Pocketables

News and reviews for the hype weary

TCP-IP settings
MicrosoftTutorials

Windows: Fixing your internet connection after an infection

Paul E King 1 Comment

Sad computerI got a call from my little brother whose Windows system was shot. He’d evidently installed a game, that game installed a toolbar, that toolbar installed an ad-replacing software, and that ad replacing software installed something else that crashed and relaunched 20 times a minute, etc. etc. etc.

All said and done, there were several thousand things detected, although I only counted sixteen different items.

As part of my day job, I have spent considerable time removing garbage from Windows systems (and the occasional Mac), so I told his mother to drop it by and I’d set it up on my desk and see if I couldn’t defeat it.

The system came in and took 22 minutes to boot to the desktop. I could ping by name and FTP, but all browsers refused to work.

1. Remove the infections/malware

After cleaning off the garbage using MalwareBytes, SpyBot, and a couple of mostly useless pieces of software my company paid for that didn’t detect anything, I was left with a clean computer that I could ping and resolve DNS with no problem but no browser worked.

2. Remove any proxy entries in Internet Explorer (even if you use other browsers)

Proxy removalI checked to see in Internet Explorer whether there was a proxy server defined, and there wasn’t. This is generally the first thing I check, as that’s generally what these BS apps change. They set up a proxy server so if you request page X they can serve up page Y. Eh, whatever, this wasn’t the case with this set of infections.

Proxy settings can be found in Tools (which you may have to tap the alt key to see) > Internet options > Connections > LAN settings.

Uncheck everything. You can leave Automatically detect settings checked if you want, but that causes a few seconds lag on startup.

Last time I checked, Chrome used the proxy settings from Internet Explorer, so if it was messed up Chrome didn’t work.

3. Check the hosts file

I checked the hosts file to ensure there wasn’t some sort of weird setup in there to block every website I could think of. I’ve never seen a hosts file compromised, but there’s a first time for everything. This one was just the standard hosts file sitting at %systemroot%\System32\drivers\etc.

hosts

Generally it shouldn’t contain anything other than some comments (such as the above picture).

4. Kill the network adapter / redetect

Uninstall a network adapterThis is a bit of a destructive test, so you might want to skip it until last. It has the potential to really mess things up and I only list it here because this is the order I went in.

On a whim I deleted the network card in the device manager to see if redetecting and reinstalling it would fix things. This has worked once for me before, but did not this time.

I was still left with the ability to ping by name, but all browsers on his machine were shot (Opera, Explorer, Firefox, etc).

Sometimes killing the adapter and letting it redetect fixes things, but sometimes not.

5. Verify DNS entries are correct

TCP-IP settingsCheck and make sure your IPv4 settings are set to use the right DNS servers. Generally most home computers attached to a cable modem or router are going to use DHCP for DNS and IP, but sometimes crappy software will set up to use a third party DNS server.

If you’ve got something defined in your DNS entries that you don’t recognize you can always set your first two DNS servers as 8.8.8.8 and 8.8.4.4 if you’d like to use Google’s public DNS servers.

There should be no harm in changing your DNS to that, although you might want to write down whatever you’re replacing in case something goes wrong. You can always change it back.

6. Reset Winsock / internet routing

What netsh looks like

Finally, the fix ended up being to reset the TCP/IP stack and clear the Winsock entries. This was accomplished by opening up a cmd prompt as administrator (Start > cmd, right click it and run as administrator), and entering the following:

netsh winsock reset catalog

netsh int ip reset

Alternately, you can run netsh as an administrator and navigate the prompts.

Another potential fix – restore to a previous point

Windows keeps restore points of the operating system on your hard drive. Generally you’ll find these suddenly have been turned off and restore points deleted by malware, but if they weren’t you can restore to a previous point by going to the control panel and choosing to restore your computer to an earlier time. It’s so rare to see this working post infection I generally don’t even check it, though.

Restoring to an earlier point doesn’t damage your documents created at a later time, only the operating system and registry should get changed.

Pocketables does not accept targeted advertising, phony guest posts, paid reviews, etc. Help us keep this way with support on Patreon!
Become a patron at Patreon!

Paul E King

Paul King started with GoodAndEVO in 2011, which merged with Pocketables, and as of 2018 he's evidently the owner. He lives in Nashville, works at a film production company, is married with two kids. Facebook | Twitter | Donate | More posts by Paul | Subscribe to Paul's posts

Avatar of Paul E King