<-- Cannot browse, this stops me.

Hello all;

    This just started this evening, and the only way I am able to connect to EE is by use of
Our WinNT4 Servers. They seem to be uninfected. All of our Win2k and WinXP System's
Are infected with what ever this thing is.

   I am able to browse onto Do a Search.
When I click on a link, the page opens and tries to open the page, it then goes blank
With the Error at the bottom of IE, I click on the error and it states

Line   28
Char   1
Error   Object Required
Code  0

If I type in
It also gives me the same problems.

One of the computers is a fresh install, and I am unable to connect to anything outside of
That means that I am unable to use: MSN, Yahoo Messengers/
I am basically a prisoner on 3 computers in the network at the moment.

Any idea's/suggestions on this issue will be great.
Thank you
LVL 31
Wayne BarronAuthor, Web DeveloperAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hello carrzkiss:

Your network has gotten infected by malware  that has hijacked your traffic to

I'm not sure how your network is configured but it looks like your internet traffic from the client systems is going out through your servers - I don't know if the infection is there on on the client machines.  From the looks of your error it might be in a CSS style sheet but I'm not sure.

I would do a spyware sweep of your systems and network pronto.

You can either run malware scanners like;
1. SUPERANtispyware:

2.  Show us a hijackthis log.
Please download HijackThis 1.99.1
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then upload the logs to any hosting sites, or to the site below:
paste the log to this site:
then at the bottom left corner click "paste"
Copy the address/url and post it here.
Wayne BarronAuthor, Web DeveloperAuthor Commented:

  OK.. I went into the properties, for my NIC Card.
And changed it from "Obtain IP Automatically"
To an assigned IP And DNS Address's.
That FIXED the problem on my Laptop.
So I then went in and changed the IP address's on the other computers as well
And now all the systems are running without any problems.

Very Very strange?

I do not know what to do about this question.
So, I am going to say that it will be:  PAQ/Refund

If any comments on this, please make it known when it is done.

Thank you both for your comments.
And "rpggamegirl"
I love how you explain things, you remind me of myself when I explain thing on here.
It was kind-of weird though having someone treat me like a beginner, but none-the-less.
It was like a breath of fresh air.

Later All;
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Looks like it was just a hijack of your DNS setup.

It would be interesting to know how it happened - something penetrated your network's defenses.

Wayne BarronAuthor, Web DeveloperAuthor Commented:
Warren = Yes, it would be nice to know how it happened.
I will do some checking in my DNS and see what is going on with it.
And see if there is a problem with it, as I bypassed my DNS all together and
Pointed to our ISP's DNS instead.

I will report back my findings, IF I can find out anything.

Take Care And Thanks.
>>It was kind-of weird though having someone treat me like a beginner, but none-the-less.<<

Sorry if my post has offended you somehow. It is my "canned speech" that also suits for anyone who hasn't used hijackthis before. I've been asked many times when I don't post instructions, like; "what do you mean fix? how do I fix entries?"

Yes, a lot of people don't need instructions, but some people also need it, so that's what the canned speech is for. I don't mean to offend anyone, it is JUST a canned speech that I copy and paste, :)
Again, I'm sorry for that.

Please post at the Community support and ask the mods to FAQ'ed this question and refund your points.

I answered my question myself, what do I do?

Closing questions:
Wayne BarronAuthor, Web DeveloperAuthor Commented:

  No, absolutely no offense what so ever, I am sorry that I made it sound like it did.

I have already done a PAQ/Refund Request.
I took care of that right after my post on what I did to fix the issue.

Take Care All
Wayne BarronAuthor, Web DeveloperAuthor Commented:
Hello Vee_Mod.

  Yep, that was one of the first things that I checked as well.
Been nice if that would have been the cause, but infortunantly not, in this case.
This is now happening to me as well.  It all started on 4/7.  We've been trouble-shooting it since this morning.  It comes and goes, but we can't put a finger on it as to where the redirect stems from.

I've checked our internal DNS servers and each and every response is correct.  Looking at our local dns cache and server dns cache revealed nothing out of the norm.
I've checked our firewalls \ proxy devices and they are functioning to be expected.
If I type in the IP addresses as they resolve from running nslookup, the correct sites display.
Has anyone figured this out?  It seems like DNS or ARP poisoning to some degree, but I can't figure out where.
I forgot to mention, our hosts files were clean.  We've rebooted pc's, dns servers, firewalls, you name it.  No dice.

