IE displaying incorrect Web site

Guest

For the past two weeks, if I type in a certain website, in this case
chase.com, it displays cox.net. There are a few things I have tried and have
not been successful with. I have of course dumped my cookies and temp files.
I have done checks for a hijacker. At first I thought it might be that it was
just sending me back to my homepage, but I changed my homepage and it still
will direct me to cox.net when I type in chase.com in the address bar. What
further confounds me is that clicking on a link to chase.com works, accessing
my history will also allow me to get to chase.com from a prior visit. Even my
favorite works normally. It only occurs when I type the address into my
address bar and press either Go or hit the enter key. Any suggestions?
 
Robert Aldwinckle

RDavis said:
For the past two weeks, if I type in a certain website, in this case
chase.com, it displays cox.net. There are a few things I have tried and have
not been successful with. I have of course dumped my cookies and temp files.
I have done checks for a hijacker. At first I thought it might be that it was
just sending me back to my homepage, but I changed my homepage and it still
will direct me to cox.net when I type in chase.com in the address bar. What
further confounds me is that clicking on a link to chase.com works, accessing
my history will also allow me to get to chase.com from a prior visit. Even my
favorite works normally. It only occurs when I type the address into my
address bar and press either Go or hit the enter key. Any suggestions?


Does it also work as expected if you enter the full URL
e.g. use AutoComplete for web addresses to match
a previous use of it?

If so, that could be a symptom of a searchbar hijacking.
You may not be aware of it but by not using a protocol prefix
you are using AutoSearch (unless you disable it)
in which case what you enter may or may not be interpreted
the way you expect.


HTH

Robert Aldwinckle
---
 
Guest

Robert Aldwinckle said:
Does it also work as expected if you enter the full URL
e.g. use AutoComplete for web addresses to match
a previous use of it?

If so, that could be a symptom of a searchbar hijacking.
You may not be aware of it but by not using a protocol prefix
you are using AutoSearch (unless you disable it)
in which case what you enter may or may not be interpreted
the way you expect.


HTH

Robert Aldwinckle
---

If I use the autocomplete, it is successful in going to the correct web
address. If I type in the complete web address without utilizing the
autocomplete, then it sends me to the pheonix.cox.net. I had originally
thought it could be a hijacker as well but it only happens to this one web
address. I tried several other banks and many other web sites. And taking a
look over it with Hijackthis showed nothing out of the ordinary. I also ran
full tests with Ad-Aware and Spybot and found only 23 Tracking Cookies. I had
noticed as well and should have probably posted it earlier that when I took a
look back at Items to Synchronize, one item was listed as "www.chase.com" with
the actual web address listed in properties as "phoenix.cox.net". I deleted
that entry hoping that maybe that was to blame but no dice. I also turned off
all plug-ins in IE but that also seemed not to work with it. I'll try running
another HiJackThis log and go over it in depth and maybe another couple
Anti-Spyware programs and keep you informed. In the meantime, any other
suggestions?
 
Robert Aldwinckle

....
If I use the autocomplete, it is successful in going to the correct web
address. If I type in the complete web address without utilizing the
autocomplete,


This is still ambiguous which makes me wonder if you understood
what I wrote about protocol prefix. "Complete web address" without
a protocol prefix AND AutoSearch active implies AutoSearch data.

then it sends me to the pheonix.cox.net. I had originally
thought it could be a hijacker as well but it only happens to this one web
address. I tried several other banks and many other web sites. And taking a
look over it with Hijackthis showed nothing out of the ordinary. I also ran
full tests with Ad-Aware and Spybot and found only 23 Tracking Cookies. I had
noticed as well and should have probably posted it earlier that when I took a
look back at Items to Synchronize, one item was listed as "www.chase.com" with
the actual web address listed in properties as "phoenix.cox.net". I deleted
that entry hoping that maybe that was to blame but no dice.


More ambiguity possible there. Make sure that your typing isn't matching
a Favorite. E.g. a file named www.chase.com.URL in your Favorites
which could be redirecting you to the unwanted site. This is another
ambiguity which could be resolved by using a protocol prefix with your
URLs. You can also use Folder Options File Types dialog
and check that you always want to see that .URL extension
(e.g. especially when Favorites are shown via AutoSuggest.)

I also turned off
all plug-ins in IE but that also seemed not to work with it. I'll try running
another HiJackThis log and go over it in depth and maybe another couple
Anti-Spyware programs and keep you informed. In the meantime, any other
suggestions?


You could try using FiddlerTool or netcap to find out what the request is.
That might answer my continuing question: if a searchbar hijacker is active
does activating a packet trace make it stop working? (Hence, does using
a packet trace work as a circumvention of the problem?) <w>


Also test the lookups with nslookup and ping -n 1

Hmm... I just noticed that www.chase.com is an alias.

<example>
Non-authoritative answer:
Name: wwwchase.gslb.bankone.com
Address: 159.53.64.105
Aliases: www.chase.com
</example>

Is that what your nslookup shows too?

BTW I just tried that canonical name instead of the alias
while tracing with FiddlerTool and found that it works
without any reference to the alias.
So you could try that as a workaround.


You could use ping -n 1 www.chase.com
to verify that the address being used by ping
(and presumably by iexplore.exe) is the same.
If not you might have an overriding entry in your HOSTS file
or in your dnscache which could be causing the bad lookup.

Etc.


Good luck

Robert
---
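The two local checks suggested in the reply above (a Favorite whose file name looks like a host name but whose target is a different site, and a HOSTS entry overriding the lookup) can be scripted. This is an added example, not part of the original posts; the function names are hypothetical, and the sample Favorites and HOSTS text are constructed (192.0.2.10 is a documentation address).

```python
import configparser
from urllib.parse import urlsplit

def shortcut_target_host(url_file_text):
    """Return the host that a .URL Favorite actually points at."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(url_file_text)
    url = cp.get("InternetShortcut", "URL", fallback="")
    return (urlsplit(url).hostname or "").lower()

def mismatched_favorites(favorites):
    """favorites maps file name -> file text.
    Flag shortcuts named like a host whose URL= goes to another host."""
    findings = []
    for name, text in favorites.items():
        label = name.lower()
        if label.endswith(".url"):
            label = label[:-4]
        target = shortcut_target_host(text)
        looks_like_host = "." in label and " " not in label
        if looks_like_host and target and target != label:
            findings.append((name, target))
    return findings

def hosts_overrides(hosts_text, hostname):
    """Return the addresses a HOSTS file pins for hostname."""
    wanted = hostname.lower()
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and wanted in (f.lower() for f in fields[1:]):
            hits.append(fields[0])
    return hits

# Constructed sample data, modelled on the symptoms described in the thread.
SAMPLE_FAVORITES = {
    "www.chase.com.URL": "[InternetShortcut]\nURL=http://phoenix.cox.net/\n",
    "Chase Online.URL": "[InternetShortcut]\nURL=https://www.chase.com/\n",
}
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "# a comment line\n"
    "192.0.2.10 www.chase.com   # constructed override\n"
)

if __name__ == "__main__":
    print(mismatched_favorites(SAMPLE_FAVORITES))
    print(hosts_overrides(SAMPLE_HOSTS, "www.chase.com"))
```

On a real machine the inputs would be the text of each file in the Favorites folder and the contents of the HOSTS file.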
 
