Random page change?

Hi,
I am experiencing some serious issues with my browser, Internet Explorer 6.0.2 on Windows XP.

When browsing, I will click a link, and I will receive either a 404 page from windows, or a page from what seems like something in my cache. e.g. if in my cache a picture from server2.com exists, and I click a link to server1.com/pages/page1.html it will try loading server2.com/pages/page1.html and thus I get a 404 redirect. It is VERY weird, and seems to happen on completely random links. THe longer the browser is open for, the more likely it is to happen it seems.

Any ideas of what to do, or where to head I would be VERY appreciative.....

Thanks for your help and time.
H

 

Hi H,

Welcome at Wilders.

Could you please follow the instructions in this post:
http://www.wilderssecurity.com/showthread.php?t=15913
Someone will be happy to help you analyze the results.

Regards,

Pieter

 

Hi
I have been having problems which seem to occur at random yet consistent intervals i.e. the initial problem will be at a random point, but will then continue for a few link clicks.
If I click links, they will normally be fine within my browser, but recently I have had problems where I would be on server1.com and click a link to server1.com/pages/page1.html and it would load up the same page on a different root i.e. server2.com/pages/page1.html where server2.com will be the domain of something like an image (I frequently get reidrected to an Imagestation.com address) that was found on server1? Did you get that!

Anyway, i have also noticed that on PHP based sites, where the functions include(""); and require(""); are used, sometimes these just don't work, and for example, I would be left without the header file being included, and many of the images on the site being broken. If I quickly click the link after this, I get the above problem where my browser will try and locate the linked page on a different server, and therefore be re-directed to their 404 page. Before I am redirected to their 404 page, the address in the bar is still pointing to server1.com/pages/page.html which is confusing me even more, and the rollover text on all of the links at whatever point is always correct.

When the problem occurs, it will continue from 5 seconds to 30 seconds, where refreshing or typing in any URL will simply give me a 404, or some other site, still looking for the correct page, it is weird! The longer my browser remains open, the more frequent this seems to occur, or that could just be my brain picking it u more as I become more and more infuriated with not being able to visit pages!!!!

Anyway, enough rambling, here is my HiJackThis log, after running and fixing the problems with SpyBot S&D.

Your help is very much appreciated, believe me, whoever gets this fixed will have made my good books!!!!!!!

Cheers,
H

Logfile of HijackThis v1.97.7
Scan saved at 12:51:06, on 1/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Motorola\A920 Desktop Suite\ConnMngmntBox.exe
C:\Program Files\Motorola\A920 Desktop Suite\ECTaskScheduler.exe
C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe
C:\PROGRA~1\Motorola\A920DE~1\Elogerr.exe
C:\PROGRA~1\Motorola\A920DE~1\BROADC~1.EXE
C:\PROGRA~1\Motorola\A920DE~1\SCRFS.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp3\Studio.exe
C:\DOCUME~1\HOWARD~1\LOCALS~1\Temp\Rar$EX00.484\HijackThis.exe

O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRA~1\DAP\dapiebar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINNT\System32\CrazyTalk.dll,DllServeMediaFile
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: A920 Connection Manager.lnk = ?
O4 - Global Startup: A920 Task Scheduler.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37980.2931134259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6D7C661-9976-4CFE-9C27-F374C057EDCE}: NameServer = 213.1.119.97 213.1.119.98

 

Hi H,

This is a bit of a long shot, so please unzip HijackThis to a sepzarate folder where it will be able to make backups, before you start.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRA~1\DAP\dapiebar.dll

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINNT\System32\CrazyTalk.dll,DllServeMediaFile
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab

Then reboot, empty your temporary internet files and let me know if that was an improvement.

Regards,

Pieter

 

I'll get onthat now, It'll take a while, but I'll browse as much as I can, if I get the problem I'll be hot on your heels

Cheers for the help, I'll let yo uknow how I get on.

 

It seems to have done the job, can I just ask what you think it was, and by doing those steps what has it fixed?

