cslt
Virus/worm/spyware, etc... any website will redirect to a GoDaddy page (68.178.232.99)
This started to happen three days ago. Every machine on one of my child domains cannot browse to a lot of websites. For example, if I try to go to cnn.com, another page will come up showing GoDaddy with an IP address of 68.178.232.99. I scanned for viruses with Sophos, and used Spybot as well. This is happening on a few servers as well. I used Process Explorer to see if there were services running that I didn't recognize, but everything is fine. I also used HijackThis and nothing came up either.
The parent domain is just fine.
cslt--Since this started only three days ago, perhaps try a System Restore.
P.S. If that does not help, where does GoDaddy appear in the HiJackThis log?
Do I understand GoDaddy is a site you do want to access some of the time?
ASKER
This is happening on multiple PCs and a few servers. We do not want to go to GoDaddy. Say if I type in www.cnn.com in any web browser; I get redirected to a site that contains an advertisement for GoDaddy but it still retains the domain.
cslt--" i get redirected to a site that contains an advertisement for goDaddy "
Can you determine the URL of that site? (Right click|Properties) If so, where does it appear in the HJT log? What happens if you put that into your HOSTS file?
ASKER
Nothing in the hosts file; the URL is the site I am trying to reach. I will post an example. In HJT there is nothing in the log that suggests any redirection to any IP or URL as well. In the screenshot I tried to go to www.bofa.com but I get the GoDaddy ad instead.
bofa.jpg
cslt--Well, I am confused. Your first post says "if i try to go to cnn.com another page will come up showing GoDaddy ". Now you say that you want to reach bofa.com, not cnn.com.
bofa.com seems to be a legitimate site--some sort of derivative for Bank of America. But you are not reaching the real bofa.com site based on the image you posted compared to what I see when I try to reach .bofa.com. That could be phishing. IE has a phishing filter. (Tools|Phishing Filter). Is that turned on?
All this suggests your scans with antimalware programs should be run again--making sure you are using the most up to date reference definition files.
You can also run online scans.
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/products/activescan.htm
Or a shortcut to all this could be to run System Restore as I suggested earlier.
I should have also mentioned that when I try to access www.bofa.com I first am told the site has certificate problems, but then when I say to ignore that, I am redirected to a SECURE Bank of America site.
ASKER
The two sites that I mentioned were examples. This is happening to at least 50 different websites in the child domain, including the two URLs you suggested. Once you type in www.abc.com it does the same thing. It will come up and have the same ad with abc.com in the title bar. I am going to try ThreatFire next to see if that app will "see" something.
I agree with khaledf: this is probably a dns issue. From the command prompt do an nslookup for www.cnn.com:
Non-authoritative answer:
Name: cnn.com
Addresses: 64.236.16.20, 64.236.16.52, 64.236.24.12, 64.236.29.120
If you get the above IP addresses, it's probably not DNS. If you get 68.178.232.99, then follow khaledf's advice and change the DNS servers your machines talk to. OpenDNS is a great idea.
What DNS do you currently use?
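Added example (not part of the original thread): the nslookup comparison above, run over many names at once. It parses saved nslookup output from the internal DNS server and from a reference resolver, then reports any address the internal server returns for several different sites that the reference resolver does not. The function names, the internal server address 10.0.0.10 and the 192.0.2.x / 198.51.100.x answers are assumptions made for the example.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

def parse_nslookup(text):
    """Return (name, addresses) for one nslookup answer, skipping the
    resolver's own Server/Address header that precedes the Name: line."""
    name, addrs = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.lower().startswith("name:"):
            name = line.split(":", 1)[1].strip().lower()
        elif name and (line.lower().startswith("address") or IP_RE.fullmatch(line)):
            addrs.extend(IP_RE.findall(line))
    return name, addrs

def redirected_names(local, reference, min_names=3):
    """Map each IP that the local resolver returns for at least min_names
    different names, and that the reference resolver does not return for
    those names, to the list of affected names."""
    ref = {name: set(addrs) for name, addrs in map(parse_nslookup, reference)}
    by_ip = defaultdict(set)
    for name, addrs in map(parse_nslookup, local):
        for ip in addrs:
            if ip not in ref.get(name, set()):
                by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}

def answer(server, name, addrs):
    """Build constructed nslookup-style output for the sample data below."""
    label = "Addresses" if len(addrs) > 1 else "Address"
    return (f"Server:  {server}\nAddress:  {server}\n\nNon-authoritative answer:\n"
            f"Name:    {name}\n{label}:  {', '.join(addrs)}\n")

# Constructed sample data. 68.178.232.99, the cnn.com addresses and
# 208.67.222.222 are quoted in the thread; 10.0.0.10 (internal DNS) and the
# 192.0.2.x / 198.51.100.x answers are placeholders.
LOCAL = [answer("10.0.0.10", n, ["68.178.232.99"])
         for n in ("cnn.com", "bofa.com", "abc.com")]
LOCAL.append(answer("10.0.0.10", "example.org", ["192.0.2.10"]))
REFERENCE = [
    answer("208.67.222.222", "cnn.com",
           ["64.236.16.20", "64.236.16.52", "64.236.24.12", "64.236.29.120"]),
    answer("208.67.222.222", "bofa.com", ["198.51.100.7"]),
    answer("208.67.222.222", "abc.com", ["198.51.100.8"]),
    answer("208.67.222.222", "example.org", ["192.0.2.10"]),
]

if __name__ == "__main__":
    for ip, names in redirected_names(LOCAL, REFERENCE).items():
        print(f"{ip} answered for {len(names)} unrelated names: {', '.join(names)}")
```

A single name resolving differently on two resolvers is normal for sites behind load balancers or CDNs, which is why the check only reports an address shared by several different names.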
This is happening to me too as of two days ago. I have an MS Windows 2000 server with 5 PCs. Server is also DHCP and DNS server. ISP is Comcast via Linksys router/gateway. If I bypass my MS 2000 server AD-integrated DNS I can get to other sites.
ASKER
The redirection has not happened for the last three days. This makes me believe that there is a PC on my child domain that is the culprit. I know my DNS is fine because if there were a problem with it then the PCs on the parent domain would be doing the same thing. So once the PC is turned on again and this issue shows up, then it is time to check out each individual PC. I have 80 PCs on the child domain so this can take a while.
jlapalme,
Is your W2K box still not working, or are you just bypassing your DNS server still?
ASKER CERTIFIED SOLUTION
If you are using a router, try to change your DNS on your router to use opendns.com; their DNS IPs are
208.67.222.222 and 208.67.220.220
If the problem is not solved then try to use a different browser.