Port 80 is blocked. I have internet access except for port 80 connections

Bobster311
Bobster311 used Ask the Experts™
on
This is a fairly complicated story that I will not be able to entirely share with you right now (it would take too long). But I suspect a virus problem is at the root. I will be glad to fill you in as you have questions. I have conferred with my fellow IT Admins and they agree. They have made a number of recommendations which I have followed but my problem has not gone away. I am impressed with what I have seen with the experts on this site and finally am seeking expert help.

Note I am having to post this from another computer but have my laptop next to me.

Background: About 6 weeks ago I suddenly found that any attempt to reach a website via Firefox 3 failed. When I tried with IE7 a number of "linked to" urls were spawned and completely overtook IE such that only by turning off the computer completely was I able to stop this. I use Spybot and Adaware on occasion but now I downloaded a number of extra anti spy and anti malware programs and ran them, even purchased PC Spyware Doctor (normally I have just used Symantec AntiVirus). Various things were found, quarantined and/or removed. One possible factor, this happened around the time I made my last ZoneAlarm update. Don't have any direct correlation, but turning off ZoneAlarm does not make any difference.
When I forced open port 80 in Windows firewall I was able get to http sites in firefox but not MSIE7.

Current situation: after trying virtually every suggestion I found on this site and other similar ones, I can ping, reach sites via https, ftp, use VPN, Remote desktop, Email, etc. Just can't open a web page using a browser on port 80. A big problem is that I cannot update AV apps that use port 80 for their updates such as Malwarebytes.

Most recently I went into the Recovery Console and ran fixmbr. After this I was able in Safemode with networking to update all my anti spy and malware programs and ran complete scans and removed all problems that I was alerted to and then was able to visit an http site or two. Rebooted into XP and ran PC Spyware Doctor (which wanted to run only in full XP mode). But once again, found that I had no access to sites via port 80.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
NerdsOfTechTechnology Scientist

Commented:
post your hijackthis report if possible
NerdsOfTechTechnology Scientist

Commented:
run malwarebytes in safe mode first; fix all errors

read:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

download and run combofix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Top Expert 2007

Commented:
As already suggested, run MalwareBytes and also Combofix but run them in normal mode as these tools are designed to be run in normal mode.

Scanning in safe mode is only necessary IF the pc doesn't boot in normal mode..

It the tools won't run at first time, then re-download but rename before saving the file to your desktop.

Please show us the logfiles.
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
Thanks for the above suggestions. As mentioned above, in June I ran full scans with Malwarebytes, PC SpyDoctor, Symantec AV, & SpyBot, in normal XP mode removing all 'infections' found. I then ran Combofix as instructed by info found on bleepingcomputer.com (though they warn you against doing this unless it is done under the guidance of an 'expert'). Nothing changed, no http (port 80) access.

Then again on July 10 I ran Malwarebytes with July 10 data files. In normal XP mode it froze upon catching an infected object. When I ran it in XP safe mode it completed the scan finding a 'setupsv.exe' rogue installer. I then ran PC SpyDoctor in normal XP mode. All the infections it found appear to be tied to Combofix. It is not clear that the setupsv.exe was not also tied to Combofix but I had MWB remove it anyway.

Attached is today's HijackThis log and I am running a full set of scans again and will let you know the results in a few hours.
hijackthis.log
NerdsOfTechTechnology Scientist

Commented:
You likely have a rootkit infection ... entry 020

HiJackThis Fixes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\KUsrInit.exe,
O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O20 - Winlogon Notify: kwinhook - C:\WINDOWS\SYSTEM32\kwinhook.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: MySQL51 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE


questionable:
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O15 - Trusted Zone: http://fpg.unc.edu
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe


NerdsOfTechTechnology Scientist

Commented:
rename hijackthis to "1.exe" and run executable; fix all problems found above.
rename malware bytes to "2.exe" and run executable; fix all problems,
rename combofix to "3.exe" and run executable,
NerdsOfTechTechnology Scientist

Commented:
Correction

In Safe Mode:
rename hijackthis to "1.exe" and run executable; fix all problems found above.
use hijackthis misc tools and delete this file on reboot function:
C:\WINDOWS\SYSTEM32\kwinhook.dll

rename malware bytes to "2.exe"
rename combofix to "3.exe"

In Normal Mode:
run malwarebytes (2.exe); fix all problems,
run combofix (3.exe) executable,

=NerdsOfTech

Author

Commented:
Very encouraging, I like where this is going. Please clarify your statement:

use hijackthis misc tools and delete this file on reboot function:
C:\WINDOWS\SYSTEM32\kwinhook.dll

What are the hijackthis misc tools that I am to use. All I have know of Hijackthis is that it produces a report. And what is the reboot function I am to use to delete this dll, i.e., how do I go about this? Do I reboot into some special mode like console only?

