I got a call from my little brother whose Windows system was shot. He’d evidently installed a game, that game installed a toolbar, that toolbar installed an ad-replacing software, and that ad-replacing software installed something else that crashed and relaunched 20 times a minute, etc. etc. etc.
All said and done, there were several thousand things detected, although I only counted sixteen different items.
As part of my day job, I have spent considerable time removing garbage from Windows systems (and the occasional Mac), so I told his mother to drop it by and I’d set it up on my desk and see if I couldn’t defeat it.
The system came in and took 22 minutes to boot to the desktop. I could ping by name and FTP, but all browsers refused to work.
1. Remove the infections/malware
After cleaning off the garbage using MalwareBytes, SpyBot, and a couple of mostly useless pieces of software my company paid for that didn’t detect anything, I was left with a clean computer that I could ping and resolve DNS with no problem but no browser worked.
2. Remove any proxy entries in Internet Explorer (even if you use other browsers)
I checked in Internet Explorer whether there was a proxy server defined, and there wasn’t. This is generally the first thing I check, as that’s generally what these BS apps change. They set up a proxy server so if you request page X they can serve up page Y. Eh, whatever, this wasn’t the case with this set of infections.
Proxy settings can be found in Tools (which you may have to tap the alt key to see) > Internet options > Connections > LAN settings.
Uncheck everything. You can leave Automatically detect settings checked if you want, but that causes a few seconds lag on startup.
Last time I checked, Chrome used the proxy settings from Internet Explorer, so if it was messed up Chrome didn’t work.
3. Check the hosts file
I checked the hosts file to ensure there wasn’t some sort of weird setup in there to block every website I could think of. I’ve never seen a hosts file compromised, but there’s a first time for everything. This one was just the standard hosts file sitting at %systemroot%\System32\drivers\etc.
Generally it shouldn’t contain anything other than some comments (such as the above picture).
4. Kill the network adapter / redetect
On a whim I deleted the network card in the device manager to see if redetecting and reinstalling it would fix things. This has worked once for me before, but did not this time.
I was still left with the ability to ping by name, but all browsers on his machine were shot (Opera, Explorer, Firefox, etc.).
Sometimes killing the adapter and letting it redetect fixes things, but sometimes not.
5. Verify DNS entries are correct
Check and make sure your IPv4 settings are set to use the right DNS servers. Most home computers attached to a cable modem or router are going to use DHCP for both DNS and IP, but sometimes crappy software will set the computer up to use a third-party DNS server.
If you’ve got something defined in your DNS entries that you don’t recognize, you can always set your first two DNS servers to 8.8.8.8 and 8.8.4.4 if you’d like to use Google’s public DNS servers.
There should be no harm in changing your DNS to that, although you might want to write down whatever you’re replacing in case something goes wrong. You can always change it back.
6. Reset Winsock / internet routing
Finally, the fix ended up being to reset the TCP/IP stack and clear the Winsock entries. This was accomplished by opening up a cmd prompt as administrator (Start > cmd, right-click it and run as administrator) and entering the following:
netsh winsock reset catalog
netsh int ip reset
Alternately, you can run netsh as an administrator and navigate the prompts.
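As an added example that is not part of the original post, the PowerShell script below runs the checks from steps 2, 3 and 5 read-only, so you can see what was changed before touching anything, and prints the step 6 commands as a reminder. It assumes an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example, not from the original post: read-only triage for steps 2, 3
# and 5 above. Assumes an elevated PowerShell prompt on Windows 7 or later.

# Step 2: WinINET (Internet Explorer) proxy settings, which Chrome also uses.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    Write-Warning "Proxy server enabled: $($inet.ProxyServer)"
} else {
    Write-Host 'Proxy server: disabled'
}
if ($inet.AutoConfigURL) {
    # A PAC script can redirect traffic just as effectively as a fixed proxy.
    Write-Warning "Automatic configuration script set: $($inet.AutoConfigURL)"
}

# Step 3: hosts file. A stock file holds only comments and loopback entries.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$odd = Get-Content $hostsPath | Where-Object {
    $line = $_.Trim()
    $line -and $line -notmatch '^#' -and $line -notmatch '^(127\.0\.0\.1|::1)\s'
}
if ($odd) {
    Write-Warning 'hosts file entries that are not comments or loopback:'
    $odd | ForEach-Object { Write-Host "    $_" }
} else {
    Write-Host 'hosts file: nothing but comments and loopback entries'
}

# Step 5: DNS servers per IP-enabled adapter. Home machines normally get DNS
# from DHCP; a static, unfamiliar address next to DHCP: True stands out.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object {
        $dns = if ($_.DNSServerSearchOrder) { $_.DNSServerSearchOrder -join ', ' } else { '(none)' }
        Write-Host ("{0}`n    DHCP: {1}  DNS: {2}" -f $_.Description, $_.DHCPEnabled, $dns)
    }

# Step 6 is deliberately not automated here. If everything above looks clean
# and browsers still fail, run these from an elevated cmd prompt, then reboot;
# the Winsock reset does not take effect until the machine restarts.
Write-Host "`nIf all else fails:`n    netsh winsock reset catalog`n    netsh int ip reset"
```

Compare the DNS addresses it prints against your router or ISP before deciding anything is wrong; a DHCP-assigned router address (often 192.168.x.1) is normal.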
Another potential fix – restore to a previous point
Windows keeps restore points of the operating system on your hard drive. Generally you’ll find these suddenly have been turned off and restore points deleted by malware, but if they weren’t you can restore to a previous point by going to the control panel and choosing to restore your computer to an earlier time. It’s so rare to see this working post infection I generally don’t even check it, though.
Restoring to an earlier point doesn’t damage documents created after that point; only the operating system and registry should get changed.