IE DNS lookup hijacked by Baidu

4

0

I have a user who went on a trip to China recently. Since they've come back, attempting to navigate to any of their bookmarks takes them to this url:

http://nfdnserror1.wo.com.cn:8080/issueunziped/nf20140811/index.html?UserUrl=<the URL>

The page is basically just the Chinese search engine Baidu, with the search field filled in with the UserUrl query string. The URL looks like it may be supposed to be a custom DNS lookup failure page.

The bookmark doesn't look like it's been modified. Navigating directly to the URLs also redirects to this page. It looks like only the URLs in the bookmarks are affected, as illustrated below:


Not OK (exists in bookmarks)

http://<internal server name>/<subsite name>/

OK

http://<internal server name>/

http://<internal server FQDN>/<subsite name>/


The problem is isolated to IE11 and that specific user account. Chrome and Firefox don't have the issue at all, and IE11 on a separate local account doesn't have the problem either.

OS is Windows 7 Pro x64.

I've checked and done the following:

  • DNS settings are correct
  • Flushed the DNS cache
  • Hosts file is fine
  • There are no additional IE plugins
  • Reset IE (Internet options -> Advanced -> Reset IE)
  • HiJackThis doesn't catch anything related to this
  • Malwarebytes picked up a couple of registry keys that seemed to be left over from some toolbars that were installed accidentally, but quarantining them didn't do anything
  • New bookmarks don't have this issue
  • Deleting the old bookmark and navigating to the URL still produces the issue
  • There aren't any suspicious processes running or any new services installed
  • There's no Baidu folder in either of the Program Files folders
  • Baidu toolbar was never installed at any point
  • Checked that there is no proxy server set
  • Checked MSconfig, no startup programs or services were unexpected
  • Ran Sysinternals' Autoruns, but nothing suspicious was found

The user doesn't have admin rights so they can't have installed anything on their own. Has anyone else encountered something similar to this issue?


I uninstalled IE11, but the issue persists. Oddly, it's now only occurring on one particular URL, which is the single label name of a server in a separate domain which we have a two-way trust with. We use client-side DNS suffixes defined in a GPO for these to resolve. As ever, the problem is still occurring only on IE (albeit, IE10 now), and only on this user's account. I'm probably going to migrate them onto another machine, but it would be nice to solve this mystery first.

Seyren

Posted 2014-08-13T08:42:52.440

Reputation: 338

Malware scans don't guarantee anything. The average detection rates have fallen to 40% or so. Wipe and re-install. It's the only way to be sure. – Jeff-Inventor ChromeOS – 2014-08-13T08:48:55.173

What's the operating system? Can you reproduce the issue using both old and freshly created bookmarks, or by starting Windows in Safe Mode with Networking? – and31415 – 2014-08-13T08:58:42.783

Whoops. I'll add the details to the question. I'll try safe mode tomorrow, the user doesn't have the time for that anymore today. – Seyren – 2014-08-13T09:22:24.170

@Jeff-InventorChromeOS Nuke it from orbit! .. I wish I could stop time to do that for every case :( – Seyren – 2014-08-13T09:33:10.290

@Seyren got the reference! – Jeff-Inventor ChromeOS – 2014-08-13T09:45:04.730

I suggest taking the HDD out of the computer and doing malware scans from another computer so that any malware can't be hidden. If you do find anything, you might want to check other computers on the network too. – Andrew Morton – 2014-08-15T17:15:31.560

Also see this KB: How to reset Internet Explorer settings. But I like Seyren's idea - wipe it. In fact, some organizations I know send folks to China with temporary laptops and phones just for the purpose of wiping them afterwards. I believe the FBI or State Department does it (I can't find the article I was reading on the subject). – jww – 2014-11-13T23:33:51.707

@jww I did that, it didn't help. Anyway, the machine is nuked already... Now I'm just waiting for someone else to encounter the issue, I have a spare machine ready for them this time. – Seyren – 2014-11-14T03:48:50.807

For those who saw the "new information": Okay, I got some hands-on time with the user's PC. It looks like it wasn't the same problem after all. I cleared out cookies and temporary internet files and the problem went away. Oh well... – Seyren – 2014-11-18T06:36:03.763

Answers

2

My Sysadmin did the following to fix the problem:

  1. Kill all the IE processes using Windows Task Manager
  2. Restore IE to the default configurations: Privacy, Security etc.
  3. Restart IE

That's it.

Alexander Mou

Posted 2014-08-13T08:42:52.440

Reputation: 21

2

I answered another question quite similar to yours at Unable to use internet due to suspected DNS malware. There I told my own story of how one of our users had a similar experience. Though the symptoms are not 100% the same as yours, there are enough similarities for you to follow the techniques I used in helping my user.

In addition, I see that your user does not have admin rights so I have to consider the possibility that what is causing your issue might not feature in the "Add or remove programs" list. Probably you'll have to disable an auto-start point. Some auto-start points you don't need admin rights for and are specific to the user: that probably explains why the issue doesn't appear for other local users on that machine.

In which case, you can download and run Sysinternals' Autoruns to disable the startup point. Autoruns is essentially a souped-up version of msconfig. Once you're in Autoruns, go straight to the Internet Explorer tab and see if IE is loading up anything unusual. Go ahead and untick any unusual entries and hopefully the problem should be gone.

user319647

Posted 2014-08-13T08:42:52.440

Reputation: 332

Nope, nothing suspicious. There's no proxy server set; I checked it a few times over the course of troubleshooting. I just tried uninstalling IE11, but even on the fallback (IE10) the issue still occurred. I'll add this information to the question, thanks for trying! – Seyren – 2014-08-15T01:35:16.320

2

I had the exact same problem :)

I searched for wo.com.cn in the registry and found something. Deleted it, but that wasn't enough (still, you may want to remove it). Then gave Google another chance and found these instructions:

Problem: Internet Explorer permanently caches redirects even if they are changed on the server. Symptoms include being sent to an old destination for a short URL or other redirect.

Solution: There appears to be no way to purge the redirect from the browser cache by using the standard cache purging functionality in the Internet Options configuration screen. One method that appears to work (these instructions are for IE8, but will work in IE9 as well, and for IE11):

- Clear your browser history and cache.

- Go to the Tools menu and enable InPrivate Browsing (anonymous browsing) mode. This will open a new window.

- Paste the original URL of the page that incorrectly redirects into the URL bar of the new window.

- Verify this redirects to the correct page.

- Close and restart Internet Explorer.

Marc

Posted 2014-08-13T08:42:52.440

Reputation: 21

This solved my issue perfectly!!!! I love this post!!! Thank you Marc so much! I hate the malicious website and the stupid IE! – Dexuan – 2016-12-13T12:16:21.653

1

If you suspect Baidu Hijacker 'infection', here is an eHow article reference,
How to Remove Baidu Hijacker on Internet Explorer

Baidu Hijacker is not officially classified as a computer virus. However, it is known in the IT security world as a PUP, or potentially unwanted program, and does pose a serious security threat. The many forms and versions of this browser hijacker make it extremely difficult, but not impossible, to remove.

The final section of the article seems to throw the whole tool box at it though,

Some security and malware websites encourage using several tools in conjunction to completely clean up and restore your system. For example, Kaspersky TDSSKiller removes master boot record infections, RKill terminates malicious processes, Malwarebytes anti-malware removes Trojans and other malicious files, HitmanPro eliminates rootkits, and RogueKiller targets malicious registry keys.

nik

Posted 2014-08-13T08:42:52.440

Reputation: 50 788

Sorry, it's not that. I did check that stuff earlier though, I'll add the details to the question. – Seyren – 2014-08-13T09:25:55.810

0

I got the issue again with IE today.

Here are 2 methods:

Method 1: we can work around the issue temporarily by using InPrivate Browsing mode:

Click Tools -> InPrivate Browsing

Method 2: let's fix the issue thoroughly

Click Tools -> Internet Options

  1. Click "Delete..." to remove all the Browsing History
  2. Click Settings: choose "Check for newer versions of stored pages: Every time I start Internet Explorer".
     2.1 Click "View objects" and remove all the contents in the new window (e.g. C:\Windows\Downloaded Program Files)
     2.2 Click "View files" and remove all the contents in the new window (e.g. C:\Users\\AppData\Local\Microsoft\Windows\INetCache)

I suspect only step 2.2 is a must, however.

Dexuan

Posted 2014-08-13T08:42:52.440

Reputation: 101
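The answers by Marc and Dexuan point at three places where the hijack can persist for a single user: the per-user proxy/auto-config settings, per-user registry values containing the hijack host, and the IE cache directories that hold the permanently cached redirect. The following triage script is an added example, not code from the thread; it assumes Windows 7 with PowerShell 2.0 or later, is run as the affected user, and uses the hijack domain from the question as its only indicator.

```powershell
# Added triage script for the symptom described in this thread (not from any answer).
# Assumption: run in the affected user's session so HKCU and %LOCALAPPDATA% are theirs.
$Indicator = 'wo.com.cn'   # hijack host seen in the question

# 1. Per-user proxy and PAC settings; a PAC URL is a common way to redirect only one user.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty $inetKey | Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List

# 2. Registry values under HKCU containing the indicator (Marc found an entry this way).
Get-ChildItem -Path HKCU:\Software -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -like "*$Indicator*") {
                New-Object PSObject -Property @{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
    }

# 3. Cache files that mention the indicator: INetCache (IE10/11) and the older
#    Temporary Internet Files location. Locked index files are skipped, not fatal.
$cacheDirs = @("$env:LOCALAPPDATA\Microsoft\Windows\INetCache",
               "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files")
foreach ($dir in $cacheDirs) {
    if (Test-Path $dir) {
        Get-ChildItem $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Select-String -Pattern $Indicator -SimpleMatch -List -ErrorAction SilentlyContinue |
            Select-Object Path
    }
}

# 4. After reviewing the hits, clear Temporary Internet Files for this user
#    (the built-in equivalent of Dexuan's step 2.2); 8 = temporary internet files.
# RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
```

Step 4 is left commented out so the script is read-only until the hits have been reviewed; the cache entry is the piece that survives an IE reset and a reinstall, which matches the behaviour the question describes.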

0

I recently faced the same issue when I came back from China.

The internet was working fine on Chrome and IE-11, except the intranet home page wouldn't load on IE and would redirect to wo.com.cn (Baidu webpage).

"I deleted all the temporary files including cookies and that solved the issue straight away."

ROCK

Posted 2014-08-13T08:42:52.440

Reputation: 1

0

Based on the troubleshooting you have done, I would recommend that you change the default search engine.

Steps to change the default search engine in Internet Explorer:

Step 1: Tools > Manage Add-ons

Step 2: Click on Search Providers

Step 3: Select Bing as your default search engine.

Step 4: Right click and remove the other search engines.

Do let me know if this helped or not.

Sanjeev Dogra

Posted 2014-08-13T08:42:52.440

Reputation: 166

If only it were that easy... The search provider is and has always been set to Google. – Seyren – 2014-08-28T02:33:58.883

0

I have just experienced the same issue with one of our users.

SOLUTION: Check the temporary internet files for a file of the same name as your intranet site and delete the file. Just deleting all temporary internet files will probably work, too.

daykun

Posted 2014-08-13T08:42:52.440

Reputation: 1

I did that. Sounds like you might have had a different issue with the same symptoms, it might be good to put it up as a separate Q&A style question so people can find it easily. – Seyren – 2015-06-09T01:17:53.277

-1

I recently faced the same issue when I came back from China.

The IT team at the China factory made some changes to my DNS server as I was unable to go to my intranet homepage.

The internet was working fine on Chrome and IE-11, except the intranet home page wouldn't load on IE and would redirect to wo.com.cn (Baidu webpage).

I deleted all the temporary files including cookies and that solved the issue straight away.

Hope it helps.

Thanks

Sidd

Posted 2014-08-13T08:42:52.440

Reputation: 1

The DNS settings were fine and I did try clearing the temporary files. I really wish I'd had a spare machine at the time, I'd have liked to weed this one out =/ – Seyren – 2014-11-14T03:52:16.397