Got a challenge/mystery -- browser/website redirect

Macgyver56

Greetings!

Let me start by saying that what I am about to describe is NOT a malware/virus problem. It *does* involve a browser being redirected to the wrong website, but we have checked repeatedly and to the best of our abilities, we have ruled out malware or viruses.

Windows 7 desktop. Internet access is through ethernet wired through a router that also provides wireless access to other devices in the house.

What we have is a single computer in the house (out of 2 desktops, 1 laptop, and 1 tablet) that cannot reach a single, specific website (an SMF forum) using Internet Explorer or Chrome. It *CAN* get there using the AOL browser. What happens with IE and Chrome is that the browsers are redirected to another (non-malicious, as far as we can tell) website that resides at the same webhosting service as the website we are trying to reach.

Tracerts and Pings go to the correct site. Other users (as in people all over the country) can reach the correct site. Other computers in the same household go to the correct site using both wired and wireless access.

This appears to be a very computer-specific problem. It does not seem to be an IP problem (because the other computers in the house are not encountering it), and it is not a website or network problem because no one else is running into the problem.

Any thoughts?

The only other piece of information that seems pertinent is that back in July, this same computer suddenly could not reach the "target" website at all, no matter what browser was being used. All browsers would stall and time out, or give a "website can not be found" type of message. Tracerts and pings failed completely. The tracerts said that the website could not be resolved and never generated even a single hop.

At the time, we consulted a number of people and the only explanation that seemed like it might have merit is that it might have something to do with the MAC address. Someone else suggested that it had to do with TCP/IP settings. We never got it fixed. The problem just half-corrected itself about two weeks ago, and then went sideways to the current situation.

What's different between IE & Chrome versus the AOL browser that could explain this?

If you have an idea, please use dummy talk. I'm fairly good with computers, but networking and IP protocols baffle me. ;)

Thanks!

Macgyver56
 
Log in as an Admin on that system.
Get a command prompt and enter these two commands:
ipconfig /flushdns
net stop "dns client"
quit the browser and restart it. Now access a good site (aka this one) and then a site you are having issues with.

What's the results?
 
Result was that IE and Chrome no longer go to the incorrect website. But they also do not make it to the correct "target" website. Both browsers say "waiting for <website>" and never get there.

We did a tracert and a ping, and both reached the correct, intended website that IE and Chrome will not reach. (The AOL browser still gets there.) The tracert goes right to the correct server and IP. The ping showed 4 packets sent and received, 0% lost.
 
Empty browser cache and delete all cookies
(again, stop the dns client; it's ok if it reports not started - - that should still be the case unless you rebooted)
 
Same result as last time. We had rebooted, so we had to stop the DNS client again. Initially it stopped the browsers from going to the 'wrong' site, but they still would not reach the correct target website. After several hours, IE and Chrome began landing on the wrong site again. We've tried clearing caches, cookies, doing DNS flushes a number of times. Restarted everything from the wall to the computer several times.

What baffles me is why a tracert and a ping go to the correct place, but two out of three browsers do not. And the third browser (AOL's) goes to the correct website.

Does AOL's browser use a different set of proxy settings from IE and Chrome? I've been assuming they all use the same settings, since those are usually system-wide.
 
> What baffles me is why a tracert and a ping go to the correct place, but two out of three browsers do not. And the third browser (AOL's) goes to the correct website.
>
> Does AOL's browser use a different set of proxy settings from IE and Chrome? I've been assuming they all use the same settings, since those are usually system-wide.

You are correct, TCP & DNS are system-wide and the symptom clearly shows IE & Chrome are impacted by something in those browsers. Have you attempted to disable ALL add-ons and extensions?

For grins, try downloading Firefox using AOL, install it and you can easily disable all add-ons there.
 
Interesting thread, subbing.

Sorry to point out the obvious, but have you checked the hosts file? And is the target website using IPv6 by any chance?
 
> Interesting thread, subbing.
>
> Sorry to point out the obvious, but have you checked the hosts file? And is the target website using IPv6 by any chance?

The stopping of the DNS Client makes the hosts file irrelevant and unreferenced :)
 
Verified that all add-ons and extensions were disabled in IE and Chrome. They still go to the wrong site.

Firefox with all add-ons disabled (it's actually a clean, pretty much unused install that we added when all of this started) also gets directed to the wrong site.

Also re-checked the Restricted Sites in Internet Options/Security this morning (because we're having a Grasping-At-Straws kind of morning). That's completely empty.

IPv6 -- Nope.

Part of what makes all of this interesting is that the correct target site and the incorrect "misdirect" site are both hosted by the same webhosting company, in the same data center, using identical hardware. They're on different cloud servers, but the tracert for each one is identical until the very last hop which takes it to the server.

And no, the computer's IP is not banned by the server. First thing I checked. ;)

Does Safari (for Windows) handle TCP and DNS any differently than other browsers? Would it yield any interesting results to install that, or is it just going to duplicate using Firefox?
 
Yes, it is a single website that is the problem. The computer can reach every other website (that we've ever tried to visit) without a problem.

When it is not being misdirected (for instance, when we flushed the DNS cache and then stopped the DNS client), it just stalls and never reaches the correct website. Three browsers out of four can't seem to find the website ... and yet a tracert and a ping get there okay, and the AOL browser can get there.

It is computer specific, and website specific. Other computers in the house, using the same IP and same router are not having a problem.

Network card? Something with the MAC address?
 
> It is computer specific, and website specific. Other computers in the house, using the same IP and same router are not having a problem.
>
> Network card? Something with the MAC address?

No, not hardware (else could not access anything).

Site+System pair have a specific problem. Could you share the site URL causing this symptom?
 
Website we are trying to reach: www(dot)terrafirmascapers(dot)com

Website the browsers reach: www(dot)red-rubber-digitals(dot)com
 
Those are VERY different domains (from the standpoint of DNS/TCP; not just web content)
Code:
Name:		terrafirmascapers.com
IP:		69.194.130.140
Domain:	terrafirmascapers.com
 
Name:		red-rubber-digitals.com
IP:		208.94.39.217
Aliases:	www.red-rubber-digitals.com
Domain:	red-rubber-digitals.com
and my {IE, Chrome, Opera & FF} browsers have no issues
(even with multiple cycles of: launch, access, quit, ... repeat), showing cookies and site are not the issue.

The infamous hosts file is located at:
  • \windows\system\drivers\etc\hosts
dbl-click on hosts and use the notepad to open it

you can use "find" to look for terrafirmascapers but I doubt it will be present.
If it is, you will need to get out of notepad; use attrib -r hosts and then re-edit the file.
After you modify the hosts, you must do this (under an admin login) to make the changes effective:
  • ipconfig /flushdns
  • net stop "dns client"
  • net start "dns client"
quit any existing browser and try again

Frankly, I doubt hosts or DNS have anything to do with your issue and would begin to suspect
malware in your browser (eg toolbars).

Have you installed anything lately and just click ACCEPT without looking to see if there were any extra software being installed?
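The hosts-file check recommended above is worth automating, because a single bad line is easy to skim past (as this thread eventually shows). The script below is an added example and is not code from the thread or from any of its participants. It parses hosts-file text, ignores entries that point at loopback, unspecified, link-local or private addresses (the normal, benign uses of the file), and flags any name that is steered to a public address, or to an address that differs from what DNS returns. The sample hosts content is constructed for the example; the expected DNS answer for terrafirmascapers.com (69.194.130.140) and the decoy address 208.94.39.217 are taken from the nslookup output quoted earlier in the thread, and the bad line that pairs them is an assumed illustration of the symptom, not the actual entry found on the affected machine. On Windows the file lives at C:\Windows\System32\drivers\etc\hosts.

```python
"""Flag hosts-file entries that override public domain names.

Added example (not from the thread). Input is hosts-file text; the
"expected" map stands in for a DNS answer so the check runs offline.
"""
import ipaddress
import socket

# Standard location of the hosts file on Windows.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample hosts file. Line 8 is the assumed bad entry: it sends
# the forum's domain to the address of the unrelated site on the same host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1   localhost
::1         localhost
192.168.1.50   nas.local
208.94.39.217  terrafirmascapers.com www.terrafirmascapers.com
0.0.0.0        ads.example.net
"""

# What DNS says for the name of interest (from the nslookup output quoted
# in the thread); a real run would fill this from live_expected() instead.
EXPECTED_FROM_DNS = {"terrafirmascapers.com": "69.194.130.140"}


def parse_hosts(text):
    """Return (ip, hostname, line_number) tuples, skipping comments and junk."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:                        # blank, comment-only, or no names
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:                        # first token is not an address
            continue
        for name in parts[1:]:                    # one line may carry several names
            entries.append((str(ip), name.lower(), lineno))
    return entries


def is_benign_target(ip):
    """Loopback, 0.0.0.0, link-local and RFC 1918 targets are the normal uses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_unspecified
            or addr.is_link_local or addr.is_private)


def find_overrides(text, expected=None):
    """List hosts entries that redirect a name to a public address or away
    from the address DNS reports. `expected` maps hostname -> IP string."""
    expected = expected or {}
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if name == "localhost":
            continue
        reasons = []
        if not is_benign_target(ip):
            reasons.append("public address in hosts")
        if name in expected and expected[name] != ip:
            reasons.append(f"DNS says {expected[name]}")
        if reasons:
            findings.append({"line": lineno, "name": name, "ip": ip,
                             "reason": "; ".join(reasons)})
    return findings


def live_expected(names):
    """Resolve names through the system resolver (network access required)."""
    answers = {}
    for name in names:
        try:
            answers[name] = socket.gethostbyname(name)
        except OSError:
            pass                                  # leave unresolvable names out
    return answers


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; swap SAMPLE_HOSTS for
    # open(HOSTS_PATH).read() and EXPECTED_FROM_DNS for live_expected([...])
    # to check a real machine.
    for f in find_overrides(SAMPLE_HOSTS, EXPECTED_FROM_DNS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} ({f['reason']})")
```

Note that the check deliberately treats anything outside loopback/private space as suspicious even when no DNS answer is available, because a hosts file has no legitimate reason to carry a public address for a public domain; the DNS comparison is an extra signal, not the only one.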
 
We've been through the computer repeatedly, trying to find some kind of malware that would do this. We haven't found anything yet. I'm not saying there definitely isn't anything there ... only that we've scanned with a number of good malware detectors and haven't found anything. And this is the ONLY redirect that we are encountering. It seems like malware would be affecting more than a single website.

We'll try this latest.

Thanks for all your brainstorming and help. I'd absolutely hit the wall with this. Like I said ... totally baffled. :eek:
 
We're abandoning the DNS/TCP/network line of investigation. We decided to assume that there's a browser redirection virus percolating in there somewhere, even though it hasn't shown itself in any overt way, and we're going to go after that.

jobeard, thank you so much for your time and advice.
 
Came back to say that it was the host file. :)

We both could have sworn we checked that early in the process, so when we got your last recommendation, jobeard, we decided to go in search of some kind of virus or malware instead. (Silly us.) We spent an entire day running scans, and came up with nothing. The good news is, we know the computer is clean as a whistle, inside and out.

Finally, when that failed, we came back to this discussion and went back to the host file. Ta da! There it was. A bad entry.

Thanks again. We never would have solved it without your help.
 
I'm the one who led us very firmly down the path of not looking for the more obvious answer. I really thought we had checked the host file. In fact, I still think we checked it at some point in the process. I don't know if we missed something or if the host file changed at some point, but I *know* that at some point in this we were in there looking for a bad entry.

On the bright side, I learned some new stuff. Thanks again.
 
*Points at post #8* :p

But I wonder why the stopping of DNS client didn't make it obsolete? Perhaps it was just a mix of lots of variables while testing.
 