# Can't access some secure websites



## parabola50 (Feb 9, 2007)

I've been away for a week and I've just got back to find that I can't access certain websites. I can't view my bank's site, or a few other banks that I tried. Also My eBay doesn't load. I was worried in case it could be some kind of virus that keylogs the password and then prevents me accessing it. I just wanted to check to see if there may be a simpler explanation before I go through the removal steps?

Thanks!


----------



## hammer1 (Feb 19, 2006)

It doesn't sound like anything good. I think it is time for the "removal steps" that you alluded to. Good luck.


----------



## parabola50 (Feb 9, 2007)

I completed the steps, except the Windows Update one because the site won't load. It isn't just secure sites now, it's completely random ones. Pandascan only found cookies but the log is below anyway. Also included a HJT log...
Thanks


----------



## koala (Mar 27, 2005)

> General Computer Security Get Help With System Security - *This forum is not for malware removal assistance*. For malware removal assistance, read the sticky topic at the top of the HijackThis Log Help forum, or the "First Steps" link at the top right of each page.


----------



## parabola50 (Feb 9, 2007)

I know, I only posted the logs because someone suggested doing so. I'm 99% sure it isn't malware, which is why I posted it in this forum. I've run about 10 different scans and they've all come back clean.

Before I went away I upgraded my internet connection to 20Mb but Virgin Media staff accounts messed it up and I lost my connection. My girlfriend phoned them a few times while I was away, and they did some stuff on their end and told her to remove my wireless router, which restored the connection. When I got back, certain sites wouldn't load. I've reinstalled the router and it works, and I've tried messing about with IE security settings and the sites still won't load. I've also tried Opera and Firefox with no luck. I'm going to phone them, but they aren't open till Monday and they work office hours and I'm not off till Thursday, so I just wanted some suggestions on what the issue could be and if it's fixable by me?

Thanks.


----------



## sobeit (Nov 11, 2007)

What browser are you using? Did you try another browser to see if you can access those sites?


----------



## parabola50 (Feb 9, 2007)

I'm using IE. I've tried the same sites with Firefox and Opera and I just get a 'page can't be displayed' error.


----------



## sobeit (Nov 11, 2007)

Looks like you were getting help at the first of the month with your HijackThis log. You need to go back and finish with them before we do any more here.


----------



## parabola50 (Feb 9, 2007)

Do you mean the onestopsearch thread? If so, I started that thread on behalf of someone else that can't access the internet at all, it isn't about my computer.


----------



## sobeit (Nov 11, 2007)

Thanks for the clarification - sometimes we have to go into past immediate history to see if there were other problems that might be related...

See if you can access those sites from safe mode with networking.


----------



## AquariusFX (Aug 14, 2008)

Check the router firewall/policy configuration. "https" may have been blocked.


----------



## parabola50 (Feb 9, 2007)

sobeit said:


> thanks for the clarification - sometimes we have to go into past immediate history to see if there were other problems that might be related...
> 
> see if you can access those sites from safemode with network.


Yeah, I know what you mean. I just formatted my hard drive and reinstalled Windows as a quick fix, but it still doesn't work. Does this mean it's definitely a problem with Virgin Media, or could it be a router issue? I'm dreading phoning them cos they don't have a clue what they're talking about.

Thanks for the assistance!


----------



## parabola50 (Feb 9, 2007)

AquariusFX said:


> check router firewall/policy configuration. "https" may have been blocked.


Where would I find that setting? I had a browse but couldn't see it.

Thanks.


----------



## AquariusFX (Aug 14, 2008)

You need to log into the router. What's your router brand/model?


----------



## koala (Mar 27, 2005)

parabola50 said:


> Where would I find that setting? I had a browse but couldn't see it.


If you're using the standard router that comes with the Virgin Media broadband package, then it's a Netgear.

Open Internet Explorer and type *http://192.168.1.1* into the address bar to enter the router config.

Then type *admin* for the user name and *password* for the password and click OK. If this doesn't work, leave the password blank.


----------



## parabola50 (Feb 9, 2007)

I meant I couldn't find the setting in my router settings. I looked through every option and couldn't find anything about https. Although I did try disabling the firewall and it didn't help. It's a Belkin wireless G plus.

Thanks.


----------



## AquariusFX (Aug 14, 2008)

On the Firewall > Client IP Filter page, make sure nothing is there or enabled, especially anything that refers to port 443.


Or you may try to isolate the router problem.

Connect your modem directly to your PC. See if http and https work or not.
If it's working then you may have to do a router reset (default manufacturer settings)
or get a new router.

Good luck


----------



## parabola50 (Feb 9, 2007)

I checked the settings and they were all OK, and I tried bypassing the router and it didn't make any difference. Do you have any other suggestions? Could it be a Virgin Media problem?

Thanks!


----------



## AquariusFX (Aug 14, 2008)

I would just take the PC to a friend's house and try there. Once and for all. So we can blame Virgin if it works at the friend's house.


----------



## parabola50 (Feb 9, 2007)

I tried my PC at someone else's house and I could access the sites fine. I've emailed Virgin Media and they just refused to accept that it could be a fault at their end. Does anyone know what the fault could be, as they're too stupid to know, so it looks like I'm gonna have to tell them what to do. If it doesn't get sorted out I'm gonna have to leave them because I can't access sites that I need frequent access to; I'd just rather it didn't come to that as I'm on a staff deal and it only costs me £10 a month.

Thanks.


----------



## parabola50 (Feb 9, 2007)

Bump...

Doesn't anyone have any more ideas? Virgin still think it's nothing to do with them. They asked me to ping the sites I can't access and send them the results, but they just all timed out.


----------



## grue155 (May 29, 2008)

What kind of firewall are you running? And how are you connecting to the Internet (modem? router? what make and model?)

Do you have any proxy settings set in Internet Explorer? It's the IE Internet Properties 'Connections' tab, under the LAN settings.


----------



## parabola50 (Feb 9, 2007)

I'm using BitDefender firewall, but I tried the sites without it installed and it wouldn't work. I'm using a Belkin router, but I've already tried without the router attached, and there are no proxy settings active. I tried from a completely fresh XP and vista install and also had no luck.

Thanks


----------



## grue155 (May 29, 2008)

Have you tried a route check, using the tracert command?

If not, then from a command prompt (Start -> All Programs, Accessories, Command Prompt), enter "tracert -d www.google.com" which will show the path that packets are taking from your machine to the google web site.

Then try the same to reach one of the sites you are having difficulty reaching.

If you aren't sure of what the results are telling you, you can post the result here.


----------



## parabola50 (Feb 9, 2007)

Thanks. Here are the results, firstly from google and then from a site I can't access.

```
C:\Documents and Settings\dave>tracert -d www.google.com

Tracing route to www.l.google.com [66.102.9.99]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2    15 ms    11 ms     7 ms  10.156.144.1
  3    14 ms    10 ms    10 ms  213.106.239.229
  4    11 ms    12 ms    38 ms  195.182.176.121
  5    21 ms    20 ms    19 ms  213.105.75.49
  6    25 ms    23 ms    22 ms  213.105.64.21
  7    20 ms    22 ms    21 ms  213.105.64.18
  8    26 ms    30 ms    30 ms  62.253.184.6
  9    20 ms    22 ms    20 ms  212.250.14.138
 10    20 ms    27 ms    23 ms  209.85.255.175
 11    42 ms    37 ms    41 ms  209.85.251.190
 12    32 ms    34 ms    33 ms  72.14.232.237
 13    38 ms    36 ms    35 ms  64.233.174.14
 14    34 ms    32 ms    30 ms  66.102.9.99

Trace complete.

C:\Documents and Settings\dave>tracert -d www.natwest.com

Tracing route to www.natwest.com [155.136.80.213]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.2.1
  2    10 ms    10 ms    38 ms  10.156.144.1
  3    10 ms    28 ms     7 ms  213.106.239.169
  4    12 ms     9 ms    11 ms  195.182.176.105
  5     8 ms    13 ms     8 ms  213.105.75.45
  6    23 ms    16 ms    16 ms  62.253.185.238
  7    13 ms    14 ms    27 ms  62.253.184.6
  8    16 ms    13 ms    29 ms  195.66.226.12
  9    42 ms    16 ms    17 ms  194.70.98.94
 10    27 ms    26 ms    61 ms  194.70.48.134
 11    45 ms    43 ms    48 ms  155.136.65.4
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *
```


----------



## grue155 (May 29, 2008)

Thank you. The traceroute looks normal. The 155.136.x.x address is the bank firewall. That is why nothing showed after that.

I tried www.natwest.com myself, and got a normal web access on port 80 (the http: connection). However, with an https: (port 443) I got a redirect, and my lynx browser complained about being unable to retrieve the site certificate.

That suggests to me that natwest.com might have a dodgy TLS/SSL setup. Trying IE 7 and Firefox 3 did make connection, but went to port 80, and not 443, even with the https: prefix.

You said in an earlier post that you were using IE. Which version?

There's a chance that your SSL certification verification stuff has somehow gotten out-of-sync, and the browser simply won't display secured pages with what it considers improper signatures.


----------



## grue155 (May 29, 2008)

A thought occurred to me, that all this could be some recent change in bank security policy.

Try this: just a regular, straight to the web site home page with http: prefix. Select the login, and see what happens. 

I'm thinking that their security policy now requires https: web pages to have a proper session cookie, which can be set only by going thru the normal home page/login sequence. A direct path (like a bookmark) wouldn't work, as the proper cookie values aren't established.


----------



## parabola50 (Feb 9, 2007)

That didn't work either, sorry. I originally thought it could be something to do with https as it was Natwest and Halifax which I couldn't access at first. I've gradually discovered more that I can't access though that don't use a secure connection, e.g. www.schuhstore.co.uk and www.zavvi.co.uk

Thanks.


----------



## grue155 (May 29, 2008)

Let's try something a little different. Rather than a web browser, use telnet to see what happens.

Open a command prompt window, and enter

```
telnet www.schuhstore.co.uk 80
```
and after you get a connection message, type

```
GET /
```
 and press the enter-key twice. You should get back a screen of raw HTML that a web browser would make sense of.

Try that with each of the sites you are having problems contacting.

If that doesn't work, then try with the IP address of each site. You can get the IP address of each, again from a command prompt, by entering this: 


```
nslookup -type=a www.schuhstore.co.uk.
```
Note the trailing dot after the .uk. Leave that trailing dot off, and you'll get really strange answers.

The IP address lookup for www.schuhstore.co.uk comes back with a bunch of addresses. You can pick any one to use. I tried this:


```
telnet 81.89.142.171 80
```
What this should tell us, is whether the problem is a network routing problem, or some kind of local machine browser configuration problem. Using telnet is being just above the hardware, and almost, but not quite, watching the bits flow directly.


----------



## parabola50 (Feb 9, 2007)

Entering the web address didn't work, the connection just failed. I was able to get the IP address though, but when I tried to connect to it, the command prompt just clears itself and the white line flashes at the top of the blank screen. When trying one of them I pressed enter while it was doing this and I did get a bit of HTML, but it only happened the one time. Now every time I try with different IPs, the screen doesn't clear, it just tries to connect for a minute and then fails. Seems like there's no consistency with what it's doing.

Thanks


----------



## grue155 (May 29, 2008)

Telnet being unable to connect, and just timing out, is consistent with a network routing problem. 

In reading back over this topic from the beginning, just to check my assumptions and the details of what has been tried, I note you mention that you're using a Belkin Wireless G-Plus router. No problems when you connect at a friend's location, but problems at, I presume, home.

Are you connecting via wireless? If so, are you sure that you are connecting to your router? If you're running the router defaults out-of-the-box, you could very well be connecting to someone else's wireless box.

The routers also have DNS settings which they should get from the ISP. What are the DNS settings on your router? The details should be listed on the router status page, which on Belkin routers is at http://192.168.2.1/


----------



## parabola50 (Feb 9, 2007)

My PC is actually connected to the router, I only use the wireless for my PS3. The DNS settings say:
DNS address 194.168.4.100
Secondary 194.168.8.100
And the box for "automatic from ISP" is checked.


----------



## grue155 (May 29, 2008)

Those are the expected IP addresses for the DNS servers.

A couple more things to check. From a command prompt, enter these two commands:

```
netsh interface ip show config

netsh interface portproxy show all
```
The portproxy one may not give any result if nothing is defined. If something is defined, it'll say something.

If nothing obvious shows up in those two command outputs, then the only thing I'm able to think of that remains to try is a TCP stack reset.


----------



## parabola50 (Feb 9, 2007)

The second one didn't show anything. Here's what it said...

```
C:\Documents and Settings\dave>netsh interface ip show config

Configuration for interface "Local Area Connection"
    DHCP enabled:                         Yes
    InterfaceMetric:                      0
    DNS servers configured through DHCP:  192.168.2.1
    WINS servers configured through DHCP: None
    Register with which suffix:           Primary only


C:\Documents and Settings\dave>netsh interface portproxy show all


C:\Documents and Settings\dave>
```


----------



## grue155 (May 29, 2008)

That was expected output for portproxy. The config is reporting that your DNS is using the router only, rather than the ISP DNS servers. That's interesting. Let's try the ISP servers. More command line stuff:


```
netsh interface ip set dns "Local Area Connection" dhcp clear none
netsh interface ip set dns "Local Area Connection" static 194.168.4.100 none
netsh interface ip set dns "Local Area Connection" static 194.168.8.100 none
ipconfig /flushdns
```
What all that does: first line removes your existing DNS reference (the 192.168.2.1). Next two lines say to use the IP addresses of your ISP DNS servers. And finally, flush the address cache that your PC has been using.

To check to make sure all that has happened, you can use the config report again, and see if the DNS servers have changed.

```
netsh interface ip show config
```
Now, something else to check, is the "hosts" file. The normal Windows hosts file is pretty much empty except for one line that says "127.0.0.1 localhost", and a lot of comments. On XP machines the hosts file is located at %windir%\system32\drivers\etc\hosts

Eyeball the file, and see if it is just the one line that is not a comment. Any extra lines could be causing addressing problems.

After all that, try the telnet testing again.

One more thing to take a look at, is the Windows "router table". Another command line:


```
netstat -nr
```
The line "default gateway" should have the IP address of your router.

You mentioned earlier that you are running BitDefender firewall. If the telnet test doesn't work, switch over to the Windows firewall, and try the telnet again.

I'm starting to run out of things to check. The next major test is a TCP stack reset, and that is something of a major impact on your machine. I'm trying to avoid that, as if the reset doesn't work completely, then you're up for a system reinstall.
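The hosts-file eyeball check above, done mechanically. This is an added example, not code from any post in the thread; the sample file content is constructed for the example and is not the poster's actual file.

```python
"""Flag hosts-file lines that override normal DNS resolution.

Added example for this thread (not from any post). grue155's check is to
eyeball %windir%\\system32\\drivers\\etc\\hosts for anything beyond the one
"127.0.0.1 localhost" line; this does the same check over the file's text.
The sample below is constructed and is not the poster's real file.
"""
import ipaddress
import re

# Constructed sample of an XP hosts file: Microsoft's stock comments, the
# normal localhost line, and two extra mappings of the kind the check is
# meant to surface (site names are ones mentioned in the thread; the
# addresses are made up, 198.51.100.0/24 is reserved for documentation).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1  www.halifax.co.uk   # constructed: site pinned to loopback
198.51.100.7   www.natwest.com   # constructed: site pinned to a fixed address
"""

LOCAL_ONLY = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> list:
    """Return (address, hostname, line_no) for every active mapping.
    Full-line and trailing comments and blank lines are ignored; one address
    line may list several hostnames, each becoming its own entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, names = fields[0], fields[1:]
        for name in names:
            entries.append((addr, name.lower(), line_no))
    return entries


def suspicious_entries(text: str) -> list:
    """Return (address, hostname, line_no, reason) for every mapping other
    than loopback -> localhost, so each one can be reviewed by hand."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, line_no, "unparseable address"))
            continue
        if ip.is_loopback and name in LOCAL_ONLY:
            continue  # the one line a clean XP hosts file should have
        if ip.is_loopback:
            reason = "site pinned to loopback (would never load)"
        else:
            reason = "site pinned to a fixed address, bypassing DNS"
        findings.append((addr, name, line_no, reason))
    return findings


if __name__ == "__main__":
    for addr, name, line_no, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}: {reason}")
```

To run it against a real XP machine, read the file at the path grue155 gives and pass its contents to `suspicious_entries`.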


----------



## parabola50 (Feb 9, 2007)

Tried all that and still no luck. Are you sure it couldn't be a problem on the ISP's end? I tried a system reinstall a few times at first and it didn't work. I tried an old XP SP1, Vista that came with my computer, and XP SP3 that I'm using now, and I had the same issue with them all.

Thanks again for your help.


----------



## grue155 (May 29, 2008)

It very well could be an ISP problem. Determining that is a process of elimination.

If you've done reinstalls, and different machines, with no change, then a TCP stack reset isn't going to be useful. No point in potentially breaking things unnecessarily.

The only next thing to try, is to see what's on the wire itself as the packets go out, and what if anything is coming back. That calls for installing a network monitor.

The network monitor that I'm familiar with is Wireshark (wireshark.org).

Download Wireshark and install it. Be aware that it will install a packet capture service, which some of the anti-virus and security packages will complain about. That's expected. To start, from the command tool bar at the top, select Capture -> Interfaces, and then Start on the interface that is connected to the Internet. To stop the capture, from the tool bar, select Capture -> Stop.

This will show you packet by packet what is on the wire. You can save the capture file for later posting here, or if need be, forwarding to your ISP as documentation of a problem.


----------



## parabola50 (Feb 9, 2007)

Don't know if I've done this right, but here's a saved file from when I tried to access Natwest. I saved it as a .txt file but the content didn't make sense. Just let me know if there's anything that I haven't done right.

http://rapidshare.com/files/143825091/natwest.pcap

Thanks.


----------



## grue155 (May 29, 2008)

Got it. Thank you, and the pcap file format is the correct one.

I've loaded your capture file into my installed version of Wireshark, and have been digging into the details. There is definitely a problem. The first thing that stands out is that Wireshark is complaining about the packet structure of almost all outbound TCP traffic. The checksums don't match what the expected values should be.

A bad checksum on TCP traffic is almost always considered a corrupted packet, and many (most? all?) sites will ignore the packets. Your machine is sending out, but the receiving site is ignoring it.

Wireshark is suggesting a driver "checksum offload" function being the cause. Which it often is. While many things can be said about Windows, one thing it can do is compute checksums properly.

So, it's time to check a network driver setting.

Click Start, and then right click on "My Computer", and select Properties. Choose the Hardware tab, and click Device Manager. Expand the tree for Network Adapters, and then right click on your LAN adapter. If the adapter has configurable settings, there will be an Advanced tab, and one of those settings will be for "checksum offload". Right now, it seems to be enabled. We want it to be disabled. Or at least, the opposite of whatever the current setting is.

If you do make changes, it may be necessary to reboot to make sure the change sticks.

Then try another Wireshark capture. Wireshark helpfully color codes things, and good TCP traffic shows in green, with problem packets in black. The capture you posted had a lot of black, and very little green.
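The "bad checksum" colouring grue155 describes can be reproduced offline. This is an added example, not code from any post in the thread: it recomputes the TCP checksum over the IPv4 pseudo-header plus segment, as Wireshark does, for two constructed SYNs to the bank's address from the tracert output above, one carrying a real checksum and one carrying a placeholder that stands in for what an offloading driver leaves in the field.

```python
"""Check TCP checksums of raw IPv4 packets the way Wireshark does.

Added example for this thread (not from any post). It shows why a capture
taken on a PC with "transmit TCP checksum offload" enabled reports bad
checksums on outbound segments: the stack leaves a placeholder in the
checksum field for the NIC to fill in, and the capture driver copies the
frame before the NIC does. The packets below are constructed; the bank's
address is the one from the tracert output in the thread.
"""
import struct

LOCAL_PC = "192.168.2.10"   # constructed LAN address behind the Belkin
BANK = "155.136.80.213"     # www.natwest.com, from the tracert above


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum_check(ip_packet: bytes) -> tuple:
    """Return (checksum stored in the segment, checksum recomputed over the
    IPv4 pseudo-header plus the segment) for one raw IPv4/TCP packet."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != 6:
        raise ValueError("not a TCP packet")
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    segment = ip_packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    # Pseudo-header: src, dst, zero, protocol, TCP length (RFC 793).
    pseudo = ip_packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return stored, internet_checksum(pseudo + zeroed)


def verdict(ip_packet: bytes, outbound: bool) -> str:
    """Classify like Wireshark's colouring: 'ok' (green) or bad checksum
    (black). The offload hint applies only to traffic leaving the capturing
    host; a bad checksum on received traffic means real corruption."""
    stored, expected = tcp_checksum_check(ip_packet)
    if stored == expected:
        return "ok"
    if outbound:
        return "bad checksum (outbound: likely checksum offload, not corruption)"
    return "bad checksum (inbound: corrupted in transit)"


def build_syn(src: str, dst: str, sport: int, dport: int, tcp_csum=None) -> bytes:
    """Build a minimal IPv4/TCP SYN (no options, no payload). With tcp_csum
    None the real checksum is filled in; a fixed value stands in for the
    placeholder an offloading driver leaves (constructed, not any real
    driver's value)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # sport, dport, seq, ack, data offset 5 words, SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0xFFFF, 0, 0)
    if tcp_csum is None:
        pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
        tcp_csum = internet_checksum(pseudo + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp


GOOD_SYN = build_syn(LOCAL_PC, BANK, 49152, 443)            # offload disabled
OFFLOAD_SYN = build_syn(LOCAL_PC, BANK, 49152, 443, 0x0000)  # offload placeholder

if __name__ == "__main__":
    for name, pkt in (("offload enabled", OFFLOAD_SYN), ("offload disabled", GOOD_SYN)):
        stored, expected = tcp_checksum_check(pkt)
        print(f"{name}: stored=0x{stored:04x} expected=0x{expected:04x} -> {verdict(pkt, True)}")
```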


----------



## parabola50 (Feb 9, 2007)

There are 4 options; they are:
offload receive IP checksum
offload receive TCP checksum
offload transmit IP checksum
offload transmit TCP checksum

Should I turn them all off? Also, I said earlier that I took my PC to someone else's house and it worked fine when connected to their network. Could this checksum thing still be the cause of the problem? Just checking as you might have missed what I said at the start of the thread.

Thanks!


----------



## grue155 (May 29, 2008)

It'd be best to turn off all of the checksum offload stuff. Let Windows do all the work, and not rely on the hardware in this instance.

I had not forgotten about things working elsewhere. That has been something of a puzzle, but doesn't change the current Wireshark report. The packet checksums get recomputed by the NAT/router, so it could be that your router (a Belkin) is ignoring your PC, and the router elsewhere was taking the packets and accepting the traffic. It also depends on the adapter being used. If your PC is both wired and wireless, one would work and the other likely won't.

Or, this could be something else entirely. Wireshark did complain about the checksums. Whether this is 'the' problem, or 'a' problem (one of several), remains to be determined.


----------



## parabola50 (Feb 9, 2007)

Here it is:

http://rapidshare.com/files/144307182/natwest2.pcap

Thanks


----------



## grue155 (May 29, 2008)

Thank you. That looks much better. It seems that a bunch of stuff is now working in some form. Natwest is still a problem. Capture had 3 packets outbound and no answer.

You have a Belkin Wireless G+ router. It is plugged into some kind of modem. What's the make and model of the modem? 

I've looked into the Belkin manual. Just to confirm, it is a model F5D7231. There don't seem to be any other configurable bells and whistles beyond what have already been tried.

So, the next thing to try, is migrate your PC connection outward toward the Internet.

The limit case to try, is to plug your PC directly into the modem, but that might take some configuring on your PC depending on what kind of modem you have. Whatever connection parameters are set on your Belkin, you'll need to duplicate on your PC.

And then, with your PC firewall turned on, unplug the Belkin from the modem, and plug in your PC, and establish an Internet connection.

Then do the Wireshark bit again. If it is an ISP problem, this is the packet capture that may prove it to their satisfaction.


----------



## parabola50 (Feb 9, 2007)

The modem is a standard Virgin Media one, and the router is a F5D9230-4.

Attached is the new report with the router removed. If you want me to try any other sites, off the top of my head the ones that I can't access are:

www.schuhstore.co.uk
www.halifax.co.uk
www.ufc.com
www.nationwideautocentres.co.uk
www.ecarinsurance.co.uk

Thanks


----------



## grue155 (May 29, 2008)

I'm not complaining, as 'days like this' happen. I don't see the report listed in your posting. And, as Virgin Media doesn't exist on my part of the planet, a google search turns up that their standard kit is either a Thomson Speedtouch ST510 (or 516), or a Netgear DG834 (or variant). Since the Netgear kit is a wireless router package, and you are using a Belkin for wireless, I would presume that you have the Speedtouch kit.

If that is the case, you should be able to access the Speedtouch on http://192.168.1.254/ From the documentation that I've found, the Speedtouch does have an internal logging facility that might prove informative.

If you have the Netgear kit, it should be accessible on http://192.168.0.1/ It also has an internal logging facility.

If you have something other than a Speedtouch or a Netgear, then I'll have to ask for the make and model as given on the label of the kit.


----------



## parabola50 (Feb 9, 2007)

Sorry, I think I must have still been asleep when I posted that cos I don't even remember doing it. Anyway, here is the new report:

http://rapidshare.com/files/144999507/natwest3.pcap

I can't access either of those IP addresses. The model number on the modem is E08C007, that's the only information that's on it though.

Thanks again!


----------



## grue155 (May 29, 2008)

Got it. Thank you. Wireshark is showing all green, but again no packets back from natwest. Hmmm...

A google search on the modem shows it to be a rebranded Ambit cable modem. It should be accessible on http://192.168.100.1/ Cable modems like this really don't do much other than electrical signal translation. Ethernet on one side, and network tone-pulses on the other side. If you can access the modem on that IP address, that will confirm that piece of hardware.

So what this is coming down to now, is some manner of ISP problem.

One more thing to check. I noticed in the capture file that your Internet address ends in 82.255. The x.255 is often considered to be a LAN broadcast address, and on private LANs isn't propagated outward. You have a live Internet address, so that shouldn't be blocked. But I have encountered some 'less than properly configured' firewalls that blocked all x.255 addresses.

So this next check, is to somehow force getting a different IP address. The easy way to do that, is to turn both the modem and the PC off for a while (like, overnight). Then power up the modem, and a minute or so later, power up the PC. You should still have your PC connected directly to the modem. You can use 'ipconfig /all' to see what Internet IP address you've got when you power up.

One thing I've noticed in your capture files, is the follow on test after the natwest packets fail. That is going to an ISP local web server cache, provided by Akamai. A better check would be to access some site that is not cached by Akamai. Local government sites are usually good test cases, as these usually don't get that much traffic (relatively speaking, to say msn.com or yahoo.com), and they certainly won't pay Akamai any fees for the web caching. If it is an ISP filtering problem, this is a real good test case, as it should be 'local' both physically and in the network sense.


----------



## parabola50 (Feb 9, 2007)

Sorry it took me so long to reply. I've had a lot of personal problems. I left it turned off overnight to try getting a new IP address. I wasn't able to find any local sites that I can't access though.


----------



## grue155 (May 29, 2008)

As the old saying goes, "life happens". I've had my own experiences this year that kept me offline for a couple of months.

Did you get a change in IP address? If so, did it change any of the observed connection problems?

Connecting directly to your modem, and still running into the connection problems, as confirmed by the packet capture, is pointing to an ISP problem. If you can get the ISP support folks to eyeball the capture file, they'll have a much better idea of what the problem is.


----------



## parabola50 (Feb 9, 2007)

When I check the IP config, specifically which IP address is it that needs to have changed?


----------



## grue155 (May 29, 2008)

Your Internet address, per my earlier post:



> One more thing to check. I noticed in the capture file that your Internet address ends in 82.255. The x.255 is often considered to be a LAN broadcast address, and on private LANs isn't propagated outward. You have a live Internet address, so that shouldn't be blocked. But I have encountered some 'less than properly configured' firewalls that blocked all x.255 addresses.
> 
> So this next check, is to somehow force getting a different IP address. The easy way to do that, is to turn both the modem and the PC off for a while (like, overnight). Then power up the modem, and a minute or so later, power up the PC. You should still have your PC connected directly to the modem. You can use 'ipconfig /all' to see what Internet IP address you've got when you power up.


----------

