Can't access HTTP, Can access HTTPS--What's wrong here?

planetearth
Hello, all! I sure hope someone can help with this.

One of my client's PCs started having a problem last week. Long story short, the user can't access HTTP sites using IE 7 or Chrome after the PC has been on for 5 minutes, but she CAN access HTTPS sites as well as use FTP, e-mail and other Internet-related apps. If she reboots, she can access HTTP sites again, but only for a few minutes. Then she gets the "Page cannot be displayed" error.

I connect to the PC via TeamViewer, LogMeIn and/or GoToMeeting, which work fine. The client has no XP installation CD or backup, so I'm limited as to what I can try. I also can't run the Windows System File Checker because she has no disc.

There is no proxy server showing in IE 7 on her Windows XP SP3 PC. I suspect it's a proxy server issue, but even if I force IE to use a proxy server, she can't access HTTP sites. Nothing is selected/ticked/checked in IE for proxy server use or "automatically detect settings", and enabling any of that stuff doesn't help. I'm assuming there could be a file or Registry corruption, though I can't confirm it since I can't run SFC.

This was probably caused by virus/Trojan infections (Trojan.Tracur, specifically), but I've removed all traces of the virus with AVG Internet Security and Malwarebytes.

I've done everything I could try, including:
-Reset IE 7/Disable add-ons
-Windows XP Network Diagnostics returned Error 12029
-Reset TCP/IP stack
-Reset Winsock
-Remove/re-install Intel NIC in Device Manager; Update NIC driver
-Reset Windows Firewall

I've reset everything I can except for the core Windows system files because she doesn't have her XP disc or a backup. There are no System Restore points before the virus infection date (even though System Restore is enabled), so I can't revert to that.

She's going to try "Safe Mode with Networking" to see if she can access HTTP sites for longer than 5 minutes; I'll let you know how that goes.

Does anyone have any idea what else I can do here?

Thanks in advance!

Steve

UPDATE: The PC works just fine in Safe Mode. The user has no problems accessing HTTP sites for as long as she wants to in Safe Mode. I found no entries in the Registry as to what might be running on startup. CHKDSK found some 1408 index-related disk errors and fixed them, but nothing serious. Fixing those errors didn't help.
  • +
    0 Votes
    peary

    Have you tried winsock fix xp? You can download it here http://majorgeeks.com/WinSock_XP_Fix_d4372.html.

    It can fix winsock problems that occur after removing malware.

    +
    0 Votes
    planetearth

    Tried that three times. No help unfortunately, but thanks!

    +
    1 Votes
    cpguru21

    I have often seen user profiles that are left corrupted after a virus attack. In a situation without backups/install media, I have used this with success after removing infections.

    HTH

    +
    0 Votes
    guillermogarciajr

    I second this. It's worked for me many times in the past.

    I had a similar situation a few years back and this is how I got around it.

    I still recommended reloading the PC but the customer didn't want to. To this day, he is still running on that same load.

    I hope this helps you.

    +
    0 Votes
    tomi01

    I've gone through this several times with clients and in the end I just cap the amount to charge and put the hours in just for the challenge to figure it out and fix it.
    But check for Rapport software having been installed and removed. It has been the culprit on several occasions. Also I agree with all the excellent suggestions above, it about covers the base of everything I could think of and so much more. A great thread!

    +
    0 Votes
    planetearth

    I usually cap the bill, too. Unfortunately, I've never had to spend this much time on something like this!
    Thanks for the suggestion on "Rapport". I'll look into it.

    +
    0 Votes
    databaseben

    If you can use a browser like Firefox and enable the status bar at the bottom, it will give you a readout of what is being transferred to and from the browser.

    So for example, if you enter a URL like www.msn.com but see in the status bar other websites that are not www.msn.com, then it implies your browser has been hijacked.

    Although a freeware called HijackThis is helpful, it is not always proficient in eliminating the rogue hijack, meaning that there are cookies and temp files linked to the hijack that are also interfering with the browser.

    +
    0 Votes
    planetearth

    When HTTP fails, you can see Chrome trying to access the proxy server. It doesn't mention which one, and a search through the Registry didn't find any. But each time Chrome starts, Fiddler shows it trying to connect to randomly named hosts. These may be connected, but I can't seem to force Windows to use a "clean" proxy server.

    +
    0 Votes
    planetearth

    Also, HijackThis didn't find anything out of the ordinary. ComboFix said it fixed everything it found (and it found a few infections).

    +
    0 Votes
    databaseben

    @planetearth - Since you mentioned "hosts", then you might want to either run Spybot "or" rename the "hosts" file (temporarily, that is) and see if it helps. Also, since you mentioned time in your initial post, try looking at the modem properties and ensure that it is not being powered down automatically by the system.

    +
    0 Votes
    dano2004

    Sounds more like a service is starting that blocks port 80 if you can use all the other services. I've seen this happen with the proxy setting on IE but you said you checked that. I would double check any firewall software she has installed.

    +
    0 Votes
    planetearth

    The only firewall is Windows Firewall. I've even reset it (per Microsoft's instructions). There's nothing in there that shouldn't be there.

    +
    0 Votes
    Curacao_Dejavu

    Re: no backup.
    You can upload the data to MS SkyDrive, Dropbox and other online backup solutions.

    You can try the boot versions of some programs to scan the system "offline", so to speak: use AVG boot CD/USB (free), Malwarebytes (paid), Windows Defender (also free) to have the OS checked before it really boots into Windows.

    Other than that, do the backup, and have the media shipped (or better, a more up-to-date Windows version if the hardware supports it) and (re)install.

    success,

    +
    0 Votes
    jstuart8

    I find it interesting. Just this past week I was looking at an old PCWorld article telling you to use HTTPS always. I didn't remember the details, so I looked online to see if there was a setting in IE & Chrome. I don't think it answers your question, though maybe you should look at it in case I missed something in my brief perusal. While searching for it, I found a lot of places encouraging you to use HTTPS always, and I've included 2 sample links to those articles.

    http://www.pcworld.com/article/226791/how_to_use_an_httpsencrypted_connection_when_browsing.html
    http://www.ghacks.net/2010/10/31/how-to-force-https-connections/
    https://www.eff.org/https-everywhere

    +
    0 Votes
    oldbaritone

    I just cleaned a virus off a client's mother-in-law's computer. Once the virus was removed, no EXE files would run. The virus had inserted itself as the handler for .EXE in the registry, and once it was deleted the system would not run .EXE files any more.

    I know that's not your symptom, but maybe it would be worth an in-depth check of the registry to see if any of the TCP, UDP or IP handlers are being re-directed. Like your problem, my client's system ran fine in safe mode.

    The fix was easy; just merge a .REG file to patch the registry back the way it should be. It was a readily-available download, free.

    +
    0 Votes
    panhwerwaseem

    First, check your Internet Options -> Connections tab -> LAN Settings and make sure the proxy check box is unchecked. If it is unchecked, it means you have some big problem, and I have written a full solution to this problem in this article; check it out:
    http://thinkbeyondwindow.com/2013/02/cant-access-http-websites-access-https-websites-solve-it/
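
An added example, not part of any post in this thread: a small offline triage script for the two checks suggested above, the proxy settings stored under the WinINET `Internet Settings` key and extra entries in the `hosts` file. The sample registry export and hosts contents are constructed, and the function names are hypothetical; on a real PC the inputs would be a `reg export` of that key and `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import re

# Constructed sample inputs (not taken from the PC discussed in the thread).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:8080"
"ProxyOverride"="<local>"
'''
SAMPLE_HOSTS = """
# comment line
127.0.0.1       localhost
203.0.113.7     www.example.com   # constructed entry
"""

def parse_reg_values(text):
    """Return {name: value} from .reg-style lines; dwords become ints."""
    pattern = r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")\s*$'
    values = {}
    for name, dword, string in re.findall(pattern, text, re.M):
        values[name] = int(dword, 16) if dword else string
    return values

def proxied_schemes(values):
    """Map scheme -> proxy for an enabled proxy; '*' means all schemes."""
    if not values.get("ProxyEnable") or not values.get("ProxyServer"):
        return {}
    result = {}
    for part in filter(None, (p.strip() for p in values["ProxyServer"].split(";"))):
        scheme, sep, proxy = part.partition("=")
        result[scheme.lower() if sep else "*"] = proxy if sep else part
    return result

def hosts_overrides(text):
    """Return (ip, name) pairs other than the stock localhost entry."""
    found = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        found += [(fields[0], n) for n in fields[1:] if n.lower() != "localhost"]
    return found

def triage(reg_text, hosts_text):
    values = parse_reg_values(reg_text)
    schemes = proxied_schemes(values)
    return {
        "proxy": schemes,
        # A proxy set for http= only leaves HTTPS going direct.
        "http_only_proxy": set(schemes) == {"http"},
        "auto_config_url": values.get("AutoConfigURL"),
        "hosts_overrides": hosts_overrides(hosts_text),
    }
```

`reg export` writes UTF-16 text, so decode the file accordingly before passing it to `triage`.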
