Blocklist NPFFAddOn.dll [@ NPFFAddOn.dll@0x11867]




10 years ago
3 years ago


(Reporter: morgamic, Assigned: morgamic)


({crash, topcrash})

crash, topcrash
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)


(crash signature)


(3 attachments)



10 years ago
NPFFAddOn.dll needs to be blocklisted for all apps, all versions.  It is adware.
I wrote this up not knowing morgamic was filing a bug...

Per bug 512122 and the sheer rate of crashes coming in, we seem to be getting hit by malware that's latching on to Firefox and causing it to crash. afaict, there is no legit website for "NPFFAddOn.dll" which is installed in a "Internet Saving Optimizer" directory.

We should blocklist this dll immediately, the faster the better. It's clearly causing crashes and has spiked up 10 fold in the last two days.

Please block all versions of NPFFAddOn.dll.

If this turns out to be a legit extension, we can unblock it later after it's no longer crashing us.

Comment 2

10 years ago
INSERT INTO `blplugins` (`name`, `guid`, `min`, `max`, `os`, `xpcomabi`, `description`, `filename`) VALUES (NULL, '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}', NULL, '*', NULL, NULL, NULL, 'NPFFAddOn.dll');


10 years ago
Depends on: 512412

Comment 3

10 years ago
Needs list item at:

Will wait to see what happens tomorrow.
Last Resolved: 10 years ago
Resolution: --- → FIXED

Comment 4

10 years ago
FWIW, there's been a huge drop (from ~ 5% of reports to just one) in people reporting popup ads that they can't get rid of over the past week.
From looking at infected files from users, this seems to be loaded as a xpcom component instead of a plugin, despite the np prefix.  Plugin blocklisting doesn't affect this case, so we should also blocklist the wrapper extension that is inserting this component.

The extension is usually in C:\Program Files\Internet Saving Optimizer\ and/or C:\Program Files\Media Access Startup on affected machines.

Comment 6

10 years ago
FWIW, we're still seeing crashes but the blocklist may have helped with the popups.

Comment 7

10 years ago
Should we blocklist the extension component too
Created attachment 400564 [details]
install.rdf from this spyware

This is the install.rdf from the Internet Saving Optimizer extension, obtained from a user on

The ID "{2224E955-00E9-4613-A844-CE69FCCAAE91}" should be blocked for all applications, all versions, as well as the name/description of "NP Helper Class".
Severity: normal → critical
Resolution: FIXED → ---

Comment 9

10 years ago
We can't blog extensions based on name, but I could add that for plugins.
(In reply to comment #9)
> We can't blog extensions based on name, but I could add that for plugins.

I don't think that name has ever been used as a plugin, so blocking it there wouldn't do any good.  In any case, the extension ID should be blocked ASAP.
Can we do it on the GUID for the extension part?  Is make much crashing for our users, thus sad.
Keywords: topcrash
Summary: Blocklist NPFFAddOn.dll → Blocklist NPFFAddOn.dll [@ NPFFAddOn.dll@0x11867]

Comment 12

10 years ago
Created attachment 403424 [details]
target blocklist.xml

Added blocklist entry for {2224e955-00e9-4613-a844-ce69fccaae91}.  This should go out in a few hours; waiting for IT.

Comment 13

10 years ago
<emItem id="{2224e955-00e9-4613-a844-ce69fccaae91}"/> is on prod.  Resolving.
Last Resolved: 10 years ago10 years ago
Resolution: --- → FIXED
For Firefox 3.5.3 crashes within the last 7 days, NPFFAddOn.dll@0x11867 is #18; for crashes in the last 1 day it's #24, so this seems perhaps to be helping a little bit.  Perhaps it takes the blocklist some time to get updated, especially for people who are crashing a lot?
The blocklist.xml shipped with the application
( does
not yet include this update, so new users who crash on startup won't be
Keywords: crash

Comment 16

10 years ago
Created attachment 404060 [details]
crash counts 20090716-20090930
For the last 1 day period, the crashes (Windows Firefox 3.5.3) are back to #14, so I don't think this helped.
Blocks: 494742
dtownsend: see comment 15, please.  Need to update the shipped blocklist.xml ASAP.
Crash Signature: [@ NPFFAddOn.dll@0x11867]
Product: → Toolkit
You need to log in before you can comment on or make changes to this bug.