Closed Bug 516743 Opened 11 years ago Closed 3 years ago

crash [@ protect.dll@0x3182 ] -- block protect.dll?

Categories

(Firefox :: Security, defect)

3.5 Branch
x86
macOS
defect
Not set

RESOLVED WORKSFORME

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: user-doc-needed, Whiteboard: [notacrash])

Crash Data

saw this comment in crash reports from today.

protect.dll@0x3182
        I have developed some type of problem with my web browsing that consists of all hyperlinks of all sites going to either globexonline.com or thefeedyard.com. I believe this virus has caused the crash and am having trouble fixing it.
        http://www.google.com/search?q=register+mcafee&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
        Firefox 3.0.14 Windows NT 6.0.6001 Service Pack 1
          20090914-crashdata.csv http://crash-stats.mozilla.com/report/index/27d81425-7699-49e2-87b1-108642090913

protect.dll appears to be associated with a variety of threats

http://www.threatexpert.com/files/protect.dll.html

need to keep an eye out for an increased number of crashes and instances of this .dll.
instances of protect.dll in 20090901-crashdata.csv      271
instances of protect.dll in 20090902-crashdata.csv      207
instances of protect.dll in 20090903-crashdata.csv      168
instances of protect.dll in 20090904-crashdata.csv      191
instances of protect.dll in 20090905-crashdata.csv      164
instances of protect.dll in 20090906-crashdata.csv      197
instances of protect.dll in 20090907-crashdata.csv      193
instances of protect.dll in 20090908-crashdata.csv      157
instances of protect.dll in 20090909-crashdata.csv      134
instances of protect.dll in 20090910-crashdata.csv      109
instances of protect.dll in 20090911-crashdata.csv      109
instances of protect.dll in 20090912-crashdata.csv      140
instances of protect.dll in 20090913-crashdata.csv      125
instances of protect.dll in 20090914-crashdata.csv      145
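
One way to automate the "keep an eye out for an increase" check on the counts above. This is an added example, not part of the original bug report or any Mozilla tooling; the 7-day window, the 2-sigma threshold and the extra 20090915 data point are assumptions made for illustration.

```python
import re
from statistics import mean, stdev

LINE_RE = re.compile(r"instances of \S+ in (\d{8})-crashdata\.csv\s+(\d+)")

# Counts copied from the report above, in its own line format.
REPORT = """\
instances of protect.dll in 20090901-crashdata.csv      271
instances of protect.dll in 20090902-crashdata.csv      207
instances of protect.dll in 20090903-crashdata.csv      168
instances of protect.dll in 20090904-crashdata.csv      191
instances of protect.dll in 20090905-crashdata.csv      164
instances of protect.dll in 20090906-crashdata.csv      197
instances of protect.dll in 20090907-crashdata.csv      193
instances of protect.dll in 20090908-crashdata.csv      157
instances of protect.dll in 20090909-crashdata.csv      134
instances of protect.dll in 20090910-crashdata.csv      109
instances of protect.dll in 20090911-crashdata.csv      109
instances of protect.dll in 20090912-crashdata.csv      140
instances of protect.dll in 20090913-crashdata.csv      125
instances of protect.dll in 20090914-crashdata.csv      145
"""

def parse_counts(text):
    """Return [(yyyymmdd, count), ...] sorted by date."""
    rows = [(m.group(1), int(m.group(2))) for m in LINE_RE.finditer(text)]
    return sorted(rows)

def flag_increases(rows, window=7, sigmas=2.0):
    """Flag days whose count exceeds mean + sigmas*stdev of the prior `window` days.

    window and sigmas are assumed tuning values, not taken from the bug report.
    """
    alerts = []
    for i in range(window, len(rows)):
        base = [c for _, c in rows[i - window:i]]
        threshold = mean(base) + sigmas * stdev(base)
        day, count = rows[i]
        if count > threshold:
            alerts.append((day, count, round(threshold, 1)))
    return alerts

if __name__ == "__main__":
    rows = parse_counts(REPORT)
    print("alerts on reported data:", flag_increases(rows))
    # Constructed extra day, to show what a flagged increase looks like.
    print("with constructed spike:", flag_increases(rows + [("20090915", 320)]))
```

On the reported two weeks the counts trend downward, so nothing is flagged; only the constructed extra day trips the threshold.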

both globexonline.com and thefeedyard.com appear to be registered to anonymous site owners in ru.

Domain servers in listed order:
    ns2.x-casino.biz
    ns1.x-casino.biz

Registrant:
    loads
    dewfewfer        *********@ya.ru)
    ewfewqfe
    Dneefwqf
    Dnipropetrovsk Oblast,49000
    UA
    Tel. +380.0979625314

we should add this one to the malware stuff on sumo.  the number of crashes is currently running just below x86.dll reports.  might be 2nd overall in malware related crashes.
Keywords: user-doc-needed
We can't block random dlls. We can block plugins (npXXXX.dll) and addons (which might prevent them loading dlls). There are purely Windows mechanisms for injecting libraries into other processes that are currently out of our control. If we get Electrolysis running we might be able to block dlls in child processes the way green-border does in Chrome.
Whiteboard: [notacrash]
I'm marking this bug as WORKSFORME as the bug's crash log signature hasn't appeared for a long time (over half a year).
Status: NEW → RESOLVED
Crash Signature: [@ protect.dll@0x3182 ]
Closed: 3 years ago
Resolution: --- → WORKSFORME