Closed Bug 554660 Opened 16 years ago Closed 8 years ago

New fast rising crash [@ __from_strstr_to_strchr ]

Categories

(Core :: General, defect)

x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox47 --- wontfix
firefox48 --- wontfix
firefox-esr45 --- wontfix

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [crashkill][explosive])

Crash Data

  20100308-crashdata 54 __from_strstr_to_strchr
  20100309-crashdata 72 __from_strstr_to_strchr
  20100310-crashdata 86 __from_strstr_to_strchr
  20100311-crashdata 83 __from_strstr_to_strchr
  20100312-crashdata 67 __from_strstr_to_strchr
  20100313-crashdata 46 __from_strstr_to_strchr
  20100314-crashdata 47 __from_strstr_to_strchr
  20100315-crashdata 123 __from_strstr_to_strchr
  20100316-crashdata 131 __from_strstr_to_strchr
  20100317-crashdata 449 __from_strstr_to_strchr
  20100318-crashdata 445 __from_strstr_to_strchr
  20100319-crashdata 564 __from_strstr_to_strchr
  20100320-crashdata 606 __from_strstr_to_strchr
  20100321-crashdata 658 __from_strstr_to_strchr
  20100322-crashdata 743 __from_strstr_to_strchr
not much to go on on the stack
  0 ntdll.dll __from_strstr_to_strchr
  1 ntdll.dll strstr
  2 ntdll.dll RtlpWorkerCallout
  3 ntdll.dll RtlpExecuteWorkerRequest
  4 ntdll.dll RtlpApcCallout
  5 ntdll.dll RtlpExecuteWorkerRequest
  6 kernel32.dll BaseThreadStart
most user comments are in foreign languages.
  www.Studivz.de
    Submitted: 2010-03-23 17:04:23-07
  qs
    Submitted: 2010-03-23 20:29:52-07
  [translated from Russian] Updated, damn it, and brought trouble on myself :((((((((((((
    Submitted: 2010-03-23 14:11:23-07
  [translated from Russian] a complete disaster.............
    Submitted: 2010-03-23 14:12:43-07
  pishing links
    Submitted: 2010-03-23 23:01:15-07
  [translated from German] The crashes almost always occur on the first start
    Submitted: 2010-03-23 23:03:14-07
Mostly affects 3.6, and it's starting to rise on 3.6.2
  all 346949 743 0.00214153
  3.0.16 282 2 0.0070922
  3.0.18 11836 18 0.00152078
  3.5.5 2323 9 0.0038743
  3.5.6 1203 3 0.00249377
  3.5.7 3069 5 0.0016292
  3.5.8 38487 78 0.00202666
  3.6 255251 600 0.00235063
  3.6.2 3318 8 0.00241109
  3.6b5 911 6 0.00658617
  3.7a1 61 0
  3.7a1pre240 0
URLs look like general browsing patterns at first glance
domains of sites
  44 \N//
  43 about:blank//
  26 http://www.facebook.com
  26 http://apps.facebook.com
  16 http://www.google.com
  16 http://www.google.co.in
  9 http://www.youtube.com
  9 http://www.yahoo.com
  8 http://www.orkut.co.in
  7 https://www.google.com
  7 http://www.mozilla.com
  7 http://thepiratebay.org
  6 //
  4 https://login.facebook.com
  4 http://yandex.ru
  4 http://www.myspace.com
  4 http://www.google.com.my
  4 http://vkontakte.ru
  4 http://images.google.co.in
  4 http://home.myspace.com
  <long tail removed>
some correlation to Kaspersky
  61% (294/484) vs. 3% (6051/182553) KavLinkFilter.dll
which is installed in c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
and other correlation to
  77% (372/484) vs. 4% (7671/182553) mzvkbd3.dll
  61% (293/484) vs. 3% (5327/182553) params.ppl
  61% (293/484) vs. 3% (5327/182553) pxstub.ppl
  61% (293/484) vs. 3% (5411/182553) prremote.dll
  61% (293/484) vs. 3% (5412/182553) prloader.dll
  60% (291/484) vs. 3% (5156/182553) WinReg.ppl
  60% (291/484) vs. 3% (5157/182553) filemap.ppl
  60% (291/484) vs. 3% (5157/182553) propmap.ppl
  60% (291/484) vs. 3% (5157/182553) nfio.ppl
  60% (291/484) vs. 3% (5236/182553) kltbar.dll
  60% (291/484) vs. 3% (5237/182553) klwtblc.dll
http://www.spydig.com/file-diagnosis/kltbar-dll.html says kltbar.dll is spyware. need to look closer to see if all these are connected
  60% (291/484) vs. 3% (5156/182553) WinReg.ppl
  60% (291/484) vs. 3% (5157/182553) filemap.ppl
  60% (291/484) vs. 3% (5157/182553) propmap.ppl
  60% (291/484) vs. 3% (5157/182553) nfio.ppl
  60% (291/484) vs. 3% (5236/182553) kltbar.dll
  60% (291/484) vs. 3% (5237/182553) klwtblc.dll
This crash shows up on the trunk as well but of course in much lesser numbers: http://tinyurl.com/ybnqr2y. Also found this thread re: the linkfilter: http://tinyurl.com/y9uu5gx. Probably worth getting a copy of Kaspersky 2010?
