After various malware cleanups this PC has lost web browsing capability in normal mode, although it does work in safe mode - Firefox, Edge, Chrome, IE all the same. Windows “clean boot” (MS only services) is the same.
Port analysis shows that in normal mode the http traffic goes to (and from) 127.0.0.1 rather than the correct IP address:
Process Name : chrome.exe
Process ID : 4612
Protocol : TCP
Local Port : 49876
Local Port Name :
Local Address : 127.0.0.1
Remote Port : 14384
Remote Port Name :
Remote Address : 127.0.0.1
Remote Host Name : Medeswell-PC
State : Sent
Logs attached. Seems something is diverting most http traffic, although some apps work OK, e.g. Windows Update and some software updates. Help!
In Normal mode a web browser will say “Connection refused” or similar. As the port scan shows it’s trying to connect to localhost (see attached) this is perhaps reasonable - like there was a proxy running that is now no longer but the redirection is still in place.
Routing tables are same in both modes.
Some apps do connect OK in normal mode, for example Windows Defender would update, Windows updates etc. But not the http browsers Edge, Chrome, Firefox or Internet Explorer.
ETA: sfc /scannow seems happy with the system files.
Close all Chrome windows and tabs.
Go to the Start menu > Control Panel.
Click Programs and Features.
Double-click Google Chrome.
Click Uninstall from the confirmation dialog. To delete your user profile information, like your browser preferences, bookmarks, and history, select the “Also delete your browsing data” checkbox.
Click Start, copy %LOCALAPPDATA% into the search box and remove the Google folder.
Chrome remove / reinstall did not change things. I also ran a standalone version of Opera off a CD and it was the same.
I did however try stopping / disabling a couple of services that looked out of place, and subsequently web browsing returned. ;D I re-enabled one and broke it, returning to the port redirection problem, disabled and rebooted and it is now running an Avast boot-time scan I requested some days ago.
So I think I’ve located a fix, if not a good understanding of what fixed it; will update in the morning. One of the services/drivers I blocked was an AVG named file that I assume was a hangover from the (removed) AVG antivirus or safe browsing stuff. The other caught my eye for not being a Microsoft produced file. Bed time…
ETA:
This was the offending item :-
==================================================
Name : niwfp
Display Name : niwfp
Status : Stopped
Startup Type : Disabled
ErrorControl : Normal
Group : networkprovider
Dependencies : BFE
File Description : Netintelligence WFP driver
File Version : 3.2.2.6
Company : Netintelligence Ltd
Product Name : Netintelligence
Description :
Filename : C:\WINDOWS\system32\Drivers\niwfp.sys
Last Error :
Last Write Time : 27/12/2015 23:33:23
Command-Line : ??\C:\WINDOWS\system32\Drivers\niwfp.sys
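Added example, not part of the thread and not code from the tool that produced the listing: a Python triage over driver records in the `Key : Value` layout shown above, flagging drivers that depend on BFE (the Base Filtering Engine service behind the Windows Filtering Platform) and whose Company field is not Microsoft. The `exampledrv` and `exampledrv2` records and the function names are constructed for illustration.

```python
import re

# Constructed input in the "Key : Value" layout of the listing above. The niwfp
# values are copied from the post; the exampledrv records are made up for contrast.
SAMPLE = r"""
==================================================
Name : niwfp
Startup Type : Disabled
Dependencies : BFE
Company : Netintelligence Ltd
Filename : C:\WINDOWS\system32\Drivers\niwfp.sys
==================================================
Name : exampledrv
Startup Type : System
Dependencies : BFE
Company : Microsoft Corporation
Filename : C:\WINDOWS\system32\Drivers\exampledrv.sys
==================================================
Name : exampledrv2
Dependencies :
Company : Example Vendor Ltd
"""

def parse_records(text):
    """Split the dump on its ===== rulers and turn each block into a dict."""
    records = []
    for block in re.split(r"^=+\s*$", text, flags=re.M):
        rec = {}
        for line in block.splitlines():
            # Split on the first colon only, so "C:\..." values stay intact.
            key, sep, value = line.partition(":")
            if sep and key.strip():
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def third_party_bfe_drivers(records):
    """Return (name, company, startup type) for non-Microsoft drivers needing BFE."""
    # Company comes from the file's version resource, which anyone can set;
    # treat it as a triage hint and verify the file signature separately.
    hits = []
    for rec in records:
        deps = {d.upper() for d in re.split(r"[,\s]+", rec.get("Dependencies", "")) if d}
        vendor = rec.get("Company", "")
        if "BFE" in deps and not vendor.lower().startswith("microsoft"):
            hits.append((rec.get("Name", "?"), vendor, rec.get("Startup Type", "")))
    return hits

if __name__ == "__main__":
    print(third_party_bfe_drivers(parse_records(SAMPLE)))
```

Drivers left behind by uninstalled filtering or security products show up in this list even when their user-mode proxy is gone, which matches the loopback redirection with nothing listening described above.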