Last Comment Bug 512406 - Blocklist NPFFAddOn.dll [@ NPFFAddOn.dll@0x11867]
: Blocklist NPFFAddOn.dll [@ NPFFAddOn.dll@0x11867]
: crash, topcrash
Product: Toolkit
Classification: Components
Component: Blocklisting (show other bugs)
: 3.2
: All All
-- critical (vote)
: ---
Assigned To: Michael Morgan [:morgamic]
: Jorge Villalobos [:jorgev]
Depends on: 512412
Blocks: 494742
  Show dependency treegraph
Reported: 2009-08-24 22:30 PDT by Michael Morgan [:morgamic]
Modified: 2016-03-07 15:30 PST (History)
18 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

install.rdf from this spyware (806 bytes, text/plain)
2009-09-14 12:46 PDT, Matthew Middleton (:zzxc)
no flags Details
target blocklist.xml (2.09 KB, text/xml)
2009-09-28 22:00 PDT, Michael Morgan [:morgamic]
no flags Details
crash counts 20090716-20090930 (1.02 KB, text/plain)
2009-10-01 09:50 PDT, Bob Clary [:bc:]
no flags Details

Description User image Michael Morgan [:morgamic] 2009-08-24 22:30:46 PDT
NPFFAddOn.dll needs to be blocklisted for all apps, all versions.  It is adware.
Comment 1 User image Samuel Sidler (old account; do not CC) 2009-08-24 22:40:55 PDT
I wrote this up not knowing morgamic was filing a bug...

Per bug 512122 and the sheer rate of crashes coming in, we seem to be getting hit by malware that's latching on to Firefox and causing it to crash. afaict, there is no legit website for "NPFFAddOn.dll" which is installed in a "Internet Saving Optimizer" directory.

We should blocklist this dll immediately, the faster the better. It's clearly causing crashes and has spiked up 10 fold in the last two days.

Please block all versions of NPFFAddOn.dll.

If this turns out to be a legit extension, we can unblock it later after it's no longer crashing us.
Comment 2 User image Michael Morgan [:morgamic] 2009-08-24 22:46:41 PDT
INSERT INTO `blplugins` (`name`, `guid`, `min`, `max`, `os`, `xpcomabi`, `description`, `filename`) VALUES (NULL, '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}', NULL, '*', NULL, NULL, NULL, 'NPFFAddOn.dll');
Comment 3 User image Michael Morgan [:morgamic] 2009-08-24 23:02:21 PDT
Needs list item at:

Will wait to see what happens tomorrow.
Comment 4 User image [:Cww] 2009-09-01 07:20:01 PDT
FWIW, there's been a huge drop (from ~ 5% of reports to just one) in people reporting popup ads that they can't get rid of over the past week.
Comment 5 User image Matthew Middleton (:zzxc) 2009-09-08 10:48:53 PDT
From looking at infected files from users, this seems to be loaded as a xpcom component instead of a plugin, despite the np prefix.  Plugin blocklisting doesn't affect this case, so we should also blocklist the wrapper extension that is inserting this component.

The extension is usually in C:\Program Files\Internet Saving Optimizer\ and/or C:\Program Files\Media Access Startup on affected machines.
Comment 6 User image [:Cww] 2009-09-09 11:20:44 PDT
FWIW, we're still seeing crashes but the blocklist may have helped with the popups.
Comment 7 User image Michael Morgan [:morgamic] 2009-09-09 11:23:14 PDT
Should we blocklist the extension component too
Comment 8 User image Matthew Middleton (:zzxc) 2009-09-14 12:46:33 PDT
Created attachment 400564 [details]
install.rdf from this spyware

This is the install.rdf from the Internet Saving Optimizer extension, obtained from a user on

The ID "{2224E955-00E9-4613-A844-CE69FCCAAE91}" should be blocked for all applications, all versions, as well as the name/description of "NP Helper Class".
Comment 9 User image Michael Morgan [:morgamic] 2009-09-14 13:01:55 PDT
We can't blog extensions based on name, but I could add that for plugins.
Comment 10 User image Matthew Middleton (:zzxc) 2009-09-14 14:43:12 PDT
(In reply to comment #9)
> We can't blog extensions based on name, but I could add that for plugins.

I don't think that name has ever been used as a plugin, so blocking it there wouldn't do any good.  In any case, the extension ID should be blocked ASAP.
Comment 11 User image Mike Shaver (:shaver -- probably not reading bugmail closely) 2009-09-28 16:46:47 PDT
Can we do it on the GUID for the extension part?  Is make much crashing for our users, thus sad.
Comment 12 User image Michael Morgan [:morgamic] 2009-09-28 22:00:51 PDT
Created attachment 403424 [details]
target blocklist.xml

Added blocklist entry for {2224e955-00e9-4613-a844-ce69fccaae91}.  This should go out in a few hours; waiting for IT.
Comment 13 User image Michael Morgan [:morgamic] 2009-09-28 22:33:24 PDT
<emItem id="{2224e955-00e9-4613-a844-ce69fccaae91}"/> is on prod.  Resolving.
Comment 14 User image David Baron :dbaron: ⌚️UTC-8 2009-09-30 10:02:53 PDT
For Firefox 3.5.3 crashes within the last 7 days, NPFFAddOn.dll@0x11867 is #18; for crashes in the last 1 day it's #24, so this seems perhaps to be helping a little bit.  Perhaps it takes the blocklist some time to get updated, especially for people who are crashing a lot?
Comment 15 User image Matthew Middleton (:zzxc) 2009-09-30 14:03:41 PDT
The blocklist.xml shipped with the application
( does
not yet include this update, so new users who crash on startup won't be
Comment 16 User image Bob Clary [:bc:] 2009-10-01 09:50:30 PDT
Created attachment 404060 [details]
crash counts 20090716-20090930
Comment 17 User image David Baron :dbaron: ⌚️UTC-8 2009-10-01 11:13:35 PDT
For the last 1 day period, the crashes (Windows Firefox 3.5.3) are back to #14, so I don't think this helped.
Comment 18 User image Mike Shaver (:shaver -- probably not reading bugmail closely) 2009-10-29 08:51:33 PDT
dtownsend: see comment 15, please.  Need to update the shipped blocklist.xml ASAP.

Note You need to log in before you can comment on or make changes to this bug.