ERR_CONNECTION_RESET and malware on port 80?

2 replies to this topic

#1 robd66

  • Members
  • 2 posts

Posted 30 November 2009 - 10:49 AM

My computer appears to be infected with malware that is blocking my TCP port 80, both inbound and outbound.

I have performed extensive diagnostics, but cannot locate or remove the infection.

This is the first time in 20+ years that I have been unable to resolve a virus/spyware/malware infection.

I am posting here in the hope that somebody can help me resolve the problem.

MACHINE:
Laptop Sony Vaio VGN-FS770/W
Windows XP Home Edition SP3

SYMPTOMS:
* I cannot load any non-secure web page (http://) on any browser. See below for detailed browser responses.
* I can load all secure web pages (https://) correctly on any browser.
* From a command prompt I am able to execute ping and tracert correctly, to the servers that do not load in the browser.
* From a command prompt I am able to execute nslookup correctly, to the servers that do not load in the browser.
* My hosts file is unchanged (confirmed by normal ping, tracert etc. functionality)
* Using SmartFTP I am able to connect to my FTP servers just fine.
* I am able to see other computers on my network, and shared network drives are operating normally.
* The above behavior is identical when the laptop is on a wireless connection, wired directly to my router, or wired directly to my cable modem.
* I have contacted my ISP (Comcast cable internet) and confirmed with them that everything appears normal on their end.
* This is corroborated by the fact that all other computers on my network are behaving normally.
* My laptop is operating as a local web server (apache) for development purposes, on local IP address 192.168.1.5. I cannot browse http://192.168.1.5 from other computers on the network. However, I can ping 192.168.1.5 just fine.
* From the laptop itself, I cannot access http://localhost or http://127.0.0.1 in the browser (but the laptop can ping itself OK). This is true both when the laptop is connected and when it is disconnected.
* When I restart the laptop in Safe Mode with Networking, all of these problems disappear and the computer behaves normally.
* This problem first occurred back in August or September 2009, and mysteriously resolved itself after about 1 week. It suddenly returned on 11/26 in the morning. I noticed that Windows Automatic Update had rebooted my laptop that night, but I do not know if this has anything to do with the problem.

When an http:// page fails to load, Google Chrome says:
This webpage is not available.
The webpage at http://www.google.com/ might be temporarily down or it may have moved permanently to a new web address.
+ More information on this error
Below is the original error message
Error 101 (net::ERR_CONNECTION_RESET): Unknown error.

When an http:// page fails to load, Internet Explorer says:
Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.
What you can try:
Diagnose Connection Problems
More Information
etc...

PRESUMED DIAGNOSIS
The fact that I can ping, tracert, nslookup etc. means that the network/internet connection itself is operational, and that DNS is OK.
Initially I thought that this may be a problem with winsock, but surely I would see broader symptoms than just failure of http:// browsing?
Because the blockage is linked specifically to browsing http:// pages, I assume that TCP port 80 has been compromised by some malware or spyware.
Apparently the offending malware is not loaded when I start the computer in Safe mode with Networking.

REMEDIES ATTEMPTED
First of all I put together this batch file to repair the TCP stack, winsock etc. This was inspired by various forum postings I saw on the ERR_CONNECTION_RESET error.
@echo off
echo ## NETWORK RECONFIGURATION UTILITY
echo ## THIS PROCEDURE WILL RESTART YOUR COMPUTER
echo ## CLOSE ALL PROGRAMS FIRST
pause
rem Clear the local DNS resolver cache
echo Flush DNS
ipconfig /flushdns
rem Purge and reload the NetBIOS name cache from LMHOSTS
echo Reload remote cache name table
nbtstat -R
rem Release and re-register NetBIOS names with WINS
echo Release and Refresh WINS
nbtstat -RR
rem Rewrite the TCP/IP registry keys to their install-time state (log goes to reset.log)
echo Reset TCP/IP stack
netsh int ip reset reset.log
echo Delete ARP Cache
netsh int ip delete arpcache
rem Rebuild the Winsock catalog, removing any Layered Service Providers
echo Reset winsock
netsh winsock reset
echo Restart computer
pause
shutdown -r
* RESULT - NO CHANGE

Next I rebooted into Safe Mode with Networking, and ran various virus/spyware/malware utilities:
- Trend Micro Antivirus plus Antispyware
- Malware
- SUPERAntiSpyware
- SpyBot Search & Destroy
With each of these tools, the only suspects found were tracking cookies. Nevertheless I repeatedly ran scans until none of the tools found any more suspects.
* RESULT - NO CHANGE

In case the problem was somehow linked to Windows Automatic Update, I restored the laptop to previous Restore Points. The http:// browsing problem was identical regardless of which Restore Point I selected.
* RESULT - NO CHANGE

Finally I used Task Manager and Google to identify running processes (in normal boot mode). All the tasks appear to be legitimate processes, and killing them has no effect on the http:// browsing problem. It does stop my computer operating normally however!
* RESULT - NO CHANGE

CONCLUSION
At this point I am at a total loss. I am highly computer literate (I make a living from IT) and this has never happened to me before.

I welcome all and any advice that the experts may be able to offer.

I saw that several incidents here were resolved using tools like ComboFix and RootRepeal, but rather than try to use these tools myself, I am following the suggested approach and contacting the experts for guidance!

Thank you in advance for your help
Rob
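The symptom matrix above (http:// fails, https:// works, ping/tracert/nslookup work, even http://127.0.0.1 against the local Apache fails, Safe Mode is clean) is the data a defender uses to decide whether a port-80 blockage sits on the host or on the network. The script below is an added example, not code from the poster or from BleepingComputer: `probe_http` opens a TCP connection, sends a minimal HTTP request and classifies the outcome (reset, refused, timeout, quiet close, or a reply), and `diagnose` applies the reasoning of the post to a table of probe results. The hostname `www.example.com` in the constructed symptom table and the local listeners started by `start_listener` are test fixtures, not real targets; the loopback row is only meaningful when something is actually listening on port 80, as Apache was here.

```python
import errno
import socket
import struct
import threading

# Outcomes a probe can report.
OK, REFUSED, RESET, CLOSED, TIMEOUT, UNREACHABLE = (
    "ok", "refused", "reset", "closed-no-reply", "timeout", "unreachable")


def probe_http(host, port=80, timeout=3.0):
    """Connect, send a minimal HTTP request, and classify what comes back.

    A host-level filter that kills port-80 sessions shows up as RESET either at
    connect time or right after the request is sent, which is the condition
    Chrome reports as net::ERR_CONNECTION_RESET.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return REFUSED      # RST with nothing listening: normal for a closed port
    except ConnectionResetError:
        return RESET        # RST after the handshake started: something tore it down
    except socket.timeout:
        return TIMEOUT      # silently dropped, typical of an upstream DROP rule
    except OSError as exc:
        return RESET if exc.errno == errno.ECONNRESET else UNREACHABLE
    with sock:
        try:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = sock.recv(512)
        except ConnectionResetError:
            return RESET    # the reset the poster's browsers were seeing
        except socket.timeout:
            return TIMEOUT
        except OSError as exc:
            return RESET if exc.errno in (errno.ECONNRESET, errno.EPIPE) else UNREACHABLE
    return OK if data else CLOSED


def diagnose(results):
    """Apply the post's reasoning to a table {(host, port): outcome}."""
    loop80 = results.get(("127.0.0.1", 80))
    remote80 = [v for (h, p), v in results.items() if h != "127.0.0.1" and p == 80]
    remote443 = [v for (h, p), v in results.items() if h != "127.0.0.1" and p == 443]
    bad = (RESET, TIMEOUT, CLOSED)
    if not remote80:
        return "inconclusive: no remote port-80 probes"
    if all(v == OK for v in remote80):
        return "no port-80 blockage observed"
    if any(v != OK for v in remote443):
        return "both 80 and 443 fail: general connectivity problem, not a port-80 filter"
    if all(v in bad for v in remote80) and loop80 in bad:
        return ("port 80 fails even on loopback while 443 works: the filter is on this host "
                "(local firewall or security product network driver), not on the network")
    if all(v in bad for v in remote80) and loop80 == OK:
        return "port 80 fails only off-box while loopback works: look upstream (router, ISP)"
    return "inconclusive: mixed results, re-run the probes"


# Constructed table mirroring the symptoms in the post (hostname is a placeholder).
SYMPTOMS_FROM_POST = {
    ("127.0.0.1", 80): RESET,
    ("www.example.com", 80): RESET,
    ("www.example.com", 443): OK,
}


def free_port():
    """Return a loopback port nothing is listening on (for the 'refused' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_listener(behaviour):
    """Throwaway local listener (a constructed fixture, not a real web server).

    "reply" answers with an HTTP status line; "reset" aborts the session with an
    RST (SO_LINGER 0) to imitate a filter killing port-80 connections; "close"
    hangs up quietly. Returns the port it listens on.
    """
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(1024)  # consume the client's request line
                except OSError:
                    pass
                if behaviour == "reply":
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
                elif behaviour == "reset":
                    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for mode in ("reply", "reset", "close"):
        print(mode, "->", probe_http("127.0.0.1", start_listener(mode)))
    print("closed port ->", probe_http("127.0.0.1", free_port()))
    print(diagnose(SYMPTOMS_FROM_POST))
```

Run it against real hosts by filling the table with `probe_http(host, port)` calls for a couple of external names on ports 80 and 443 plus `("127.0.0.1", 80)` while a local web server is running; the loopback reset combined with working 443 is what separates a host-resident filter (a firewall or security product driver, as turned out to be the case in this thread) from an ISP or router block.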


#2 Eric ~ Computer Guy

  • Members
  • 125 posts
  • Gender:Male
  • Location:Dallas, TX

Posted 30 November 2009 - 03:33 PM

It appears you have tried everything I would recommend. Try reinstalling your firewall driver, if any, and see if that helps. You may need to reinstall any AV security programs (Trend Micro) and use their removal tool found here: http://esupport.trendmicro.com/3/How-do-I-...my-compute.aspx.

After you fully remove the program and all firewall drivers, try reinstalling it from scratch. The virus could have caused an issue with your firewall, and typically the only way to fix that is to fully remove the firewall drivers and security software and reinstall it.

#3 robd66

  • Topic Starter

  • Members
  • 2 posts

Posted 01 December 2009 - 02:09 PM

FOLLOW-UP FROM MY ORIGINAL POST

OK folks you are going to enjoy this one. Hopefully at least as much as I did.

Usually I never go online without some kind of protection - firewall, anti-virus, anti-spyware etc. But in this case, faced with the inexplicable situation described above, I decided that if the culprit were not a virus then it MUST be one of the security packages.

Before reinstalling my whole machine I figured, what do I have to lose? Let's try browsing with no protection and see what happens. So I booted in normal mode, switched off Windows Firewall and stopped all my security software.

At which point guess what... my normal http:// connection started working again!

It then took about 30 seconds to ascertain that the culprit was Trend Micro Antivirus and Antispyware 2009.

Following this I spent about an hour online with Trend Micro technical support, who recommended upgrading to the 2010 version of the same package.

This effectively corrected the problem.

Despite my insistent demands, I was unable to get the slightest technical explanation. Nor did the Trend Micro representative offer even a shadow of apology for the days I have wasted trying to fix this.

So put this in your arsenal of tricks. Any time someone has a blocked TCP port 80, and/or ERR_CONNECTION_RESET on Google Chrome, ask them if they are using a Trend Micro product. Have them upgrade to the latest version, and if my experience is anything to go by, the problem may well disappear.

Incidentally this explains why the incident appeared for no reason back in August or September and then just as mysteriously went away - there is something in the Trend Micro auto-updates that sometimes creates the port 80 blockage but then gets corrected by a subsequent update...

If anyone else suffers the same problem and is able to fix it this way (or any other way) I will be interested to hear about it.

TO ANY TREND MICRO STAFF READING THIS FORUM

Your software, for which I pay an annual subscription, was directly responsible for a total of 6 business days without internet connectivity in my home office. This has delayed projects and led directly to a loss of revenue for my business.

Beyond fixing the technical problem, I expect at the VERY least an apology. In reality it would seem only reasonable to refund all or part of my subscription.

Based on my exchange with your customer service representative, I have to conclude that your customer service strategy is: "fix the problem if you can, but then cut off the call as soon as the customer starts asking for apologies or refunds". I have the transcript of our conversation to prove this.

As a business owner in IT/Software, I would be frankly ashamed to operate according to this principle. I would immediately put on notice any of my employees who behaved this way with one of my clients.

Your attitude contributes to giving a bad reputation to those of us who strive to be professional.

If you have the gumption to contact me and discuss this directly I will be glad to hear from you.