Thanks
NerdsOfTechTechnology Scientist

Commented:
When hijackthis is open

click the button "Open the Misc Tools section"
click "Delete file on reboot..." button
copy and paste :
C:\WINDOWS\SYSTEM32\kwinhook.dll
as filename.

reboot computer.

=NerdsOfTech

NerdsOfTechTechnology Scientist

Commented:
Correction:

1. Open HiJackThis
2. click the "Open the Misc Tools section" button
3. click "Delete file on reboot..." button
4. copy and paste :

C:\WINDOWS\SYSTEM32\kwinhook.dll

in filename textbox. click open.

5. click restart now to reboot computer when prompted.

=NerdsOfTech

Author

Commented:
One more thing. You wrote - HiJackThis Fixes:

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent

The above are all Lenovo Thinkpad utilities and/or services installed upon build. Are they really suspect? Will I lose any important functionality like the TPShocks which is supposed to help protect the harddrive? Or can I just reinstall them again later if needed? (This computer was initially a university 'build' so I don't know what a lot of these "Run" apps do and have been reluctant to remove them.

Again, much thanks for your help.
NerdsOfTechTechnology Scientist

Commented:
You are correct please IGNORE and do not fix:

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
NerdsOfTechTechnology Scientist

Commented:
Also IGNORE deletion of:
if KBOX is used

C:\WINDOWS\SYSTEM32\kwinhook.dll
NerdsOfTechTechnology Scientist

Commented:
Strange question but do you have any server running like apache on this computer?

Otherwise, your ip/tcp stack or lsp may be messed up... try running:

http://download.cnet.com/XP-TCP-IP-Repair/3000-2094_4-10410929.html

See if you can get a connection and report back.

Thanks!

Author

Commented:
Not a strange question. Yes, Kbox is in use. And yes many 'server' environments have been tested on this computer including Plone, MySQL 5, IIS (personal), and New Atlanta's Bluedragon .NET server (none active at this time). Never Apache.

Question: Should I try fixing the ip/tcp stack as suggested above before I go forward with the Hijackthis + cleanup routines?

Thanks
Top Expert 2007

Commented:
NerdsOf Tech may I know what's your reason for disabling those entries?
It's okay to fix the 04 entries because that doesn't affect the program but fixing the 020 and 023 entries stop the program from working and any programs that are dependent on those 023 service to run will also stop working.


C:\WINDOWS\SYSTEM32\kwinhook.dll
The above 020 file belongs to KBox System Deployment it should be left alone if the user use it.
Top Expert 2007

Commented:
Bobster311,
You mentioned that you already run Combofix, can we look at the logfile?

Author

Commented:
rpggamergirl, thanks but NerdsOf Tech commented on this:

"Also IGNORE deletion of:
if KBOX is used

C:\WINDOWS\SYSTEM32\kwinhook.dll"

and I did not remove this entry which I understood to be:
O20 - Winlogon Notify: kwinhook - C:\WINDOWS\SYSTEM32\kwinhook.dll

I am needing to download a newer version of combofix. My version is less than a month old but apparently is not valid. I will run this and get back with you all.

Thanks

Author

Commented:
Followed the instruction verbatim. Combofix log attached:

A single trojan found in both MSAM and Superantispyware ran before I started the above fixes suggested, none found after these scans in MSAM or combofix, i.e., no change in http: (port 80) availability (can't even do an MSAM update). Everything else appears ok.

Attached is the combofix log

Planning to try the tcp/ip stack fix unless told not to in the next 12 hours. It sounds like it could cause trouble, just don't know what the actual risks are [not spelled out clearly in any of the documentation but I am getting rather desperate].
combolog.txt

Author

Commented:
NerdsOf Tech, et. al.
I ran the tcpip stack repair program suggested above and still no http (port 80) connection.

Another question; does it matter which user account I run these various scans (especially Combofix) as long as the user account has Administrator rights and privileges?

Thanks
NerdsOfTechTechnology Scientist

Commented:
It doesn't matter as long as you have admin rights.

Do you have a web server running on port 80?

Try shutting down both zonealarm and windows firewall and attempt internet access.

Have you considered backup and clean OS reinstall?
Try to use TCPView from Sysinternals and see what application is using the port 80. It can be downloaded from:

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

Hope it helps.

