KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867][@ NPFFAddOn.dll@0xceb8][@ NPFFAddOn.dll@0x11657][@ NPFFAddOn.dll@0xe707][@ NPFFAddOn.dll@0xe590]

VERIFIED FIXED

Status

P1
major
9 years ago
9 years ago

People

(Reporter: cilias, Unassigned)

Tracking

(Blocks: 1 bug, {common-issue+})

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

9 years ago
@NPFFAddOn.dll@0x11867 is now among the top 5 Firefox 3.5.* crashes since the release of 3.5.

I don't see a bug for it yet. Here's a link to a list on crash-stats
http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.5&version=Firefox%3A3.5.1&version=Firefox%3A3.5.2&query_search=signature&query_type=exact&query=&date=&range_value=8&range_unit=weeks&do_query=1&signature=NPFFAddOn.dll%400x11867
I had one affected person on LiveChat. We found out that it's certainly caused by malware. However, we were not able to locate / delete the crashing file but had to do a malware scan with SpywareTerminator and the malware was found and removed.
Assigning this to myself.
Assignee: nobody → tobbi.bugs
Okay, I was able to do a draft (however, it shows a 404 error page on that site):
https://support.mozilla.com/kb/Crash+signature+-+NPFFAddOn.dll@0x11867
(as well as)
https://support.mozilla.com/kb/Crash+signature+-+NPFFAddOn.dll (by accident)

Comment 4

9 years ago
We haven't fixed the bug where you can periods in article titles on production.

Comment 5

9 years ago
this shows it's now at #1 overall

http://crash-stats.mozilla.com/query/query?version=ALL%3AALL&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=&do_query=1

I see a huge uptick in reports coming in yesterday for this signature, and it looks like the problem may have ramped sometime over the weekend.

Tons of comments indicating users can no longer start Firefox after being affected by whatever is going on.  It's very unusual for us to get this many comments on a single stack signature.

-- I just had to remove some spyware and trojans with spybot and once they were deleted this message keeps showing up and won't let me back on.
-- i lost norton and my firefox crashed
-- this has been down for over 12 hours what is going on
-- Since this program crashed, I haven't been able to open the browser.  Every time I try, I wind up getting the "Mozilla Crash Reporter" instead.
-- After i upgraded the Firefox to 3.5.2 version then i can't start the firefox even i went back to this 3.0 version i still can't start the firefox but i could always start firefox(safe mode) ok.
-- Every time we open a secure Site, it allows other spam site also to get open which eventually slows down the Firefox.
-- Firefox 3.5.2 crashed and the Crash Reporter now comes up every time I start Firefox, but Firefox won't start when asking to restart Firefox. The Safe Mode works. | I did a complete re-install, so all crash report are gone, but the problems remain and Mozilla Crash Reporter comes up when I start Firefox and it won't start Firefox. | How can I remove this problem?
-- I haven't had access to Mozilla Firefox on my computer for about 12 hours.
-- firefox has been giving me problems for the last 2 weeks. I have remove Mozilla and download back in but the problem still the same. I cant even open any page with mozilla at all...Please fix it,, thank you.
-- mozilla has been crashed and from last one month pop ups were not being stopped.
-- my whole computer rebooted.  I'm not sure why.  I have a fairly new computer running xp media.
-- our computer is not working very well,



This plugin is part of something called Internet Saving Optimizer.

C:\Program Files\Internet Saving Optimizer\3.4.0.4340\FF\components\NPFFAddOn.dll 

A few comments indicate it's possible some anti-virus program has flagged this .dll

we should watch this one closely.

Comment 6

9 years ago
164 total crashes for NPFFAddOn.dll on 20090818-crashdata.csv
115 total crashes for NPFFAddOn.dll on 20090819-crashdata.csv
156 total crashes for NPFFAddOn.dll on 20090820-crashdata.csv
118 total crashes for NPFFAddOn.dll on 20090821-crashdata.csv

11191 total crashes for NPFFAddOn.dll on 20090822-crashdata.csv
7300 start up crashes inside 3 minutes

3755 NPFFAddOn.dll@0x11867 Windows NT 6.0.6001 Service Pack 1
3290 NPFFAddOn.dll@0x11867 Windows NT 5.1.2600 Service Pack 3
1475 NPFFAddOn.dll@0x11867 Windows NT 5.1.2600 Service Pack 2
1325 NPFFAddOn.dll@0x11867 Windows NT 6.0.6002 Service Pack 2
 403 NPFFAddOn.dll@0x11867 Windows NT 6.0.6000
... and more

distribution of versions where the crash was found on 20090822-crashdata.csv
6430 Firefox 3.5.2
3642 Firefox 3.0.13
 210 Firefox 3.0.11
 169 Firefox 3.0.12
 152 Firefox 3.5.1
 115 Firefox 3.0.10
  92 Firefox 3.0.5
  84 Firefox 3.5
  72 Firefox 3.0.1
  69 Firefox 3.0.8
  41 Firefox 3.0.6
... and more

possible related signatures

10178 NPFFAddOn.dll@0x11867 
 336 NPFFAddOn.dll@0xceb8 
 289 NPFFAddOn.dll@0x11657 
 155 NPFFAddOn.dll@0x11867 \N
 137 NPFFAddOn.dll@0xe707 
  81 NPFFAddOn.dll@0xe590 
   7 NPFFAddOn.dll@0xe707 \N
   4 NPFFAddOn.dll@0x11657 \N
   2 NPFFAddOn.dll@0xceb8 \N
   2 NPFFAddOn.dll@0x151b1

Comment 7

9 years ago
I wonder if blocking this plugin is a possibility?

Comment 8

9 years ago
18157 total crashes for NPFFAddOn.dll on 20090823-crashdata.csv
11073 start up crashes inside 3 minutes

Comment 9

9 years ago
http://support.mozilla.com/tiki-view_forum_thread.php?comments_parentId=418045&forumId=1  has a suggestion to resolve

 had the same problem (firefox 3.5.2 crashed with Signature: NPFFAddOn.dll@0x11867)

I resolved that problem by uninstalling the FF, and deleting following 3 files that located in:
C:\Program Files (x86)\Internet Saving Optimizer\3.4.0.4340\FF\components

NPFFAddOn.dll
NPFFAddOn.xpt
NPFFHelperComponent.js

After that I reboot the windows (vista sp2) and reinstalled the FF.

Alex
Looks like quite a few reports also have "HPFFAddOn.dll" which is also adware/malware, afaict. If we blocklist, we might just move the crash to this dll, but we should do it anyway.

You can remove that one from here: C:\Program Files\Media Access Startup\1.5.0.850\FF\components\HPFFAddOn.dll

I'd just kill "Media Access Startup" entirely, since I'm pretty sure the entire directory is bad. Users should do a virus/adware scan asap if they're seeing this crash.

Comment 12

9 years ago
a few references indicate some virus checkers are removing these files to
combat Adware-DoubleD

http://www.computerforum.com/155336-please-take-look-malwarebytes-hjthis-log.html

Adware-DoubleD is a potentially unwanted program that can be installed on
computers without users consent via trojan infection. Adware-DoubleD can 
display excessive popup advertisements on the compromised computer.

 http://www.precisesecurity.com/threats/adware/adware-doubled/
Depends on: 512412
No longer depends on: 512412
(Reporter)

Comment 13

9 years ago
Tobbi, I couldn't rename the article, but I could open in the editor and copy/paste the contents into a new article (without the decimal in the title):
https://support.mozilla.com/en-US/kb/Crash+signature+-+%40NPFFAddOndll%400x11867?bl=n

Given all the recent comments, I think the article can be more specific.

Comment 14

9 years ago
I wonder if there is a way to test the net effect of the blocklisting?

Does the blocklisting happen early enough in the start up process so that existing users that can't start will now be able to?

we should have some stats after midnight tonight that will tell us if the crashes are reduced.  I also have some contact names that were in the comment data that we can reach out to for gathering additional information.  I'll send that info to cww.

12519 total crashes for NPFFAddOn.dll on 20090824-crashdata.csv
7081 start up crashes inside 3 minutes

Comment 15

9 years ago
Maybe a section of the article can provide general caution about how to avoid
problems.  One item in the caution list is a reminder against downloading any
kind of software from unverified/untrusted sources.

This article suggests a rash of recent infections when installing free celeb
screen savers and desktop 

http://newsok.com/searching-web-for-celebs-might-infect-pc/article/3395153

this site offers such a jessica-beil screen saver.

http://www.flash-screen.com/free-wallpaper/jessica-beil-sexy-wallpaper.html

it also offers a similar firefox screen saver, so we might be a similar target.

http://www.flash-screen.com/free-wallpaper/category,firefox,1.html

Comment 16

9 years ago
ss has been checking hourly decline in crash submissions.  they indicate good progress in shutting down the loading of the plugin.

9:00a PDT ss>	I'm still showing 120 crashes in the last hour.
11:00a PDT ss>	chofmann: 50 in the last hour

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/406100-annoying-pop-up-firefox.html  reports virus checkers also removing the suspect files so maybe some of that is kicking in.

C:\Program Files\Media Access Startup\1.5.0.850\FF\components\HPFFAddOn.dll (Adware.DoubleD) -> Delete on reboot.
	<chofmann>	C:\Program Files\Internet Saving Optimizer\3.4.0.4340\FF\components\NPFFAddOn.dll (Adware.DoubleD) -> Delete on reboot.
	=-=	griswolf is now known as griswolf-lunch
	<chofmann>	c:\program files\internet saving optimizer\3.4.0.4340\FF\components\NPFFHelperComponent.js (Adware.DoubleD) -> Quarantined and deleted successfully.

We aren't doing any blocking of some of the other files indicated in the list above but should keep an eye out for what these files are doing.   very low crash volume on HPFFAddOn.dll but we should keep an eye on it.
Blacklisting this extension isn't going to help users that already have this program installed, since we can't update the blacklist if we can't start Firefox, right? We probably should restart in safe mode if we crash on startup more than once.

Comment 18

9 years ago
Bug 502958 - Automatically start in Safe Mode when Firefox crashes at startup
(In reply to comment #17)
> Blacklisting this extension isn't going to help users that already have this
> program installed, since we can't update the blacklist if we can't start
> Firefox, right? We probably should restart in safe mode if we crash on startup
> more than once.

In this case, I think it's helping since, from what chofmann was saying, a number of these users are actually getting their browser up for a minute or so, which should be enough time for us to check the blocklist.

At ~1:15pm PDT, we were down to 19 crashes in the last hour.

Comment 20

9 years ago
re: comment 17

I was worried about the effectiveness of blocklisting this too.  but it looks like we check the blocklist before trying to load that bad plugin and crash,  or at least the huge drop in crash reports today would indicate that.

the other explanation for the big drop in crash bugs is that anti-virus programs are beating us to the punch and removing the files.  that would also explain the bug drop in crashes.

I guess we would really need the files and an installation set up to test that.

Comment 21

9 years ago
>  that would also explain the bug drop in crashes.

it would also explain a *big* drop in crashes ;-)

Comment 22

9 years ago
periodically checking the hourly rate from time to time shows great progress, but progress over the 24 hour period is less than I would have expected.

So here is a recap of the profile of crash activity for the few days.

164 total crashes for NPFFAddOn.dll on 20090818-crashdata.csv
115 total crashes for NPFFAddOn.dll on 20090819-crashdata.csv
156 total crashes for NPFFAddOn.dll on 20090820-crashdata.csv
118 total crashes for NPFFAddOn.dll on 20090821-crashdata.csv
11191 total crashes for NPFFAddOn.dll on 20090822-crashdata.csv
18157 total crashes for NPFFAddOn.dll on 20090823-crashdata.csv
12519 total crashes for NPFFAddOn.dll on 20090824-crashdata.csv

10164 total crashes for NPFFAddOn on 20090825-crashdata.csv
5778 start up crashes inside 3 minutes

Updated

9 years ago
Blocks: 512788

Updated

9 years ago
Summary: KB article: Crash signature - @NPFFAddOn.dll@0x11867 → KB article: Possible Possible Adware.DoubleD related Crash [@NPFFAddOn.dll@0x11867

Updated

9 years ago
Summary: KB article: Possible Possible Adware.DoubleD related Crash [@NPFFAddOn.dll@0x11867 → KB article: Possible Adware.DoubleD related Crash [@NPFFAddOn.dll@0x11867

Comment 23

9 years ago
Shouldn't someone add this Bug Id to the Crash report Query Results? -So perhaps at least some would find this Bug easier and know they are Malware infected.

Also, if Bug 411425 - "Email or tell users how to fix the crash they just encountered" would have been fixed, I think a mass-mail with detailed Explanation (and Tips how to disinfect) would have been really appreciated by Firefox Users.

Comment 24

9 years ago
Is this bug report for fixing/mitigating the crash or writing an article on it?

Comment 25

9 years ago
> re: comment 23:

I just fixed the title so crash-reporter should start showing this bug number in crash reports soon.

> re: comment 24:

we can't fix the crash.  it appears in the code of the rogue plugin.  we don't have that code.  all we can do is block its execution.


crash numbers continue to come down as more people get the updated blocklist and/or virus checkers remove the malware from the systems of firefox users.

7260 total crashes for NPFFAddOn on 20090826-crashdata.csv
3983 start up crashes inside 3 minutes
Summary: KB article: Possible Adware.DoubleD related Crash [@NPFFAddOn.dll@0x11867 → KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867 ]

Updated

9 years ago
Summary: KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867 ] → KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867, NPFFAddOn.dll@0xceb8, NPFFAddOn.dll@0x11657, PFFAddOn.dll@0xe707, NPFFAddOn.dll@0xe590 ]
(Reporter)

Comment 26

9 years ago
Are there any crashes with 'NPFFAddOn.dll' not included in this? We may as well not include the '@0x11867' in the article name.

Comment 27

9 years ago
It's all evil and must be removed from this earth!  ;-)

Comment 28

9 years ago
(In reply to comment #24)
This bug is about writing an article about it... it's been somewhat hijacked because bug 512406 which was about mitigating has been fixed.

Chris, we should have the @(address) part in the article at least because that's what we're being passed from socorro

Comment 29

9 years ago
numbers are still coming down, but only slowly now.  The crash still represents about 2.7% of all crashes and that ranks it 4th behind these general areas.

0.0372	total	178950	Flash	6649
0.0676	total	178950	@0x	12096
0.1571	total	178950	NPSWF32.dll	28109

here is the ramp down trend

0.1063	total	170777	NPFFAddon	18157 on 20090823
0.0711	total	175972	NPFFAddon	12519 on 20090824
0.0538	total	188760	NPFFAddon	10164 on 20090825
0.0385	total	188483	NPFFAddon	7260  on 20090826
0.0318	total	184066	NPFFAddon	5849  on 20090827
0.0277	total	178950	NPFFAddon	4962  on 20090828

It might take another week or two before we see the number of crashes to bounce off zero,  tells us something about the number of users that have turned off blocklist updates, or that we can't reach with similar kinds of blocking of start up crashes.
(Reporter)

Updated

9 years ago
Priority: -- → P1

Comment 30

9 years ago
Hey cww,

that comment you made over in Bug 512406 might make for some interesting analysis...  

> FWIW, there's been a huge drop (from ~ 5% of reports to just one) in people
> reporting popup ads that they can't get rid of over the past week.

Here is an interesting way to look at what is going on.

So there are other reasons why people might get popup ads, but in this case it seems like it might take over 5% of the user base to be affected by a bug before users start taking the time to visit SUMO and report or view information on the problem.

The crash chart below shows 2-3% of users might still be affected by the bug.

0.0010    total    171723    NPFFAddon    164   on 20090818
0.0007    total    171843    NPFFAddon    115   on 20090819
0.0009    total    170241    NPFFAddon    156   on 20090820
0.0007    total    169518    NPFFAddon    118   on 20090821
0.0641    total    174606    NPFFAddon    11191 on 20090822
0.1063    total    170777    NPFFAddon    18157 on 20090823
0.0711    total    175972    NPFFAddon    12519 on 20090824
0.0538    total    188760    NPFFAddon    10164 on 20090825
0.0385    total    188483    NPFFAddon    7260  on 20090826
0.0318    total    184066    NPFFAddon    5849  on 20090827
0.0277    total    178950    NPFFAddon    4962  on 20090828
0.0288    total    176072    NPFFAddon    5072  on 20090829
0.0317    total    164971    NPFFAddon    5229  on 20090830
0.0258    total    172253    NPFFAddon    4445  on 20090831
It would also be interesting to see the trend of KB NPFFAddon/"popup ad" article page views and "popup ad" search counts mixed in for the dates above. 

Maybe forum posts are down, but if people are searching and using the KB to read about this that would also be an interesting measure of the steps that were taken in this case.
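
Added example (not part of the bug thread, and not Socorro or crash-stats code): the triage arithmetic from comments 6 and 30, grouping `module@0xoffset` signatures by module so the variants of one DLL are counted together, then flagging the first day the module's share of all crash reports jumps above its baseline. The numbers are copied from those comments; the four-day baseline and the 10x threshold are assumptions chosen for this illustration.

```python
import re
from collections import Counter
from statistics import median

# (signature, count) rows copied from comment 6 for 20090822-crashdata.csv.
SIGNATURE_COUNTS = [
    ("NPFFAddOn.dll@0x11867", 10178), ("NPFFAddOn.dll@0xceb8", 336),
    ("NPFFAddOn.dll@0x11657", 289), ("NPFFAddOn.dll@0x11867 \\N", 155),
    ("NPFFAddOn.dll@0xe707", 137), ("NPFFAddOn.dll@0xe590", 81),
    ("NPFFAddOn.dll@0xe707 \\N", 7), ("NPFFAddOn.dll@0x11657 \\N", 4),
    ("NPFFAddOn.dll@0xceb8 \\N", 2), ("NPFFAddOn.dll@0x151b1", 2),
]

# (day, total crash reports, NPFFAddOn crashes) copied from comment 30.
DAILY = [
    ("20090818", 171723, 164), ("20090819", 171843, 115),
    ("20090820", 170241, 156), ("20090821", 169518, 118),
    ("20090822", 174606, 11191), ("20090823", 170777, 18157),
    ("20090824", 175972, 12519), ("20090825", 188760, 10164),
    ("20090826", 188483, 7260), ("20090827", 184066, 5849),
    ("20090828", 178950, 4962), ("20090829", 176072, 5072),
    ("20090830", 164971, 5229), ("20090831", 172253, 4445),
]

# Module name, then "@0x" and a hex offset; any trailing field is ignored.
SIG_RE = re.compile(r"^\s*([^@\s]+)@0x[0-9a-fA-F]+")

def module_of(signature):
    """Return the lower-cased module name of a 'module@0xoffset' signature."""
    m = SIG_RE.match(signature)
    return m.group(1).lower() if m else None

def totals_by_module(rows):
    """Sum counts per module so offset variants of one DLL rank together."""
    totals = Counter()
    for signature, count in rows:
        totals[module_of(signature) or "(unparsed)"] += count
    return totals

def daily_share(rows):
    """Share of all crash reports attributed to the module, per day."""
    return [(day, crashes / total) for day, total, crashes in rows]

def first_spike(rows, baseline_days=4, factor=10):
    """First day whose share exceeds factor x the median baseline share.

    baseline_days and factor are assumptions for this example.
    """
    shares = daily_share(rows)
    baseline = median(share for _, share in shares[:baseline_days])
    for day, share in shares[baseline_days:]:
        if share > factor * baseline:
            return day
    return None

if __name__ == "__main__":
    print(totals_by_module(SIGNATURE_COUNTS).most_common(3))
    print("first spike:", first_spike(DAILY))
    for day, share in daily_share(DAILY):
        print(day, f"{share:.4f}")
```

The per-signature rows sum to the module total reported for 20090822, which is why ranking by module rather than by individual signature shows the full size of the event.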

Comment 31

9 years ago
My hypothesis is that this has been generating popups for a while now but only recently became crashy (perhaps updated in the background or released a new version.)  A blocklist managed to hit the people with the version that was causing popups but not the one that was doing most of the crashing.

Comment 32

9 years ago
we should make sure woutput_l is also a crash signature in this article

Comment 33

9 years ago
top reported crash on SUMO forums/livechat
Keywords: common-issue+
(Reporter)

Comment 34

9 years ago
Tobbi,
So basically, in addition to what we have in the article now:
* specify the name of the adware that causes this crash (Adware-DoubleD)
* add a section reminding users not to download software like celebrity screen savers from unfamiliar websites

Updated

9 years ago
Assignee: tobbi.bugs → nobody

Comment 35

9 years ago
I added the things from comment 34, marking FIXED for review.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
(Reporter)

Comment 36

9 years ago
Reviewed and moved to KB at:
Sat 12 of Sep, 2009 23:45 EST

Notes from review:
- I added all the crash sigs from the bug summary
- added some space between the crash sigs and the first paragraph
- rather than repeating all the crash sigs again, I changed it to "Crashes with any of the above signatures are..."
- put the section about downloading from unfamiliar sites in a note.
Status: RESOLVED → VERIFIED
Summary: KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867, NPFFAddOn.dll@0xceb8, NPFFAddOn.dll@0x11657, PFFAddOn.dll@0xe707, NPFFAddOn.dll@0xe590 ] → KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867][@ NPFFAddOn.dll@0xceb8][@ NPFFAddOn.dll@0x11657][@ NPFFAddOn.dll@0xe707][@ NPFFAddOn.dll@0xe590]