Closed Bug 512122 Opened 14 years ago Closed 14 years ago
KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867][@ NPFFAddOn.dll@0xceb8][@ NPFFAddOn.dll@0x11657][@ NPFFAddOn.dll@0xe707][@ NPFFAddOn.dll@0xe590]
@NPFFAddOn.dll@0x11867 is now among the top 5 Firefox 3.5.* crashes since the release of 3.5. I don't see a bug for it yet. Here's a link to a list on crash-stats http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.5&version=Firefox%3A3.5.1&version=Firefox%3A3.5.2&query_search=signature&query_type=exact&query=&date=&range_value=8&range_unit=weeks&do_query=1&signature=NPFFAddOn.dll%400x11867
I had one affected person on LiveChat. We found out that it's certainly caused by malware. However, we were not able to locate / delete the crashing file but had to do a malware scan with SpywareTerminator and the malware was found and removed.
Assigning this to myself.
Assignee: nobody → tobbi.bugs
Okay, I was able to do a draft (however, it shows a 404 error page on that site): https://support.mozilla.com/kb/Crash+signature+-+NPFFAddOn.dll@0x11867 (as well as) https://support.mozilla.com/kb/Crash+signature+-+NPFFAddOn.dll (by accident)
We haven't fixed the bug where you can periods in article titles on production.
this shows it's now at #1 over all
http://crash-stats.mozilla.com/query/query?version=ALL%3AALL&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=&do_query=1
I see a huge uptick in reports coming in yesterday for this signature, and it looks like the problem may have ramped sometime over the weekend. Tons of comments indicating users can no longer start Firefox after being affected by whatever is going on. It's very unusual for us to get this many comments on a single stack signature.
-- I just had to remove some spyware and trojans with spybot and once they were deleted this message keeps showing up and won't let me back on.
-- i lost norton and my firefox crashed
-- this has been down for over 12 hours what is going on
-- "Since this program crashed, I haven't been able to open the browser. Every time I try, I wind up getting the ""Mozilla Crash Reporter"" instead."
-- After i upgraded the Firefox to 3.5.2 version then i can't start the firefox even i went back to this 3.0 version i still can't start the firefox but i could always start firefox(safe mode) ok.
-- Everytime we open a secure Site, it allows other spam site also to get open which eventually slows down the Firefox.
-- Firefox 3.5.2 crashed and the Crash Reporter now comes up every time I start Firefox, but Firefox won't start when asking to restart Firefox. The Safe Mode works. | I did a complete re-install, so all crash report are gone, but the problems remain and Mozilla Crash Reporter comes up when I start Firefox and it won't start Firefox. | How can I remove this problem?
-- I havent had access to Mozilla Firefox on my computer for about 12 hours.
-- firefox has been giving me problems for the last 2 weeks. I have remove Mozilla and dowload back in but the problem still the same. I cant even open any page with mozilla at all...Please fix it,, thank you.
-- mozilla has been crashed and from last one month pop ups were not being stopped.
-- my whole computer rebooted. I'm not sure why. I have a fairly new computer running xp media.
-- our computer is not working very well,
This plugin is part of something called Internet Saving Optimizer.
C:\Program Files\Internet Saving Optimizer\220.127.116.1140\FF\components\NPFFAddOn.dll
A few comments indicate it's possible some anti-virus program has flagged this .dll. We should watch this one closely.
164 total crashes for NPFFAddOn.dll on 20090818-crashdata.csv
115 total crashes for NPFFAddOn.dll on 20090819-crashdata.csv
156 total crashes for NPFFAddOn.dll on 20090820-crashdata.csv
118 total crashes for NPFFAddOn.dll on 20090821-crashdata.csv
11191 total crashes for NPFFAddOn.dll on 20090822-crashdata.csv
7300 start up crashes inside 3 minutes

3755 NPFFAddOn.dll@0x11867 Windows NT 6.0.6001 Service Pack 1
3290 NPFFAddOn.dll@0x11867 Windows NT 5.1.2600 Service Pack 3
1475 NPFFAddOn.dll@0x11867 Windows NT 5.1.2600 Service Pack 2
1325 NPFFAddOn.dll@0x11867 Windows NT 6.0.6002 Service Pack 2
403 NPFFAddOn.dll@0x11867 Windows NT 6.0.6000
... and more

distribution of versions where the crash was found on 20090822-crashdata.csv
6430 Firefox 3.5.2
3642 Firefox 3.0.13
210 Firefox 3.0.11
169 Firefox 3.0.12
152 Firefox 3.5.1
115 Firefox 3.0.10
92 Firefox 3.0.5
84 Firefox 3.5
72 Firefox 3.0.1
69 Firefox 3.0.8
41 Firefox 3.0.6
... and more

possible related signatures
10178 NPFFAddOn.dll@0x11867
336 NPFFAddOn.dll@0xceb8
289 NPFFAddOn.dll@0x11657
155 NPFFAddOn.dll@0x11867 \N
137 NPFFAddOn.dll@0xe707
81 NPFFAddOn.dll@0xe590
7 NPFFAddOn.dll@0xe707 \N
4 NPFFAddOn.dll@0x11657 \N
2 NPFFAddOn.dll@0xceb8 \N
2 NPFFAddOn.dll@0x151b1
I wonder if blocking this plugin is a possibility?
18157 total crashes for NPFFAddOn.dll on 20090823-crashdata.csv
11073 start up crashes inside 3 minutes
http://support.mozilla.com/tiki-view_forum_thread.php?comments_parentId=418045&forumId=1 has a suggestion to resolve

had the same problem (firefox 3.5.2 crashed with Signature: NPFFAddOn.dll@0x11867)
I resolved that problem by uninstalling the FF, and deleting following 3 files that located in:
C:\Program Files (x86)\Internet Saving Optimizer\18.104.22.16840\FF\components
NPFFAddOn.dll
NPFFAddOn.xpt
NPFFHelperComponent.js
After that I reboot the windows (vista sp2) and reinstalled the FF.
Alex
Looks like quite a few reports also have "HPFFAddOn.dll" which is also adware/malware, afaict. If we blocklist, we might just move the crash to this dll, but we should do it anyway. You can remove that one from here: C:\Program Files\Media Access Startup\22.214.171.1240\FF\components\HPFFAddOn.dll I'd just kill "Media Access Startup" entirely, since I'm pretty sure the entire directory is bad. Users should do a virus/adware scan asap if they're seeing this crash.
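A read-only check for the files named in the comments above, as an added example that is not part of the original bug thread or Mozilla's code. It assumes the per-install version directory can be any name, matches names case-insensitively, and uses hypothetical function names and a constructed demo tree.

```python
import os
import tempfile
from pathlib import Path

# Directory and file names as reported in the bug comments (compared lowercased).
SUSPECT_DIRS = {"internet saving optimizer", "media access startup"}
SUSPECT_FILES = {"npffaddon.dll", "npffaddon.xpt",
                 "npffhelpercomponent.js", "hpffaddon.dll"}
# Expected layout: <root>/<product>/<version>/FF/components/<file>; None = any name.
LEVELS = [SUSPECT_DIRS, None, {"ff"}, {"components"}]


def _entries(path):
    """List a directory, treating missing or unreadable paths as empty."""
    try:
        with os.scandir(path) as it:
            return list(it)
    except OSError:
        return []


def find_suspect_components(roots):
    """Return sorted paths of suspect files under the given Program Files roots."""
    frontier = [str(r) for r in roots]
    for allowed in LEVELS:
        frontier = [e.path for d in frontier for e in _entries(d)
                    if e.is_dir(follow_symlinks=False)
                    and (allowed is None or e.name.lower() in allowed)]
    return sorted(Path(e.path) for d in frontier for e in _entries(d)
                  if e.is_file(follow_symlinks=False)
                  and e.name.lower() in SUSPECT_FILES)


def default_roots():
    """Program Files locations from the Windows environment; empty elsewhere."""
    keys = ("ProgramFiles", "ProgramFiles(x86)", "ProgramW6432")
    return sorted({os.environ[k] for k in keys if k in os.environ})


def demo():
    """Scan a constructed tree: one matching install, one unrelated look-alike."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "Program Files"
        bad = base / "internet saving optimizer" / "0.0.0.0" / "FF" / "components"
        other = base / "Some Other App" / "1.0" / "FF" / "components"
        for d in (bad, other):
            d.mkdir(parents=True)
        for name in ("NPFFAddOn.dll", "NPFFHelperComponent.js", "readme.txt"):
            (bad / name).write_bytes(b"")
        (other / "NPFFAddOn.dll").write_bytes(b"")  # wrong product dir: ignored
        return [p.name for p in find_suspect_components([base])]


if __name__ == "__main__":
    for hit in find_suspect_components(default_roots()):
        print(hit)
```

The script only lists matches; removal is left to an anti-malware scan, as the comments recommend.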
bug 512406 for blocklisting.
a few references indicate some virus checkers are removing these files to combat Adware-DoubleD
http://www.computerforum.com/155336-please-take-look-malwarebytes-hjthis-log.html

Adware-DoubleD is a potentially unwanted program that can be installed on computers without users consent via trojan infection. Adware-DoubleD can display excessive popup advertisements on the compromised computer.
http://www.precisesecurity.com/threats/adware/adware-doubled/
Tobbi, I couldn't rename the article, but I could open in the editor and copy/paste the contents into a new article (without the decimal in the title): https://support.mozilla.com/en-US/kb/Crash+signature+-+%40NPFFAddOndll%400x11867?bl=n Given all the recent comments, I think the article can be more specific.
I wonder if there is a way to test the net effect of the blocklisting? Does the blocklisting happen early enough in the start up process so that existing users that can't start will now be able to? We should have some stats after midnight tonight that will tell us if the crashes are reduced. I also have some contact names that were in the comment data that we can reach out to for gathering additional information. I'll send that info to cww.

12519 total crashes for NPFFAddOn.dll on 20090824-crashdata.csv
7081 start up crashes inside 3 minutes
Maybe a section of the article can provide general caution about how to avoid problems. One item in the caution list is a reminder against downloading any kind of software from unverified/untrusted sources.

This article suggests a rash of recent infections when installing free celeb screen savers and desktop
http://newsok.com/searching-web-for-celebs-might-infect-pc/article/3395153

this site offers such a jessica-beil screen saver.
http://www.flash-screen.com/free-wallpaper/jessica-beil-sexy-wallpaper.html

it also offers a similar firefox screen saver, so we might be a similar target.
http://www.flash-screen.com/free-wallpaper/category,firefox,1.html
ss has been checking hourly decline in crash submissions. they indicate good progress in shutting down the loading of the plugin.

9:00a PDT ss> I'm still showing 120 crashes in the last hour.
11:00a PDT ss> chofmann: 50 in the last hour

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/406100-annoying-pop-up-firefox.html reports virus checkers also removing the suspect files so maybe some of that is kicking in.

C:\Program Files\Media Access Startup\126.96.36.1990\FF\components\HPFFAddOn.dll (Adware.DoubleD) -> Delete on reboot.
<chofmann> C:\Program Files\Internet Saving Optimizer\188.8.131.5240\FF\components\NPFFAddOn.dll (Adware.DoubleD) -> Delete on reboot.
=-= griswolf is now known as griswolf-lunch
<chofmann> c:\program files\internet saving optimizer\184.108.40.20640\FF\components\NPFFHelperComponent.js (Adware.DoubleD) -> Quarantined and deleted successfully.

We aren't doing any blocking of some of the other files indicated in the list above but should keep an eye out for what these files are doing. very low crash volume on HPFFAddOn.dll but we should keep an eye on it.
Blacklisting this extension isn't going to help users that already have this program installed, since we can't update the blacklist if we can't start Firefox, right? We probably should restart in safe mode if we crash on startup more than once.
Bug 502958 - Automatically start in Safe Mode when Firefox crashes at startup
(In reply to comment #17)
> Blacklisting this extension isn't going to help users that already have this
> program installed, since we can't update the blacklist if we can't start
> Firefox, right? We probably should restart in safe mode if we crash on startup
> more than once.

In this case, I think it's helping since, from what chofmann was saying, a number of these users are actually getting their browser up for a minute or so, which should be enough time for us to check the blocklist. At ~1:15pm PDT, we were down to 19 crashes in the last hour.
re: comment 17 I was worried about the effectiveness of blocklisting this too. but it looks like we check the blocklist before trying to load that bad plugin and crash, or at least the huge drop in crash reports today would indicate that. the other explanation for the big drop in crash bugs is that anti-virus programs are beating us to the punch and removing the files. that would also explain the bug drop in crashes. I guess we would really need the files and an installation set up to test that.
> that would also explain the bug drop in crashes.

it would also explain a *big* drop in crashes ;-)
periodically checking the hourly rate from time to time shows great progress, but progress over the 24 hour period is less than I would have expected. So here is a recap of the profile of crash activity for the few days.

164 total crashes for NPFFAddOn.dll on 20090818-crashdata.csv
115 total crashes for NPFFAddOn.dll on 20090819-crashdata.csv
156 total crashes for NPFFAddOn.dll on 20090820-crashdata.csv
118 total crashes for NPFFAddOn.dll on 20090821-crashdata.csv
11191 total crashes for NPFFAddOn.dll on 20090822-crashdata.csv
18157 total crashes for NPFFAddOn.dll on 20090823-crashdata.csv
12519 total crashes for NPFFAddOn.dll on 20090824-crashdata.csv
10164 total crashes for NPFFAddOn on 20090825-crashdata.csv
5778 start up crashes inside 3 minutes
Summary: KB article: Crash signature - @NPFFAddOn.dll@0x11867 → KB article: Possible Possible Adware.DoubleD related Crash [@NPFFAddOn.dll@0x11867
Summary: KB article: Possible Possible Adware.DoubleD related Crash [@NPFFAddOn.dll@0x11867 → KB article: Possible Adware.DoubleD related Crash [@NPFFAddOn.dll@0x11867
Shouldn't someone add this Bug Id to the Crash report Query Results? -So perhaps at least some would find this Bug easier and know they are Malware infected. Also, if Bug 411425 - "Email or tell users how to fix the crash they just encountered" would have been fixed, I think a mass-mail with detailed Explanation (and Tips how to disinfect) would have been really appreciated by Firefox Users.
Is this bug report for fixing/mitigating the crash or writing an article on it?
> re: comment 23: I just fixed the title so crash-reporter should start showing this bug number in crash reports soon.
> re: comment 24: we can't fix the crash. it appears in the code of the rogue plugin. we don't have that code. all we can do is block its execution.

crash numbers continue to come down as more people get the updated blocklist and/or virus checkers remove the malware from the systems of firefox users.

7260 total crashes for NPFFAddOn on 20090826-crashdata.csv
3983 start up crashes inside 3 minutes
Summary: KB article: Possible Adware.DoubleD related Crash [@NPFFAddOn.dll@0x11867 → KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867 ]
Summary: KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867 ] → KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867, NPFFAddOn.dll@0xceb8, NPFFAddOn.dll@0x11657, PFFAddOn.dll@0xe707, NPFFAddOn.dll@0xe590 ]
Are there any crashes with 'NPFFAddOn.dll' not included in this? We may as well not include the '@0x11867' in the article name.
It's all evil and must be removed from this earth! ;-)
(In reply to comment #24) This bug is about writing an article about it... it's been somewhat hijacked because bug 512406 which was about mitigating has been fixed. Chris, we should have the @(address) part in the article at least because that's what we're being passed from socorro
numbers are still coming down, but only slowly now. The crash still represents about 2.7% of all crashes and that ranks it 4th behind these general areas.

0.0372 total 178950 Flash 6649
0.0676 total 178950 @0x 12096
0.1571 total 178950 NPSWF32.dll 28109

here is the ramp down trend

0.1063 total 170777 NPFFAddon 18157 on 20090823
0.0711 total 175972 NPFFAddon 12519 on 20090824
0.0538 total 188760 NPFFAddon 10164 on 20090825
0.0385 total 188483 NPFFAddon 7260 on 20090826
0.0318 total 184066 NPFFAddon 5849 on 20090827
0.0277 total 178950 NPFFAddon 4962 on 20090828

It might take another week or two before we see the number of crashes to bounce off zero, tells us something about the number of users that have turned off blocklist updates, or that we can't reach with similar kinds of blocking of start up crashes.
Hey cww, that comment you made over in Bug 512406 might make for some interesting analysis...

> FWIW, there's been a huge drop (from ~ 5% of reports to just one) in people
> reporting popup ads that they can't get rid of over the past week.

Here is an interesting way to look at what is going on. So there are other reasons why people might get popup ads, but in this case it seems like it might take over 5% of the user base to be affected by a bug before users start taking the time to visit SUMO and report or view information on the problem. The crash chart below shows 2-3% of users might still be affected by the bug.

0.0010 total 171723 NPFFAddon 164 on 20090818
0.0007 total 171843 NPFFAddon 115 on 20090819
0.0009 total 170241 NPFFAddon 156 on 20090820
0.0007 total 169518 NPFFAddon 118 on 20090821
0.0641 total 174606 NPFFAddon 11191 on 20090822
0.1063 total 170777 NPFFAddon 18157 on 20090823
0.0711 total 175972 NPFFAddon 12519 on 20090824
0.0538 total 188760 NPFFAddon 10164 on 20090825
0.0385 total 188483 NPFFAddon 7260 on 20090826
0.0318 total 184066 NPFFAddon 5849 on 20090827
0.0277 total 178950 NPFFAddon 4962 on 20090828
0.0288 total 176072 NPFFAddon 5072 on 20090829
0.0317 total 164971 NPFFAddon 5229 on 20090830
0.0258 total 172253 NPFFAddon 4445 on 20090831

It would also be interesting to see the trend of KB NPFFAddon/"popup ad" article page views and "popup ad" search counts mixed in for the dates above. Maybe forum posts are down, but if people are searching and using the KB to read about this that would also be an interesting measure of the steps that were taken in this case.
My hypothesis is that this has been generating popups for a while now but only recently became crashy (perhaps updated in the background or released a new version.) A blocklist managed to hit the people with the version that was causing popups but not the one that was doing most of the crashing.
we should make sure woutput_l is also a crash signature in this article
top reported crash on SUMO forums/livechat
Tobbi, So basically, in addition to what we have in the article now:
* specify the name of the adware that causes this crash (Adware-DoubleD)
* add a section reminding users not to download software like celebrity screen savers from unfamiliar websites
I added the things from comment 34, marking FIXED for review.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Reviewed and moved to KB at: Sat 12 of Sep, 2009 23:45 EST
Notes from review:
- I added all the crash sigs from the bug summary
- added some space between the crash sigs and the first paragraph
- rather than repeating all the crash sigs again, I changed it to "Crashes with any of the above signatures are..."
- put the section about downloading from unfamiliar sites in a note.
Status: RESOLVED → VERIFIED
Summary: KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867, NPFFAddOn.dll@0xceb8, NPFFAddOn.dll@0x11657, PFFAddOn.dll@0xe707, NPFFAddOn.dll@0xe590 ] → KB article: Possible Adware.DoubleD related Crash [@ NPFFAddOn.dll@0x11867][@ NPFFAddOn.dll@0xceb8][@ NPFFAddOn.dll@0x11657][@ NPFFAddOn.dll@0xe707][@ NPFFAddOn.dll@0xe590]