1

I have a problem that I can't fix in Microsoft Edge 107.0.1418.52 on my Mac. I asked the Microsoft Community but they were helpless.

They guided me to ask on Microsoft Learn, but the forum showed "Access Denied" when I tried to post a couple of times.

The problem is:

When I enter an address that doesn't exist in Edge on my Mac, it redirects to an adware hijack address.

Screenshot of Microsoft Edge DNS lookup for 'pperleemeat.com' as 45.11.104.33 or 45.11.104.104

But when I try this address in zsh on my Mac, it returns the right result.

Screenshot of a Terminal window showing the results of 'nslookup pperleemeat.com'

And Firefox returns the right result, too.

Screenshot of Firefox DNS lookup

I'm on macOS 10.15.7 and have tried many ways to dig it out but failed:

  1. Deep-cleaned Edge and reinstalled it. (All the related files under /Library, ~/Library)
  2. Changed the Microsoft profile, or used no profile.
  3. Blocked all msn.com-related domains that make URLs redirect.
  4. InPrivate mode.
  5. Made some preference changes following Microsoft Community's suggestions.

What I found out:

  1. Changing Preferences won't change the DNS resolver. I used VS Code to open "Preferences" under ~/Library/Application Support/Microsoft Edge/Default/ while doing nslookup; this file was never changed, and it won't reload.
  2. I used the same installer (downloaded from Microsoft using Firefox) to install Edge on another computer; it has the same problem, and I know I never visited the adware address on that machine before.
  3. Why I define it as a hijack: when I enter a different address that doesn't exist, it still points to 45.11.104.33 or 45.11.104.104.

Screenshot of Microsoft Edge DNS lookup for 'meatpperlee.com.com' as 45.11.104.33 or 45.11.104.104

  4. I tried to use Dev Tools in Edge, and I noticed that when I enter an address, Edge responds "Not found" correctly. Then a 301 rewrite happens. It says "301 Moved Permanently (from disk cache)" at that moment. Then the address redirects to 45.11.104.33 or 45.11.104.104.

Screenshot of redirect of network traffic to 45.11.104.104

  5. All invalid domains are rewritten to 45.11.104.33 or 45.11.104.104, which then point to ermin-oxj.info, and then tripledeliveryinstance.com loads the adware website.
  6. I have a VM on the same Mac, a Windows 11 VM using Parallels Desktop. When I tried to do nslookup on it, it responded correctly.

Screenshot of Microsoft Edge DNS lookup for 'pperleemeat.com' as an error in trying to resolve the DNS lookup

What happened to my Mac Edge?

agarza
  • 2,274
pperlee
  • 11

2 Answers

0

Your question is a problem with the Mac computer's search domain:

networksetup -listallnetworkservices

Then delete all search domains. The main culprit is the HOST search domain, which will be added to your empty domain name as a suffix, so that it can be resolved to the DNS server specified by the hacker, and then it will be jumped many times.

networksetup -setsearchdomains <yournetworkservice> Empty

If there is still a search domain that cannot be deleted by default, then change your LAN IP address and the search domain will be emptied. At this time, all the problems will be solved!

nohillside
  • 100,768
kain
  • 1
  • 1
  • Since the main language of the site is English, it would be preferable and beneficial for others that answers be posted in English as well. – agarza Nov 25 '22 at 03:00
  • I auto-translated the Chinese text, but the answer still would benefit from an edit which adds details about the actual steps required to clear the search list. – nohillside Nov 25 '22 at 06:52
  • Thanks for the reply. When I use a static IP address, the problem I posted is resolved, but when I use DHCP, the HOST search domain is still there. I've tried resetting my router, but it didn't help. I think I cannot reset my ISP's GPON modem. Is there any way to remove the HOST search domain? – pperlee Dec 02 '22 at 05:57
0

Finally, I found out it may be a TP-LINK router settings problem. When setting up a TP-LINK router for the first time, you need to type "https://tplogin.cn" into the browser. It is not a DNS address, but a search domain address that depends on the DHCP/HOST search domain. When I disable the DHCP/HOST search domain, I cannot log in to the router by typing that address, but I can still log in using the IP address. When I use the default DHCP/HOST search domain, the Microsoft Edge DNS hijack happens, so maybe the TP-LINK DHCP/HOST has been hijacked. When I use a static IP, Microsoft Edge DNS becomes safe. I reset the router but it didn't help; it is a default setting by TP-LINK, so maybe I should replace my TP-LINK router.

pperlee
  • 11
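
An added example, not part of either answer above: both answers point at a search domain handed out by DHCP, and `scutil --dns` prints the resolver configuration macOS is actually using, search domains included. The script below flags any search domain that is not on an allow-list. The sample output, the domain names in it and the `ALLOWED_DOMAINS` variable are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the DNS search domains in use and flag unexpected ones.

# Constructed sample in the format printed by `scutil --dns`; the domain
# names and addresses are made up for illustration.
sample_scutil_output() {
    cat <<'EOF'
DNS configuration

resolver #1
  search domain[0] : home.example
  search domain[1] : HOST.example
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)

resolver #2
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
EOF
}

# Read `scutil --dns` text on stdin; print each distinct search domain.
list_search_domains() {
    awk -F' : ' '/^[ \t]*search domain\[[0-9]+\]/ {
        d = tolower($2); sub(/[ \t\r]+$/, "", d)
        if (d != "" && !seen[d]++) print d
    }'
}

# Print search domains (stdin) missing from the space-separated allow-list
# in $1. Exit status 1 means at least one unexpected domain was found.
unexpected_search_domains() {
    allowed=" $(printf '%s' "$1" | tr 'A-Z' 'a-z') "
    rc=0
    for d in $(list_search_domains); do
        case "$allowed" in
            *" $d "*) ;;
            *) printf '%s\n' "$d"; rc=1 ;;
        esac
    done
    return $rc
}

# Live system if scutil exists (macOS), otherwise the constructed sample.
# ALLOWED_DOMAINS is a hypothetical variable holding the domains you expect.
if command -v scutil >/dev/null 2>&1; then
    scutil --dns | unexpected_search_domains "${ALLOWED_DOMAINS:-}" || echo "^ review these"
else
    sample_scutil_output | unexpected_search_domains "home.example" || echo "^ unexpected"
fi
```

Running it once on DHCP and once with a static IP shows whether the extra search domain comes from the router's DHCP lease.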