strange block action against attempted trusted site addition

  • Thread starter Thread starter John
  • Start date Start date
J

John

Today, on two client PCs running XP Home SP2, MS
Antispyware prompted with an "allow"-or-"block" dialog.

It stated that something (didn't state what) was attempting
to add the following to the trusted site list in Internet
Options.

"//@mail.mar@"

This client uses MSN software and this MS Antispyware
prompt appeared right after I installed MS Antispyware,
rebooted, then started the MSN software.

On one PC I hit allow and the other I hit block.

It appears this "//@mail.mar@" is part of something MSN
needs, but I'm unsure since next to nothing showed up in a
clusty.com and google search for this. (Except a
Mar29,2005 posting by someone else about this exact same MS
Antispware prompt.

Questions:
1. What is //@mail.mar@ ?
2. What is trying to add it to Trusted Sites?
3. Why is something trying to add it to Trusted Sites?
4. If MSN is the culprit, does it need to add this for MSN
to work?
5. How can a "remember this action" "Block" action in MS
Antispyware be undone, so that the prompt reappears?

Thank you,
John
 
Seems unlikely that mail.mar needs to be in the Trusted
Zone. The address is not a valid URL but you could have a
DNS hijacker that knows the fake domain or an entry in
your hosts file that mapped it to a real address.

Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe

Save it to C:\hjt (new folder) then Open it and select
Scan and Save Log. Note where you saved the log then
send it to me as an attachment. Maybe I can see what is
going on from that.

Ron Kinner
MVP 2004
(e-mail address removed)
 
You can ignore it, its safe:

This relates to Microsoft Money, but the same applies to the MSN Client
also:
You may spot this in the Internet Explorer Local Intranet Zone (under
control panel->Security->Local Intranet->Sites->Advanced).

If you browse to that location, you'll find it starts Money. A couple of
examples of it's use are:

money://@surf.mar@/investing.htm

money://@surf.mar@/ols_accttype.htm?{7F136766-E2F1-43D7-9405-9529D9799376}

Because Money is built on IE, these appear to be mechanisms within the
program to launch pages from within itself, and it's not because something
external has infiltrated your machine.

You can delete the entry, but I have found that if you do so, it can
reappear when running Money again.

A similar item "//@signup.mar@" can also be displayed when running Money
(this has been witnessed in anti-spyware tools). This also seems to be part
of Money, but related more to login type procedures.

Thanks to Tony Linguini & Money FAQs
 
Back
Top