I am seeing something strange I can't explain. I am getting pairs of log entries that come in at the same time and are very similar and are for the same request, but come in from different IP addresses. The request is being driven by me, and so one of the IP addresses is mine, but the other is an unknown IP address. The unknown IP address is not always the same. Because of the nature of the request (it isn't public), it is not really possible that it could be coming in from somebody else doing the function. Here is an example:
First entry from my IP address
xx.xxx.xxx.xx - - [02/Sep/2011:12:11:07 -0700] "GET /cgi-bin/xxxxxx.cgi?parm=test HTTP/1.1" 200 299 "http://www.xxxxxx.com/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
Second entry from the unknown IP address
64.184.179.70 - - [02/Sep/2011:12:11:07 -0700] "GET /cgi-bin/xxxxxx.cgi?parm=test HTTP/1.1" 200 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3)"
Notice that the 2nd request comes in at the same time, but from a different IP, without the referring page, and using a different agent (browser) and on a different Operating System. The cgi script is actually running twice - it is not simply a log entry error.
Some of the unknown IP addresses are:
64.184.179.xxx - These are from Northwest Open Access Network
207.138.120.xxx - These are from Global Crossing
The really strange thing is that this is something I use to log activity from my kids' laptops. It happens consistently on one laptop, and works correctly (just the one log entry) from the other kid's laptop, both connected to my local network. When I do the same thing from my PC, it works correctly as well.
Final difference is that the problem occurs only when using IE, but not with Firefox.
My main concern is that the kid's laptop that has the problem has some kind of virus/spyware/malware that affects only IE that is sending the requests somewhere else in addition to my website, and then the request is being driven from that unknown server back to my site. But after running an HTTP trace on her laptop, it does not APPEAR to be sending the request anywhere but to my website, although I guess the malware could be bypassing the HTTP trace. But I would think that even if it was being sent to another server, that when it redrove the 2nd request it would come in at least 1 second later.
So the question is, is there anything at Lunarpages that could cause some other server to redrive the cgi request from a different machine/IP address? Under what conditions? Or does she have something wrong with her laptop? I have scanned with 2 different sets of antivirus/antispyware software and nothing shows up as a virus or spyware, but it is possible they both missed it. I have also disabled or removed all toolbars, accelerators, and addons that IE is aware of.
Has anybody else seen anything like this??
Thanks!
(modified subject at 2:27 CDT)
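Added example, not part of the original post: one way to pull such pairs out of an Apache combined-format access log, by grouping entries on timestamp and request line and reporting any that also arrive from an address outside a known set. The log lines are constructed (192.0.2.10 stands in for the masked home address, 198.51.100.7 for the unknown one), and the names find_shadow_requests and differing_fields are hypothetical.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log modelled on the two entries in the post, plus two
# unrelated requests that must not be reported.
SAMPLE = [
    '192.0.2.10 - - [02/Sep/2011:12:11:07 -0700] "GET /cgi-bin/example.cgi?parm=test HTTP/1.1" 200 299 "http://www.example.com/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
    '198.51.100.7 - - [02/Sep/2011:12:11:07 -0700] "GET /cgi-bin/example.cgi?parm=test HTTP/1.1" 200 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3)"',
    '192.0.2.10 - - [02/Sep/2011:12:15:42 -0700] "GET /cgi-bin/example.cgi?parm=other HTTP/1.1" 200 310 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"',
    '203.0.113.5 - - [02/Sep/2011:12:20:01 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"',
]

def find_shadow_requests(lines, known_ips):
    """Return (original, shadow) pairs: the same request line logged in the same
    second, once from an address in known_ips and once from any other address."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not in combined format are skipped
            buckets[(m["ts"], m["req"])].append(m.groupdict())
    pairs = []
    for hits in buckets.values():
        originals = [h for h in hits if h["ip"] in known_ips]
        shadows = [h for h in hits if h["ip"] not in known_ips]
        pairs.extend((o, s) for o in originals for s in shadows)
    return pairs

def differing_fields(original, shadow):
    """Name the logged fields (referer, agent, status, size) that differ in a pair."""
    return [f for f in ("ref", "ua", "status", "size") if original[f] != shadow[f]]

if __name__ == "__main__":
    for o, s in find_shadow_requests(SAMPLE, {"192.0.2.10"}):
        print(s["ts"], s["req"], "also from", s["ip"], "differs in", differing_fields(o, s))
```

Run over a full access log, the count of pairs per unknown address and per user agent shows whether the second request always carries the same agent string regardless of which browser sent the first.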