IE DNS lookup hijacked by Baidu

Tags: dns, hijack, internet explorer

I have a user who went on a trip to China recently. Since they've come back, attempting to navigate to any of their bookmarks takes them to this url:

http://nfdnserror1.wo.com.cn:8080/issueunziped/nf20140811/index.html?UserUrl=<the URL>

The page is basically just the Chinese search engine Baidu, with the search field filled in with the UserUrl query string. The URL looks like it may be supposed to be a custom DNS lookup failure page.

The bookmark doesn't look like it's been modified. Navigating directly to the URLs also redirects to this page. It looks like only the URLs in the bookmarks are affected, as illustrated below:

Not OK (exists in bookmarks):

  • http://<internal server name>/<subsite name>/

OK:

  • http://<internal server name>/
  • http://<internal server FQDN>/<subsite name>/

The problem is isolated to IE11 and that specific user account. Chrome and Firefox don't have the issue at all, and IE11 on a separate local account doesn't have the problem either.

OS is Windows 7 Pro x64.

I've checked and done the following:

  • DNS settings are correct
  • Flushed the DNS cache
  • Hosts file is fine
  • There are no additional IE plugins
  • Reset IE (Internet options -> Advanced -> Reset IE)
  • HiJackThis doesn't catch anything related to this
  • Malwarebytes picked up a couple of registry keys that seemed to be left over from some toolbars that were installed accidentally, but quarantining them didn't do anything
  • New bookmarks don't have this issue
  • Deleting the old bookmark and navigating to the URL still produces the issue
  • There aren't any suspicious processes running or any new services installed
  • There's no Baidu folder in either of the Program Files folders
  • Baidu toolbar was never installed at any point
  • Checked that there is no proxy server set
  • Checked MSconfig, no startup programs or services were unexpected
  • Ran Sysinternals' Autoruns, but nothing suspicious was found

The user doesn't have admin rights so they can't have installed anything on their own. Has anyone else encountered something similar to this issue?


I uninstalled IE11, but the issue persists. Oddly, it's now only occurring on one particular URL, which is the single label name of a server in a separate domain which we have a two-way trust with. We use client-side DNS suffixes defined in a GPO for these to resolve. As ever, the problem is still occurring only on IE (albeit, IE10 now), and only on this user's account. I'm probably going to migrate them onto another machine, but it would be nice to solve this mystery first.

Best Answer

I answered another question quite similar to yours at Unable to use internet due to suspected DNS malware. There I told my own story of how one of our users had a similar experience. Though the symptoms are not 100% the same as yours, there are enough similarities for you to follow the techniques I used in helping my user.

In addition, I see that your user does not have admin rights so I have to consider the possibility that what is causing your issue might not feature in the "Add or remove programs" list. Probably you'll have to disable an auto-start point. Some auto-start points you don't need admin rights for and are specific to the user: that probably explains why the issue doesn't appear for other local users on that machine.

In that case, you can download and run Sysinternals' Autoruns to disable the startup point. Autoruns is essentially a souped-up version of msconfig. Once you're in Autoruns, go straight to the Internet Explorer tab and see if IE is loading up anything unusual. Go ahead and untick any unusual entries and hopefully the problem should be gone.
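Since the symptom is confined to IE and to one user account, the per-user (HKCU) auto-start points and IE search/URL settings are the natural place to diff the affected account against a working one. The script below is an added example, not code from the question or the answer; the registry paths are the standard Windows/IE locations, and the suspect pattern is an assumption built from the redirect URL in the question.

```powershell
# Added example: dump per-user auto-start points and IE search/URL settings,
# flagging any value that mentions the redirect domain. Run it once in the
# affected account and once in an unaffected account, then diff the two CSVs.

# Assumption: pattern taken from the redirect URL quoted in the question.
$suspectPattern = 'wo\.com\.cn|baidu|nfdnserror'

# Standard per-user locations Autoruns also inspects; no admin rights needed.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Internet Explorer\Main',          # Search Page, Start Page
    'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl',     # autosearch provider
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',  # one subkey per provider
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',  # proxy / PAC URL
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes'
)

function Get-IeUserSettings {
    param([string[]]$Paths, [string]$Pattern)
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }
        # The key itself plus its immediate subkeys (covers SearchScopes providers).
        $items = @(Get-Item -Path $path) +
                 @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                $value = [string]$item.GetValue($name)
                [pscustomobject]@{
                    Key     = $item.Name
                    Name    = if ($name) { $name } else { '(Default)' }
                    Value   = $value
                    Suspect = $value -match $Pattern
                }
            }
        }
    }
}

$results = Get-IeUserSettings -Paths $keys -Pattern $suspectPattern
$results | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize

# Keep a copy per account so the affected and unaffected profiles can be compared.
$results | Export-Csv -Path "$env:TEMP\ie-user-settings-$env:USERNAME.csv" -NoTypeInformation
```

Anything flagged as Suspect, or any value present only in the affected account's CSV, is the entry to untick in Autoruns or reset to the default.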
