Odd network issue, unable to browse web, but internet still connected

[jnelsoninjax]

So on my wife's computer, over the last month or so, her ability to access anything through the web browser(s) is meet with error messages, in FF it is Secure connection failed, in chrome it's err_connection_reset. The only way I have been able to instruct her to fix the issue is to run netsh winsock reset from the command line. That seems to fix it every time. Today I teamviewered into her system and attempted to install Snappy Driver Installer to see if her drivers were up to date, but even with the A/V disabled something is blocking the program from the internet, I also noticed that Dropbox was also having issues connecting. I downloaded and installed the latest network adapter driver and the issue still persists. I am at a lose as to what the issue could possibly be. For the record Windows defender and Windows Firewall are both set to manual under services and all defender related items in group policy editor are disabled.

[Circaflex]

Are the time and date correct? Are you using a system wide ad blocker like AdGuard for instance? What AV are you running? Just defender? Secure connection failing is generally an HTTPS issue, maybe your cert is borked or a piece of software might be causing it.

[jnelsoninjax]

40 minutes ago, Circaflex said:

Are the time and date correct? Are you using a system wide ad blocker like AdGuard for instance? What AV are you running? Just defender? Secure connection failing is generally an HTTPS issue, maybe your cert is borked or a piece of software might be causing it.

AFIK, yes time/date are correct. Kaspesky Total Security is the a/v and no system wide ad blocker. I have checked all the running processes and installed programs and there is nothing that shouldn't be there. I have even created a new profile for FF and tried to see if maybe an add-on was the issue, but it was not as it did the same thing that the other profile was doing.

[Circaflex]

1 minute ago, jnelsoninjax said:

AFIK, yes time/date are correct. Kaspesky Total Security is the a/v and no system wide ad blocker. I have checked all the running processes and installed programs and there is nothing that shouldn't be there. I have even created a new profile for FF and tried to see if maybe an add-on was the issue, but it was not as it did the same thing that the other profile was doing.

I would put my money on Kaspersky. I would completely remove it, then use the machine as normal (within limits, maybe you do this part) and see if the issue persists. I would bet that Kaspersky is corrupted or the HTTPS filtering it uses it borked right now. Or, check to see if there is a new version of the program for download and upgrade it.

[jnelsoninjax]

Just now, Circaflex said:

I would put my money on Kaspersky. I would completely remove it, then use the machine as normal (within limits, maybe you do this part) and see if the issue persists. I would bet that Kaspersky is corrupted or the HTTPS filtering it uses it borked right now. Or, check to see if there is a new version of the program for download and upgrade it.

It was doing it prior to Kaspesky being installed. She was using Avast prior, but it was uninstalled using IOBit Uninstaller which also searches for registry keys and leftover files (or so it claims).

[Circaflex]

2 minutes ago, jnelsoninjax said:

It was doing it prior to Kaspesky being installed. She was using Avast prior, but it was uninstalled using IOBit Uninstaller which also searches for registry keys and leftover files (or so it claims).

That is curious; maybe try creating a temp user profile and browse around and attempt to replicate the error.

[jnelsoninjax]

I hadn't thought about a new user account. I'll have to see if I can do that when I talk to her again, can't hurt.

[goretsky Supervisor]

Hello,

 

Anything unusual in the computer's proxy or DNS settings?

 

Regards,

 

Aryeh Goretsky

 

[Lathanielt]

I second the post regarding the proxy. There is malware that inserts manual proxy options in registry and will stop browsing from occurring. I use Malwarebytes to remove it. 

[jnelsoninjax]

2 hours ago, goretsky said:

Hello,

 

Anything unusual in the computer's proxy or DNS settings?

 

Regards,

 

Aryeh Goretsky

 

I forgot to mention that I checked that as well. Nothing odd.

1 hour ago, Lathanielt said:

I second the post regarding the proxy. There is malware that inserts manual proxy options in registry and will stop browsing from occurring. I use Malwarebytes to remove it. 

i guess it wouldn't hurt to run MWB on the system just in case. I don't see any processes that look abnormal to me, but I will check with MWB. Thanks for the suggestion!

[jnelsoninjax]

OK, now she is reporting that her Laptop is doing the same thing as the desktop is doing. I am begging to think that the ISP is causing these issues.

[Circaflex]

6 minutes ago, jnelsoninjax said:

OK, now she is reporting that her Laptop is doing the same thing as the desktop is doing. I am begging to think that the ISP is causing these issues.

