4

I have a user who went on a trip to China recently. Since they've come back, attempting to navigate to any of their bookmarks takes them to this url:

http://nfdnserror1.wo.com.cn:8080/issueunziped/nf20140811/index.html?UserUrl=<the URL>

The page is basically just the Chinese search engine Baidu, with the search field filled in with the UserUrl query string. The URL looks like it may be supposed to be a custom DNS lookup failure page.

The bookmark doesn't look like it's been modified. Navigating directly to the URLs also redirects to this page. It looks like only the URLs in the bookmarks are affected, as illustrated below:


Not OK (exists in bookmarks)

http://<internal server name>/<subsite name>/

OK

http://<internal server name>/

http://<internal server FQDN>/<subsite name>/


The problem is isolated to IE11 and that specific user account. Chrome and Firefox don't have the issue at all, and IE11 on a separate local account doesn't have the problem either.

OS is Windows 7 Pro x64.

I've checked and done the following:

  • DNS settings are correct
  • Flushed the DNS cache
  • Hosts file is fine
  • There are no additional IE plugins
  • Reset IE (Internet options -> Advanced -> Reset IE)
  • HiJackThis doesn't catch anything related to this
  • Malwarebytes picked up a couple of registry keys that seemed to be left over from some toolbars that were installed accidentally, but quarantining them didn't do anything
  • New bookmarks don't have this issue
  • Deleting the old bookmark and navigating to the URL still produces the issue
  • There aren't any suspicious processes running or any new services installed
  • There's no Baidu folder in either of the Program Files folders
  • Baidu toolbar was never installed at any point
  • Checked that there is no proxy server set
  • Checked MSconfig, no startup programs or services were unexpected
  • Ran Sysinternals' Autoruns, but nothing suspicious was found

The user doesn't have admin rights so they can't have installed anything on their own. Has anyone else encountered something similar to this issue?


I uninstalled IE11, but the issue persists. Oddly, it's now only occurring on one particular URL, which is the single label name of a server in a separate domain which we have a two-way trust with. We use client-side DNS suffixes defined in a GPO for these to resolve. As ever, the problem is still occurring only on IE (albeit, IE10 now), and only on this user's account. I'm probably going to migrate them onto another machine, but it would be nice to solve this mystery first.

Seyren

9 Answers

2

My Sysadmin did the following to fix the problem:

  1. Kill all the IE processes using Windows Task Manager
  2. Restore IE to the default configurations: Privacy, Security etc.
  3. Restart IE

That's it.

2

I answered another question quite similar to yours at Unable to use internet due to suspected DNS malware. There I told my own story of how one of our users had a similar experience. Though the symptoms are not 100% the same as yours, there are enough similarities for you to follow the techniques I used in helping my user.

In addition, I see that your user does not have admin rights so I have to consider the possibility that what is causing your issue might not feature in the "Add or remove programs" list. Probably you'll have to disable an auto-start point. Some auto-start points you don't need admin rights for and are specific to the user: that probably explains why the issue doesn't appear for other local users on that machine.

In which case, you can download and run Sysinternals' Autoruns to disable the startup-point. Autoruns is essentially a souped-up version of msconfig. Once you're in Autoruns, go straight to the Internet Explorer tab and see if IE is loading up anything unusual. Go ahead and untick any unusual entries and hopefully the problem should be gone.

user319647
2

I had the exact same problem :)

I searched for wo.com.cn in the registry and found something. Deleted it, but that wasn't enough (still, you may want to remove it). Then gave Google another chance and found these instructions:

Problem: Internet Explorer permanently caches redirects even if they are changed on the server. Symptoms include being sent to an old destination for a short URL or other redirect.

Solution: There appears to be no way to purge the redirect from the browser cache by using the standard cache purging functionality in the Internet Options configuration screen. One method that appears to work. These instructions are for IE8, but will work in IE9 as well (and for IE11):

  • Clear your browser history and cache.
  • Go to the Tools menu and enable InPrivate Browsing (anonymous browsing) mode. This will open a new window.
  • Paste the original URL of the page that incorrectly redirects into the URL bar of the new window.
  • Verify this redirects to the correct page.
  • Close and restart Internet Explorer.

Marc
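An added example, not part of any answer on this page: a small Python triage script that recognises the error-page redirect from the question in a list of landing URLs, recovers the originally requested URL from `UserUrl`, and groups the results by requested host. The redirect host, path and parameter name come from the question; the other host names and the sample list are constructed, and it assumes `UserUrl` is the last query parameter.

```python
from urllib.parse import urlsplit, unquote

# Host suffix and parameter name as they appear in the question's redirect URL.
HIJACK_SUFFIX = "wo.com.cn"
PARAM = "UserUrl="
ERROR_PAGE = ("http://nfdnserror1.wo.com.cn:8080/issueunziped/"
              "nf20140811/index.html?UserUrl=")

# Constructed sample of landing URLs (e.g. from browser history or a proxy
# log). All host names except the wo.com.cn one are placeholders.
SAMPLE_VISITS = [
    ERROR_PAGE + "http://intranet01/teamsite/",
    ERROR_PAGE + "http%3A%2F%2Fwiki01%2Fhome%3Fa%3D1",
    ERROR_PAGE + "http://intranet01/teamsite/",
    "http://intranet01.corp.example/teamsite/",
    "http://www.example.com/?UserUrl=http://intranet01/",
]


def original_url(visited):
    """Return the URL the user asked for if `visited` is the error page, else None."""
    parts = urlsplit(visited)
    host = (parts.hostname or "").lower()
    if host != HIJACK_SUFFIX and not host.endswith("." + HIJACK_SUFFIX):
        return None
    start = parts.query.find(PARAM)
    if start < 0:
        return None
    # Assumption: UserUrl is the last parameter and may be raw or percent-encoded.
    return unquote(parts.query[start + len(PARAM):])


def triage(visits):
    """Group redirected requests by the host name that was originally requested."""
    findings = {}
    for visited in visits:
        orig = original_url(visited)
        if orig is None:
            continue
        host = (urlsplit(orig).hostname or "").lower()
        entry = findings.setdefault(host, {"single_label": "." not in host, "urls": []})
        if orig not in entry["urls"]:
            entry["urls"].append(orig)
    return findings


if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_VISITS).items()):
        kind = "single-label" if info["single_label"] else "FQDN"
        print(f"{host} ({kind}): {info['urls']}")
```

The `single_label` flag separates short names, which per the question's update rely on GPO-defined DNS suffixes to resolve, from fully qualified names, so the list of affected URLs can be checked one by one after the IE cache is cleared.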
1

If you suspect Baidu Hijacker 'infection', here is an eHow article reference,
How to Remove Baidu Hijacker on Internet Explorer

Baidu Hijacker is not officially classified as a computer virus. However, it is known in the IT security world as a PUP, or potentially unwanted program, and does pose a serious security threat. The many forms and versions of this browser hijacker make it extremely difficult, but not impossible, to remove.

The final section of the article seems to throw the whole tool box on it though,

Some security and malware websites encourage using several tools in conjunction to completely clean up and restore your system. For example, Kaspersky TDSSKiller removes master boot record infections, RKill terminates malicious processes, Malwarebytes anti-malware removes Trojans and other malicious files, HitmanPro eliminates rootkits, and RogueKiller targets malicious registry keys.

nik
0

I got the issue again with IE today.

Here are 2 methods:

Method 1: we can work around the issue temporarily by using InPrivate Browsing mode:

Click Tools -> InPrivate Browsing

Method 2: let's fix the issue thoroughly

Click Tools -> Internet Options

  1. Click “Delete...” to remove all the Browsing History

  2. Click Settings: choose “Check for newer versions of stored pages: Every time I start Internet Explorer”.

    2.1 Click “View objects” and remove all the contents in the new window (e.g. C:\Windows\Downloaded Program Files)

    2.2 Click “View files” and remove all the contents in the new window (e.g. C:\Users\\AppData\Local\Microsoft\Windows\INetCache)

I suspect only step 2.2 is a must however.

Dexuan
0

I recently faced the same issue when I came back from China.

The internet was working fine on Chrome and IE-11, except the intranet home page won't load on IE and would redirect it to wo.com.cn (Baidu webpage).

"I deleted all the temporary files including cookies and that solved the issue straight away."

ROCK
0

Based on the troubleshooting you have done, I would recommend that you change the default search engine.

Steps to change the default search engine in Internet Explorer:

Step 1: Tools > Manage Add-On

Step 2: Click on Search Provider

Step 3: Select Bing as your default search engine.

Step 4: Right-click and remove other search engines.

Do let me know if this helped or not.

0

I have just experienced the same issue with one of our users.

SOLUTION: Check the temporary internet files for a file of the same name as your intranet site and delete the file. Just deleting all temporary internet files will probably work, too.

daykun
-1

I recently faced the same issue when I came back from China.

The IT team at the China factory made some changes to my DNS server as I was unable to go to my intranet homepage.

The internet was working fine on Chrome and IE-11, except the intranet home page won't load on IE and would redirect it to wo.com.cn (Baidu webpage).

I deleted all the temporary files including cookies and that solved the issue straight away.

Hope it helps.

Thanks

Sidd