Hello, all! I sure hope someone can help with this.
One of my client's PCs started having a problem last week. Long story short, the user can't access HTTP sites using IE 7 or Chrome after the PC has been on for 5 minutes, but she CAN access HTTPS sites as well as use FTP, e-mail and other Internet-related apps. If she reboots, she can access HTTP sites again, but only for a few minutes. Then she gets the "Page cannot be displayed" error.
I connect to the PC via TeamViewer, LogMeIn and/or GoToMeeting, which work fine. The client has no XP installation CD or backup, so I'm limited as to what I can try. I also can't run the Windows System File Checker because she has no disc.
There is no proxy server showing in IE 7 on her Windows XP SP3 PC. I suspect it's a proxy server issue, but even if I force IE to use a proxy server, she can't access HTTP sites. Nothing is selected/ticked/checked in IE for proxy server use or "automatically detect settings", and enabling any of that stuff doesn't help. I'm assuming there could be a file or Registry corruption, though I can't confirm it since I can't run SFC.
This was probably caused by virus/Trojan infections (Trojan.Tracur, specifically), but I've removed all traces of the virus with AVG Internet Security and Malwarebytes.
I've done everything I could try, including:
-Reset IE 7/Disable add-ons
-Windows XP Network Diagnostics returned Error 12029
-Reset TCP/IP stack
-Reset Winsock
-Remove/re-install Intel NIC in Device Manager; Update NIC driver
-Reset Windows Firewall
I've reset everything I can except for the core Windows system files because she doesn't have her XP disc or a backup. There are no System Restore points before the virus infection date (even though System Restore is enabled), so I can't revert to that.
She's going to try "Safe Mode with Networking" to see if she can access HTTP sites for longer than 5 minutes; I'll let you know how that goes.
Does anyone have any idea what else I can do here?
Thanks in advance!
Steve
UPDATE: The PC works just fine in Safe Mode. The user has no problems accessing HTTP sites for as long as she wants to in Safe Mode. I found no entries in the Registry as to what might be running on startup. CHKDSK found some 1408 index-related disk errors and fixed them, but nothing serious. Fixing those errors didn't help.
Question
0
Votes
Can't access HTTP, Can access HTTPS--What's wrong here?
Updated - 16th Jan 2012
Answers (19)
0
Votes
Silly me here I thought being a Tech involved having your own Install media.
XP has 3 distinct Install Discs: the OEM Home, Pro and the Volume License Discs. Of course there is a 64 Bit Disc as well but it's not common to require one of those. In fact I have yet to use one.
I would just grab one of my Discs and run SFC with that as many off the shelf computers come with a Recovery partition and no Recovery Media. They just return the system to As New Condition and destroy all installed programs and data that has been added since the system was first started.
Col
16th Jan 2012
Replies
Col,
I'm not sure if you were taking a shot or you just misunderstood, but if you'd read my post, I'd said I was connecting to the user via TeamViewer and other remote-access apps. I am 1300 miles from the user, and while I have my own XP discs, that doesn't help her much. She's in an isolated area and at the mercy of unscrupulous PC repair people who rebuilt her PC last year and didn't give her back her XP disc.
planetearth@...
16th Jan 2012
No I didn't see that you were so remote from the computer.
But with the update of it working in Safe Mode with Networking you are going to have to look at what is installed as there is something killing the process. Or as suggested below an ISO that your customer can download and work with that.
Col
OH Smeg
16th Jan 2012
0
Votes
Old Fashioned solution
Since she is 1,300 miles away and isolated:
1. You mentioned she has FTP: do you have an ISO image of the XP install disc she could DL and create an XP install disc from.
2. If that is not possible, why not create a backup copy of your XP disc and FedEx, USPS, UPS it to her. For $25 or so she could have it overnight.
16th Jan 2012
Replies
She can get a copy of XP by the end of the week (she's in the Adirondack mountains, and they're virtually snowed in in a remote location).
I'm just not sure there are any missing system files since SFC couldn't run the first time, and I was wondering if anyone had any other ideas.
Most of the information I've found on "Error: 12029" relates to proxy servers and/or removing the check from "automatically detect settings"; I don't remember seeing SFC as a possible solution for this specific issue. I'm willing to try it, but it will be the end of the week before she gets a disc, so if there's anything else to try in the meantime, I'd certainly like to hear it!
Thanks again....
Steve
planetearth@...
16th Jan 2012
0
Votes
Look at the installed Software
There is something running in Normal Mode that is killing the Process.
As it was infected you could start with the AV program which may have been corrupted and also check the Firewall as another possibility. Though if it's one of those and it's the result of the infection you may be stuck with a reinstall which isn't going to be easy with it being so remote.
Also check any games on the system it's possible that one of those has some Idiot Network Playing Setting that has caused this or maybe some Commercial Accounting Program.
Col
16th Jan 2012
Replies
Thanks, Col.
She was using Microsoft Security Essentials when she was infected. (MSE just watched the infection to make sure it all went smoothly, I guess.) She used Malwarebytes to remove the infections before calling me. I put AVG Internet Security on to remove what little was left.
I've reset the Windows Firewall (the only one in use), and there are no other games or unnecessary apps on the machine.
I'm afraid it'll turn out to be a re-install, too.
planetearth@...
17th Jan 2012
Way back when I first learned to troubleshoot Windows we learned the 'Half off' technique where you turn off 1/2 the startup process and programs (including any non-vital OS stuff) and troubleshoot the exact problem down that way using--> Msconfig.exe
You can launch this from Run or CMD and it has and does still work for me.
jamblaster
19th Jan 2012
0
Votes
Follow Manual Removal Procedure for Trojan
The Trojan infection is not entirely gone. Symantec has some good technical removal procedures for specific malware. Following this will ensure it's gone and fix the network redirects that are causing the connectivity problem on HTTP. It's also useful to use a tool like Autoruns from Sysinternals/Microsoft to verify the malware's startup points. See the DLL tab.
Symantec's writeup on the Trojan.Tracur;
http://www.symantec.com/security_response/writeup.jsp?docid=2011-071504-5259-99&tabid=2
Terry
16th Jan 2012
Replies
Thanks, Terry, I'll review this again to see if I missed something. It's just odd that the redirects don't happen for the first five minutes after a reboot, though.
planetearth@...
17th Jan 2012
0
Votes
You might try reinstalling Internet Explorer...
it may be a corrupted Internet Explorer file...might as well upgrade to IE 8 if
her system has the resources for it...at least 512 meg RAM, plenty of HD space...
you can also run the Microsoft Malware Removal tool from the "Run" command,
Start, Run then type MRT and press Enter. Let it run and clean anything found.
16th Jan 2012
Replies
That is the first thing I thought of. The next thing I thought of was downloading Chrome, Opera and Firefox browsers and seeing if they work.
The third thing I thought of was finding a WinXPSP3 box with IE7 that does work, telephoning the client from that location and comparing her settings with those of a known working box.
DOS prompt and ipconfig might tell you something. If it comes up with strange numbers you might still have a virusy thing going.
I'm actually surprised the OP hasn't tried using a different browser (not even a new copy of IE7 or even an old copy of IE*6*.) If nothing else, that would eliminate the *browser* as the source of the issue.
It might be worthwhile running through services.msc and msconfig to see if something in there looks odd. Taskmanager might also help.
I'd assume a professional has already done most or all of the above, but I'm mentioning them just in case the OP has forgotten something dead simple and is searching for zebras not horses.
Add/Remove Programs is also a fun place to go. If the client has the patience to play with this she can slowly remove stuff - starting with anything new or odd-looking - while testing IE to see if anything fixes the issue. Personally, as I said above, I'd start with the browser. Removing IE7 and doing a clean-ish install might work.
Sorry if I sound patronising. That was not my intention. Sometimes we pros get so hung up looking for zebras and unicorns that we forget the herds of horses that cause most problems.
Hope some of this helps,
H.
hartiq
17th Jan 2012
Thanks. I'd considered that, but since this affects IE 7 and Google Chrome, it didn't seem to be browser-specific, so I didn't think moving to IE 8 would help. I'll look again at upgrading while Microsoft's Malware Removal tool is running, though.
We had to re-install Google Chrome last night because some core files were deleted or corrupted (according to Chrome). When we re-installed, it still couldn't access HTTP sites after 5 minutes. Don't know what screwed up Chrome, but CHKDSK scans have been clean.
Hartiq, there are no unnecessary apps, only 3 entries running on startup and no questionable services running. No offense taken by your suggestions, and I appreciate the horse/zebra analogy.
I've been removing malware and viruses for years, and while I'm pretty sure I know how to hunt them down and remove them, I certainly appreciate everyone's input here! I think this one just screwed up Windows.
planetearth@...
17th Jan 2012
Has the user tried using Firefox? Just my opinion, but I wouldn't put Internet Explorer on my worst enemy's computer (LOL). IE most probably isn't the problem, but changing browsers might be the solution.
jamblaster
19th Jan 2012
0
Votes
Trend Micro
If the problem is not already installed check her machine for Trend Micro antivirus. I faced this problem once on a machine. Stop the Trend Micro firewall and things should be fine.
Cheers !
Harish.
17th Jan 2012
Replies
I've seen Trend Micro do that, too! Had to re-install it for a client after it did more damage to her machine than the malware infection. However, it isn't and has never been on this machine. Microsoft Security Essentials was "on duty"/asleep when this happened.
planetearth@...
17th Jan 2012
0
Votes
Can't access HTTP
Have you checked the hosts file to see if that has some entries in it redirecting the browser?
17th Jan 2012
Replies
I checked the HOSTS file, and found nothing. I even had Spybot check the system and review the HOSTS file. No problems there. I should have mentioned that in the beginning, too.
planetearth@...
18th Jan 2012
2
Votes
Good golly
I honestly don't think a run that anti-virus software or rootkit killer will help her. It is far more realistic for you to wipe the drive and start from scratch. It will take 2-3 hours to re-install the system from ground up. How many hours had been used already? Even if you can get her to browse http again, how do you know every trace is gone?
17th Jan 2012
Replies
She has no backup of her data and no XP installation CD, thanks to an unscrupulous PC build/repair shop. She's getting an XP disc, but even with that, remotely walking a user through wiping and re-installing Windows is not an easy task, and likely to take many more hours. That's why I was hoping my fellow Tech Republic members would help me think of something that might work in this rather unusual situation. I've gotten some good ideas so far, and I'll be trying them today.
planetearth@...
18th Jan 2012
1
Vote
Try Combofix?
I've seen this utility from Bleeping Computer clean up a system that nothing else would clean. Be sure to only download it from www.bleepingcomputer.com and run it under safe mode. And you have to disable any running AV software...
The five minute thing sure sounds like a trojan/virus phoning home etc.
http://www.bleepingcomputer.com/download/anti-virus/combofix
Updated - 18th Jan 2012
Replies
That was the first thing I used, actually. ComboFix said it fixed everything it found, and it found a few infections.
planetearth@...
19th Jan 2012
0
Votes
Several things to try
1. Does HTTP start working again after logging off and on again, without rebooting?
2. Does HTTP work when logged on as Guest?
3. Try "telnet google.com 80" and see if the connection fails.
4. If connection works, enter "GET /" in uppercase. You should get some kind of response.
5. Install Fiddler, then try the browsers again. Fiddler acts as a proxy, and if it cannot connect to the server, the browser should display a useful error message. Fiddler is a great tool for HTTP debugging.
18th Jan 2012
Replies
HTTP won't start working again without a reboot.
I haven't tried as Guest, but I will.
Telnet didn't work once HTTP stopped working.
Fiddler gave me a LOT of information, but just installing it didn't help. It's showing me what's happening when IE or Chrome can't access a Website, but not specifically why. I used it to "Clear WinINET" cache and cookies.
Fiddler also shows me Chrome is trying to connect to some randomly named hosts when it starts. I renamed/recreated the HOSTS file, rebooted, and Chrome still wants to connect to randomly named hosts that Fiddler can't resolve using DNS searches.
Unfortunately, since I've never used Fiddler before, I don't know if this is legitimate. It appears not, but I'm not sure.
planetearth@...
19th Jan 2012
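The telnet test from the answer above, as an added example that is not part of the original thread: a raw-socket probe of ports 80 and 443 that bypasses the browsers and any WinINET proxy setting, so the result shows whether the block sits in the browser layer or below it. It assumes a Python 3 interpreter is available on the PC; the function names and verdict labels are illustrative.

```python
import socket

def probe(host, port, send_get=False, timeout=5.0):
    """Open a raw TCP connection that ignores browser and proxy settings.

    Returns 'dns-failed', 'refused', 'reset', 'timeout', 'error',
    'connected', 'connected-no-reply' or 'http-reply'.
    """
    try:
        info = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failed"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(info[0][4])
        if not send_get:
            return "connected"
        # The request typed into telnet in step 4, with the Host header
        # most servers expect.
        request = "GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host
        sock.sendall(request.encode("ascii"))
        reply = sock.recv(64)
        return "http-reply" if reply.startswith(b"HTTP/") else "connected-no-reply"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "reset"
    except OSError:
        return "error"
    finally:
        sock.close()

def diagnose(http_result, https_result):
    """Map the two probe results onto the layer where the fault likely sits."""
    if "dns-failed" in (http_result, https_result):
        return "dns"
    http_ok = http_result == "http-reply"
    https_ok = https_result == "connected"
    if http_ok and https_ok:
        return "browser-or-proxy"
    if https_ok and not http_ok:
        return "below-browser"
    return "general"

# What each verdict suggests checking next (labels are this example's own).
ADVICE = {
    "dns": "name resolution fails; check DNS servers and the HOSTS file",
    "browser-or-proxy": "raw sockets work; check proxy settings and add-ons",
    "below-browser": "port 80 is filtered under the browsers; check Winsock "
                     "providers, drivers, services and firewall rules",
    "general": "both ports fail; check basic connectivity first",
}

if __name__ == "__main__":
    host = "google.com"  # the host used in the answer's telnet test
    http = probe(host, 80, send_get=True)
    https = probe(host, 443)
    verdict = diagnose(http, https)
    print("port 80:", http, "| port 443:", https)
    print(verdict + ":", ADVICE[verdict])
```

Run it once right after a reboot and again once the browsers start failing; a change from `browser-or-proxy` to `below-browser` matches the telnet failure reported in the reply.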
0
Votes
winsock fix xp
Have you tried winsock fix xp? You can download it here: http://majorgeeks.com/WinSock_XP_Fix_d4372.html
It can fix winsock problems that occur after removing malware
18th Jan 2012
Replies
Tried that three times. No help unfortunately, but thanks!
planetearth@...
19th Jan 2012
1
Vote
Try creating a new user profile
I have often seen user profiles that are left corrupted after a virus attack. In a situation without backups/install media, I have used this to success after removing infections.
HTH
18th Jan 2012
Replies
I second this. It's worked for me many times in the past.
I had a similar situation a few years back and this is how I got around it.
I still recommended reloading the PC but the customer didn't want to. To this day, he is still running on that same load.
I hope this helps you.
guillermogarciajr@...
19th Jan 2012
0
Votes
How do you bill for this
I've gone through this several times with clients and in the end I just cap the amount to charge and put the hours in just for the challenge to figure it out and fix it.
But check for Rapport software having been installed and removed. It has been the culprit on several occasions. Also I agree with all the excellent suggestions above, it about covers the base of everything I could think of and so much more. A great thread!
19th Jan 2012
Replies
I usually cap the bill, too. Unfortunately, I've never had to spend this much time on something like this!
Thanks for the suggestion on "Rapport". I'll look into it.
planetearth@...
19th Jan 2012
0
Votes
Try looking at the status bar
If you can use a browser like firefox and enable the status bar at the bottom, it will give you a readout of what is being transferred to and from the browser.
so for example, you enter a url like www.msn.com but see in the status bar other websites that are not www.msn.com, then it implies your browser has been hijacked.
although a freeware called hijackthis is helpful, it is not always proficient in eliminating the rogue hijack. meaning that there are cookies and temp files linked to the hijack that are also interfering with the browser.
19th Jan 2012
Replies
When HTTP fails, you can see Chrome trying to access the proxy server. It doesn't mention which one, and a search through the Registry didn't find any. But each time Chrome starts, Fiddler shows it trying to connect to randomly named hosts. These may be connected, but I can't seem to force Windows to use a "clean" proxy server.
planetearth@...
19th Jan 2012
Also, HijackThis didn't find anything out of the ordinary. ComboFix said it fixed everything it found (and it found a few infections).
planetearth@...
19th Jan 2012
@planetearth - since you mentioned "hosts", then you might want to either run spybot "or" rename the "hosts" file (temporarily that is) and see if it helps. also, since you mentioned time in your initial post, try looking at the modem properties and ensure that it is not powering down automatically by the system.
databaseben
20th Jan 2012
0
Votes
sounds like a blocked port to me
sounds more like a service is starting that blocks port 80 if you can use all the other services. I've seen this happen with the proxy setting on IE but you said you checked that. I would double check any firewall software she has installed.
19th Jan 2012
Replies
The only firewall is Windows Firewall. I've even reset it (per Microsoft's instructions). There's nothing in there that shouldn't be there.
planetearth@...
19th Jan 2012
0
Votes
backup and avg rescue media
re: no backup.
you can upload the data to ms skydrive, dropbox and other online backup solutions.
you can try the boot versions of some programs to scan the system "offline" so to speak: Use avg boot cd/usb (free), malware bytes (paid), windows defender (also free) to have the os checked before it really boots into windows.
other than that, do the backup, and have the media shipped (or better a more up-to-date windows version if the hardware supports it) and (re)install.
success,
19th Jan 2012
0
Votes
No answer, but ...
I find it interesting. Just this past week I was looking at an old PCWorld article telling you to use HTTPS always. I didn't remember the details, so I looked online to see if there was a setting in IE & Chrome. I don't think it answers your question, though maybe you should look at it in case I missed something in my brief perusal. While searching for it, I found a lot of places encouraging you to use HTTPS always, and I've included 2 sample links to those articles.
http://www.pcworld.com/article/226791/how_to_use_an_httpsencrypted_connection_when_browsing.html
http://www.ghacks.net/2010/10/31/how-to-force-https-connections/
https://www.eff.org/https-everywhere
19th Jan 2012
0
Votes
.EXE execution vector
I just cleaned a virus off a client's mother-in-law's computer. Once the virus was removed, no EXE files would run. The virus had inserted itself as the handler for .EXE in the registry, and once it was deleted the system would not run .EXE files any more.
I know that's not your symptom, but maybe it would be worth an in-depth check of the registry to see if any of the TCP, UDP or IP handlers are being re-directed. Like your problem, my client's system ran fine in safe mode.
The fix was easy; just merge a .REG file to patch the registry back the way it should be. It was a readily-available download, free.
20th Jan 2012
0
Votes
its really easy to solve this issue within 5 minutes
First you will check your internet option -> Connection tab -> Lan Setting; make sure the proxy check box is unchecked. If it is unchecked, it means you have some big problem, and I have written the full solution to this problem in this article, check this out
http://thinkbeyondwindow.com/2013/02/cant-access-http-websites-access-https-websites-solve-it/
21st Mar

