Thanks very much indeed!!!
H

 

Hi H,

I had you disable everything that was booting up unnecessary and remove some orphaned entries.

From the things I had you disable, I would be inclined to blame DAP or CrazyTalk, but I can't be sure.

Anyway, glad we could help.

Regards,

Pieter

 

Ok, bad news, this is still happening.

My current HijackLog is below. I also took a screenshot of the problem, blanked out my server but basically I clicked on the link, the url bar is showing my server, but its looking for the pages in the main window on the server three.co.uk, a server which I accessed this morning? This is weird, seriously weird.

Logfile of HijackThis v1.97.7
Scan saved at 15:09:39, on 1/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Motorola\A920 Desktop Suite\ConnMngmntBox.exe
C:\Program Files\Motorola\A920 Desktop Suite\ECTaskScheduler.exe
C:\PROGRA~1\Motorola\A920DE~1\Elogerr.exe
C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe
C:\PROGRA~1\Motorola\A920DE~1\BROADC~1.EXE
C:\PROGRA~1\Motorola\A920DE~1\SCRFS.exe
D:\Dev-C++\devcpp.exe
C:\Program Files\Winamp3\Studio.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Motorola\A920DE~1\Ecfmserv.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\Motorola\A920DE~1\CAPMAN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Update\Applications\Maintenance and Protection\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: A920 Connection Manager.lnk = ?
O4 - Global Startup: A920 Task Scheduler.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37980.2931134259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6D7C661-9976-4CFE-9C27-F374C057EDCE}: NameServer = 213.1.119.97 213.1.119.98



Again, all your help would be fantastic!!!!!!!!! Cheers for helping so far

H

 

Hi H,

Can you try following the advice given here in reply #2 ?

Keep us posted,

Pieter

 

I've changed the DNS servers (primary and alternate) in my connection settings fromo Automatically obtained to the Pipex ones given. So far, all is well

What exactly has that done when I changed those DNS settings?

 

Still happening. See attached screenshot. On going to google.com it loaded up the root ICQ.com page.
About 10 seconds before loading google, I was getting 404's on any links I was clicking on any site.

 

Hi H,

In words that I can understand DNS servers are like a phonebook. Your computer sends a request asking what the IP number for server1 is and gets a reply from the DNS server. Accordingly it goes to the IP number it receives from that server.

So what you did, was get a new phonebook.

Now that we have established that the problem is not with the servers, please read this: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q245/4/37.ASP&NoWebContent=1

Hope that helps.

Regards,

Pieter

 

Ok, I've done that, I'll continue browsing, I'll see what happens. Cheers for the continued support with this, I hope its not stretching you too much!!!!!!!!

Cheers
H

 

Well, we're getting to the point where it is a learning experience for me too.

When it start happening again use the ipconfig /flushdns command.

Regards,

Pieter

 

It happened again, I flushed my DNS.........

Unluckily for me it didn't work, I enclose an intriguing screenshot whic much conflicting information!!!!!

The Title Bar = ICQ
The URL Bar = phgame.com
Main Page = ICQ.com
URLs mentioned in page = phgame.com

This is crazy.

 

Hi H,

Would you be interested to try a different browser?
I am curious to find out if that will make a difference.

Examples:
http://www.opera.com/download/
http://www.mozilla.org/products/firebird/

Regards,

Pieter

 

I'll download Opera today, and let you know how I get on

Cheers once more
H

 

At the same time as the problem occurring in IE6, I loaded Opera and looked at the requested page, and it was fine. So it's an IE problem, any ideas on where to turn now?

 

Hi H,

Please try this, but make a manula Restore Point or another backup of the registry, before you do.
Copy the part in bold below into notepad and save it as IEDNSCache.reg
Then doubleclick the file and confirm you want to merge it with the registry.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"CacheHashTableBucketSize"=dword:00000001
"CacheHashTableSize"=dword:00000180
"MaxCacheEntryTtlLimit"=dword:0000fa00
"MaxSOACacheEntryTtlLimit"=dword:0000012d


It may take a reboot for the changes to take effect.

Regards,

Pieter