Wayne Barron

searchportal.information.com <-- Cannot browse, this stops me.

Hello all;

    This just started this evening, and the only way I am able to connect to EE is by use of
our WinNT4 servers. They seem to be uninfected. All of our Win2k and WinXP systems
are infected with whatever this thing is.

  OK.
   I am able to browse to Google.com and do a search.
When I click on a link, the page opens and tries to load, then goes blank
with an error at the bottom of IE. I click on the error and it states

Line   28
Char   1
Error   Object Required
Code  0
URL  http://searchportal.information.com/?0_id=60999&domainname=referer_detect

If I type in    http://www.msn.com
It also gives me the same problems.

One of the computers is a fresh install, and I am unable to connect to anything outside of Google.com.
That means that I am unable to use MSN or Yahoo Messenger.
I am basically a prisoner on 3 computers in the network at the moment.

Any ideas/suggestions on this issue will be great.
Thank you
carrzkiss
warrenbuckles

Hello carrzkiss:

Your network has gotten infected by malware that has hijacked your traffic to searchportal.information.com.

I'm not sure how your network is configured, but it looks like your internet traffic from the client systems is going out through your servers - I don't know if the infection is there or on the client machines. From the looks of your error it might be in a CSS style sheet, but I'm not sure.

I would do a spyware sweep of your systems and network pronto.

wb
rpggamergirl
Hi,
You can either run malware scanners like:
1. SUPERAntiSpyware:
http://www.superantispyware.com/


OR:
2.  Show us a hijackthis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
http://danborg.org/spy/hjt/alternativ.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then upload the log to any hosting site, or paste it to the site below:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.
Wayne Barron (ASKER)

Strange!!!!!!

  OK... I went into the properties for my NIC card
and changed it from "Obtain IP Automatically"
to an assigned IP and DNS addresses.
That FIXED the problem on my laptop.
So I then went in and changed the IP addresses on the other computers as well,
and now all the systems are running without any problems.

Very Very strange?

I do not know what to do about this question.
So, I am going to say that it will be:  PAQ/Refund

If any comments on this, please make it known when it is done.

Thank you both for your comments.
And "rpggamergirl":
I love how you explain things; you remind me of myself when I explain things on here.
It was kind of weird, though, having someone treat me like a beginner, but nonetheless,
It was like a breath of fresh air.

Later All;
Carrzkiss
Looks like it was just a hijack of your DNS setup.

It would be interesting to know how it happened - something penetrated your network's defenses.

wb
Warren = Yes, it would be nice to know how it happened.
I will do some checking in my DNS and see what is going on with it.
and see if there is a problem with it, as I bypassed my DNS altogether and
pointed to our ISP's DNS instead.

I will report back my findings, IF I can find out anything.

Take Care And Thanks.
Carrzkiss
>>It was kind of weird, though, having someone treat me like a beginner, but nonetheless.<<

carrzkiss,
Sorry if my post has offended you somehow. It is my "canned speech" that also suits anyone who hasn't used HijackThis before. I've been asked many times when I don't post instructions, like: "what do you mean fix? how do I fix entries?"

Yes, a lot of people don't need instructions, but some people also need it, so that's what the canned speech is for. I don't mean to offend anyone, it is JUST a canned speech that I copy and paste, :)
Again, I'm sorry for that.

Please post at Community Support and ask the mods to PAQ this question and refund your points.
https://www.experts-exchange.com/Other/Community_Support/

I answered my question myself, what do I do?
https://www.experts-exchange.com/help.jsp#hi70

Closing questions:
https://www.experts-exchange.com/help.jsp#hs5
rpggamergirl.

  No, absolutely no offense whatsoever; I am sorry that I made it sound like it did.

I have already done a PAQ/Refund Request.
I took care of that right after my post on what I did to fix the issue.

Take Care All
Carrzkiss
Hello Vee_Mod.

  Yep, that was one of the first things that I checked as well.
Would have been nice if that had been the cause, but unfortunately not in this case.
This is now happening to me as well. It all started on 4/7. We've been troubleshooting it since this morning. It comes and goes, but we can't put a finger on where the redirect stems from.

I've checked our internal DNS servers and each and every response is correct.  Looking at our local dns cache and server dns cache revealed nothing out of the norm.
I've checked our firewalls \ proxy devices and they are functioning as expected.
If I type in the IP addresses as they resolve from running nslookup, the correct sites display.
Has anyone figured this out?  It seems like DNS or ARP poisoning to some degree, but I can't figure out where.
I forgot to mention, our hosts files were clean. We've rebooted PCs, DNS servers, firewalls, you name it. No dice.

Since we use bandwidth aggregators \ load balancers, I've tried using each of the three internet connections that we have trying to rule out a downstream ISP issue.

It's definitely not a spyware issue - our machines are clean...

Any ideas?
There is nothing on our end that would be causing this issue.
The only thing that I can think of is that our ISP's DNS got hijacked.
Several years ago a friend of mine ran a small ISP, and his DNS got hijacked,
and when that happened, all of his customers could not browse the Internet.
So I am thinking that maybe this might have happened to our ISP, which is "Charter".

This is just a guess, so I'm open to more guesses.

Carrzkiss
That was an assumption of mine as well, but given that we have three ISPs I concluded that it just couldn't be possible. New Edge, Verizon, & Lightpath can't all be screwed up.

Furthermore, we host our own internal DNS, which answers queries properly... If I go into DOS and run "NSLOOKUP www.google.com" it answers back a valid Google IP. If I put that IP into a browser, it works. If I put www.google.com into a browser I get searchportal.information.com - this is crazy...
I know.
I am not sure what the deal is then. We run our own DNS as well, and everything is working
properly on this end, so I am at a loss as well.
I really have no other solution to this issue. The only thing that I know to do to bypass
the issue is to assign a static internal IP address to the machines that are affected by this,
and you should no longer see the issue.

Still looking for more suggestions on this issue.
Maybe it is a DHCP issue in the way that it assigns the NetBIOS search options.

Under DHCP Manager, Under Server Options, what do you have listed under node type 046?

The options are:
0x1  B-Node
0x2  P-Node
0x4  M-Node
0x8  H-Node

We previously always ran M-node but found that our resolution of machine names was slow due to the broadcasts... We had changed it to H-node a few weeks ago. I'll try changing it back and see if it helps things any...

You can google this stuff, but as far as I know, H-node tells the client to try WINS first and, if that fails, broadcast for the IP address. M-node means broadcast first, then ask a WINS server for the IP address. Now, whether this happens before or after DNS, or what's really happening, I don't know. But I'm willing to try anything at this point in time.

No instant success. I changed the DHCP option back to M-node and had no luck on my PC... I'll keep it on M and let it settle a bit to see if the user community experiences any improvement. For now, I'll try going static next...

Here are proper definitions for the node types by the way:

B-node (not recommended)
Multicast queriers and listeners
Listen on both linklocal and local scopes
MUST NOT send DNS queries via unicast
Cannot resolve names outside the scope of multicast DNS

P-node
Use DNS via unicast only
MUST NOT send multicast queries, listen for them or respond to them
Default behavior for clients configured via DHCP but not receiving mDNS configuration option (existing behavior)

M-node
Use multicast queries prior to unicast
Listen on both linklocal and local scopes

H-node
Use unicast queries prior to multicast
Listen on both linklocal and local scopes
ASKER CERTIFIED SOLUTION
imagin

This solution is only available to members.
Take a look at this searchportal redirection here, and how his problem was solved:

http://72.14.235.104/search?q=cache:0iM0Na10K74J:www.tek-tips.com/viewthread.cfm%3Fqid%3D1267416%26page%3D2+searchportal.information.com/&hl=en&ct=clnk&cd=5&gl=au

>>I'VE GOT IT!!!

I can't believe this.
Because at work (remember this is a company laptop) we use several different internal domains, I have added them into the "append these DNS suffixes" box in the TCP/IP properties.
The first domain in the list has been registered as a real TLD and goes to a page which contains this searchportal stuff.
So if I was typing wefcwwewdfw.couk it was actually trying to resolve eroergerg.couk.domain.com, and ending up there.
This seems to have solved the problem.<<<
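The quoted fix above turns on one resolver detail: a Windows client tries a name as typed and, when that fails, retries it with each entry of the "append these DNS suffixes" list appended, so a mistyped or unresolvable name can land on a wildcard record under one of those suffixes. The following is an added example, not code from this thread or from any poster; it is a small offline model of that behaviour with constructed zone data (all domains end in ".example", addresses come from the RFC 5737 documentation ranges, and `*.corp.example` stands in for a suffix domain that answers for every name beneath it). It also includes the check a practitioner would run against each suffix: resolve a made-up label under it and see whether anything answers.

```python
"""
Added example (not from the thread): an offline model of DNS suffix appending
and RFC 4592 wildcard matching, to show how a name that does NOT resolve as
typed can end up resolving under a suffix's wildcard record.
All names and addresses are constructed.
"""

# Constructed zone data: fully-qualified owner names (trailing dot) -> A record.
# "*.corp.example." models a suffix domain that exists in public DNS and
# answers for every name under it (a catch-all / parking wildcard).
ZONE = {
    "www.google.com.": "192.0.2.10",
    "www.msn.com.": "192.0.2.20",
    "intranet.corp.example.": "10.0.0.5",
    "*.corp.example.": "203.0.113.66",  # hypothetical redirect/parking host
    "hr.other.example.": "10.0.1.9",    # a suffix domain with no wildcard
}

# Constructed "append these DNS suffixes" list, in the order the client tries them.
SUFFIXES = ["corp.example", "other.example"]


def _fqdn(name):
    """Normalise to a lower-case, dot-terminated owner name."""
    return name.rstrip(".").lower() + "."


def _exists(name, zone):
    """A name exists if it owns a record or is an ancestor of one (an 'empty non-terminal')."""
    return name in zone or any(key.endswith("." + name) for key in zone)


def lookup(name, zone):
    """Resolve one fully-qualified name against ZONE with RFC 4592 wildcard rules.

    Exact matches win. Otherwise walk up to the closest existing ancestor
    (the "closest encloser") and answer from its wildcard, if it has one;
    a wildcard higher up the tree is never consulted. None means NXDOMAIN.
    """
    fqdn = _fqdn(name)
    if fqdn in zone:
        return zone[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if _exists(parent, zone):
            return zone.get("*." + parent)
    return None


def resolve(name, suffixes, zone):
    """Model the client-side suffix appending (simplified; assumption, not a spec).

    A name ending in "." is treated as fully qualified and never modified;
    anything else is tried as typed, then with each suffix appended in order.
    Returns (address_or_None, list_of_names_tried).
    """
    if name.endswith("."):
        candidates = [name]
    else:
        candidates = [name] + [f"{name}.{suffix}" for suffix in suffixes]
    tried = []
    for candidate in candidates:
        tried.append(candidate)
        address = lookup(candidate, zone)
        if address is not None:
            return address, tried
    return None, tried


def has_wildcard(suffix, zone, probe_label="zz-probe-7f3a1c"):
    """Report whether a suffix domain answers for an arbitrary label beneath it.

    If a made-up name under the suffix resolves, every typo will resolve there
    too. On a real host the equivalent is `nslookup <random-label>.<suffix>`.
    """
    return lookup(f"{probe_label}.{suffix}", zone) is not None


def catch_all_suffixes(suffixes, zone):
    """Return the suffixes in the search list that would swallow mistyped names."""
    return [s for s in suffixes if has_wildcard(s, zone)]


if __name__ == "__main__":
    for name in ("www.google.com", "www.gooogle.com", "intranet", "www.gooogle.com."):
        address, tried = resolve(name, SUFFIXES, ZONE)
        print(f"{name!r:22} -> {str(address):14} tried: {tried}")
    print("catch-all suffixes:", catch_all_suffixes(SUFFIXES, ZONE))
```

Run as-is, the correctly spelled `www.google.com` resolves on the first try, the typo `www.gooogle.com` fails as typed and then matches `*.corp.example` once the first suffix is appended, and the trailing-dot form `www.gooogle.com.` is never suffixed and simply fails. On the Windows hosts in this thread the same check is `ipconfig /all` to read the suffix search list, then `nslookup <random-label>.<suffix>` for each entry; any suffix that answers is one that will redirect every mistyped or unresolvable name.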
imagin: I've tried clearing the cache on the server and bouncing the services to no avail. I've even gone and flushed the cache on both DNS servers and the clients that I've been testing with (ipconfig /flushdns).

Vee \ rpggamergirl: I also read that and likewise tested it. We use straight-up DHCP with no extras within our TCP/IP DNS properties...

I'm going to reboot the servers as per imagin's recommendation and report back.
So far, so good with regard to the DNS server reboots. No more redirections... I'll recheck in the morning.

Thanks imagin!