Author

Commented:
Nerds of Tech
Do you have a web server running on port 80?
No. IIS is disabled

Try shutting down both zonealarm and windows firewall and attempt internet access.
Makes no difference

Have you considered backup and clean OS reinstall?
Have considered it, but only as a last resort which looks like where I am heading }:-{

Warturtle
Try to use TCPView from Sysinternals and see what application is using the port 80.
It shows nothing using port 80.

What besides a virus (rootkit) could simply lock down port 80?? Again, if I force this port open in MS Internet firewall I can get through, and I can get to many sites using port 443 (https). Really curious.

Thanks for your efforts
If you don't already have SuperAntiSpyware installed on your PC, I suggest that you download it from www.superantispyware.com and install it. After the installation is done, then open the main screen->Preferences->Repairs tab. Then try the different options in there.

Have you restarted your computer after doing the Winsock LSP Fix (that you did before)? If not, then that is surely recommended.

Try doing the Internet Security Zone Reset and Intenet Explorer Policy Restrictions Reset.
NerdsOfTechTechnology Scientist

Commented:
LSPFix may do the trick

It sounds like corrupted LSP if your port scanner didn't detect 80 used

http://www.bleepingcomputer.com/files/lspfix.php

Author

Commented:
Warturtle:
I have already downloaded and run superantispyware (it took 4 hours!!) yesterday, found nothing.

Nerds of Tech:
I ran Lspfix and it only told me that that 'no problems found.'

After multiple runs of at least 10 recommended anti-virus and anti-malware apps along with Combofix, following all your instructions, none are finding any problems at this point (except for things related to Combofix). All attempts to fix the tcp/ip stack + have made no difference. I am ready to give up the ghost, throw in the towel. Rootkit problems are hard to get rid of I know, but I have been successful before.

I just  don't understand why port 80 is so completely blocked and won't let up (except for that brief time after doing a mbrfix and then restarting in Safe mode with networking (wired) on a university network. Combofix has cleared this problem up before. Could it be something that ZoneAlarm did when I installed the new free version in June?

In the end, my computer runs fine except for getting out on Port 80. I will use remote desktop until I have time to start over. Looks like I am going to have to hand it over to the university to wipe it clean and start over (gag me with a spoon).

I will award points because you guys (gals) have done it by the book, everything you have suggested follows/matches the protocol that other experts have recommended on other forums. But it looks like this story does not have a happy ending.

Thanks for all your help (unless you have something else to suggest). want to see any other logs? I have plenty. (;- )
Did you play around with the Repairs in SuperAntiSpyware?? Scanning with SuperAntiSpyware is for removing malware, but the repair tools could be helpful in resolving the problem.
NerdsOfTechTechnology Scientist

Commented:
Thanks for your patience!
Sorry we could not get it solved. If you are to redo the OS do you want to try and remove that hooked program for experimentation?:

C:\WINDOWS\SYSTEM32\kwinhook.dll"

O20 - Winlogon Notify: kwinhook - C:\WINDOWS\SYSTEM32\kwinhook.dll

=NerdsOfTech

Commented:
Try this -
Start Internet Explorer.
On the Tools menu, click Manage Add-ons.
Click the name of the add-on.
Use one of the following methods:
click Disable, and then click OK.
You may have to restart Internet Explorer for the changes to take effect after you enable or disable an add-on.

Author

Commented:
Note: This thread is not completely finished. It is just that I am preparing for a vacation. I will be back in touch in the next day or so to conclude with comments on your suggestions above.

Thanks again for your help.
Technology Scientist
Commented:
Try:
Tools > Internet Options > Advanced > Reset IE Settings > Reset

Else:
Backup user data...reinstall OS

Author

Commented:
NerdsofTech and Warturtle both responded with good ideas and new tests to run. If it was easier to do I would give Warturtle 100 of these points.
None of their solutions actually fixed my problem but I appreciated their thoroughness and knowledge regarding the testing protocols for this kind of deep virus infection and learned alot [probably as NerdsofTech said early on, a rootkit infection]. I know these to be difficult to clean out. I will be wiping the machine and starting over. However, I really would like to better understand how port 80 can be so thoroughly blocked and no other signs of infection are present. Multiple scanners say I am clean.
Thanks for all your efforts.
Iain MacMillanIT Regional Manager - UK

Commented:
sound very similar to an issue i had with a senior staff member's laptop -- basically your Winsock stack is knackered, and although there are programs out there to fix it, and allow port 80 (web access) to work again, it only lasts for a few hours, and then reverts back, in the end we had to rebuild the system.  that laptop used Firefox as its primary browser, so not sure if the previously posted IE fix would have made any difference.

everything else worked OWA over SSL, secure HTTPS and VPN all worked, even Skype.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial