Last week at some point, when using Firefox, an XP machine I’ve got developed an issue when hitting slashdot.org, theregister.co.uk, and other sites I commonly check out and read on a day to day basis. When hitting the sites, the browser would load the header and then attempt to hit 220.127.116.11, and then just sit there with the status bar reading ‘Waiting for 18.104.22.168…’. The browser would sit in this state for minutes before finally timing out on the connection and rendering the page for me. It was amazingly annoying. I did a lookup on the IP and it didn’t turn up much, but further browsing seemed to show that the issue would present on ANY site that contained AdSense content.
Now, yes, I might have visited some “suspect” sites in the weeks prior, and yes, I might have installed some suspect software as well. But, one thing for sure, this needed correcting!
At first I thought it just might be Sprint’s T1 service having some temporary routing issues, but if I used ANY browser other than Firefox, the issue did not present. Hmmm… It was local to my machine. Investigation began.
I first checked out my HOSTS file. It was clear and didn’t show anything suspect. I then checked out my add-ins and plugins in Firefox. They all looked okay as well. Regardless, I began to disable almost all of them. This did nothing to clear the issue either. So, off to Google the problem.
Seems a bunch of people ran into this annoying malware. It was hard to tell it was malware, however, as Trend, AVG, Norton, and McAfee turned up nothing. I finally found a link that pointed me to an AV product called Prevx. When I ran this, it returned 10 or so “infected” files and registry entries. Eight of these were not “infections” at all. I use SlimFTP, a small FTP daemon; Prevx identified this as a problem executable along with another few benign apps.
There were two entries that were suspect, though. One was a file called MicrosoftDocProp.dll, located in \Common Files\Microsoft. The file had no version info. Pulling up a process viewer, I found the file attached to almost every running process on my box! There was also a registry key that loaded it under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\. Using the excellent XP utility Unlocker, I was able to delete the file outside of a PE environment and kill off the reg entry. Of course, this shut down Explorer, as it was attached to it as well. But, after killing both the file and reg entry and rebooting, all was well.
I’m not sure that the file and/or the reg entry will be the same if you run into this, but it definitely seems that Prevx will help you identify the culprit and help you kill it. You can either buy Prevx and have it clean for you, or do the killing yourself, as I did after running their free download (it will scan and ID, but won’t clean until you buy a license).
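The pattern described above (a DLL with no version info, registered as an in-process COM server under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID and loaded into nearly every running process) can be checked for directly without a scanner. The script below is an added example, not code from this post or from Prevx; it assumes Windows PowerShell is installed (XP did not ship with it) and only reports, leaving any deletion to you.

```powershell
# Added example, not from the original post. Read-only triage for the symptom
# described above: an in-process COM server under HKLM\SOFTWARE\Classes\CLSID
# whose DLL carries no version information, ranked by how many running
# processes have it loaded. Nothing is deleted.
# Assumes Windows PowerShell (2.0 syntax, so it also runs on XP if installed).

$clsidRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'

function Get-ProcessesLoadingDll([string]$DllPath) {
    # Processes we cannot open (e.g. System) throw when .Modules is read;
    # those are simply skipped rather than aborting the scan.
    $names = foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.FileName -ieq $DllPath }) { $p.ProcessName }
        } catch { }
    }
    $names | Sort-Object -Unique
}

function Find-UnversionedInprocServers {
    foreach ($key in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        $inproc = Join-Path $key.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }

        # The default value of InprocServer32 is the DLL this CLSID loads.
        $raw = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $raw) { continue }

        $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
        # Bare names such as "ole32.dll" are found via the loader search order;
        # assume System32 for them so they can still be inspected.
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        if (-not (Test-Path -LiteralPath $dll)) { continue }

        # Legitimate vendor DLLs almost always carry a file version and company.
        $ver = (Get-Item -LiteralPath $dll).VersionInfo
        if ($ver.FileVersion -or $ver.CompanyName) { continue }

        $loadedIn = @(Get-ProcessesLoadingDll $dll)
        New-Object PSObject -Property @{
            CLSID        = $key.PSChildName
            Dll          = $dll
            ProcessCount = $loadedIn.Count
            Processes    = ($loadedIn -join ', ')
        }
    }
}

# The DLL present in the most processes (the MicrosoftDocProp.dll pattern) sorts first.
Find-UnversionedInprocServers | Sort-Object ProcessCount -Descending |
    Format-Table CLSID, ProcessCount, Dll, Processes -AutoSize
```

Run it from an elevated prompt so more processes can be opened; a hit that shows up in dozens of processes and sits in a path like \Common Files\Microsoft is the one to investigate before removing anything.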
In any case… if you run into this, I hope this helps.