6 Replies Latest reply: Feb 6, 2012 1:08 PM by Jon Scholten

# Furious after McAfee Web Gateway 7 has suddenly appeared on my computer and is blocking sites.

In the last hour somehow McAfee Web Gateway 7 has been installed onto my computer and is now actively preventing me from viewing certain webpages.

The first thing I will say is that in the last hour I have not installed anything. I have Nod32 Firewall and AV. I have done a scan.

Secondly I have DEP enabled and UAC is enabled.

I also have Malwarebytes paid, actively protecting my PC and I have immunized my computer with Spybot S&D.

I have done scans with ALL of these programs and can find NOTHING.

This problem only appears on Firefox. It does not appear on Google Chrome or Internet Explorer.

It has only been happening for an hour. I have so many security modules in place that I have no idea how this sort of thing can happen and it honestly really frustrates me that this can happen.

I have tried uninstalling (to my absolute displeasure) Firefox and reinstalling it. Nothing works...

Whenever I try to go to some websites I get this page:

![Image](http://i39.tinypic.com/i1z3fl.png)

Alternatively when I download something it goes to the same page and apparently searches the file for viruses before letting me download it.

I have NEVER installed this program or anything from McAfee. I have no idea in hell how this has gotten onto my computer. This is one of the most frustrating things ever because I cannot simply find the extension in Firefox settings where I can remove it.

I have disabled all of my addons, and then checked and disabled all of my extensions and plugins as well. Nothing stops this from showing up.

I have searched my whole computer for 'McAfee' including my registry and I do not have a single entry at all with anything to do with McAfee.

Before 1 hour ago I could download files normally without this annoying popup and I could browse any website I wanted without this stupid thing telling me that I cannot...

I have tried disabling all of my protection and re-enabling. I have tried restarting and shutting down.

Here is a Hijack This log file:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 20:11:28, on 6.2.2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe

C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Users\Kuutti\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files (x86)\MagicDisc\MagicDisc.exe

C:\Program Files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [RunAIShell] C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-2863558729-1456226192-851000428-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')

O4 - Startup: Dropbox.lnk = Kuutti\AppData\Roaming\Dropbox\bin\Dropbox.exe

O4 - Global Startup: AsusVibeLauncher.lnk = C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe

O4 - Global Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe

O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: ASUS Com Service (asComSvc) - Unknown owner - C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe

O23 - Service: ASUS HM Com Service (asHmComSvc) - Unknown owner - C:\Program Files (x86)\ASUS\AAHM\1.00.11\aaHMSvc.exe

O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.10\AsSysCtrlService.exe

O23 - Service: Bonjour-palvelu (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Device Handle Service - ASUSTeK Computer Inc. - C:\Windows\SysWOW64\AsHookDevice.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod-palvelu (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: Splashtop® Remote Service (SplashtopRemoteService) - Splashtop Inc. - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: Splashtop Software Updater Service (SSUService) - Splashtop Inc. - C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 9865 bytes

I cannot see anything related at all to McAfee or even Firefox in that log... and I can't see anything wrong with anything there...

So why is this happening to me? Why can I find no trace of this program or little piece of software in my 'Add/Remove Programs'? Why can I find no trace of this at all anywhere?

I would consider myself a highly skilled computer user. I do freelance coding in Ruby and this is my work computer, it is extremely important that I do not have any sort of unauthorised software on my computer that I did not allow to be installed personally. No one else has access to this computer, it's just my computer. Yet I am mindful of everything that I click on, I scan everything before opening, I never make mistakes so I have no idea how on earth this could have gotten onto my computer and why even when I do an uninstall of Firefox that it is still persistent.

I will also send an email to the customer support here, because this is unacceptable regardless. The fact that there is absolutely no easy, end-user-friendly way of uninstalling this little piece of software, or addon or whatever it is, is absolutely absurd.

Lastly I have also run this file: MCPR.exe

I have run the program and let it uninstall any sort of trace of anything McAfee related, not that I have installed anything in the first place.

There is also nothing new in 'Startup items' in msconfig, as well as 'Services'.

There are also no suspicious processes running in Task Manager, and other than this problem nothing at all is out of the ordinary.

I honestly have no idea in all of my years how this has happened and why it has happened and how I cannot be able to remove this. I have never had a problem that I have not been able to find an answer to on Google. But searching Google just gives me garbage links that lead me nowhere at all.

Please someone provide assistance on removing this horrible thing from my computer.

Also I am sorry for the long post but I did not want anyone to offer simple advice when I have more or less covered all the bases to no avail. You have no idea how frustrating this is....

Message was edited by: leijonasisu on 06/02/12 12:22:21 CST
###### 1. Re: Furious after McAfee Web Gateway 7 has suddenly appeared on my computer and is blocking sites.

McAfee Web Gateway is not something that you install on your computer. No amount of uninstalling will make it go away.

It is a gateway device that your organization has decided to put on the network to prevent access to sites and scan for malware coming in according to your organization's policy.

You should contact your helpdesk for assistance.

###### 2. Re: Furious after McAfee Web Gateway 7 has suddenly appeared on my computer and is blocking sites.

That is impossible. If this was the case then I would not be able to access that website from a different browser but I still can... and my friends are not reporting the same issue on their machines either using Firefox.

###### 3. Re: Furious after McAfee Web Gateway 7 has suddenly appeared on my computer and is blocking sites.

It's totally possible. Administrators can selectively authenticate and identify specific users to have specific policies. One group of users may be able to access something while others are not.

But in your case, the fact that IE behaves differently than FF tells me that you have different LAN settings defined in each. A default install of FF uses IE settings, but they can be unlinked and individually set as well.

###### 4. Re: Furious after McAfee Web Gateway 7 has suddenly appeared on my computer and is blocking sites.

Do you have an anonymizing plugin in Firefox?  If so, the proxy it's using is probably a Web Gateway that was left exposed, then discovered and added to some public proxy list now.

###### 5. Re: Furious after McAfee Web Gateway 7 has suddenly appeared on my computer and is blocking sites.

I worked out what it was. I had accidentally swapped to using my work proxy. Naturally they have many things blocked which I have funnily enough, not even in 6 years ever come across a website I have been blocked to at work. Which is why I had never familiarised myself with this problem. I simply cleared out the custom settings in Firefox (which is the browser I use for work) and voilà! Everything works again.

I wrote up a longer reply but when I pressed post, it cleared everything instead of posting it.

Sorry for the frustration and thank you to everyone for your time and help in this matter. I had really feared the worst. At least I can put my faith back into my methods, at least in just that respect.

I am quite embarrassed that I spent such a large amount of time trying to find out what the problem was. Not only that but it explains why I could not find any trace of anything... I am going to do a little bit of digging into this tool that swapped my settings over and stop it from running every time I start Python...

Thanks again everyone and have a really good weekend.

I am glad that I had not yet bothered customer support with this message.
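
The cause identified in replies 3 and 5 (Firefox holding its own proxy settings instead of following the system ones) can be read straight from the profile's `prefs.js`. The following is an added example, not part of the original thread: the sample prefs text, host and port are constructed, while the `network.proxy.*` names are Firefox's own preference keys.

```python
import re

# Matches lines such as: user_pref("network.proxy.type", 1);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Meaning of network.proxy.type values in Firefox
PROXY_MODES = {0: "direct (no proxy)", 1: "manual proxy", 2: "PAC URL",
               4: "auto-detect (WPAD)", 5: "use system proxy settings"}

# Constructed sample of a profile's prefs.js (host and port are made up)
SAMPLE_PREFS = '''
user_pref("browser.startup.page", 3);
user_pref("network.proxy.http", "proxy.example.invalid");
user_pref("network.proxy.http_port", 9090);
user_pref("network.proxy.type", 1);
'''

def parse_prefs(text):
    """Parse user_pref() lines into a dict of str/int/bool values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def firefox_proxy(prefs):
    """Return (mode, endpoint); endpoint is None unless the profile names one."""
    ptype = prefs.get("network.proxy.type")
    if ptype is None:
        return ("not overridden in this profile", None)
    mode = PROXY_MODES.get(ptype, "unknown type %r" % ptype)
    if ptype == 1 and prefs.get("network.proxy.http"):
        return (mode, "%s:%s" % (prefs["network.proxy.http"],
                                 prefs.get("network.proxy.http_port", "?")))
    if ptype == 2:
        return (mode, prefs.get("network.proxy.autoconfig_url"))
    return (mode, None)

def uses_own_proxy(prefs):
    """True when Firefox routes via its own manual/PAC setting, not the system one."""
    return prefs.get("network.proxy.type") in (1, 2)

if __name__ == "__main__":
    print(firefox_proxy(parse_prefs(SAMPLE_PREFS)))
```

A manual or PAC result here, alongside other browsers that connect directly, matches the symptom in the thread: only Firefox traffic reaches the gateway, and nothing is installed locally for a scanner to find.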

###### 6. Re: Furious after McAfee Web Gateway 7 has suddenly appeared on my computer and is blocking sites.

Is this a computer of yours or something your company issued?

Edit: never mind, people have already replied...

~Jon

Message was edited by: jscholte on 2/6/12 1:08:22 PM CST