I'm having a really, really weird issue with one of the Windows 7 laptops in our office.

When it's connected to our office network (either by WiFi or cabled connection), everything except browsing the web works fine. It can receive emails via Exchange, initiate VPNs, copy files, connect to network resources, it can ping websites (like google, etc), nslookup is fine. But if you open up a web browser, forget about it. Everything just times out.

If I connect the laptop to our guest network (which sits on an isolated vlan, but uses the same gateway as the office network), everything is fine (except obviously you can't access office network resources).

Sometimes the problem goes away after a restart, sometimes it doesn't. Sometimes it goes away on its own after 24 hours, sometimes it doesn't.

A wireshark trace looks like this:

[image: Wireshark trace]

A firewall trace looks like this:

[image: firewall trace]

The interesting thing here is that I'm attempting to connect to http://www.google.com.au directly (which is the home page of the browser). Its IP addresses are:

Name:    google.com.au
Addresses:  74.125.237.159
            74.125.237.152
            74.125.237.151

These are not the IP addresses showing up in the firewall. The IP addresses in the firewall line up with www.google.com:

Name:    google.com
Addresses:  74.125.237.128
            74.125.237.137
            74.125.237.132
            74.125.237.134
            74.125.237.133
            74.125.237.135
            74.125.237.131
            74.125.237.129
            74.125.237.142
            74.125.237.130
            74.125.237.136

wget looks like this:

C:\Users\mark.henderson>wget google.com.au
--2012-05-18 08:49:39--  http://google.com.au/
Resolving google.com.au... 74.125.237.159, 74.125.237.152, 74.125.237.151
Connecting to google.com.au|74.125.237.159|:80... failed: Connection timed out.
Connecting to google.com.au|74.125.237.152|:80... failed: Connection timed out.
Connecting to google.com.au|74.125.237.151|:80... failed: Connection timed out.
Retrying.

This is just really, really weird. It's isolated (at the moment) to just this machine, regardless of which network port or IP address it has. Any ideas?
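A small Python triage script, added here as an example (it is not from the original question or from anyone in the thread), that automates the checks described above: resolve the name, attempt a TCP connect to port 80 on every returned address with a timeout, and classify the outcome. The function names and the icmp_ok flag (standing in for the ping result, which needs raw sockets to do in-process) are my own assumptions; run against google.com.au with icmp_ok=True, the "DNS fine, ping fine, every SYN times out" pattern from the question classifies as tcp-filtered, the fingerprint of something in the path silently dropping TCP rather than a DNS or routing fault.

```python
import socket


def resolve(host):
    """Return the unique IPv4 addresses for host, in the order DNS gave them."""
    try:
        infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    addrs = []
    for info in infos:
        if info[4][0] not in addrs:
            addrs.append(info[4][0])
    return addrs


def probe_tcp(ip, port, timeout=5.0):
    """One TCP connect attempt; returns 'open', 'refused', 'timeout' or 'error'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "open"
        except socket.timeout:          # SYN sent, nothing came back at all
            return "timeout"
        except ConnectionRefusedError:  # host answered with RST: reachable, port closed
            return "refused"
        except OSError:
            return "error"


def classify(dns_ok, icmp_ok, tcp_results):
    """Map the probe pattern onto the layer that is most likely failing."""
    if not dns_ok:
        return "dns"
    if not tcp_results:
        return "unknown"
    if all(r == "open" for r in tcp_results):
        return "ok"
    if all(r == "timeout" for r in tcp_results):
        # Name resolves and ICMP passes, yet every SYN to the port vanishes:
        # something between client and server is discarding TCP to that port.
        return "tcp-filtered" if icmp_ok else "host-unreachable"
    if any(r == "refused" for r in tcp_results):
        return "tcp-refused"
    return "mixed"


def triage(host, icmp_ok, port=80, timeout=5.0):
    """Resolve host, probe each address on port, return (addresses, results, verdict)."""
    addrs = resolve(host)
    results = [probe_tcp(ip, port, timeout) for ip in addrs]
    return addrs, results, classify(bool(addrs), icmp_ok, results)


if __name__ == "__main__":
    # icmp_ok=True records that ping already succeeded from the affected machine.
    print(triage("google.com.au", icmp_ok=True))
```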

  • Is everything slow however (your emails, etc.)? – George May 17 '12 at 22:29
  • Which browser is used? Does it also happen with a wget-like tool? – Sašo May 17 '12 at 22:35
  • @Sašo - even wget times out; I've updated the question with the output. – Mark Henderson May 17 '12 at 22:50
  • @George - not that I've noticed, but it is possible – Mark Henderson May 17 '12 at 22:51
  • The reason I was asking is sometimes the simplest solution is to run Malwarebytes and/or Spybot. That's why I was asking. – George May 17 '12 at 22:54
  • @George - certainly a valid suggestion. I don't know why I didn't think of it myself. – Mark Henderson May 17 '12 at 23:01
  • Is the IP assigned or static? Does disabling Windows Firewall help? Also, as an addition to George's suggestion: If it's malware, Combofix is likely to solve the issue - but do note that it's extremely aggressive and can result in things getting broken. – Sašo May 17 '12 at 23:08
  • While I've run ComboFix about 50 times on machines with differing configurations with no actual problems caused by it, it's still a fair warning. Might as well give it a try before you decide to wipe the whole system. – Sašo May 17 '12 at 23:24
  • Sure it's not a hardware router / firewall doing this to you? –  May 18 '12 at 00:03
  • @RandolphWest - no, not sure at all to be honest. I'm currently going through historical firewall logs for the machine in question. The edge firewall is Microsoft TMG, which has very good reporting. – Mark Henderson May 18 '12 at 00:10
  • I had a very odd thing at two clients this week, where a firewall was overreacting to certain websites that did browser version probing. It delivered a timeout to the browsers, but because the firewall was blackholing the packets. Just a thought to consider. –  May 18 '12 at 00:36
  • Which antivirus are you running (if any)? I've run across this same issue and tracked it down to my AV package, which normally intercepts port 80 traffic to detect javascript-based badness on potentially infected sites. In this case, that component of the AV had somehow crashed. – Derek Pressnall May 19 '12 at 01:57
  • @DerekPressnall - This office uses Windows Security Essentials as they qualify for the SMB usage. The problem has gone away as of now, but next time it comes back I will try disabling the A/V. – Mark Henderson May 19 '12 at 06:30
  • @Sašo - if you post your malware comment as an answer, I will accept it. It turns out it was the anti-malware inspector at the firewall triggering some false-positives! – Mark Henderson May 21 '12 at 06:12

1 Answer

If the problem is malware related, the simplest way to solve it is to run ComboFix, which is basically just a bunch of malware removal programs bundled into one. It's pretty much the antimalware equivalent of carpet bombing everything.

Note: While I personally have no bad experiences with it, ComboFix is extremely aggressive and can end up making things worse. Generally I only use it when other software fails me.

Sašo
  • This put me on the right track. A malware search returned nothing, but the edge firewall was reporting false positives on some AJAX sessions and blocking all HTTP outbound connections. – Mark Henderson May 21 '12 at 07:53