I have a user who went on a trip to China recently. Since they've come back, attempting to navigate to any of their bookmarks takes them to this url:
http://nfdnserror1.wo.com.cn:8080/issueunziped/nf20140811/index.html?UserUrl=<the URL>
The page is basically just the Chinese search engine Baidu, with the search field filled in with the UserUrl query string. The URL looks like it is supposed to be a custom DNS lookup failure page.
The bookmark doesn't look like it's been modified. Navigating directly to the URLs also redirects to this page. It looks like only the URLs in the bookmarks are affected, as illustrated below:
Not OK (exists in bookmarks)
http://<internal server name>/<subsite name>/
OK
http://<internal server name>/
http://<internal server FQDN>/<subsite name>/
The problem is isolated to IE11 and that specific user account. Chrome and Firefox don't have the issue at all, and IE11 on a separate local account doesn't have the problem either.
OS is Windows 7 Pro x64.
I've checked and done the following:
- DNS settings are correct
- Flushed the DNS cache
- Hosts file is fine
- There are no additional IE plugins
- Reset IE (Internet options -> Advanced -> Reset IE)
- HiJackThis doesn't catch anything related to this
- Malwarebytes picked up a couple of registry keys that seemed to be left over from some toolbars that were installed accidentally, but quarantining them didn't do anything
- New bookmarks don't have this issue
- Deleting the old bookmark and navigating to the URL still produces the issue
- There aren't any suspicious processes running or any new services installed
- There's no Baidu folder in either of the Program Files folders
- Baidu toolbar was never installed at any point
- Checked that there is no proxy server set
- Checked MSconfig, no startup programs or services were unexpected
- Ran Sysinternals' Autoruns, but nothing suspicious was found
The user doesn't have admin rights so they can't have installed anything on their own. Has anyone else encountered something similar to this issue?
I uninstalled IE11, but the issue persists. Oddly, it's now only occurring on one particular URL, which is the single label name of a server in a separate domain which we have a two-way trust with. We use client-side DNS suffixes defined in a GPO for these to resolve. As ever, the problem is still occurring only on IE (albeit, IE10 now), and only on this user's account. I'm probably going to migrate them onto another machine, but it would be nice to solve this mystery first.
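The checklist in the question (DNS settings, hosts file, proxy, per-user vs. per-machine) can be run as one script in the affected user's session. The following PowerShell is an added example and is not code from the original post or its author; it assumes Windows 7 with PowerShell 2.0 or later, that it is run while logged on as the affected user (so HKCU is that user's hive), and the single-label server name `$Name` is a hypothetical placeholder. One check a practitioner would add to the list above: IE can still route traffic through a proxy when "ProxyEnable" is off if an automatic configuration script (AutoConfigURL, a PAC file) is set, and that value is per user, which matches the symptom pattern of one account and one browser.

```powershell
# Added example (not from the original post): dump the per-user IE settings and
# the machine-wide name-resolution settings that can send one user's IE session
# to an ISP "DNS error" page for a single-label intranet name.
# Assumptions: Windows 7, PowerShell 2.0+, run in the affected user's session.
param(
    [string]$Name = 'intranetserver'   # hypothetical; replace with the failing label
)

# 1. Per-user IE connection settings. ProxyServer alone is not enough: a PAC
#    script in AutoConfigURL also redirects traffic, with ProxyEnable still 0.
$ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$v  = Get-ItemProperty -Path $ie
"ProxyEnable   : $($v.ProxyEnable)"
"ProxyServer   : $($v.ProxyServer)"
"ProxyOverride : $($v.ProxyOverride)"
"AutoConfigURL : $($v.AutoConfigURL)"   # non-empty here means a PAC file is in use

# 2. DNS suffix search list: the GPO-delivered list (which the question says is
#    used to resolve the cross-domain label) and the locally configured one.
$gpo = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
"GPO SearchList   : $($gpo.SearchList)"
"Local SearchList : $($tcp.SearchList)"

# 3. Hosts file lines that mention the name (machine-wide, so it would affect
#    every user and every browser if it were the cause).
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Select-String -Path $hosts -Pattern $Name -SimpleMatch | ForEach-Object { "hosts: $($_.Line)" }

# 4. Resolve the bare label and each suffix-qualified form. A name that only
#    resolves once a suffix is appended points at the search list; a name that
#    resolves nowhere is what an ISP NXDOMAIN-substitution page would catch.
$candidates = @($Name)
foreach ($list in @($gpo.SearchList, $tcp.SearchList)) {
    if ($list) {
        foreach ($suffix in ($list -split ',')) {
            $candidates += "$Name.$($suffix.Trim())"
        }
    }
}
foreach ($fqdn in ($candidates | Select-Object -Unique)) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        "$fqdn -> $($addrs -join ', ')"
    } catch {
        "$fqdn -> unresolved ($($_.Exception.Message))"
    }
}

# 5. The resolver cache is machine-wide; a stale or poisoned entry here would
#    hit Chrome and Firefox too, so an entry for the name rules that in or out.
ipconfig /displaydns | Select-String -Pattern $Name -SimpleMatch
```

Run it once as the affected user and once as a user who is not affected, then diff the two outputs: anything that differs between them is by definition per-profile, which is where the question's symptoms (one account, one browser) say the cause has to be.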
Malware scans don't guarantee anything. The average detection rates have fallen to 40% or so. Wipe and re-install. It's the only way to be sure. – Jeff-Inventor ChromeOS – 2014-08-13T08:48:55.173
What's the operating system? Can you reproduce the issue using both old and freshly created bookmarks, or by starting Windows in Safe Mode with Networking? – and31415 – 2014-08-13T08:58:42.783
Whoops. I'll add the details to the question. I'll try safe mode tomorrow, the user doesn't have the time for that anymore today. – Seyren – 2014-08-13T09:22:24.170
@Jeff-InventorChromeOS Nuke it from orbit! .. I wish I could stop time to do that for every case :( – Seyren – 2014-08-13T09:33:10.290
@Seyren got the reference! – Jeff-Inventor ChromeOS – 2014-08-13T09:45:04.730
I suggest taking the HDD out of the computer and doing malware scans from another computer so that any malware can't be hidden. If you do find anything, you might want to check other computers on the network too. – Andrew Morton – 2014-08-15T17:15:31.560
Also see this KB: How to reset Internet Explorer settings. But I like Seyren's idea - wipe it. In fact, some organizations I know send folks to China with temporary laptops and phones just for the purpose of wiping them afterwards. I believe the FBI or State Department does it (I can't find the article I was reading on the subject). – jww – 2014-11-13T23:33:51.707
@jww I did that, it didn't help. Anyway, the machine is nuked already... Now I'm just waiting for someone else to encounter the issue, I have a spare machine ready for them this time. – Seyren – 2014-11-14T03:48:50.807
For those who saw the "new information": Okay, I got some hands-on time with the user's PC. It looks like it wasn't the same problem after all. I cleared out cookies and temporary internet files and the problem went away. Oh well... – Seyren – 2014-11-18T06:36:03.763