

searchportal.information.com   <-- Cannot browse, this stops me.

Posted on 2007-04-04
Medium Priority
Last Modified: 2013-11-16
Hello all;

    This just started this evening, and the only way I am able to connect to EE is by use of
our WinNT4 servers. They seem to be uninfected. All of our Win2k and WinXP systems
are infected with whatever this thing is.

   I am able to browse to Google.com and do a search.
When I click on a link, the page opens and tries to load, then goes blank
with the error at the bottom of IE. When I click on the error it states:

Line   28
Char   1
Error   Object Required
Code  0
URL  http://searchportal.information.com/?0_id=60999&domainname=referer_detect

If I type in    http://www.msn.com
it also gives me the same problems.

One of the computers is a fresh install, and I am unable to connect to anything outside of Google.com.
That means that I am unable to use MSN or Yahoo Messenger.
I am basically a prisoner on 3 computers in the network at the moment.

Any ideas/suggestions on this issue will be great.
Thank you
Question by:Wayne Barron
LVL 14

Expert Comment

ID: 18855772
Hello carrzkiss:

Your network has gotten infected by malware that has hijacked your traffic to searchportal.information.com.

I'm not sure how your network is configured, but it looks like your internet traffic from the client systems is going out through your servers. I don't know if the infection is there or on the client machines. From the looks of your error it might be in a CSS style sheet, but I'm not sure.

I would do a spyware sweep of your systems and network pronto.

LVL 47

Expert Comment

ID: 18855940
You can either run malware scanners like:
1. SUPERAntiSpyware:

2. Show us a HijackThis log.
Please download HijackThis 1.99.1
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then upload the logs to any hosting site, or to the site below:
paste the log to this site:
then at the bottom left corner click "paste".
Copy the address/URL and post it here.
LVL 31

Author Comment

by:Wayne Barron
ID: 18857137

  OK.. I went into the properties for my NIC card
and changed it from "Obtain IP Automatically"
to an assigned IP and DNS addresses.
That FIXED the problem on my laptop.
So I then went in and changed the IP addresses on the other computers as well,
and now all the systems are running without any problems.

Very, very strange?

I do not know what to do about this question.
So, I am going to say that it will be:  PAQ/Refund

If any comments on this, please make it known when it is done.

Thank you both for your comments.
And "rpggamegirl",
I love how you explain things; you remind me of myself when I explain things on here.
It was kind of weird though having someone treat me like a beginner, but nonetheless,
it was like a breath of fresh air.

Later All;

LVL 14

Expert Comment

ID: 18858025
Looks like it was just a hijack of your DNS setup.

It would be interesting to know how it happened; something penetrated your network's defenses.

LVL 31

Author Comment

by:Wayne Barron
ID: 18858667
Warren = Yes, it would be nice to know how it happened.
I will do some checking in my DNS and see what is going on with it,
and see if there is a problem with it, as I bypassed my DNS altogether and
pointed to our ISP's DNS instead.

I will report back my findings, IF I can find out anything.

Take Care And Thanks.
LVL 47

Expert Comment

ID: 18861696
>>It was kind-of weird though having someone treat me like a beginner, but none-the-less.<<

Sorry if my post has offended you somehow. It is my "canned speech" that also suits anyone who hasn't used HijackThis before. I've been asked many times when I don't post instructions, like: "what do you mean fix? how do I fix entries?"

Yes, a lot of people don't need instructions, but some people also need it, so that's what the canned speech is for. I don't mean to offend anyone; it is JUST a canned speech that I copy and paste. :)
Again, I'm sorry for that.

Please post at Community Support and ask the mods to PAQ this question and refund your points.

I answered my question myself, what do I do?

Closing questions:
LVL 31

Author Comment

by:Wayne Barron
ID: 18861926

  No, absolutely no offense whatsoever; I am sorry that I made it sound like it did.

I have already done a PAQ/Refund Request.
I took care of that right after my post on what I did to fix the issue.

Take Care All
LVL 31

Author Comment

by:Wayne Barron
ID: 18870724
Hello Vee_Mod.

  Yep, that was one of the first things that I checked as well.
It would have been nice if that had been the cause, but unfortunately not, in this case.

Expert Comment

ID: 18879329
This is now happening to me as well.  It all started on 4/7.  We've been troubleshooting it since this morning.  It comes and goes, but we can't put a finger on where the redirect stems from.

I've checked our internal DNS servers and each and every response is correct.  Looking at our local DNS cache and server DNS cache revealed nothing out of the norm.
I've checked our firewalls / proxy devices and they are functioning as expected.
If I type in the IP addresses as they resolve from running nslookup, the correct sites display.
Has anyone figured this out?  It seems like DNS or ARP poisoning to some degree, but I can't figure out where.

Expert Comment

ID: 18879349
I forgot to mention, our hosts files were clean.  We've rebooted PCs, DNS servers, firewalls, you name it.  No dice.

Since we use bandwidth aggregators / load balancers, I've tried using each of the three internet connections that we have, trying to rule out a downstream ISP issue.

It's definitely not a spyware issue; our machines are clean...

Any ideas?
LVL 31

Author Comment

by:Wayne Barron
ID: 18879897
There is nothing on our end that would be causing this issue.
The only thing that I can think of is that our ISP's DNS got hijacked.
Several years ago a friend of mine ran a small ISP, and his DNS got hijacked,
and when that happened, all of his customers could not browse the Internet.
So, I am thinking that maybe this might have happened to our ISP, which is "Charter".

This is just a guess, so up for more guesses.


Expert Comment

ID: 18882656
That was an assumption of mine as well, but being that we have three ISPs I concluded that it just couldn't be possible.  New Edge, Verizon, & Lightpath all can't be screwed up.

Furthermore, we host our own internal DNS which answers queries properly...  If I go into DOS and run "NSLOOKUP www.google.com" it answers back a valid Google IP.  If I put that IP into a browser, it works.  If I put www.google.com into a browser I get searchportal.information.com; this is crazy...
LVL 31

Author Comment

by:Wayne Barron
ID: 18883807
I know.
I am not sure what the deal is then. We run our own DNS as well, and everything is working
properly on this end, so I am at a loss as well.
I really have no other solution to this issue. The only thing that I know to do to bypass
the issue is to assign a static internal IP address to the machines that are affected by this,
and you should no longer see the issue.

Still looking for more suggestions on this issue.

Expert Comment

ID: 18884327
Maybe it is a DHCP issue in the way that it assigns the NetBIOS search options.

Under DHCP Manager, under Server Options, what do you have listed under node type 046?

The options are:
0x1  B-Node
0x2  P-Node
0x4  M-Node
0x8  H-Node

We previously always ran M-Node but found that our resolutions for machine names were slow due to the broadcasts...  We had changed it to H-Node a few weeks ago.  I'll try changing it back and see if it helps things any...

You can google this stuff, but as far as I know, H-node tells the client to try WINS first and, if that fails, broadcast for the IP address.  M-node means broadcast first, then ask a WINS server for the IP address.  Now whether this happens before or after DNS, or what's really happening, I don't know.  But I'm willing to try anything at this point in time.


Expert Comment

ID: 18884394
No instant success.  I changed the DHCP option back to M-Node and had no luck on my PC...  I'll keep it on M and let it settle a bit to see if the user community experiences any improvement.  For now, I'll try going static next...

Here are proper definitions for the node types, by the way:

B-node (not recommended)
Multicast queriers and listeners
Listen on both link-local and local scopes
MUST NOT send DNS queries via unicast
Cannot resolve names outside the scope of multicast DNS

P-node
Use DNS via unicast only
MUST NOT send multicast queries, listen for them or respond to them
Default behavior for clients configured via DHCP but not receiving the mDNS configuration option (existing behavior)

M-node
Use multicast queries prior to unicast
Listen on both link-local and local scopes

H-node
Use unicast queries prior to multicast
Listen on both link-local and local scopes

Accepted Solution

imagin earned 1000 total points
ID: 18885146
This same "searchportal.information.com" just appeared on our network sometime around April 7th or 8th.  We have also been perplexed while trying to find how it happened.
We had decided it must have something to do with DNS, so we flushed the DNS cache and rebooted the server, and it started working properly.  However, the other servers still did not work properly until we rebooted each server individually.  Each started working properly after the reboot.  This leads us to believe that it was somehow hijacked into the DNS cache.

What puzzles us is that an NSLOOKUP would always return proper IPs, but the browsers would not.

If this helps or anyone finds how this happened, we are anxious to figure this out.
LVL 47

Expert Comment

ID: 18885894
Take a look at this searchportal redirection here, how his problem was solved:

>>I'VE GOT IT!!!

I can't believe this.
Because at work (remember this is a company laptop) we use several different internal domains, I have added them into the "append these DNS suffixes" box in the TCP/IP properties.
The first domain in the list has been registered as a real TLD and goes to a page which contains this searchportal stuff.
So if I was typing wefcwwewdfw.couk it was actually trying to resolve eroergerg.couk.domain.com, and ending up there.
This seems to have solved the problem<<<

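As an added illustration (not code from the thread or from any of its participants) of the search-suffix effect in the quoted post: a small Python model of a stub resolver that appends search suffixes, run against constructed zone data in which one suffix's parent domain carries a wildcard record. The domain names, suffix list and addresses are all made up; the last function is the check a defender would run to find a suffix that answers for any label.

```python
"""Model of search-suffix appending against a wildcard domain (constructed)."""
import secrets
from typing import List, Optional, Tuple

# Constructed zone: exact records, plus a wildcard under a parent domain that
# is publicly registered AND present in the client's suffix search list.
ZONE = {
    "www.google.com.": "192.0.2.10",          # made-up address
    "fileserver.corp.example.": "10.0.0.5",   # made-up internal host
    "*.example.com.": "203.0.113.7",          # catch-all, like the searchportal page
}

def lookup(fqdn: str) -> Optional[str]:
    """Exact match first, then the closest enclosing wildcard (RFC 1034 4.3.3 style)."""
    name = fqdn.rstrip(".").lower() + "."
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        wild = "*." + ".".join(labels[i:])
        if wild in ZONE:
            return ZONE[wild]
    return None

def resolve_with_search_list(name: str, suffixes: List[str]) -> Optional[Tuple[str, str]]:
    """Windows-style stub resolver model: a name containing a dot is tried as typed
    first; on failure (and always for single-label names) each search suffix is
    appended in list order. Returns (FQDN that actually answered, address)."""
    if name.endswith("."):                      # fully qualified: never suffixed
        addr = lookup(name)
        return (name, addr) if addr else None
    order = [name] if "." in name else []
    order += [f"{name}.{s}" for s in suffixes]
    for fqdn in order:
        addr = lookup(fqdn)
        if addr:
            return (fqdn, addr)
    return None

def catch_all_suffixes(suffixes: List[str]) -> List[str]:
    """Defender check: a suffix that resolves a random, never-registered label
    will swallow every typo and every unresolvable name typed on the client."""
    probe = "probe-" + secrets.token_hex(6)     # label nobody has registered
    return [s for s in suffixes if lookup(f"{probe}.{s}")]
```

With the search list ["example.com", "corp.example"], the mistyped "wefcwwewdfw.couk" fails as typed and is answered by the wildcard as "wefcwwewdfw.couk.example.com", while nslookup, which queries the name you give it, would not show that path.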
Expert Comment

ID: 18887939
imagin:  I've tried clearing the cache on the server and bouncing the services to no avail.  I've even gone and flushed the cache on both DNS servers and the clients that I've been testing with (ipconfig /flushdns).

Vee / rpggamergirl:  I also read that and likewise tested it.  We use straight-up DHCP with no extras within our TCP/IP DNS properties...

I'm going to reboot the servers as per imagin's recommendation and report back.

Expert Comment

ID: 18887980
So far, so good with regard to the DNS server reboots.  No more redirections...  I'll recheck in the morning.

Thanks imagin!