I can download the 30 day trial and give it a whirl.
re: comment 5 I wonder what this means?
  <AVZ_CollectSysInfo> ...
  C:\Dokumente und Einstellungen\All Users\Desktop\Kaspersky Lab Tool\prkernel.ppl --> Suspicion for a Keylogger or Trojan DLL
  c:\dokumente und einstellungen\all users\desktop\kaspersky lab tool\pxstub.ppl --> Suspicion for a Keylogger or Trojan DLL
is that - AVZ Antiviral Toolkit finding a false positive in Kaspersky, or is it a keylogger that has installed into the Kaspersky files? I've got a new contact at Kaspersky that I check with to see if they can shed some light on what is going on.
http://209.85.129.132/search?q=cache:dSs98cP-pO4J:www.bleepingcomputer.com/forums/topic280530.html+AVZ_CollectSysInfo+Suspicion+for+a+Keylogger+or+Trojan+DLL&cd=2&hl=en&ct=clnk&client=firefox-a seems to have an example of the output, it seems like that's just one step in the sequence, however, it doesn't seem like those files are normally identified, which makes me suspicious.
i'm traveling today and will be relatively inaccessible for a while.
http://forum.kaspersky.com/index.php?showtopic=57493 is odd
the other hits i'm getting are for IIS's md5 filter
I think http://www.spydig.com/file-diagnosis/avgvault-dll.html is just a fake site.
> How to Manually Remove Spyware?
> 1. Check the Registry entries RUN, RUNSERVEICE [sic] in the Registry.
the following have users fingering kaspersky:
  bp-a0ef3cd1-3dd5-4052-8ba0-be5622100325
  bp-36ec9b63-9e3b-41fd-851e-34c092100325
  bp-abc0f86c-82c3-4926-ad98-73fac2100325
now up over 1100 crashes per day.
  date      crashes at __from_strstr_to_strchr
  20100420  942
  20100421  1021
  20100422  1031
  20100423  1017
  20100424  958
  20100425  934
  20100426  1180
  20100427  1060
  20100428  1122
  20100429  1043
I did install the 30 day trial on the Windows Vista lab machine but I never did encounter one of these crashes. I can try again on another machine.
there is 100% correlation to rasapi32.dll which is a windows library for handling dial up connections. maybe slow or dial up connections play a role in the crash. also 100% correlation to imagehlp.dll. some particular images over dial up using these possible versions of Kaspersky or the .dll's listed below
  9.0.0.740
  9.0.0.736
might be keys to reproducing.
  61% (130/212) vs. 4% (9688/217420) mzvkbd3.dll
     3% (7/212) vs. 0% (604/217420) 8.0.0.454
     3% (7/212) vs. 0% (1056/217420) 8.0.0.522
     1% (2/212) vs. 0% (241/217420) 8.0.0.523
     1% (2/212) vs. 0% (109/217420) 9.0.0.192
     12% (25/212) vs. 1% (2014/217420) 9.0.0.464
     40% (85/212) vs. 2% (5326/217420) 9.0.0.740
  57% (120/212) vs. 4% (8238/217420) KavLinkFilter.dll
     1% (2/212) vs. 0% (99/217420) 9.0.0.192
     7% (14/212) vs. 0% (996/217420) 9.0.0.459
     7% (15/212) vs. 1% (1306/217420) 9.0.0.463
     42% (89/212) vs. 3% (5778/217420) 9.0.0.736
     0% (0/212) vs. 0% (3/217420) 9.0.0.747
Very steep rise again in the last days. Was 0.4-0.5 crashes per 1M ADU the days before, both 2011-03-08 and 2011-03-09 have been at ~4.5 crashes per 1M ADU (that's probably 600-700 total), so a factor of 10 rise, roughly.
It is #30 top crasher in 4.0 over the last 3 days.
Crash Signature: [@ __from_strstr_to_strchr ]
Crash volume for signature '__from_strstr_to_strchr':
 - nightly (version 50): 0 crashes from 2016-06-06.
 - aurora (version 49): 0 crashes from 2016-06-07.
 - beta (version 48): 8 crashes from 2016-06-06.
 - release (version 47): 37 crashes from 2016-05-31.
 - esr (version 45): 1 crash from 2016-04-07.
Crash volume on the last weeks:
             W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly   0       0       0       0       0       0       0
 - aurora    0       0       0       0       0       0       0
 - beta      0       3       4       0       1       0       0
 - release   6       4       6       8       2       2       7
 - esr       0       0       0       0       0       0       1
Affected platform: Windows
I sampled 7 crash reports and 6 of them are nvdahelperremote.dll which is bug 1403590. That means the original stack reported here is rare at best.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE