Closed
Bug 554660
Opened 14 years ago
Closed 6 years ago
New fast rising crash [@ __from_strstr_to_strchr ]
Categories
(Core :: General, defect)
RESOLVED
INCOMPLETE
People
(Reporter: chofmann, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, Whiteboard: [crashkill][explosive])
Crash Data
20100308-crashdata 54 __from_strstr_to_strchr
20100309-crashdata 72 __from_strstr_to_strchr
20100310-crashdata 86 __from_strstr_to_strchr
20100311-crashdata 83 __from_strstr_to_strchr
20100312-crashdata 67 __from_strstr_to_strchr
20100313-crashdata 46 __from_strstr_to_strchr
20100314-crashdata 47 __from_strstr_to_strchr
20100315-crashdata 123 __from_strstr_to_strchr
20100316-crashdata 131 __from_strstr_to_strchr
20100317-crashdata 449 __from_strstr_to_strchr
20100318-crashdata 445 __from_strstr_to_strchr
20100319-crashdata 564 __from_strstr_to_strchr
20100320-crashdata 606 __from_strstr_to_strchr
20100321-crashdata 658 __from_strstr_to_strchr
20100322-crashdata 743 __from_strstr_to_strchr

not much to go on on the stack

0 ntdll.dll __from_strstr_to_strchr
1 ntdll.dll strstr
2 ntdll.dll RtlpWorkerCallout
3 ntdll.dll RtlpExecuteWorkerRequest
4 ntdll.dll RtlpApcCallout
5 ntdll.dll RtlpExecuteWorkerRequest
6 kernel32.dll BaseThreadStart

most user comments are in foreign languages.

www.Studivz.de Submitted: 2010-03-23 17:04:23-07
qs Submitted: 2010-03-23 20:29:52-07
[Russian] Updated, damn it, and brought trouble on myself :(((((((((((( Submitted: 2010-03-23 14:11:23-07
[Russian] a total disaster............. Submitted: 2010-03-23 14:12:43-07
pishing links Submitted: 2010-03-23 23:01:15-07
[German] The crashes almost always occur on the first start Submitted: 2010-03-23 23:03:14-07

Mostly affects 3.6, and it's starting to rise on 3.6.2

all 346949 743 0.00214153
3.0.16 282 2 0.0070922
3.0.18 11836 18 0.00152078
3.5.5 2323 9 0.0038743
3.5.6 1203 3 0.00249377
3.5.7 3069 5 0.0016292
3.5.8 38487 78 0.00202666
3.6 255251 600 0.00235063
3.6.2 3318 8 0.00241109
3.6b5 911 6 0.00658617
3.7a1 61 0
3.7a1pre240 0

URLs look like general browsing patterns at first glance

domains of sites

44 \N//
43 about:blank//
26 http://www.facebook.com
26 http://apps.facebook.com
16 http://www.google.com
16 http://www.google.co.in
9 http://www.youtube.com
9 http://www.yahoo.com
8 http://www.orkut.co.in
7 https://www.google.com
7 http://www.mozilla.com
7 http://thepiratebay.org
6 //
4 https://login.facebook.com
4 http://yandex.ru
4 http://www.myspace.com
4 http://www.google.com.my
4 http://vkontakte.ru
4 http://images.google.co.in
4 http://home.myspace.com
<long tail removed>
Reporter
Updated•14 years ago
Whiteboard: [crashkill][explosive]
Reporter
Comment 1•14 years ago
some correlation to Kaspersky

61% (294/484) vs. 3% (6051/182553) KavLinkFilter.dll

which is installed in c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

and other correlation to

77% (372/484) vs. 4% (7671/182553) mzvkbd3.dll
61% (293/484) vs. 3% (5327/182553) params.ppl
61% (293/484) vs. 3% (5327/182553) pxstub.ppl
61% (293/484) vs. 3% (5411/182553) prremote.dll
61% (293/484) vs. 3% (5412/182553) prloader.dll
60% (291/484) vs. 3% (5156/182553) WinReg.ppl
60% (291/484) vs. 3% (5157/182553) filemap.ppl
60% (291/484) vs. 3% (5157/182553) propmap.ppl
60% (291/484) vs. 3% (5157/182553) nfio.ppl
60% (291/484) vs. 3% (5236/182553) kltbar.dll
60% (291/484) vs. 3% (5237/182553) klwtblc.dll
Reporter
Comment 2•14 years ago
http://www.spydig.com/file-diagnosis/kltbar-dll.html says kltbar.dll is spyware.

need to look closer to see if all these are connected

60% (291/484) vs. 3% (5156/182553) WinReg.ppl
60% (291/484) vs. 3% (5157/182553) filemap.ppl
60% (291/484) vs. 3% (5157/182553) propmap.ppl
60% (291/484) vs. 3% (5157/182553) nfio.ppl
60% (291/484) vs. 3% (5236/182553) kltbar.dll
60% (291/484) vs. 3% (5237/182553) klwtblc.dll
Reporter
Updated•14 years ago
Blocks: malware-attacks
Comment 3•14 years ago
This crash shows up on the trunk as well but of course in much lesser numbers: http://tinyurl.com/ybnqr2y. Also found this thread re: the linkfilter: http://tinyurl.com/y9uu5gx. Probably worth getting a copy of Kaspersky 2010?
Comment 4•14 years ago
I can download the 30 day trial and give it a whirl.
Reporter
Comment 6•14 years ago
re: comment 5

I wonder what this means?

<AVZ_CollectSysInfo>
...
C:\Dokumente und Einstellungen\All Users\Desktop\Kaspersky Lab Tool\prkernel.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\dokumente und einstellungen\all users\desktop\kaspersky lab tool\pxstub.ppl --> Suspicion for a Keylogger or Trojan DLL

is that - AVZ Antiviral Toolkit finding a false positive in Kaspersky, or is it a keylogger that has installed into the Kaspersky files?

I've got a new contact at Kaspersky that I check with to see if they can shed some light on what is going on.

http://209.85.129.132/search?q=cache:dSs98cP-pO4J:www.bleepingcomputer.com/forums/topic280530.html+AVZ_CollectSysInfo+Suspicion+for+a+Keylogger+or+Trojan+DLL&cd=2&hl=en&ct=clnk&client=firefox-a seems to have an example of the output, it seems like that's just one step in the sequence, however, it doesn't seem like those files are normally identified, which makes me suspicious.

i'm traveling today and will be relatively inaccessible for a while.

http://forum.kaspersky.com/index.php?showtopic=57493 is odd

the other hits i'm getting are for IIS's md5 filter

I think http://www.spydig.com/file-diagnosis/avgvault-dll.html is just a fake site.

> How to Manually Remove Spyware?
> 1. Check the Registry entries RUN, RUNSERVEICE [sic] in the Registry.

the following have users fingering Kaspersky:

bp-a0ef3cd1-3dd5-4052-8ba0-be5622100325
bp-36ec9b63-9e3b-41fd-851e-34c092100325
bp-abc0f86c-82c3-4926-ad98-73fac2100325
Reporter
Comment 8•14 years ago
now up over 1100 crashes per day.

date crashes at __from_strstr_to_strchr
20100420 942
20100421 1021
20100422 1031
20100423 1017
20100424 958
20100425 934
20100426 1180
20100427 1060
20100428 1122
20100429 1043
Comment 9•14 years ago
I did install the 30 day trial on the Windows Vista lab machine but I never did encounter one of these crashes. I can try again on another machine.
Reporter
Comment 10•14 years ago
there is 100% correlation to rasapi32.dll which is a windows library for handling dial up connections. maybe slow or dial up connections play a role in the crash. also 100% correlation to imagehlp.dll.

some particular images over dial up using these possible versions of Kaspersky or the .dll's listed below

9.0.0.740
9.0.0.736

might be keys to reproducing.

61% (130/212) vs. 4% (9688/217420) mzvkbd3.dll
    3% (7/212) vs. 0% (604/217420) 8.0.0.454
    3% (7/212) vs. 0% (1056/217420) 8.0.0.522
    1% (2/212) vs. 0% (241/217420) 8.0.0.523
    1% (2/212) vs. 0% (109/217420) 9.0.0.192
    12% (25/212) vs. 1% (2014/217420) 9.0.0.464
    40% (85/212) vs. 2% (5326/217420) 9.0.0.740
57% (120/212) vs. 4% (8238/217420) KavLinkFilter.dll
    1% (2/212) vs. 0% (99/217420) 9.0.0.192
    7% (14/212) vs. 0% (996/217420) 9.0.0.459
    7% (15/212) vs. 1% (1306/217420) 9.0.0.463
    42% (89/212) vs. 3% (5778/217420) 9.0.0.736
    0% (0/212) vs. 0% (3/217420) 9.0.0.747
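Added example (not part of the bug thread and not the crash-stats tooling itself): one way figures of the form "61% (294/484) vs. 3% (6051/182553)" can be derived, by comparing how often a module is loaded in crashes with this signature against how often it is loaded across all crash reports. The report tuples, the counts, the "other_signature" name and the min_gap threshold are constructed assumptions; the baseline is assumed to be all reports, including those with the signature.

```python
from collections import Counter

def module_correlations(reports, signature, min_gap=0.10):
    """Rank modules over-represented in crashes that carry `signature`.

    reports: iterable of (signature, set_of_loaded_module_names).
    Returns rows (module, sig_hits, sig_total, all_hits, all_total), sorted by
    the gap between the in-signature rate and the overall rate.
    """
    sig_total = all_total = 0
    sig_hits, all_hits = Counter(), Counter()
    for sig, modules in reports:
        all_total += 1
        all_hits.update(set(modules))
        if sig == signature:
            sig_total += 1
            sig_hits.update(set(modules))
    if sig_total == 0:
        return []
    rows = []
    for module, hits in sig_hits.items():
        gap = hits / sig_total - all_hits[module] / all_total
        # A module present in every crash of every kind has a gap near zero
        # and says nothing about this signature, so it is dropped here.
        if gap >= min_gap:
            rows.append((module, hits, sig_total, all_hits[module], all_total))
    rows.sort(key=lambda r: (r[1] / r[2] - r[3] / r[4], r[0]), reverse=True)
    return rows

def format_row(row):
    """Render a row in the '<pct> (a/b) vs. <pct> (c/d) module' layout."""
    module, sh, st, ah, at = row
    return (f"{round(100 * sh / st)}% ({sh}/{st}) vs. "
            f"{round(100 * ah / at)}% ({ah}/{at}) {module}")

SIG = "__from_strstr_to_strchr"
# Constructed sample: 5 reports with the signature, 15 without.
SAMPLE = (
    [(SIG, {"ntdll.dll", "mzvkbd3.dll", "KavLinkFilter.dll"})] * 3
    + [(SIG, {"ntdll.dll", "mzvkbd3.dll"})]
    + [(SIG, {"ntdll.dll"})]
    + [("other_signature", {"ntdll.dll", "mzvkbd3.dll"})]
    + [("other_signature", {"ntdll.dll"})] * 14
)

if __name__ == "__main__":
    for row in module_correlations(SAMPLE, SIG):
        print(format_row(row))
```

A high in-signature rate only counts as a lead when the overall rate is low; the gap filter is what separates the two cases in this sketch.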
Comment 11•13 years ago
Very steep rise again in the last days. Was 0.4-0.5 crashes per 1M ADU the days before, both 2011-03-08 and 2011-03-09 have been at ~4.5 crashes per 1M ADU (that's probably 600-700 total), so a factor 10 rise, roughly.
Comment 12•13 years ago
It is #30 top crasher in 4.0 over the last 3 days.
Assignee
Updated•13 years ago
Crash Signature: [@ __from_strstr_to_strchr ]
Comment 13•8 years ago
Crash volume for signature '__from_strstr_to_strchr':
 - nightly (version 50): 0 crashes from 2016-06-06.
 - aurora  (version 49): 0 crashes from 2016-06-07.
 - beta    (version 48): 8 crashes from 2016-06-06.
 - release (version 47): 37 crashes from 2016-05-31.
 - esr     (version 45): 1 crash from 2016-04-07.

Crash volume on the last weeks:
             W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly        0       0       0       0       0       0       0
 - aurora         0       0       0       0       0       0       0
 - beta           0       3       4       0       1       0       0
 - release        6       4       6       8       2       2       7
 - esr            0       0       0       0       0       0       1

Affected platform: Windows
status-firefox47:
--- → affected
status-firefox48:
--- → affected
status-firefox-esr45:
--- → affected
Comment 14•6 years ago
I sampled 7 crash reports and 6 of them are nvdahelperremote.dll which is bug 1403590. That means the original stack reported here is rare at best.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
Updated•2 years ago