
Web Protection: ERR_CONNECTION_REFUSED



To whom it may concern,

Ever since using Malwarebytes 3 Premium, I've never been able to get Web Protection working. Even with the latest 3.1.2.1733 I still cannot get it working.

My troubles with Malwarebytes 3 Premium Web Protection:

1. I used to get a DNS error issue along with a lot of other people (Along the lines of DNS Address could not be found)
2. This was fixed in 3.0.6 when either a component package update came out or an update package (I don't remember the number or which one it was but it was specifically released to try to fix the Web Protection DNS error)
3. I updated to the component package/update package and the Web Protection was working perfectly. No DNS issue and I was getting pop ups telling me websites had been blocked etc and excluding/unexcluding websites worked fine.
4. However, I decided to use one of the first versions of Malwarebytes 3 Cleaner (MB-Clean) just to make sure the DNS Error with Web Protection was truly fixed
5. Upon uninstalling and re-installing Malwarebytes 3 back to whatever 3.0.6 with whatever version of component package or update package which fixed the DNS Issue within Web Protection, my Web Protection broke
6. Now whenever Web Protection is turned on and I visited a blocked site or even http://iptest.malwarebytes.org/ I get the following http://prntscr.com/f7d7c4

So in short my problem is:

I uninstalled Malwarebytes 3.0.6 with whatever version of component package or update package which fixed the DNS Issue within Web Protection with an early version of MB-Clean for Malwarebytes 3 and it broke Web Protection giving me the following http://prntscr.com/f7d7c4 when it is enabled. I get no pop ups from Malwarebytes telling me a site has been blocked and I don't get the normal Malwarebytes website overlay to tell me Malwarebytes is blocking the website.

Things I've tried:

Updating Malwarebytes 3 to http://prntscr.com/f7d8ar
Uninstalling Malwarebytes with the numerous MB-Cleans including 3.1.0.1002 and re-installing
Manually uninstalling Malwarebytes 3 with Revo Uninstaller Pro and through the Windows Control Panel 
Resetting my router to try to get Web Protection Working
Turning on and off Early Protection Modules of Malwarebytes 3
Flushing my DNS through Control Panel 
Using an Open DNS such as the Google DNS IP addresses 8.8.8.8 and 8.8.4.4 as my DNS servers (I'm currently obtaining the DNS Server Address Automatically)
I've tried connecting to http://iptest.malwarebytes.org through IE 11, Edge, Firefox 54.0b7 (64-bit) and Chrome Version 60.0.3095.5 (Official Build) dev (64-bit) each giving a varied error message version similar to http://prntscr.com/f7d7c4

*Note: None of these things tried fixed the issue*

Other things that may help determine what is causing this Web Protection issue for me:
I'm running the latest Windows 10 Home x64bit edition (See: http://prntscr.com/f7darw)
I'm running the latest 3.1.2.1733 version of Malwarebytes (See: http://prntscr.com/f7d8ar)
The only virus scanner I am running is Windows Defender Security Centre
The only other security software I run are Windows Firewall (The default firewall that comes with windows), WinPatrol v34.11.2016.27 and Unchecky (Which unticks some bundle software from software installers)

Overall, I can't for the life of me figure out why using an early version of MB-Clean for Malwarebytes 3 caused 3.0.6 with whatever version of component package or update package which fixed the DNS Issue within Web Protection caused Web Protection to break again and never work since. If anyone knows of a solution or has had a similar issue, I would very much like to know a solution.

I have attached my mb-check and will attach FRST.txt and Addition.txt if required (I haven't attached them yet because of privacy concerns, I'm not sure what's included in these logs and don't want to give out anything that could potentially make my computer vulnerable if they got in the wrong hands)

Thanks again to anyone who read this and has/is trying to help, it would be great to get this fixed once and for all,
KidwithSmurf

PS: On a side note I have never had any issue with Web Protect not enabling like most other people.

mb-check-results.zip

Edited by KidwithSmurf
Grammar fixes

18 minutes ago, KidwithSmurf said:

The only virus scanner I am running is Windows Defender Security Centre

Have you added any exceptions yet? Just a precaution.

19 minutes ago, KidwithSmurf said:

(I haven't attached them yet because of privacy concerns, I'm not sure what's included in these logs and don't want to give out anything that could potentially make my computer vulnerable if they got in the wrong hands)

 
 

There is nothing in there but some still are concerned so you can PM those to @dcollins and he can work with you from this point on.


31 minutes ago, Porthos said:

Have you added any exceptions yet? Just a precaution.

There is nothing in there but some still are concerned so you can PM those to @dcollins and he can work with you from this point on.

Thank-you for the quick reply Porthos. I had followed a similar guide previously that I saw on another thread that you posted on about setting up exclusions for Windows Defender Users. This didn't fix the issue either, so I removed the exclusions from Windows Defender. However, I have just followed the thread you linked and have re-setup the exclusions again and unfortunately the Web Protection ERR_CONNECTION_REFUSED is still present when connecting to http://iptest.malwarebytes.org/

Also, I'm not too concerned that the Web Protection doesn't work as it isn't a major part of Malwarebytes 3 and every other feature as far as I can tell seems to be working and running as intended. It just would be nice to have every feature offered working. 

With that said thank-you again for taking the time to reply and I will PM the FRST and Addition.txt logs to dcollins and see if he can further help me.

Edited by KidwithSmurf
Grammar fixes

22 minutes ago, Porthos said:

It is blocking the site but not showing the proper page. Look at the logs.

What I meant to say before was that I'm not too concerned that Web Protection doesn't work properly/fully. But yes, I know that Malwarebytes Web Protection is blocking the website/page but not showing the proper Malwarebytes Web Protection blocked website page. However, it also doesn't show the 'Website Blocked' notification message popup from Malwarebytes to say that Malwarebytes has blocked x website/page. Therefore, when Web Protection is enabled, I'd have no idea if it is Malwarebytes blocking a page or not because I'm not getting any notification to tell me that it is and nor am I getting redirected or whatever happens to the correct Malwarebytes Web Protection blocked website page.

Although I have sent dcollins my FRST and Addition.txt files and hopefully this can easily be resolved. In the meantime whilst I wait for a reply from dcollins, if you or anyone has any other suggestions I'd be more than happy to try them.

Edited by KidwithSmurf
Minor Sentence Edits

Thanks for this information. Can you try two more things for me while I'm digging through the logs?

Ping Results

  1. Turn off Web Protection
  2. Ping iptest.malwarebytes.com
  3. Take a screenshot of the results
    • The request may time out, but that's ok
  4. Turn on Web Protection
  5. Ping iptest.malwarebytes.com
  6. Take a screenshot of the results
  7. Also take note if you get a notification from MB3 saying the site was blocked
  8. Please upload the screenshots taken in steps 3 and 6

ProcMon Log

  1. Turn off Web Protection
  2. Download procmon from https://live.sysinternals.com/procmon.exe
  3. Launch Procmon
    • If you've run this tool before, you may get a prompt about filters. Please choose reset and then click ok
  4. Make sure ProcMon is capturing
    • You'll know because it will show a lot of stuff in the window. If it's not capturing, the window should be blank
    • If ProcMon is not capturing anything, please click the magnifying glass icon near the top to start capturing
  5. Navigate to http://iptest.malwarebytes.com in Firefox
  6. Verify the page loads properly
  7. Turn on Web Protection
  8. Navigate to http://iptest.malwarebytes.com in Firefox
  9. Verify the page doesn't load properly (you get the connection_refused error)
  10. Stop capturing in ProcMon by clicking the magnifying glass
  11. Save the ProcMon log and either upload it here, or if it's too big, use wetransfer.com to have it sent to dcollins@malwarebytes.com

Thanks!

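A scripted companion to the ping comparison requested above, as an added example that is not part of the original posts or of any Malwarebytes tooling: it records DNS resolution, TCP port 80 reachability and, going beyond the ping steps, the proxy settings that come up later in this thread, so the Web Protection off and on states can be compared side by side. The function name `Get-WebBlockSnapshot`, the `-Label` parameter and the output file name are assumptions made for this example.

```powershell
# Added example: run once with Web Protection off (-Label wp-off) and once
# with it on (-Label wp-on), then compare the two JSON files.
param(
    [string]$TestHost = 'iptest.malwarebytes.com',  # test host named in the thread
    [string]$Label    = 'wp-off'                    # assumed label for the output file
)

function Get-WebBlockSnapshot {
    param([string]$Name)

    # 1. DNS: a failure here matches the older "DNS address could not be found"
    #    symptom, not ERR_CONNECTION_REFUSED.
    $dns = try {
        (Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
            Where-Object { $_.IPAddress } |
            ForEach-Object IPAddress) -join ','
    } catch { "FAILED: $($_.Exception.Message)" }

    # 2. TCP 80: the name resolves but the connection is refused or dropped
    #    when TcpTestSucceeded is False.
    $tcp = Test-NetConnection -ComputerName $Name -Port 80 -WarningAction SilentlyContinue

    # 3. Per-user (WinINET) proxy settings and the machine-wide WinHTTP proxy.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    [pscustomobject]@{
        Timestamp     = (Get-Date).ToString('s')
        Host          = $Name
        ResolvedA     = $dns
        RemoteAddress = "$($tcp.RemoteAddress)"
        Tcp80Open     = $tcp.TcpTestSucceeded
        ProxyEnable   = $inet.ProxyEnable
        ProxyServer   = $inet.ProxyServer
        AutoConfigURL = $inet.AutoConfigURL
        WinHttpProxy  = (netsh winhttp show proxy | Out-String).Trim()
    }
}

$snap = Get-WebBlockSnapshot -Name $TestHost
$snap | Format-List
$snap | ConvertTo-Json | Set-Content -Path ".\webprot-$Label.json"
```

A changed `ResolvedA` value between the two runs points at name resolution; an unchanged address with `Tcp80Open` going from True to False points at the connection itself being blocked.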

On 5/15/2017 at 6:37 AM, dcollins said:

Thanks for this information. Can you try two more things for me while I'm digging through the logs?

Ping Results

  1. Turn off Web Protection
  2. Ping iptest.malwarebytes.com
  3. Take a screenshot of the results
    • The request may time out, but that's ok
  4. Turn on Web Protection
  5. Ping iptest.malwarebytes.com
  6. Take a screenshot of the results
  7. Also take note if you get a notification from MB3 saying the site was blocked
  8. Please upload the screenshots taken in steps 3 and 6

ProcMon Log

  1. Turn off Web Protection
  2. Download procmon from https://live.sysinternals.com/procmon.exe
  3. Launch Procmon
    • If you've run this tool before, you may get a prompt about filters. Please choose reset and then click ok
  4. Make sure ProcMon is capturing
    • You'll know because it will show a lot of stuff in the window. If it's not capturing, the window should be blank
    • If ProcMon is not capturing anything, please click the magnifying glass icon near the top to start capturing
  5. Navigate to http://iptest.malwarebytes.com in Firefox
  6. Verify the page loads properly
  7. Turn on Web Protection
  8. Navigate to http://iptest.malwarebytes.com in Firefox
  9. Verify the page doesn't load properly (you get the connection_refused error)
  10. Stop capturing in ProcMon by clicking the magnifying glass
  11. Save the ProcMon log and either upload it here, or if it's too big, use wetransfer.com to have it sent to dcollins@malwarebytes.com

Thanks!

Thanks for the reply, appreciate it. I'm sorry it took me so long to get back to this. However, I have done the steps mentioned above as follows:

1. Ping iptest.malwarebytes.com with Web Protection off. Here is the result: http://prntscr.com/f8il3b
2. Ping iptest.malwarebytes.com with Web Protection on. Here is the result: http://prntscr.com/f8imf5 and I also got this notification from MB3: http://prntscr.com/f8im6w

I have emailed you the said ProcMon Log as the filesize was too big to attach here. Also, was I supposed to let it finish showing all the events before uploading? If so I will have to redo it.

Also on a side note, I have tested the latest Malwarebytes v3.1.2.1733 on a different computer running Windows 10 Pro x64bit fully updated and Malwarebytes Web Protection seemed to work perfectly fine.

Thanks again for checking this, appreciate it.

PS: The upload of the Logfile is going to take 3hours to email to you using wetransfer.com from when I made this post.

Edited by KidwithSmurf
Made a website link into a URL

Can you provide FRST logs as well please?

Create and obtain Farbar Recovery Scan Tool (FRST) logs

  1. Download FRST and save it to your desktop
    1. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  2. Double-click to run and when the tool opens click Yes to the disclaimer
  3. Press Scan button
  4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
    1. Attach both of these logs to your post by clicking on the "Drag files here to attach, or choose files..." or simply drag the files to the attachment area

9 minutes ago, dcollins said:

Can you provide FRST logs as well please?

Create and obtain Farbar Recovery Scan Tool (FRST) logs

  1. Download FRST and save it to your desktop
    1. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  2. Double-click to run and when the tool opens click Yes to the disclaimer
  3. Press Scan button
  4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
    1. Attach both of these logs to your post by clicking on the "Drag files here to attach, or choose files..." or simply drag the files to the attachment area

I had sent you these via inbox when I made the thread. But anyhow I have just re-scanned with the latest version of FRST64 and have attached both FRST.txt and Addition.txt.

FRST.txt

Addition.txt

Edited by KidwithSmurf

1 minute ago, dcollins said:

Thanks, sorry I forgot you messaged them to me.

All good, if you need anything else let me know. Also a heads up, the ProcMon Logfile now says 6 hours remaining to transfer (Not sure if the site is slow or if Australian internet is just terrible or a combination of both). The file is around 860MB. Hence, you may have to wait a while for it to transfer.

Thanks again for everything.


8 minutes ago, dcollins said:

Thanks. Does this happen when you're on your GhostVPN? What about if you're not using the VPN?

Malwarebytes Web Protection doesn't fully work when I'm off the VPN. Although, I have never tested going to http://iptest.malwarebytes.com/ with VPN as I hardly use the VPN. I shall try connecting to http://iptest.malwarebytes.com/ with the VPN after the wetransfer has completed and reply back with what happens. 

 

Edited by KidwithSmurf
Reworded

Just a small update, sorry for posting twice in a row.

1. The ProcMon Log should have been transferred 

2. I tested using my VPN and opening http://iptest.malwarebytes.com/ with Firefox. The same thing happened. I could connect to http://iptest.malwarebytes.com/ with Web Protection off  with VPN but still got the Error Message when Web Protection was On with VPN.

Therefore, the issue happens with and without VPN.


  • 4 weeks later...
On 5/17/2017 at 11:47 PM, dcollins said:

Thanks, I received the ProcMon log and we'll start looking it over now

Thanks for looking at the ProcMon log, just wondering if there has been any progress on the ProcMon Log or my issue in general? 

Also, just a small update as it's been a month since I made this thread. I am now running the latest component package and update package versions as seen here: http://prntscr.com/fjyptb and the Web Protection issue is still happening exactly as reported in the first post of this thread.


32 minutes ago, dcollins said:

We are still researching this, but unfortunately have no news. I'm looking over the logs again though, and see you have some proxy settings configured. Can you try removing your proxy settings to see if that makes any impact?

Thanks for the reply, appreciate it. I never knew I had proxy settings configured, but I have disabled them to the best of my knowledge. However, even with them disabled the issue seems to still be persisting.

Let me know if there is anything you want me to try and if not then I will keep waiting for a solution and will let you know if the issue fixes or if Web Protection starts functioning properly again at any point.

 


  • 2 weeks later...

Looks like this thread can now be closed! Web Protection seems to be functioning properly and iptest.malwarebytes.com seems to be re-directing back to the Malwarebytes blocked logo page and popping up the notification correctly showing me the website has been blocked as seen here: http://prntscr.com/fpl1zk

Not entirely sure what fixed it, but it's working which is great news. This means it was probably an application that updated on my PC which was interfering with Web Protection function of Malwarebytes.

Thanks again for your time and effort looking into this dcollins and anyone else that looked into it. Much appreciated :D