Since we use bandwidth aggregators \ load balancers, I've tried using each of the three internet connections that we have trying to rule out a downstream ISP issue.

It's definitely not a spyware issue - our machines are clean...

Any ideas?
Wayne BarronAuthor, Web DeveloperAuthor Commented:
There is nothing on our end that would be causing this issue.
The only thing that I can think of is that our ISP's DNS got Hijacked,
Several years ago a friend of mine ran a small ISP, and his DNS Got Hijacked
And when that happened, all of his customers could not browse the Internet.
So, I am thinking that maybe this might have happened to our ISP which is "Charter".

This is just a guess, so up for more guess's.

That was an assumption of mine as well, but being that we have three ISP's I concluded that it just couldn't be possible.  New Edge, Verizon, & Lightpath all can't be screwed up.  

Furthermore, we host our own internal DNS which answers queries properly...  If I go into dos and run "NSLOOKUP" it answers back a valid google IP.  If I put that IP into a browser, it works.  If I put into a browser I get - this is crazy...
Wayne BarronAuthor, Web DeveloperAuthor Commented:
I know.
I am not sure what the deal is then. We run our own DNS as well, and everything is working
Properly on this end, so I am at a loss as well.
I really have no other solution in this issue. The only thing that I know to do to by-pass
The issue is too assign a Static Internal IP Address to the machines that are affected by this
And you should no longer see the issue.

Still looking for more suggestions on this issue.
Maybe it is a DHCP issue in the way that it assigns the Netbios search options.

Under DHCP Manager, Under Server Options, what do you have listed under node type 046?

The options are:
0x1  B-Node
0x2  P-Node
0x4  M-Node
0x8  H-Node

We previously always ran M-Node but found that our resolutions for machine names were slow due to the broadcasts...  We had changed it to H-Node a few weeks ago.  I'll try changing it back and see if it helps things any...

You can google this stuff, but as far as I know - H-node tells the client to try WINS first, if that fails broadcast for the IP address.  M-node which means Broadcast first then ask a WINS server for the IP Address.  Now whether or not this happens in before of after DNS or what's really happening, I don't know.  But I'm willing to try anything at this point in time.

No instant success.  I changed the DHCP option back to M-Node and had no luck on my PC...  I'll keep it on M and let it settle a bit to see if the user community experiences any improvement.  For now, I'll trying going static next...  

Here are proper definitions for the node types by the way:

B-node (not recommended)
Multicast queriers and listeners
Listen on both linklocal and local scopes
MUST NOT send DNS queries via unicast
Cannot resolve names outside the scope of multicast DNS

Use DNS via unicast only
MUST NOT send multicast queries, listen for them or respond to them
Default behavior for clients configured via DHCP but not receiving mDNS configuration option (existing behavior)

Use multicast queries prior to unicast
Listen on both linklocal and local scopes

Use unicast queries prior to multicast
Listen on both linklocal and local scopes
This same "" just appeared on our network sometime around April 7th or 8th.  We have also been perplexed while trying to find how it happened.
We had decided it must have something to do with DNS so we flushed the DNS cache and rebooted the server and it started working properly.  However, the other servers still did not work properly until we rebooted each server individually.  Each started working properly after the reboot.  This leads us to believe that it was somehow hijacked into the DNS cache.

What puzzles us it that an NSLOOKUP would always return proper IP's, but the browsers would not.

If this helps or anyone finds how this happened, we are anxious to figure this out.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Take a look at this searchportal redirection here, how his problem was solved:

>>I'VE GOT IT!!!

I can't believe this.
Because in work (remember this is a company laptop), we use serveral different internal domains, I have a added them into the "append these dns suffixes" box in the tcpip properties.
The first domain in the list has been registered as a real TLD and goes to a page which contains this searchportal stuff.
So if I was typing wefcwwewdfw.couk it was actually trying to resolve, and ending up there.
this seems to have solved the problem<<<
imagin:  I've tried clearing the cache on the server and bouncing the services to no avail.  I've even went and flushed the cache on both DNS servers and clients that I've been testing with (ipconfig /flushdns).

Vee \ rpggamergirl:  I also read that and likewise tested it.  We use straight-up DHCP with no extras within our TCP/IP dns properties...  

I'm going to reboot the servers as per imagin's recommendation and report back.
So far, so good with regard to the DNS server reboots.  No more redirections...  I'll recheck in the morning.

Thanks imagin!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.