Could be it, you might want to double check the router as well and ensure it is malware free. https://www.bleepingcomputer.com/forums/t/515385/can-a-router-be-infected/

[jnelsoninjax]

I am going to bump this and ask for more insight. My daughter called me this afternoon and reported that the desktop was doing strange things like BSOD's. I had her download Whocrashed and read me the conclusion(s).

It turned out that her or her mother (most likely mother) was having problems browsing the web so she assumed that Kaspsersky was the cause of the problems and disabled, then went and downloaded and installed Avsat.

Obviously two AV's don't play nice together and they were causing the BSOD's.

Using TeamViewer I was able to remove Avast and reinstall Kaspersky Total Security. Problem solved, at least I assumed so, not even 5 minutes later my wife calls me and starts saying that her laptop is unusable because Kaspersky won't let her browse any site through any browser. I have tried to explain that there is no way that Kaspersky could be blocking normal web traffic, that it must be the ISP, she countered by saying that the TV, cell phones and tablets all work, so it can't be the ISP. I am completely out of my realm when it comes to network issues, and being 3000 miles apart doesn't help either. What else could be preventing web traffic to even the most common sites like Google and Yahoo? I have not been able to do a malware scan yet, but I did run SFC and it came back clean, so there is nothing, system wise, that is corrupt.

[Mando]

18 hours ago, jnelsoninjax said:

I am going to bump this and ask for more insight. My daughter called me this afternoon and reported that the desktop was doing strange things like BSOD's. I had her download Whocrashed and read me the conclusion(s).

It turned out that her or her mother (most likely mother) was having problems browsing the web so she assumed that Kaspsersky was the cause of the problems and disabled, then went and downloaded and installed Avsat.

Obviously two AV's don't play nice together and they were causing the BSOD's.

Using TeamViewer I was able to remove Avast and reinstall Kaspersky Total Security. Problem solved, at least I assumed so, not even 5 minutes later my wife calls me and starts saying that her laptop is unusable because Kaspersky won't let her browse any site through any browser. I have tried to explain that there is no way that Kaspersky could be blocking normal web traffic, that it must be the ISP, she countered by saying that the TV, cell phones and tablets all work, so it can't be the ISP. I am completely out of my realm when it comes to network issues, and being 3000 miles apart doesn't help either. What else could be preventing web traffic to even the most common sites like Google and Yahoo? I have not been able to do a malware scan yet, but I did run SFC and it came back clean, so there is nothing, system wise, that is corrupt.

Kapersky ive always found way too instrusive tbh if there was any browser hijacking going on Kapersky would probs have a fit and could cause web pages "not to appear" to the layman.  

 

I dont personally rate Kapersky (too many deep system hooks), but thats just me, im a Webroot Secure anywhere fan, if its good enough for Checkpoint thumbs up, thats enough for me.  

[jnelsoninjax]

1 minute ago, Mando said:

Kapersky ive always found way too instrusive tbh if there was any browser hijacking going on Kapersky would probs have a fit and could cause web pages "not to appear" to the layman.  

 

I dont personally rate Kapersky (too many deep system hooks), but thats just me, im a Webroot Secure anywhere fan, if its good enough for Checkpoint thumbs up, thats enough for me.  

So even when it was not installed it was still acting strange, so I assumed it was related to the fact that it was still installed and interfering with Avast. What other issues could there be? Let's assume that it is not a virus, but it's possible that there might be malware, but again I see no indication of it.

[Mando]

8 hours ago, jnelsoninjax said:

So even when it was not installed it was still acting strange, so I assumed it was related to the fact that it was still installed and interfering with Avast. What other issues could there be? Let's assume that it is not a virus, but it's possible that there might be malware, but again I see no indication of it.

check the systems host file, make sure there are nothing over the ordinary (C:\Windows\System32\drivers\etc\host) the host file should look like the entry below. Id also use a web based AV scanner like trend housecall for a second opinion.

 

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

 

[farmeunit]

I have had issue with Kaspersky only when updating large files (Steam) over gigabit internet (Google Fiber).  When Steam is running full speed, updates and such, I would get some odd issues.   

 

[T3X4S]

@jnelsoninjax-


Dont assume Avast or Kaspersky has done, and did their jobs.  Disable/remove Kasperky after you download mbam.

Run mbam and any other top malware removal/detection tool you have 

Once you know the machines are 100% free of malware - then you can put one of those AV back on - (this is where I say I wouldnt use Kaspersky Complete Anything) - as mentioned in the posts above - its too intrusive.
If you need some way to lock down your family's internet presence, dont give them admin accounts, use UAC, etc.

