Random page change?

Discussion in 'adware, spyware & hijack cleaning' started by H, Jan 8, 2004.

Thread Status:
Not open for further replies.
  1. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    Hi,
    I am experiencing some serious issues with my browser, Internet Explorer 6.0.2 on Windows XP.

    When browsing, I will click a link, and I will receive either a 404 page from windows, or a page from what seems like something in my cache. e.g. if in my cache a picture from server2.com exists, and I click a link to server1.com/pages/page1.html it will try loading server2.com/pages/page1.html and thus I get a 404 redirect. It is VERY weird, and seems to happen on completely random links. THe longer the browser is open for, the more likely it is to happen it seems.

    Any ideas of what to do, or where to head I would be VERY appreciative.....

    Thanks for your help and time.
    H
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi H,

    Welcome at Wilders. :)

    Could you please follow the instructions in this post:
    http://www.wilderssecurity.com/showthread.php?t=15913
    Someone will be happy to help you analyze the results.

    Regards,

    Pieter
     
  3. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    Hi
    I have been having problems which seem to occur at random yet consistent intervals i.e. the initial problem will be at a random point, but will then continue for a few link clicks.
    If I click links, they will normally be fine within my browser, but recently I have had problems where I would be on server1.com and click a link to server1.com/pages/page1.html and it would load up the same page on a different root i.e. server2.com/pages/page1.html where server2.com will be the domain of something like an image (I frequently get reidrected to an Imagestation.com address) that was found on server1? Did you get that! ;)

    Anyway, i have also noticed that on PHP based sites, where the functions include(""); and require(""); are used, sometimes these just don't work, and for example, I would be left without the header file being included, and many of the images on the site being broken. If I quickly click the link after this, I get the above problem where my browser will try and locate the linked page on a different server, and therefore be re-directed to their 404 page. Before I am redirected to their 404 page, the address in the bar is still pointing to server1.com/pages/page.html which is confusing me even more, and the rollover text on all of the links at whatever point is always correct.

    When the problem occurs, it will continue from 5 seconds to 30 seconds, where refreshing or typing in any URL will simply give me a 404, or some other site, still looking for the correct page, it is weird! The longer my browser remains open, the more frequent this seems to occur, or that could just be my brain picking it u more as I become more and more infuriated with not being able to visit pages!!!!

    Anyway, enough rambling, here is my HiJackThis log, after running and fixing the problems with SpyBot S&D.

    Your help is very much appreciated, believe me, whoever gets this fixed will have made my good books!!!!!!!

    Cheers,
    H

    Logfile of HijackThis v1.97.7
    Scan saved at 12:51:06, on 1/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\System32\rundll32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\Motorola\A920 Desktop Suite\ConnMngmntBox.exe
    C:\Program Files\Motorola\A920 Desktop Suite\ECTaskScheduler.exe
    C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe
    C:\PROGRA~1\Motorola\A920DE~1\Elogerr.exe
    C:\PROGRA~1\Motorola\A920DE~1\BROADC~1.EXE
    C:\PROGRA~1\Motorola\A920DE~1\SCRFS.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Winamp3\Studio.exe
    C:\DOCUME~1\HOWARD~1\LOCALS~1\Temp\Rar$EX00.484\HijackThis.exe

    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRA~1\DAP\dapiebar.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINNT\System32\CrazyTalk.dll,DllServeMediaFile
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: A920 Connection Manager.lnk = ?
    O4 - Global Startup: A920 Task Scheduler.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37980.2931134259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6D7C661-9976-4CFE-9C27-F374C057EDCE}: NameServer = 213.1.119.97 213.1.119.98
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi H,

    This is a bit of a long shot, so please unzip HijackThis to a sepzarate folder where it will be able to make backups, before you start.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRA~1\DAP\dapiebar.dll

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINNT\System32\CrazyTalk.dll,DllServeMediaFile
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

    O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab

    Then reboot, empty your temporary internet files and let me know if that was an improvement.

    Regards,

    Pieter
     
  5. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    I'll get onthat now, It'll take a while, but I'll browse as much as I can, if I get the problem I'll be hot on your heels :p

    Cheers for the help, I'll let yo uknow how I get on.
     
  6. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    It seems to have done the job, can I just ask what you think it was, and by doing those steps what has it fixed?

    Thanks very much indeed!!!
    H
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi H,

    I had you disable everything that was booting up unnecessary and remove some orphaned entries.

