Note for users: If you experience this crash, it is likely because you have malware installed. Among the (early) top crashers for the 115 release, we have signatures that have no symbols because we crash in dynamic code. In all the crash reports, there is a suspicious loaded module, likely malware. The DLL name and path vary, but possibly not the version (version 1.0.0.29915) nor the timestamp (Sun Nov 19 11:31:29 2017 (5A115D81)) looking at a few examples. Here are some paths: `C:\ProgramData\Voyasollam\Flex-Find.dll`, `C:\ProgramData\Quoteex\Biofan.dll`, `C:\ProgramData\Quoteex\Kontop.dll`. The `Quoteex` name seems to be known adware. The crashes possibly occur because the dynamic code triggered from the malicious DLL would be enumerating sections in loaded modules to look for a particular section of interest, and consequently trying to read the `.retplne` section, which [has `PAGE_NOACCESS` protection](https://bugzilla.mozilla.org/show_bug.cgi?id=1546498#c14). I am not sure what changed in 115 that explains that this crash was not occurring before.
Bug 1841751 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Note for users: If you experience this crash, it is likely because you have malware installed. Among the (early) top crashers for the 115 release, we have signatures that have no symbols because we crash in dynamic code. In all the crash reports, there is a suspicious loaded module, likely malware. The DLL name and path vary, but possibly not the version (version 1.0.0.29915) nor the timestamp (Sun Nov 19 11:31:29 2017 (5A115D81)) looking at a few examples. Here are some paths: `C:\ProgramData\Voyasollam\Flex-Find.dll`, `C:\ProgramData\Quoteex\Biofan.dll`, `C:\ProgramData\Quoteex\Kontop.dll`. `Quoteex` seems to be known adware. The crashes possibly occur because the dynamic code triggered from the malicious DLL would be enumerating sections in loaded modules to look for a particular section of interest, and consequently trying to read the `.retplne` section, which [has `PAGE_NOACCESS` protection](https://bugzilla.mozilla.org/show_bug.cgi?id=1546498#c14). I am not sure what changed in 115 that explains that this crash was not occurring before.
Note for users: If you experience this crash, it is likely because you have malware installed. Among the (early) top crashers for the 115 release, we have signatures that have no symbols because we crash in dynamic code. In all the crash reports, there is a suspicious loaded module, likely malware. The DLL name and path vary, but possibly not the version (version 1.0.0.29915) nor the timestamp (Sun Nov 19 11:31:29 2017 (5A115D81)) looking at a few examples. Here are some paths: `C:\ProgramData\Voyasollam\Flex-Find.dll`, `C:\ProgramData\Quoteex\Biofan.dll`, `C:\ProgramData\Quoteex\Kontop.dll`. `Quoteex` seems to be known adware. The crashes possibly occur because the dynamic code triggered from the malicious DLL would be reading `xul.dll` to search for patterns of interest, and consequently trying to read the `.retplne` section, which [has `PAGE_NOACCESS` protection](https://bugzilla.mozilla.org/show_bug.cgi?id=1546498#c14). I am not sure what changed in 115 that explains that this crash was not occurring before.
Note for users: If you experience this crash, it is likely because you have malware installed. Among the (early) top crashers for the 115 release, we have signatures that have no symbols because we crash in dynamic code. In all the crash reports, there is a suspicious loaded module, likely malware. The DLL name and path vary, but possibly not the version (version 1.0.0.29915) nor the timestamp (Sun Nov 19 11:31:29 2017 (5A115D81)) looking at a few examples. Here are some paths: `C:\ProgramData\Voyasollam\Flex-Find.dll`, `C:\ProgramData\Quoteex\Biofan.dll`, `C:\ProgramData\Quoteex\Kontop.dll`. `Quoteex` seems to be known adware. The crashes possibly occur because the dynamic code triggered from the malicious DLL would be reading `xul.dll` entirely in memory to search for patterns of interest, and consequently trying to read the `.retplne` section, which [has `PAGE_NOACCESS` protection](https://bugzilla.mozilla.org/show_bug.cgi?id=1546498#c14). I am not sure what changed in 115 that explains that this crash was not occurring before.
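A triage sketch for the traits reported in the comment above, added here as an example and not part of the bug report or Mozilla's tooling: it reads the PE `TimeDateStamp` of a DLL and scores a loaded module against the quoted version, timestamp and `C:\ProgramData` location. The function names, the sample module list and the header-only PE stub are constructed for illustration.

```python
import struct
from ntpath import normcase  # Windows path rules on any OS

# Indicators quoted in the comment above; the report says name and path vary.
SUSPECT_TIMESTAMP = 0x5A115D81
SUSPECT_VERSION = "1.0.0.29915"

def pe_timestamp(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from raw PE bytes."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 12 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Signature (4) + Machine (2) + NumberOfSections (2), then TimeDateStamp.
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp

def score_module(path: str, version: str, timestamp: int) -> list[str]:
    """List which of the reported traits a loaded module matches."""
    hits = []
    if timestamp == SUSPECT_TIMESTAMP:
        hits.append("timestamp")
    if version == SUSPECT_VERSION:
        hits.append("version")
    if normcase(path).startswith(normcase("C:\\ProgramData\\")):
        hits.append("programdata-path")
    return hits

def build_sample_pe(stamp: int) -> bytes:
    """Constructed header-only PE stub for the demo, not a real DLL."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0x2000)
    return dos + b"PE\0\0" + coff

if __name__ == "__main__":
    # Constructed module list shaped like a crash report's module table.
    modules = [
        ("C:\\Program Files\\Mozilla Firefox\\xul.dll", "115.0.0.0", 0x64A0B000),
        ("C:\\ProgramData\\Quoteex\\Biofan.dll", "1.0.0.29915",
         pe_timestamp(build_sample_pe(SUSPECT_TIMESTAMP))),
    ]
    for path, version, stamp in modules:
        print(path, score_module(path, version, stamp))
```

A path match alone is weak evidence, since legitimate software also installs under `C:\ProgramData`; the version and timestamp together are the traits the comment reports as constant across samples.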