& Firefox – Connection of Death Connection MalwareLast week at some point, when using Firefox, a XP machine I’ve got developed an issue when hitting slashdot.org,  theregister.co.uk, and other sites I commonly check out and read on a day to day basis.  When hitting  the sites, the browser would load the header and then attempt to hit, and then just sit there with the status bar reading ‘Waiting for…’.  The browser would sit in this state for minutes before finally timing out on the connection and finally rendering out the page for me.  It was amazingly annoying.  I did a lookup on the IP and it didn’t turn up much, but further browsing seemed to show that the issue would present on ANY site that contained AdSense content.

Now, yes, I might have visited some “suspect” sites in the weeks prior, and yes, I might have installed some suspect software as well.  But, one thing for sure, this needed correcting!

At first I thought it just might be Sprint’s T1 service having some temporary routing issues, but if I used ANY browser other than Firefox, the issue did not present.  Hmmm… It was local to my machine. Investigation began.

I first checked out my HOSTS file.  It was clear and didn’t show anything suspect.  I then checked out my add-ins and plugins in Firefox.  They all looked okay as well.  Regardless, I began to disable most all of them.  This did nothing to clear the issue either.  So, off to Google the problem.

Seems a bunch of people ran into this annoying malware.  It was hard to tell it was malware however as Trend, AVG, Norton, and McAfee turned up nothing.  I finally found a link that pointed me to an AV product called Prevx.  When I ran this, it returned 10 or “infected” files and registry entries.  Eight of these were not “infections” at all.  I use SlimFTP, a small FTP daemon; Prevx identified this as a problem executable along with another few benign apps.

There was two entries that were suspect though.  One, a file called, MicrosoftDocProp.dll that was located in \Common Files\Microsoft.  The file had no version info.  Pulling up a process viewer, I found the file attached to almost every running process on my box!  There was also a registry key that loaded it under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\.  Using the excellent XP utility Unlocker, I was able to delete the file outside of a PE environment and kill off the reg entry.  Of course, this shut down Explorer, as it was attached it as well.  But, after killing both the file and reg entry and rebooting, all was well.

I’m not sure that if you run into this that the file and/or the reg entry will be the same, but it definitely seems that Prevx will help you identify the culprit and help you kill it.  You can either buy Prevx and have it clean for you, or do the killing yourself, as I did after running their free download (it will scan and ID, but won’t clean until you buy a license).

In any case. . . If you run into this, I hope this helps.

This entry was posted in Internet, Ramblings.


  1. rsa May 12, 2010 at 2:43 pm #

    I have the same issue in xp. Prevx finds nothing just as adaware and avasti find nothing. This is very annoying even when not using firefox download speeds are still slow. I dual boot into ubuntu linux and no problems my download speed max’s out. i guess its time to wipe xp and do a complete reinstall… again… sigh. Hopefully someone will figure out what this rogue ip is.

  2. aris53m May 12, 2010 at 10:02 pm #

    same here.

    i dd all of the above, i dd find some issues and have correct them but the problem ( waiting for… ) did not go away.

    It appears in firefox and on ie 8 (but on the ie8 is just slow without posting the “waiting for”).

    in addition when i discovered this issue google analytics (Dashboard, flash player, isn’t working). This other issue also manifest itself at the same time. I suspect the two may be related.

    reinstalling windows may be the solution but i will wait for a couple days to see if someone else posts a sln.

  3. aris53m May 15, 2010 at 11:05 am #

    just in case anybody has run into this.

    the message waiting for… appears in firefox and

    – does not display google ads on my web site ( http://www.hellaswebnews.com/el ) ONLY FROM MY PC.

    from laptop works fine (have the same version firefox in pc and laptop).

    any help would be highly appreciated.

  4. aris53m May 15, 2010 at 1:00 pm #

    fixed it.

    run malware bytes s/w

    it picked upp 6-7 issues all of them had to do with ASF and MSdownload. e x e

    removed them manually and everything works fine now.

    hope it helps.

Post a Comment

Your email is never published nor shared. Required fields are marked *