Can't access HTTP, Can access HTTPS--What's wrong here?

0 Votes
Locked

planetearth
Hello, all! I sure hope someone can help with this.

One of my client's PCs started having a problem last week. Long story short, the user can't access HTTP sites using IE 7 or Chrome after the PC has been on for 5 minutes, but she CAN access HTTPS sites as well as use FTP, e-mail and other Internet-related apps. If she reboots, she can access HTTP sites again, but only for a few minutes. Then she gets the "Page cannot be displayed" error.

I connect to the PC via TeamViewer, LogMeIn and/or GoToMeeting, which work fine. The client has no XP installation CD or backup, so I'm limited as to what I can try. I also can't run the Windows System File Checker because she has no disc.

There is no proxy server showing in IE 7 on her Windows XP SP3 PC. I suspect it's a proxy server issue, but even if I force IE to use a proxy server, she can't access HTTP sites. Nothing is selected/ticked/checked in IE for proxy server use or "automatically detect settings", and enabling any of that stuff doesn't help. I'm assuming there could be a file or Registry corruption, though I can't confirm it since I can't run SFC.

This was probably caused by virus/Trojan infections (Trojan.Tracur, specifically), but I've removed all traces of the virus with AVG Internet Security and Malwarebytes.

I've done everything I could try, including:
-Reset IE 7/Disable add-ons
-Windows XP Network Diagnostics returned Error 12029
-Reset TCP/IP stack
-Reset Winsock
-Remove/re-install Intel NIC in Device Manager; Update NIC driver
-Reset Windows Firewall

I've reset everything I can except for the core Windows system files because she doesn't have her XP disc or a backup. There are no System Restore points before the virus infection date (even though System Restore is enabled), so I can't revert to that.

She's going to try "Safe Mode with Networking" to see if she can access HTTP sites for longer than 5 minutes; I'll let you know how that goes.

Does anyone have any idea what else I can do here?

Thanks in advance!

Steve

UPDATE: The PC works just fine in Safe Mode. The user has no problems accessing HTTP sites for as long as she wants to in Safe Mode. I found no entries in the Registry as to what might be running on startup. CHKDSK found some 1408 index-related disk errors and fixed them, but nothing serious. Fixing those errors didn't help.
  • +
    0 Votes
    OH Smeg

    Involved having your own Install media.

    XP has 3 distinct Install Discs: the OEM Home, Pro and the Volume License Discs. Of course there is a 64 Bit Disc as well but it's not common to require one of those. In fact I have yet to use one.

    I would just grab one of my Discs and run SFC with that as many off the shelf computers come with a Recovery partition and no Recovery Media. They just return the system to As New Condition and destroy all installed programs and data that has been added since the system was first started.

    Col

    +
    0 Votes
    planetearth

    Col,
    I'm not sure if you were taking a shot or you just misunderstood, but if you'd read my post, I'd said I was connecting to the user via TeamViewer and other remote-access apps. I am 1300 miles from the user, and while I have my own XP discs, that doesn't help her much. She's in an isolated area and at the mercy of unscrupulous PC repair people who rebuilt her PC last year and didn't give her back her XP disc.

    +
    0 Votes
    OH Smeg

    No, I didn't see that you were so remote from the computer.

    But with the update of it working in Safe Mode with Networking you are going to have to look at what is installed as there is something killing the process. Or as suggested below an ISO that your customer can download and work with that.

    Col

    +
    0 Votes
    mperata

    Since she is 1,300 miles away and isolated:

    1. You mentioned she has FTP: do you have an ISO image of the XP install disc she could DL and create an XP install disc from?
    2. If that is not possible, why not create a backup copy of your XP disc and FedEx, USPS, UPS it to her? For $25 or so she could have it overnight.

    +
    0 Votes
    planetearth

    She can get a copy of XP by the end of the week (she's in the Adirondack mountains, and they're virtually snowed in in a remote location).

    I'm just not sure there are any missing system files since SFC couldn't run the first time, and I was wondering if anyone had any other ideas.

    Most of the information I've found on "Error: 12029" relates to proxy servers and/or removing the check from "automatically detect settings"; I don't remember seeing SFC as a possible solution for this specific issue. I'm willing to try it, but it will be the end of the week before she gets a disc, so if there's anything else to try in the meantime, I'd certainly like to hear it!

    Thanks again....

    Steve

    +
    0 Votes
    OH Smeg

    There is something running in Normal Mode that is killing the Process.

    As it was infected you could start with the AV program which may have been corrupted and also check the Firewall as another possibility. Though if it's one of those and it's the result of the infection you may be stuck with a reinstall which isn't going to be easy with it being so remote.

    Also check any games on the system it's possible that one of those has some Idiot Network Playing Setting that has caused this or maybe some Commercial Accounting Program.

    Col

    +
    0 Votes
    planetearth

    Thanks, Col.
    She was using Microsoft Security Essentials when she was infected. (MSE just watched the infection to make sure it all went smoothly, I guess.) She used Malwarebytes to remove the infections before calling me. I put AVG Internet Security on to remove what little was left.

    I've reset the Windows Firewall (the only one in use), and there are no other games or unnecessary apps on the machine.

    I'm afraid it'll turn out to be a re-install, too.

    +
    0 Votes
    jamblaster

    Way back when I first learned to troubleshoot Windows we learned the 'Half off' technique where you turn off 1/2 the startup process and programs (including any non-vital OS stuff) and troubleshoot the exact problem down that way using--> Msconfig.exe

    You can launch this from Run or CMD and it has and does still work for me.

    +
    0 Votes
    TDinSD41

    The Trojan infection is not entirely gone. Symantec has some good technical removal procedures for specific malware. Following this will ensure it's gone and fix the network redirects that are causing the connectivity problem on http. It's also useful to use a tool like Autoruns from Sysinternals/Microsoft to verify the malware's startup points. See the DLL tab.

    Symantec's writeup on the Trojan.Tracur:
    http://www.symantec.com/security_response/writeup.jsp?docid=2011-071504-5259-99&tabid=2

    Terry

    +
    0 Votes
    planetearth

    Thanks, Terry, I'll review this again to see if I missed something. It's just odd that the redirects don't happen for the first five minutes after a reboot, though.

    +
    0 Votes

    It may be a corrupted Internet Explorer file...might as well upgrade to IE 8 if
    her system has the resources for it...at least 512 meg RAM, plenty of HD space...
    You can also run the Microsoft Malware Removal tool from the "Run" command:
    Start, Run then type MRT and press Enter. Let it run and clean anything found.

    +
    0 Votes
    hartiq

    That is the first thing I thought of. The next thing I thought of was downloading Chrome, Opera and Firefox browsers and seeing if they work.
    The third thing I thought of was finding a WinXPSP3 box with IE7 that does work, telephoning the client from that location and comparing her settings with those of a known working box.
    DOS prompt and ipconfig might tell you something. If it comes up with strange numbers you might still have a virusy thing going.
    I'm actually surprised the OP hasn't tried using a different browser (not even a new copy of IE7 or even an old copy of IE*6*.) If nothing else, that would eliminate the *browser* as the source of the issue.
    It might be worthwhile running through services.msc and msconfig to see if something in there looks odd. Taskmanager might also help.
    I'd assume a professional has already done most or all of the above, but I'm mentioning them just in case the OP has forgotten something dead simple and is searching for zebras not horses.
    Add/Remove Programs is also a fun place to go. If the client has the patience to play with this she can slowly remove stuff - starting with anything new or odd-looking - while testing IE to see if anything fixes the issue. Personally, as I said above, I'd start with the browser. Removing IE7 and doing a clean-ish install might work.
    Sorry if I sound patronising. That was not my intention. Sometimes we pros get so hung up looking for zebras and unicorns that we forget the herds of horses that cause most problems.
    Hope some of this helps,
    H.

    +
    0 Votes
    planetearth

    Thanks. I'd considered that, but since this affects IE 7 and Google Chrome, it didn't seem to be browser-specific, so I didn't think moving to IE 8 would help. I'll look again at upgrading while Microsoft's Malware Removal tool is running, though.

    We had to re-install Google Chrome last night because some core files were deleted or corrupted (according to Chrome). When we re-installed, it still couldn't access HTTP sites after 5 minutes. Don't know what screwed up Chrome, but CHKDSK scans have been clean.

    Hartiq, there are no unnecessary apps, only 3 entries running on startup and no questionable services running. No offense taken by your suggestions, and I appreciate the horse/zebra analogy.

    I've been removing malware and viruses for years, and while I'm pretty sure I know how to hunt them down and remove them, I certainly appreciate everyone's input here! I think this one just screwed up Windows.

    +
    0 Votes
    jamblaster

    Has the user tried using Firefox? Just my opinion, but I wouldn't put Internet Explorer on my worst enemy's computer (LOL). IE most probably isn't the problem, but changing browsers might be the solution.

    +
    0 Votes
    harishdixit

    If the problem is not already installed check her machine for Trend Micro antivirus. I faced this problem once on a machine. Stop the Trend Micro firewall and things should be fine.

    Cheers !
    Harish.

    +
    0 Votes
    planetearth

    I've seen Trend Micro do that, too! Had to re-install it for a client after it did more damage to her machine than the malware infection. However, it isn't and has never been on this machine. Microsoft Security Essentials was "on duty"/asleep when this happened.

    +
    0 Votes
    peary

    Have you checked the hosts file to see if that has some entries in it redirecting the browser?

    +
    0 Votes
    planetearth

    I checked the HOSTS file, and found nothing. I even had Spybot check the system and review the HOSTS file. No problems there. I should have mentioned that in the beginning, too.

    +
    2 Votes
    slam5

    I honestly don't think a run that anti-virus software or rootkit killer will help her. It is far more realistic for you to wipe the drive and start from scratch. It will take 2-3 hours to re-install the system from ground up. How many hours had been used already? Even if you can get her to browse http again, how do you know every trace is gone?

    +
    0 Votes
    planetearth

    She has no backup of her data and no XP installation CD, thanks to an unscrupulous PC build/repair shop. She's getting an XP disc, but even with that, remotely walking a user through wiping and re-installing Windows is not an easy task, and likely to take many more hours. That's why I was hoping my fellow Tech Republic members would help me think of something that might work in this rather unusual situation. I've gotten some good ideas so far, and I'll be trying them today.

    +
    1 Votes
    Too-Tired Techie

    I've seen this utility from Bleeping Computer clean up a system that nothing else would clean. Be sure to only download it from www.bleepingcomputer.com and run it under safe mode. And you have to disable any running AV software...

    The five minute thing sure sounds like a trojan/virus phoning home etc.

    http://www.bleepingcomputer.com/download/anti-virus/combofix

    +
    0 Votes
    planetearth

    That was the first thing I used, actually. ComboFix said it fixed everything it found, and it found a few infections.

    +
    0 Votes
    TomRobinson

    1. Does HTTP start working again after logging off and on again, without rebooting?
    2. Does HTTP work when logged on as Guest?
    3. Try "telnet google.com 80" and see if the connection fails.
    4. If connection works, enter "GET /" in uppercase. You should get some kind of response.
    5. Install Fiddler, then try the browsers again. Fiddler acts as a proxy, and if it cannot connect to the server, the browser should display a useful error message. Fiddler is a great tool for HTTP debugging.

    +
    0 Votes
    planetearth

    HTTP won't start working again without a reboot.
    I haven't tried as Guest, but I will.
    Telnet didn't work once HTTP stopped working.
    Fiddler gives me a LOT of information, but just installing it didn't help. It's showing me what's happening when IE or Chrome can't access a Website, but not specifically why. I used it to "Clear WinINET" cache and cookies.
    Fiddler also shows me Chrome is trying to connect to some randomly named hosts when it starts. I renamed/recreated the HOSTS file, rebooted, and Chrome still wants to connect to randomly named hosts that Fiddler can't resolve using DNS searches.
    Unfortunately, since I've never used Fiddler before, I don't know if this is legitimate. It appears not, but I'm not sure.
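
The port 80 test from TomRobinson's steps 3 and 4, and the telnet result reported in the reply above, as an added example that is not part of the original thread: a Python script that opens raw sockets to ports 80 and 443, sends a bare GET on port 80, and records how long after it starts the port 80 connection first fails while 443 still connects. The function names, verdict labels and polling interval are assumptions made for this example.

```python
import socket
import sys
import time

BLOCKED = "port-80-blocked-https-ok"   # the symptom described in this thread


def probe_tcp(host, port, timeout=5.0, send_get=False):
    """Open a TCP connection; optionally send a bare GET like the telnet test.

    Returns {'port', 'connected', 'reply', 'error'}; 'reply' is the first
    line the server sent back, or None if nothing was read.
    """
    result = {"port": port, "connected": False, "reply": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["connected"] = True
            if send_get:
                request = "GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host
                s.sendall(request.encode("ascii"))
                first_line = s.recv(256).split(b"\r\n", 1)[0]
                result["reply"] = first_line.decode("latin-1")
    except OSError as exc:              # refused, timed out, reset, no route
        result["error"] = type(exc).__name__
    return result


def classify(http, https):
    """Turn the two probe results into one verdict string."""
    if http["connected"] and (http["reply"] or "").startswith("HTTP/"):
        return "http-ok"
    if http["connected"]:
        return "http-connects-bad-reply"
    if https["connected"]:
        return BLOCKED
    return "no-connectivity"


def watch(host, http_port=80, https_port=443, interval=15.0, rounds=40,
          timeout=5.0):
    """Probe repeatedly and note when port 80 first fails while 443 works.

    Returns (log, first_block): log is a list of (seconds_elapsed, verdict),
    first_block is the elapsed time of the first BLOCKED verdict or None.
    """
    start = time.monotonic()
    log, first_block = [], None
    for i in range(rounds):
        verdict = classify(
            probe_tcp(host, http_port, timeout, send_get=True),
            probe_tcp(host, https_port, timeout),
        )
        elapsed = round(time.monotonic() - start, 1)
        log.append((elapsed, verdict))
        if verdict == BLOCKED and first_block is None:
            first_block = elapsed
        if i < rounds - 1:
            time.sleep(interval)
    return log, first_block


if __name__ == "__main__":
    # Usage: python probe.py <hostname>   (start it right after a reboot)
    history, blocked_at = watch(sys.argv[1])
    for seconds, verdict in history:
        print("%7.1fs  %s" % (seconds, verdict))
    print("port 80 first blocked at:", blocked_at)
```

When the raw socket to port 80 fails while 443 connects, no browser or browser proxy setting is involved in the failure, which matches the telnet result reported above.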