    From the things I had you disable, I would be inclined to blame DAP or CrazyTalk, but I can't be sure.

    Anyway, glad we could help.

    Regards,

    Pieter
     
  8. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    Ok, bad news, this is still happening.

    My current HijackLog is below. I also took a screenshot of the problem, blanked out my server but basically I clicked on the link, the url bar is showing my server, but its looking for the pages in the main window on the server three.co.uk, a server which I accessed this morning? This is weird, seriously weird.

    Logfile of HijackThis v1.97.7
    Scan saved at 15:09:39, on 1/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\System32\rundll32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\Motorola\A920 Desktop Suite\ConnMngmntBox.exe
    C:\Program Files\Motorola\A920 Desktop Suite\ECTaskScheduler.exe
    C:\PROGRA~1\Motorola\A920DE~1\Elogerr.exe
    C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe
    C:\PROGRA~1\Motorola\A920DE~1\BROADC~1.EXE
    C:\PROGRA~1\Motorola\A920DE~1\SCRFS.exe
    D:\Dev-C++\devcpp.exe
    C:\Program Files\Winamp3\Studio.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Motorola\A920DE~1\Ecfmserv.exe
    C:\WINNT\explorer.exe
    C:\PROGRA~1\Motorola\A920DE~1\CAPMAN.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Update\Applications\Maintenance and Protection\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: A920 Connection Manager.lnk = ?
    O4 - Global Startup: A920 Task Scheduler.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37980.2931134259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6D7C661-9976-4CFE-9C27-F374C057EDCE}: NameServer = 213.1.119.97 213.1.119.98

    :mad:

    Again, all your help would be fantastic!!!!!!!!! Cheers for helping so far :)

    H
     

    Attached Files:

  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi H,

    Can you try following the advice given here in reply #2 ?

    Keep us posted,

    Pieter
     
  10. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    I've changed the DNS servers (primary and alternate) in my connection settings fromo Automatically obtained to the Pipex ones given. So far, all is well ;)

    What exactly has that done when I changed those DNS settings?
     
  11. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    Still happening. See attached screenshot. On going to google.com it loaded up the root ICQ.com page.
    About 10 seconds before loading google, I was getting 404's on any links I was clicking on any site.

    :eek:
     

    Attached Files:

  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi H,

    In words that I can understand DNS servers are like a phonebook. Your computer sends a request asking what the IP number for server1 is and gets a reply from the DNS server. Accordingly it goes to the IP number it receives from that server.

    So what you did, was get a new phonebook.

    Now that we have established that the problem is not with the servers, please read this: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q245/4/37.ASP&NoWebContent=1

    Hope that helps.

    Regards,

    Pieter
     
  13. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    Ok, I've done that, I'll continue browsing, I'll see what happens. Cheers for the continued support with this, I hope its not stretching you too much!!!!!!!!

    Cheers
    H
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Well, we're getting to the point where it is a learning experience for me too. ;)

    When it start happening again use the ipconfig /flushdns command.

    Regards,

    Pieter
     
  15. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    It happened again, I flushed my DNS.........

    Unluckily for me it didn't work, I enclose an intriguing screenshot whic much conflicting information!!!!!

    The Title Bar = ICQ
    The URL Bar = phgame.com
    Main Page = ICQ.com
    URLs mentioned in page = phgame.com

    This is crazy.
     

    Attached Files:

  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi H,

    Would you be interested to try a different browser?
    I am curious to find out if that will make a difference.

    Examples:
    http://www.opera.com/download/
    http://www.mozilla.org/products/firebird/

    Regards,

    Pieter
     
  17. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    I'll download Opera today, and let you know how I get on :)

    Cheers once more
    H
     
  18. H

    H Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    11
    At the same time as the problem occurring in IE6, I loaded Opera and looked at the requested page, and it was fine. So it's an IE problem, any ideas on where to turn now?
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi H,

    Please try this, but make a manula Restore Point or another backup of the registry, before you do.
    Copy the part in bold below into notepad and save it as IEDNSCache.reg
    Then doubleclick the file and confirm you want to merge it with the registry.


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
    "Type"=dword:00000020
    "Start"=dword:00000002
    "ErrorControl"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
    "CacheHashTableBucketSize"=dword:00000001
    "CacheHashTableSize"=dword:00000180
    "MaxCacheEntryTtlLimit"=dword:0000fa00
    "MaxSOACacheEntryTtlLimit"=dword:0000012d


    It may take a reboot for the changes to take effect.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.