I have performed extensive diagnostics, but cannot locate or remove the infection.
This is the first time in 20+ years that I have been unable to resolve a virus/spyware/malware infection.
I am posting here in the hope that somebody can help me resolve the problem.
Laptop Sony Vaio VGN-FS770/W
Windows XP Home Edition SP3
* I cannot load any non-secure web page (http://) on any browser. See below for detailed browser responses.
* I can load all secure web pages (https://) correctly on any browser.
* From a command prompt I am able to execute ping and tracert correctly, to the servers that do not load in the browser.
* From a command prompt I am able to execute nslookup correctly, to the servers that do not load in the browser.
* My hosts file is unchanged (confirmed by normal ping, tracert etc. functionality)
* Using SmartFTP I am able to connect to my FTP servers just fine.
* I am able to see other computers on my network, and shared network drives are operating normally.
* The above behavior is identical when the laptop is on a wireless connection, wired directly to my router, or wired directly to my cable modem.
* I have contacted my ISP (Comcast cable internet) and confirmed with them that everything appears normal on their end.
* This is corroborated by the fact that all other computers on my network are behaving normally.
* My laptop is operating as a local web server (apache) for development purposes, on local IP address 192.168.1.5. I cannot browse http://192.168.1.5 from other computers on the network. However, I can ping 192.168.1.5 just fine.
* From the laptop itself, I cannot access http://localhost or http://127.0.0.1 in the browser (but the laptop can ping itself OK). This is true both when the laptop is connected and when it is disconnected.
* When I restart the laptop in Safe Mode with Networking, all of these problems disappear and the computer behaves normally.
* This problem first occurred back in August or September 2009, and mysteriously resolved itself after about 1 week. It suddenly returned on 11/26 in the morning. I noticed that Windows Automatic Update had rebooted my laptop that night, but I do not know if this has anything to do with the problem.
When a http:// page fails to load, Google Chrome says:
This webpage is not available. The webpage at http://www.google.com/ might be temporarily down or it may have moved permanently to a new web address.
+ More information on this error
Below is the original error message
Error 101 (net::ERR_CONNECTION_RESET): Unknown error.
When a http:// page fails to load, Internet Explorer says:
Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.
What you can try:
Diagnose Connection Problems
More Information
etc...
The fact that I can ping, tracert, nslookup etc. means that the network/internet connection itself is operational, and that DNS is OK.
Initially I thought that this may be a problem with winsock, but surely I would see broader symptoms than just failure of http:// browsing?
Because the blockage is linked specifically to browsing http:// pages, I assume that TCP port 80 has been compromised by some malware or spyware.
Apparently the offending malware is not loaded when I start the computer in Safe mode with Networking.
First of all I put together this batch file to repair TCP stack, winsock etc. This was inspired by various forum postings I saw on the ERR_CONNECTION_RESET error.
```bat
@echo off
echo ## NETWORK RECONFIGURATION UTILITY
echo ## THIS PROCEDURE WILL RESTART YOUR COMPUTER
echo ## CLOSE ALL PROGRAMS FIRST
pause
echo Flush DNS
ipconfig /flushdns
echo Reload remote cache name table
nbtstat -R
echo Release and Refresh WINS
nbtstat -RR
echo Reset TCP/IP stack
netsh int ip reset reset.log
echo Delete ARP Cache
netsh int ip delete arpcache
echo Reset winsock
netsh winsock reset
echo Restart computer
pause
shutdown -r
```
* RESULT - NO CHANGE
Next I rebooted into Safe Mode with Networking, and ran various virus/spyware/malware utilities:
- Trend Micro Antivirus plus Antispyware
- SpyBot Search & Destroy
With each of these tools, the only suspects found were tracking cookies. Nevertheless I repeatedly ran scans until none of the tools found any more suspects.
* RESULT - NO CHANGE
In case the problem was somehow linked to Windows Automatic Update, I restored the laptop to previous Restore Points. The http:// browsing problem was identical regardless of which Restore Point I selected.
* RESULT - NO CHANGE
Finally I used Task Manager and Google to identify running processes (in normal boot mode). All the tasks appear to be legitimate processes, and killing them has no effect on the http:// browsing problem. It does stop my computer operating normally however!
* RESULT - NO CHANGE
At this point I am at a total loss. I am highly computer literate (I make a living from IT) and this has never happened to me before.
I welcome all and any advice that the experts may be able to offer.
I saw that several incidents here were resolved using tools like ComboFix and RootRepeal, but rather than try to use these tools myself, I am following the suggested approach and contacting the experts for guidance!
Thank you in advance for your help
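
The symptoms above (ping and nslookup succeed, plain HTTP fails with ERR_CONNECTION_RESET) can be narrowed down by testing each stage of an HTTP request separately. The following Python probe is an added example, not part of the original post; `probe_http`, `_listener` and `demo` are hypothetical names, and the loopback servers are constructed so the block runs offline.

```python
import socket, struct, threading

def probe_http(host, port=80, timeout=3.0):
    """Name the stage at which a plain-HTTP request to host:port fails."""
    try:
        s = socket.create_connection((host, port), timeout)  # DNS + TCP handshake
    except socket.gaierror:
        return "dns-failed"                 # name resolution is the problem
    except ConnectionRefusedError:
        return "connect-refused"            # nothing is listening on the port
    except OSError:
        return "connect-failed"             # timeout, unreachable network, etc.
    try:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = s.recv(64)
    except (ConnectionResetError, BrokenPipeError):
        return "reset-after-connect"        # a RST: what ERR_CONNECTION_RESET reports
    except OSError:
        return "request-failed"             # handshake worked, no answer in time
    finally:
        s.close()
    return "http-ok" if data.startswith(b"HTTP/") else "no-http-response"

def _listener(reset):
    """Constructed loopback server for the demo: answers one client or resets it."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        if reset:  # zero-timeout SO_LINGER makes close() send a RST (POSIX layout)
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        else:
            conn.recv(1024)
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def demo():
    with socket.socket() as free:           # bind then close: a port with no listener
        free.bind(("127.0.0.1", 0))
        closed_port = free.getsockname()[1]
    return {"healthy": probe_http("127.0.0.1", _listener(False)),
            "resetting": probe_http("127.0.0.1", _listener(True)),
            "closed": probe_http("127.0.0.1", closed_port)}

if __name__ == "__main__":
    print(demo())
```

Run against `localhost` and a remote host on port 80, in normal mode and in Safe Mode with Networking, a result of `reset-after-connect` means something on the path accepts the TCP connection and then tears it down, whereas `connect-refused` means no listener is reachable at all.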