No web access in normal mode Win10

After various malware cleanups this PC has lost web browsing capability in normal mode, although it does work in safe mode - Firefox, Edge, Chrome, IE all the same. Windows “clean boot” (MS only services) is the same.

Port analysis shows that in normal mode the HTTP traffic goes to (and from) 127.0.0.1 rather than the correct IP address:

Process Name : chrome.exe
Process ID : 4612
Protocol : TCP
Local Port : 49876
Local Port Name :
Local Address : 127.0.0.1
Remote Port : 14384
Remote Port Name :
Remote Address : 127.0.0.1
Remote Host Name : Medeswell-PC
State : Sent

Logs attached. Seems something is diverting most HTTP traffic, although some apps work OK, e.g. Windows Update and some software updates. Help!

Hello,

Do you know how infection started? Is this your PC?

I don’t personally own it, if that’s the question? It’s in my house and isn’t the one I normally use (which runs Linux).

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on the FRST icon and select Run as Administrator to start the tool.
  (XP users click Run after receipt of the Windows Security Warning - Open File.)
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Thanks, ran that, it rebooted and I let it do its thing. Rebooted into safe mode to post this. Attached report.

Also attached an older Malwarebytes log from when the browsing stopped working.

What happens when you are in Normal mode?

In Normal mode a web browser will say “Connection refused” or similar. As the port scan shows it’s trying to connect to localhost (see attached) this is perhaps reasonable - like there was a proxy running that is now no longer but the redirection is still in place.

Routing tables are same in both modes.

Some apps do connect OK in normal mode, for example Windows Defender would update, Windows Update works, etc. But not the HTTP browsers: Edge, Chrome, Firefox or Internet Explorer.

ETA: sfc /scannow seems happy with the system files.

Hm. What tool did you use to get these reports?

Please make a new FRST scan from Normal mode.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

- Right-click on the FRST icon and select Run as Administrator to start the tool.
  (XP users click Run after receipt of the Windows Security Warning - Open File.)
- Make sure that the Addition option is checked.
- Press the Scan button and wait.
- The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

http://www.nirsoft.net/utils/cports.html, although netstat on the command line and procmon from Sysinternals raised my interest in where the traffic was going.

Will re-run and post scan, have to reboot into Normal mode…
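The port-level check described in the posts above (browser connections landing on 127.0.0.1, with nothing answering) can be reproduced without third-party tools. The following script is an added example written for this page, not code from the thread or from NirSoft. It lists TCP connections owned by browser processes, flags those whose remote end is loopback, and reports whether any process is actually listening on that loopback port. A diverted connection with no listener is exactly the "Connection refused" symptom reported here. The browser executable names are an assumption; run it elevated so every connection's owning process resolves, once in Normal mode and once in Safe Mode with Networking, and compare.

```powershell
# Added example, not from the thread: reproduce the cports/netstat finding with
# built-in cmdlets (Get-Process, Get-NetTCPConnection; Windows 8 / Server 2012 and
# later). Assumptions: the browser executable names below; an elevated shell.

$browsers = @('chrome', 'firefox', 'msedge', 'iexplore', 'opera')

function Get-DivertedBrowserConnection {
    $browserPids = @(Get-Process |
        Where-Object { $browsers -contains $_.ProcessName } |
        Select-Object -ExpandProperty Id)
    if ($browserPids.Count -eq 0) {
        Write-Warning 'No browser process running; open a browser and load a page first.'
        return
    }

    # Snapshot of everything listening, so each diverted connection can be matched
    # to the local "proxy" that is supposed to answer it (if one exists at all).
    $listeners = @(Get-NetTCPConnection -State Listen)

    Get-NetTCPConnection |
        Where-Object { $browserPids -contains $_.OwningProcess -and $_.State -ne 'Listen' } |
        ForEach-Object {
            $remote     = $_.RemoteAddress
            $remotePort = $_.RemotePort
            $toLoopback = ($remote -like '127.*') -or ($remote -eq '::1')
            $listener   = $null
            if ($toLoopback) {
                $listener = $listeners |
                    Where-Object { $_.LocalPort -eq $remotePort } |
                    Select-Object -First 1
            }
            [pscustomobject]@{
                Process     = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
                PID         = $_.OwningProcess
                Local       = "$($_.LocalAddress):$($_.LocalPort)"
                Remote      = "${remote}:${remotePort}"
                State       = $_.State
                Diverted    = $toLoopback
                ListenerPID = $(if ($listener) { $listener.OwningProcess } else { 'none' })
            }
        }
}

$report = @(Get-DivertedBrowserConnection)
$report | Sort-Object Diverted -Descending | Format-Table -AutoSize

$diverted = @($report | Where-Object Diverted)
if ($diverted.Count -gt 0) {
    Write-Host ("{0} browser connection(s) are being answered by loopback." -f $diverted.Count)
    foreach ($c in $diverted) {
        if ($c.ListenerPID -eq 'none') {
            Write-Host "  $($c.Remote): nothing is listening, so the browser sees 'connection refused'"
        } else {
            Write-Host "  $($c.Remote): answered by PID $($c.ListenerPID); inspect that process"
        }
    }
} else {
    Write-Host 'No browser traffic is being diverted to loopback.'
}
```

If the listener column names a process, that process is the local proxy doing the interception and is the next thing to examine; if it reads "none", the redirect is being done below the socket layer (a filter driver, as turned out to be the case in this thread), which is why routing tables and browser reinstalls show nothing.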

here we go…

Let’s try to uninstall Chrome completely:

Uninstall Chrome

1. Export your bookmarks: https://support.google.com/chrome/answer/96816?hl=en
2. Close all Chrome windows and tabs.
3. Go to the Start menu > Control Panel.
4. Click Programs and Features.
5. Double-click Google Chrome.
6. Click Uninstall in the confirmation dialog. To also delete your user profile information (browser preferences, bookmarks, and history), select the “Also delete your browsing data” checkbox.
7. Click Start, paste %LOCALAPPDATA% into the search box, and remove the Google folder.

Download Chrome
https://www.google.com/intl/en/chrome/browser/desktop/

Chrome remove/reinstall did not change things. I also ran a standalone version of Opera off a CD and it was the same.

I did however try stopping/disabling a couple of services that looked out of place, and subsequently web browsing returned. ;D I re-enabled one and broke it, returning to the port redirection problem; disabled it again and rebooted, and it is now running an Avast boot-time scan I requested some days ago.

So I think I’ve located a fix, if not a good understanding of what fixed it; will update in the morning. One of the services/drivers I blocked was an AVG-named file that I assume was a hangover from the (removed) AVG antivirus or safe-browsing stuff. The other caught my eye for not being a Microsoft-produced file. Bed time…

ETA:

This was the offending item:

==================================================
Name : niwfp
Display Name : niwfp
Status : Stopped
Startup Type : Disabled
ErrorControl : Normal
Group : networkprovider
Dependencies : BFE
File Description : Netintelligence WFP driver
File Version : 3.2.2.6
Company : Netintelligence Ltd
Product Name : Netintelligence
Description :
Filename : C:\WINDOWS\system32\Drivers\niwfp.sys
Last Error :
Last Write Time : 27/12/2015 23:33:23
Command-Line : \??\C:\WINDOWS\system32\Drivers\niwfp.sys

http://kb.netintelligence.com/pages/How_do_I_uninstall_Netintelligence_(Home_Access)

Yeah, except it wasn’t visibly present apart from that one driver hangover. Must have been present some time in the past.

Hat tip to http://www.nirsoft.net/utils/cports.html for helping spot the ports issue and http://www.nirsoft.net/utils/serviwin.html for listing drivers & services and allowing me to spot the offending item.
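The manual ServiWin review that exposed niwfp.sys can be scripted. The block below is an added example for this page, not code from the thread or from NirSoft. Part 1 walks the Service Control Manager driver database and reports kernel drivers whose file is missing, unsigned, or not from Microsoft (the leftover-entry and non-Microsoft-vendor patterns that made niwfp stand out). Part 2 exists because niwfp was a Windows Filtering Platform driver: it dumps the live WFP state with netsh and lists callouts owned by non-Microsoft providers, which surfaces a third-party network filter even if its service entry has been hidden or renamed. Assumptions: the wfpstate.xml element names (providers, callouts, item, displayData/name, providerKey, calloutKey) follow the `netsh wfp show state` output format; the temp file name is illustrative; the shell is elevated.

```powershell
# Added example, not from the thread: a scripted version of the driver/service
# review that turned up niwfp.sys, plus a check of the WFP layer it hooked into.
# Assumptions: wfpstate.xml element names as produced by "netsh wfp show state";
# elevated PowerShell; the temp file path is illustrative.

function Get-NodeText($node, $xpath) {
    $n = $node.SelectSingleNode($xpath)
    if ($n) { $n.InnerText } else { $null }
}

function Get-SuspectDriver {
    $sysRoot = $env:SystemRoot
    foreach ($d in Get-CimInstance Win32_SystemDriver) {
        if (-not $d.PathName) { continue }
        # Normalise the ImagePath forms seen in the registry:
        # \??\C:\..., \SystemRoot\..., and bare System32\...
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $sysRoot
        $path = $path -replace '^System32', "$sysRoot\System32"

        if (-not (Test-Path -LiteralPath $path)) {
            # The service entry outlived its file: the "hangover" pattern from the thread.
            [pscustomobject]@{
                Name = $d.Name; Start = $d.StartMode; State = $d.State
                Company = '(file missing)'; Signer = '(file missing)'; Path = $path
            }
            continue
        }

        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        # WHQL-signed third-party drivers carry a Microsoft signer, so the vendor name
        # from the file's version resource is checked as well.
        if ($company -notmatch 'Microsoft' -or $signer -notmatch 'Microsoft') {
            [pscustomobject]@{
                Name = $d.Name; Start = $d.StartMode; State = $d.State
                Company = $company; Signer = $signer; Path = $path
            }
        }
    }
}

function Get-ThirdPartyWfpCallout {
    $xmlPath = Join-Path $env:TEMP 'wfpstate.xml'
    Remove-Item -LiteralPath $xmlPath -ErrorAction SilentlyContinue
    & netsh.exe wfp show state "file=$xmlPath" | Out-Null
    if (-not (Test-Path -LiteralPath $xmlPath)) {
        throw 'netsh wfp show state produced no output (is this shell elevated?)'
    }
    [xml]$state = Get-Content -LiteralPath $xmlPath -Raw

    # Map provider GUID -> display name so each callout can be attributed to a vendor.
    $providers = @{}
    foreach ($p in $state.SelectNodes('//providers/item')) {
        $key = Get-NodeText $p 'providerKey'
        if ($key) { $providers[$key] = Get-NodeText $p 'displayData/name' }
    }
    foreach ($c in $state.SelectNodes('//callouts/item')) {
        $key   = Get-NodeText $c 'providerKey'
        $owner = if ($key -and $providers.ContainsKey($key)) { $providers[$key] } else { '(no provider)' }
        if ($owner -notmatch 'Microsoft') {
            [pscustomobject]@{
                Callout    = Get-NodeText $c 'displayData/name'
                CalloutKey = Get-NodeText $c 'calloutKey'
                Provider   = $owner
            }
        }
    }
}

Write-Host '== Drivers with missing, unsigned or non-Microsoft binaries =='
Get-SuspectDriver | Format-Table Name, Start, State, Company, Signer, Path -AutoSize -Wrap

Write-Host '== WFP callouts registered by non-Microsoft providers =='
Get-ThirdPartyWfpCallout | Format-Table -AutoSize
```

Legitimate security products (Avast, AVG, VPN clients) also register WFP callouts, so the second list is a starting point for review, not a list of malware; the signal in this thread was a vendor with no corresponding installed product. Disable a suspect driver by setting its start type to Disabled and rebooting, as was done here, before deleting anything.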

See if you can find niwfp.sys or netintelligence in the registry.
Delete the key(s) to it.
Of course make a backup of the registry first, just in case.

Personally I find RegTools handy.
http://www.nirsoft.net/windows_registry_tools.html

Deleted them, and the file.

Resolved.

Everything is working fine again?

You did a reboot?
Windows will see some changes only after a reboot.

Yes, rebooted - all sorted. Browsers now OK and everything appears to be fine.

That is good to hear.