't have any effect on the problem with AdAware, a2 squared etc.

I wondered about the hosts file, nothing Norton has been within ten-foot-pole distance of the system Renaming it didn't do anything.

I'll check the IE cache too.

[NooNoo]

So safeweb may not be what it purports to be....

[Platypus]

Well, progress I think. Had a short while to investigate tonight, and at least part of the problem may be due to installing We-Blocker after the security utilities. The new Spybot 1.3 installation pointed out that there is a 127.0.0.1 proxy set up, and updates will have to be set to use that proxy, not a direct connection.

The proxy is something We-Blocker does, and looks like appropriate settings should sort out the updating. I still don't see why the entire internet access should stop functioning though. We'll see.

Edit: Realised this morning, with a fresh mind, that when We-Blocker has blocking turned off, you still can't remove the proxy without un-installing the program, so it probably sees an attempt to make a direct connection as a security breach, ie an attempt to hack past, and kills the connection. Configuring all the updaters to use the proxy will probably cure it...(I hopes... )

[Platypus]

The proxy We-Blocker uses is the cause of the problem. It also runs a watchdog which instantly re-instates the proxy if the settings are changed, and blocks the internet connextion if access is attempted other than through the proxy.

Configuring the updaters to use a 127.0.0.1:6711 proxy works fine, easily done with SpyBot and AdAware. a² is proving difficult, seeming to have no option for this. The support site advises temporarily disabling the proxy, which isn't possible without instituting a procedure to disable all of We-Blocker's operation for the update.

Likewise AVG Free presents a difficulty in that in AVG there is supposed to be a settings button on the Update Manager where you can enter proxy settings, but it doesn't appear on what I have. Anyone with AVG know if this feature is only implemented in the paid version or in Ver 7?

I'll add this information to threads where I've suggested We-Blocker in case others find them in searches.