Browser makes incorrect requests.
November 20, 2007 7:57 AM

My browsers frequently try to load the wrong page. They invent web addresses based on other open pages. What's happening? I don't think it's spyware.

For example, in trying to load Ask.Mefi, Firefox tried to load http://www.metafilter.com/content/themes/onion/style/tabber.css (I had recently closed The Onion). I'll sometimes get CSS templates or favicons instead of the page I'm looking for. Generally, the third refresh loads the page properly.

This happens in Firefox 2.0.0.9 (safe mode and normal) and IE 6. I haven't noticed problems with other Internet programs. Multiple spyware scans reveal nothing. Other computers connected to the same router are fine. I've reinstalled Firefox. My system is Windows XP SP2.
posted by Yogurt to Computers & Internet (13 answers total) 1 user marked this as a favorite
 
Firefox and IE use two completely different HTTP stacks. IE uses wininet.dll and, well, I dunno what FF uses but it uses something else. They share virtually no components, so I can't really think of anything that would be a common cause here other than spyware of some sort.

I would suggest upgrading to IE7, and then try starting it in No Add-ons mode (Start->Programs->Accessories->System Tools->IE (no add-ons)).

You can also try installing Fiddler and poking around in the HTTP requests for clues, but it sounds like stuff is going wrong earlier on.

If you're more advanced, you can run IE under NTSD and set a break-point on wininet!HttpSendRequestA and wininet!HttpSendRequestW and try to navigate IE. When it hits the break point look for suspect DLLs on the stack.
posted by jeffamaphone at 9:56 AM on November 20, 2007
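
Added example, not part of the original thread: one way to triage a request log exported from a proxy such as Fiddler for the symptom in the question, where a path belonging to one site is requested from a different site. The sample URLs (apart from the metafilter.com one quoted in the question), the function names and the two-label "site" heuristic are assumptions.

```python
from urllib.parse import urlsplit

# Paths that many unrelated sites legitimately share; ignoring them avoids noise.
SHARED_PATHS = {"/", "/favicon.ico", "/robots.txt"}

# Constructed sample: request URLs in the order the proxy logged them.
SAMPLE_REQUESTS = [
    "http://www.theonion.com/content/index",
    "http://www.theonion.com/content/themes/onion/style/tabber.css",
    "http://www.theonion.com/favicon.ico",
    "http://ask.metafilter.com/",
    "http://www.metafilter.com/content/themes/onion/style/tabber.css",
    "http://www.metafilter.com/favicon.ico",
]


def site_of(hostname):
    """Approximate the owning site as the last two DNS labels (assumption:
    good enough for .com hosts, wrong for suffixes such as .co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_cross_site_paths(urls):
    """Return (index, url, original_site) for every request whose path was
    first seen on a different site earlier in the log."""
    first_site_for_path = {}
    findings = []
    for index, url in enumerate(urls):
        parts = urlsplit(url)
        if not parts.hostname:
            continue  # not an absolute URL, nothing to compare
        path = parts.path or "/"
        if path in SHARED_PATHS:
            continue
        site = site_of(parts.hostname)
        origin = first_site_for_path.setdefault(path, site)
        if origin != site:
            findings.append((index, url, origin))
    return findings


if __name__ == "__main__":
    for index, url, origin in find_cross_site_paths(SAMPLE_REQUESTS):
        print(f"request #{index}: {url} (path first seen on {origin})")
```

A hit is only a lead: it shows the browser or something between it and the network rewrote the host, which narrows the search to components every browser shares, such as a local firewall or proxy.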


Response by poster: Thanks, I'll try Fiddler first. I'm not familiar with NTSD, but I'll see if there are some guides around.

It occurs to me that I haven't tried browsing in Windows' safe mode, which might give more clues. Both browsers would have to pass through a software firewall (Kerio), PeerGuardian and perhaps other stuff I've forgotten. I'll try eliminating some of them, and running more spyware scans too.
posted by Yogurt at 10:26 AM on November 20, 2007


NTSD ain't simple. You'll need to download the Win32 SDK and make sure you run the NTSD from there, not the one that comes with Windows (because that one sucks).

Before you run it, set this environment variable:
_NT_SYMBOL_PATH=SRV*C:\websymbols*http://msdl.microsoft.com/download/symbols

Then run tasklist and get the PID for IE. Run ntsd -p [pid] to attach the debugger.

Once the debugger window appears, type !symfix and hit enter. Then .reload to load all the symbols from the sympath set above.

Then use the bp command to set the breakpoints:

bp wininet!HttpSendRequestA
bp wininet!HttpSendRequestW

Then type g to get the process running again.

Now navigate the browser. The debugger should break in right away. Type k1000 to get a stack trace.

Good luck!
posted by jeffamaphone at 10:34 AM on November 20, 2007


Of course, you might not be able to get symbols from Microsoft's symbol server over HTTP due to your issue... which would suck.
posted by jeffamaphone at 10:35 AM on November 20, 2007


Another thing you can try is running Process Explorer and hunting down spyware yourself. It has a great rightclick->google feature for hunting down nasties.

Get it here.
posted by jeffamaphone at 10:37 AM on November 20, 2007


If it were me, I'd check the Windows hosts file. I'd try a simpler browser, like lynx, or another browser, like Opera. I'd try booting a Linux live disk and try browsing from that. Google or post back if you want more details.
posted by DarkForest at 10:42 AM on November 20, 2007


Best answer: What firewall do you use? I had (fairly) similar behaviour plague my machine, until I realised Kerio Sunbelt Personal Firewall was to blame, somehow corrupting my entire internet connection. Instead of a web page loading, I'd get a random image from that page or other weirdness, so the symptoms sound similar to yours. Uninstalling it cured the problem.
posted by chorltonmeateater at 10:45 AM on November 20, 2007


Response by poster: I've tried Ubuntu just for fun and didn't notice any browsing problems, so it does seem like a Windows problem. I haven't had a chance to try Safe Mode yet, but will very shortly.

I'll try lynx too.

The Windows Hosts.ics and lmhosts.sam files are all commented out.

I have Process Explorer. Just checked now and don't see anything unexpected. I have HijackThis too -- are there any automated log-examiners for that program?

NTSD looks pretty advanced for me. I'll save it for a last effort (although I planned on finally doing a clean install in the new year anyway, so maybe THAT's the last resort). How sucky is the built-in NTSD? Would those commands not work on it?
posted by Yogurt at 10:58 AM on November 20, 2007


Response by poster: Hmm, chorltonmeateater, I use the same firewall and have the same problem -- random images is another symptom. I'll test that right away.
posted by Yogurt at 10:59 AM on November 20, 2007


Response by poster: Turning off Kerio Sunbelt Personal Firewall and using the Windows firewall instead seems to have fixed the problem. It's hard to say for sure, but a quick five-minute tour of usually problematic sites has produced no errors. I'll try for another fifteen minutes and then mark that as the answer if things check out.
posted by Yogurt at 11:04 AM on November 20, 2007


@ Yogurt: hope that's helped. By the way, if you end up trying to find an alternative firewall, give Comodo a miss (despite many recommendations all over the web). It freezes every hour or so taking your internet connection with it (well, it did for me at least). Very annoying.

I've had absolutely no hassle or problems with PC Tools Firewall Plus, which is free, so I'd recommend that as a replacement if you decide that that's the answer to your woes.
posted by chorltonmeateater at 11:07 AM on November 20, 2007


Response by poster: Turning off Kerio Sunbelt Personal Firewall fixed the problem. What's more, some sites that I used to think were just very slow are now loading normally. Thanks for the help, chorltonmeateater and everyone!
posted by Yogurt at 11:37 AM on November 20, 2007


The "Sunbelt" is pronounced "Scientology".
posted by evariste at 5:32 PM on November 20, 2007

