
Stop Malicious Python Script DNS Errors on Windows 11

Fix endless 'Max retries exceeded' DNS resolution errors in Python scripts on Windows 11. Stop auto-launching malware, kill processes via Task Manager, check startup programs, and safely investigate with Defender scans.


On Windows 11 I downloaded and extracted a compressed folder from a shortened link. After extraction a command prompt opened automatically and a Python script started printing network-related errors and retrying outbound HTTPS/HTTP connections indefinitely. Observed console output:

HTTPSConnectionPool(host='erik22cbmj11.carrd.co', port=443):
Max retries exceeded with url: /
(Caused by NameResolutionError: Failed to resolve host)

The script then attempts to contact a hard-coded IP (http://195.24.236.116:8080/recover/getlink?id=sunset and /recover/links/sunset.txt). It appears to be using urllib3/requests and never exits.

Questions:

  • Why would a Python script fall back from resolving a domain (erik22cbmj11.carrd.co) to using a hard-coded IP (195.24.236.116)?
  • What causes continuous “Max retries exceeded” / NameResolutionError and automatic retry loops in requests/urllib3?
  • How can I immediately stop the running script, prevent it from auto-launching after extraction, and safely investigate or remove it if it’s malicious?

A Python script showing endless “Max retries exceeded” DNS resolution errors for domains like erik22cbmj11.carrd.co before falling back to hard-coded IPs (195.24.236.116) screams potential malware—common in attacks to phone home despite DNS blocks. These urllib3/requests errors stem from failed name resolution, often with built-in retry logic from libraries like dnspython that loop until success or timeout. Hit Ctrl+C if visible, or Task Manager to kill it; then hunt Windows startup programs, scan with Defender, and dig into the code for Python security.




DNS Resolution Errors and Retries in Python Requests

Ever downloaded something sketchy and watched a console spam errors like yours? That “HTTPSConnectionPool… Max retries exceeded with url: / (Caused by NameResolutionError)” is urllib3’s polite way of saying DNS failed hard. On Windows, it might show as [Errno 11001] getaddrinfo failed, while Linux spits [Errno -2] Name or service not known. But why the endless loop?

Python’s requests library leans on urllib3, which wraps socket-level DNS lookups. When erik22cbmj11.carrd.co won’t resolve—maybe your DNS server is down, blocked, or the domain’s dead—urllib3 kicks in retries. By default, it tries 3 times, but custom code or libraries like dnspython amp that up. Check the dnspython resolver docs: it calls next_request() and next_nameserver() in a loop, hammering configured DNS servers (like 8.8.8.8 or your ISP’s) until it gives up or succeeds.

Common Triggers for NameResolutionError

  • Network glitches: Firewall, VPN, or flaky Wi-Fi blocking UDP port 53 (DNS).
  • DNS poisoning/blocking: Antivirus or Windows Defender flagging the domain.
  • No internet? Obvious, but scripts don’t care—they retry anyway.
  • Malformed domains: Typos or expired Carrd.co pages (carrd.co hosts quick sites, often disposable for phishing).

The dnspython exceptions page nails it: NoAnswer or NoNameservers exceptions bubble up, but bad scripts catch and retry silently. Your loop? Probably a while True with try/except around requests.get(), ignoring MaxRetryError. Annoying. Persistent. Malware hallmark.

And those retries? Exponential backoff by default, but overridden to “forever” in shady code. Baeldung’s Docker DNS troubleshooting guide applies here too—test with nslookup erik22cbmj11.carrd.co in cmd. No response? There’s your culprit.


Why Fallback to Hard-Coded IPs Happens

Smart malware doesn’t quit on DNS fails. It pivots. Notice the script hitting http://195.24.236.116:8080/recover/getlink?id=sunset after the domain flop? That’s a classic redundancy trick.

Developers (or attackers) hard-code IPs as backup when dynamic DNS flakes. Why erik22cbmj11.carrd.co first? Legit sites rotate IPs; Carrd.co uses CDNs. But if blocked, boom—fallback to a static server (195.24.236.116 looks Eastern European, per quick whois checks). Stack Overflow threads on catching DNS errors precisely show devs doing exactly this: try: requests.get(domain) except NameResolutionError: requests.get(ip_fallback).

In malicious Python scripts, this evades detection. DNS blocks stop domains, but IPs slip through. Fortinet’s malware analysis flags outbound C2 (command-and-control) like yours—/recover/getlink reeks of data exfil or loader fetches. Sunset.txt? Probably payload or config.

Async alternatives like aiodnsresolver exist for robust resolution, but attackers stick to stock requests for stealth. Your script? Designed to persist.


Stopping the Script Right Now

Console open and looping? Smash Ctrl+C. It raises KeyboardInterrupt, usually halting polite scripts. No dice? It’s ignoring signals—malware trait.

Fire up Task Manager (Ctrl+Shift+Esc). Hunt “python.exe” or “py.exe” under Processes. Right-click > End task. Multiple? Kill 'em all. Background no console? Processes tab shows CPU/network hogs.

Stack Overflow’s terminate Python guide confirms: Task Manager for the win. PowerShell pros: Get-Process python* | Stop-Process -Force.

Stuck in limbo? Reboot. But first, note PID or path for later.


Blocking Auto-Launch on Windows 11

Extracted folder auto-runs Python? Sneaky persistence. Windows startup programs love Python scripts via folders, registry, tasks.

Quick Checks for Windows Startup Programs

  1. Startup Folder: Win+R > shell:startup. Delete .bat/.lnk/.py pointing to your script.
  2. Task Manager: Startup apps tab. Disable suspects.
  3. Task Scheduler: Search “Task Scheduler” > check folders for Python triggers.
  4. Registry: regedit > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Nuke entries.
  5. Group Policy: Rare but nasty—Stack Overflow details scripts in C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup.

Reddit’s learnpython thread adds: msconfig > Startup. Disable all Python-ish.

File associations? VS Code auto-opening .py? Fix here. But yours ran directly—likely .bat wrapper.

Run Autoruns from Sysinternals (free Microsoft tool). Scans everything. Gold for Python security.


Investigating and Cleaning Up Malicious Python Scripts

Suspicious? Assume malware. Sonatype’s Python malware guide says: decompile .pyc to .py with uncompyle6 (pip install uncompyle6). Read the source.

Network tells all. Wireshark or netstat -b during run—tracks connections. Reddit’s Python malware post flags odd imports, C2 hits.

Safety Steps:

  • Isolate: Disconnect net.
  • Scan: Windows Defender full scan + Malwarebytes.
  • Delete: Folder + temps. Empty Recycle Bin.
  • Check packages: pip list for weirdos. pip uninstall sketchy.
  • Security StackExchange checks: Unknown source? Trash it.

Python.org discusses detection—supply chain attacks rise. Yours from shortened link? Phishing 101.

Post-clean: Change passwords, monitor accounts. WHOIS 195.24.236.116? Report to abuse@.


Sources

  1. Precisely catch DNS error with Python requests - Stack Overflow
  2. dns.resolver — dnspython 2.9.0 documentation
  3. Exceptions — dnspython 2.9.0 documentation
  4. aiodnsresolver · PyPI
  5. Troubleshooting DNS Issues in Docker Containers When Installing pip Packages
  6. r/learnpython on Reddit: How to stop Python from running in the background on Windows 10?
  7. How to stop windows startup python script - Stack Overflow
  8. execution - How to stop/terminate a python script from running? - Stack Overflow
  9. python 3.x - How to Disable Visual Studio Code from Auto-Launching? - Stack Overflow
  10. Analyzing Malicious Intent in Python Code: A Case Study
  11. Analyzing Python Malware: A Guide to Malware Analysis
  12. What are easy checks to identify malware in Python code? - Information Security Stack Exchange
  13. What methods should we implement to detect malicious content? - PyPI Q4 RFI - Discussions on Python.org
  14. r/Python on Reddit: Analyzing Python Malware found in an open-source project

Conclusion

DNS resolution errors looping into IP fallbacks like yours signal Python security risks—stop via Task Manager, purge Windows startup programs, and dissect with decompilers. Quick action keeps systems clean; tools like Autoruns and Defender handle most. Stay vigilant on shortened links—better safe than scripted.
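
The source review recommended under "Investigating and Cleaning Up Malicious Python Scripts" can be done without running the file. The following is an added example, not part of the original answer: a triage pass that parses a script and lists the domains it contacts, URLs built on literal IP addresses, constant-true loops, and exception handlers that swallow errors. The embedded sample, its host name and its address are constructed.

```python
import ast
import ipaddress
import re
from urllib.parse import urlsplit
# Constructed sample, parsed but never executed. It mirrors the behaviour in the
# question; the host and address are reserved documentation values.
SAMPLE = '''
import requests
while True:
    try:
        r = requests.get("https://files.example.invalid/")
    except Exception:
        try:
            r = requests.get("http://203.0.113.7:8080/recover/getlink?id=x")
        except Exception:
            pass
'''
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def split_host(url):
    """Return (host, is_ip_literal); host is '' if the URL cannot be parsed."""
    host = ""
    try:
        host = urlsplit(url).hostname or ""
        ipaddress.ip_address(host)
        return host, True
    except ValueError:  # not an IP literal, or a malformed URL
        return host, False

def triage(source):
    """Walk the syntax tree of a script and collect network and retry indicators."""
    report = {"domains": set(), "ip_urls": set(), "endless_loops": [], "silent_excepts": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                host, is_ip = split_host(url)
                if is_ip:
                    report["ip_urls"].add(url)  # reached without any DNS lookup
                elif host:
                    report["domains"].add(host)
        elif isinstance(node, ast.While) and isinstance(node.test, ast.Constant) and node.test.value:
            if not any(isinstance(n, (ast.Break, ast.Return, ast.Raise)) for n in ast.walk(node)):
                report["endless_loops"].append(node.lineno)  # heuristic: no exit statement
        elif isinstance(node, ast.ExceptHandler) and all(isinstance(s, (ast.Pass, ast.Continue)) for s in node.body):
            report["silent_excepts"].append(node.lineno)  # error swallowed, loop goes on
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Line numbers in the report are relative to the parsed source; a loop that exits through `sys.exit()` is still reported, so treat the loop finding as a prompt to read that block.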
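
For the first and fourth checks under "Quick Checks for Windows Startup Programs", an added Python example (not from the original answer) that reads the current user's Run key and Startup folder and flags entries that launch Python or point into the extracted folder. The folder path, the sample entries and the extension list are assumptions; Task Scheduler and Group Policy are not covered, and shortcut (.lnk) targets are not resolved.

```python
import os
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
# Interpreter names and script extensions worth a second look (assumed list).
LAUNCHER = re.compile(r'(?i)\b(pythonw?|py)(\.exe)?(?=[\s"]|$)|\.(pyw?|bat|cmd)(?=[\s"]|$)')

# Constructed entries (location, name, command), used when not run on Windows.
SAMPLE_ENTRIES = [
    ("HKCU Run", "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("HKCU Run", "Updater", r'pythonw.exe "C:\Users\me\Downloads\pack\run.py"'),
    ("Startup folder", "start.bat",
     r"C:\Users\me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat"),
]

def collect_autoruns():
    """Read the current user's Run key and Startup folder (Windows only)."""
    import winreg  # standard library, present only on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values
            name, command, _ = winreg.EnumValue(key, i)
            entries.append(("HKCU Run", name, str(command)))
    folder = os.path.expandvars(STARTUP)
    for fname in os.listdir(folder):
        entries.append(("Startup folder", fname, os.path.join(folder, fname)))
    return entries

def flag_entries(entries, extracted_dir):
    """Return (entry, reasons) for entries that launch Python or the extracted folder."""
    flagged = []
    for entry in entries:
        command, reasons = entry[2], []
        if extracted_dir.lower() in command.lower():
            reasons.append("references extracted folder")
        if LAUNCHER.search(command):
            reasons.append("launches interpreter or script")
        if reasons:
            flagged.append((entry, reasons))
    return flagged

if __name__ == "__main__":
    entries = collect_autoruns() if os.name == "nt" else SAMPLE_ENTRIES
    for (where, name, command), reasons in flag_entries(entries, r"C:\Users\me\Downloads\pack"):
        print(f"[{where}] {name}: {command}  <- {', '.join(reasons)}")
```

The script only reports; review each flagged entry before disabling or deleting it.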
