Browser makes incorrect requests.
November 20, 2007 7:57 AM
My browsers frequently try to load the wrong page. They invent web addresses based on other open pages. What's happening? I don't think it's spyware.
For example, in trying to load Ask.Mefi, Firefox tried to load http://www.metafilter.com/content/themes/onion/style/tabber.css (I had recently closed The Onion). I'll sometimes get CSS templates or favicons instead of the page I'm looking for. Generally, the third refresh loads the page properly.
This happens in Firefox 2.0.0.9 (safe mode and normal) and IE 6. I haven't noticed problems with other Internet programs. Multiple spyware scans reveal nothing. Other computers connected to the same router are fine. I've reinstalled Firefox. My system is Windows XP SP2.
Response by poster: Thanks, I'll try Fiddler first. I'm not familiar with NTSD, but I'll see if there are some guides around.
It occurs to me that I haven't tried browsing in Windows' safe mode, which might give more clues. Both browsers would have to pass through a software firewall (Kerio), PeerGuardian and perhaps other stuff I've forgotten. I'll try eliminating some of them, and running more spyware scans too.
posted by Yogurt at 10:26 AM on November 20, 2007
NTSD ain't simple. You'll need to download the Win32 SDK and make sure you run the NTSD from there, not the one that comes with Windows (because that one sucks).
Before you run it, set this environment variable:
_NT_SYMBOL_PATH=SRV*C:\websymbols*http://msdl.microsoft.com/download/symbols
Then run tasklist and get the PID for IE. Run ntsd -p [pid] to attach the debugger.
Once the debugger window appears, type !symfix and hit enter. Then .reload to load all the symbols from the sympath set above.
Then use the bp command to set the breakpoints:
bp wininet!HttpSendRequestA
bp wininet!HttpSendRequestW
Then type g to get the process running again.
Now navigate the browser. The debugger should break in right away. Type k1000 to get a stack trace.
Good luck!
posted by jeffamaphone at 10:34 AM on November 20, 2007
Of course, you might not be able to get symbols from Microsoft's symbol server over HTTP due to your issue... which would suck.
posted by jeffamaphone at 10:35 AM on November 20, 2007
Another thing you can try is running Process Explorer and hunting down spyware yourself. It has a great rightclick->google feature for hunting down nasties.
Get it here.
posted by jeffamaphone at 10:37 AM on November 20, 2007
If it were me, I'd check the Windows hosts file. I'd try a simpler browser, like lynx, or another browser, like Opera. I'd try booting a Linux live disk and try browsing from that. Google or post back if you want more details.
posted by DarkForest at 10:42 AM on November 20, 2007
Best answer: What firewall do you use? I had (fairly) similar behaviour plague my machine, until I realised Kerio Sunbelt Personal Firewall was to blame, somehow corrupting my entire internet connection. Instead of a web page loading, I'd get a random image from that page or other weirdness, so the symptoms sound similar to yours. Uninstalling it cured the problem.
posted by chorltonmeateater at 10:45 AM on November 20, 2007
Response by poster: I've tried Ubuntu just for fun and didn't notice any browsing problems, so it does seem like a Windows problem. I haven't had a chance to try Safe Mode yet, but will very shortly.
I'll try lynx too.
The Windows Hosts.ics and lmhosts.sam files are all commented out.
I have ProcessExplorer. Just checked now and don't see anything unexpected. I have hijackthis too -- are there any automated log-examiners for that program?
NTSD looks pretty advanced for me. I'll save it for a last effort (although I planned on finally doing a clean install in the new year anyway, so maybe THAT's the last resort). How sucky is the built-in NTSD? Would those commands not work on it?
posted by Yogurt at 10:58 AM on November 20, 2007
Response by poster: Hmm, chorltonmeateater, I use the same firewall and have the same problem -- random images is another symptom. I'll test that right away.
posted by Yogurt at 10:59 AM on November 20, 2007
Response by poster: Turning off Kerio Sunbelt Personal Firewall and using the Windows firewall instead seems to have fixed the problem. It's hard to say for sure, but a quick five-minute tour of usually problematic sites has produced no errors. I'll try for another fifteen minutes and then mark that as the answer if things check out.
posted by Yogurt at 11:04 AM on November 20, 2007
@ Yogurt: hope that's helped. By the way, if you end up trying to find an alternative firewall, give Comodo a miss (despite many recommendations all over the web). It freezes every hour or so taking your internet connection with it (well, it did for me at least). Very annoying.
I've had absolutely no hassle or problems with PC Tools Firewall Plus, which is free, so I'd recommend that as a replacement if you decide that that's the answer to your woes.
posted by chorltonmeateater at 11:07 AM on November 20, 2007
Response by poster: Turning off Kerio Sunbelt Personal Firewall fixed the problem. What's more, some sites that I used to think were just very slow are now loading normally. Thanks for the help, chorltonmeateater and everyone!
posted by Yogurt at 11:37 AM on November 20, 2007
This thread is closed to new comments.
I would suggest upgrading to IE7, and then try starting it in No Add-ons mode (Start->Programs->Accessories->System Tools->IE (no add-ons)).
You can also try installing Fiddler and poking around in the HTTP request for clues, but it sounds like stuff is going wrong earlier on.
If you're more advanced, you can run IE under NTSD and set a breakpoint on wininet!HttpSendRequestA and wininet!HttpSendRequestW and try to navigate IE. When it hits the breakpoint, look for suspect DLLs on the stack.
posted by jeffamaphone at 9:56 AM on November 20, 2007