Have you checked the proxy settings ?

You're able to remote in, but the computers cant browse anything.

Can you even ping a  website ?


My 1st advice would be to stop assuming Kaspersky, or anything else did its job 100%.

[+BudMan MVC]

7 hours ago, T3X4S said:

Once you know the machines are 100% free of malware

The only way to know that is to nuke it from orbit.. It is the ONLY way to be sure!!

[Mando]

16 minutes ago, BudMan said:

The only way to know that is to nuke it from orbit.. It is the ONLY way to be sure!!

yep and sadly Js a good few miles away from the machines.

[jnelsoninjax]

10 hours ago, T3X4S said:

@jnelsoninjax-


Dont assume Avast or Kaspersky has done, and did their jobs.  Disable/remove Kasperky after you download mbam.

Run mbam and any other top malware removal/detection tool you have 

Once you know the machines are 100% free of malware - then you can put one of those AV back on - (this is where I say I wouldnt use Kaspersky Complete Anything) - as mentioned in the posts above - its too intrusive.
If you need some way to lock down your family's internet presence, dont give them admin accounts, use UAC, etc.

Have you checked the proxy settings ?

You're able to remote in, but the computers cant browse anything.

Can you even ping a  website ?


My 1st advice would be to stop assuming Kaspersky, or anything else did its job 100%.

OK, I did not say that I assumed the programs did their jobs. I said I see no indication(s), such as odd processes running, of malware.

Proxy settings are fine (none).

I can ping websites.

The error that is coming up is in Firefox: Secure connection failed, in Chrome it's err_connection_reset. Now if this is a browser hijack or some other type of malware, why does doing a winsock reset always correct the issue (at least temporarily)?

[Mando]

2 hours ago, jnelsoninjax said:

OK, I did not say that I assumed the programs did their jobs. I said I see no indication(s), such as odd processes running, of malware.

Proxy settings are fine (none).

I can ping websites.

The error that is coming up is in Firefox: Secure connection failed, in Chrome it's err_connection_reset. Now if this is a browser hijack or some other type of malware, why does doing a winsock reset always correct the issue (at least temporarily)?

ok err_connection_reset is normally caused by 3 things.

 

1) ISP bad packets being received (suspect its not that as other devices are ok on the same connection, it would affect all systems on said connection)

2) generic MS network drivers in windows. < try and obtain the makers drivers for said network adapters.

3) firewall or Av issues causing it to corrupt packets, requesting packets continually until it resets your TCP/IP stack (also why winsock reset fixes it temporarily) , i wager its Kaperskys firewall malforming them somehow.

 

Remove all AV security suites, ensuring all remnants are cleaned, then install a demo/trial of Webroot Secure anywhere. See if it still happens, if not, its Kapersky (Avast is gash these days) Webroot will happily run alongside most other Avs.

 

If i was a betting man, its either Item 2 or item 3, with 3 more likely imo.

[jnelsoninjax]

So I may have figured out what was going on. Somehow 2 different versions of Kaspesky were installed, and apparently running, though I have no clue how. Of course true to form, one can not simply uninstall the program, because it claims it does, but does not. I was forced to download the program Unlocker, and use it to kill the processes and delete the files off the drive. Once I got all that done I installed MWB and did a scan, and it only found one item a PuP on something living in the temp folder, so it was quarantined, and I reinstalled Kaspersky, verifying that there was only one copy installed. I give it a day and see what happens. 

[Circaflex]

18 minutes ago, jnelsoninjax said:

So I may have figured out what was going on. Somehow 2 different versions of Kaspesky were installed, and apparently running, though I have no clue how. Of course true to form, one can not simply uninstall the program, because it claims it does, but does not. I was forced to download the program Unlocker, and use it to kill the processes and delete the files off the drive. Once I got all that done I installed MWB and did a scan, and it only found one item a PuP on something living in the temp folder, so it was quarantined, and I reinstalled Kaspersky, verifying that there was only one copy installed. I give it a day and see what happens. 

Kaspersky has a removal tool I would highly suggest running that, then downloading the newest version and reinstalling. 

 

https://support.kaspersky.com/common/service.aspx?el=1464

[T3X4S]

13 hours ago, BudMan said:

The only way to know that is to nuke it from orbit.. It is the ONLY way to be sure!!

"F*****n A"