Closed Bug 554660 Opened 14 years ago Closed 6 years ago

New fast rising crash [@ __from_strstr_to_strchr ]

Categories

(Core :: General, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED INCOMPLETE
Tracking Status
firefox47 --- wontfix
firefox48 --- wontfix
firefox-esr45 --- wontfix

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [crashkill][explosive])

Crash Data

20100308-crashdata 54 __from_strstr_to_strchr
20100309-crashdata 72 __from_strstr_to_strchr
20100310-crashdata 86 __from_strstr_to_strchr
20100311-crashdata 83 __from_strstr_to_strchr
20100312-crashdata 67 __from_strstr_to_strchr
20100313-crashdata 46 __from_strstr_to_strchr
20100314-crashdata 47 __from_strstr_to_strchr
20100315-crashdata 123 __from_strstr_to_strchr
20100316-crashdata 131 __from_strstr_to_strchr
20100317-crashdata 449 __from_strstr_to_strchr
20100318-crashdata 445 __from_strstr_to_strchr
20100319-crashdata 564 __from_strstr_to_strchr
20100320-crashdata 606 __from_strstr_to_strchr
20100321-crashdata 658 __from_strstr_to_strchr
20100322-crashdata 743 __from_strstr_to_strchr


not much to go on on the stack

0  	ntdll.dll  	__from_strstr_to_strchr  	
1 	ntdll.dll 	strstr 	
2 	ntdll.dll 	RtlpWorkerCallout 	
3 	ntdll.dll 	RtlpExecuteWorkerRequest 	
4 	ntdll.dll 	RtlpApcCallout 	
5 	ntdll.dll 	RtlpExecuteWorkerRequest 	
6 	kernel32.dll 	BaseThreadStart

most user comments are in foreign languages.

www.Studivz.de
Submitted: 2010-03-23 17:04:23-07
qs
Submitted: 2010-03-23 20:29:52-07
[in Russian] Updated, damn it, to my own regret :((((((((((((
Submitted: 2010-03-23 14:11:23-07
[in Russian] a total disaster.............
Submitted: 2010-03-23 14:12:43-07
phishing links
Submitted: 2010-03-23 23:01:15-07
[in German] The crashes almost always occur on the first start
Submitted: 2010-03-23 23:03:14-07

Mostly affects 3.6, and it's starting to rise on 3.6.2

all     346949  743     0.00214153
3.0.16  282     2       0.0070922
3.0.18  11836   18      0.00152078
3.5.5   2323    9       0.0038743
3.5.6   1203    3       0.00249377
3.5.7   3069    5       0.0016292
3.5.8   38487   78      0.00202666
3.6     255251  600     0.00235063
3.6.2   3318    8       0.00241109
3.6b5   911     6       0.00658617
3.7a1   61              0
3.7a1pre 240            0


URLs look like general browsing patterns at first glance

domains of sites
  44 \N//
  43 about:blank//
  26 http://www.facebook.com
  26 http://apps.facebook.com
  16 http://www.google.com
  16 http://www.google.co.in
   9 http://www.youtube.com
   9 http://www.yahoo.com
   8 http://www.orkut.co.in
   7 https://www.google.com
   7 http://www.mozilla.com
   7 http://thepiratebay.org
   6 //
   4 https://login.facebook.com
   4 http://yandex.ru
   4 http://www.myspace.com
   4 http://www.google.com.my
   4 http://vkontakte.ru
   4 http://images.google.co.in
   4 http://home.myspace.com
<long tail removed>
Whiteboard: [crashkill][explosive]
some correlation to Kaspersky

61% (294/484) vs.   3% (6051/182553) KavLinkFilter.dll which is installed in

c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

and other correlation to

77% (372/484) vs.   4% (7671/182553) mzvkbd3.dll
61% (293/484) vs.   3% (5327/182553) params.ppl
61% (293/484) vs.   3% (5327/182553) pxstub.ppl
61% (293/484) vs.   3% (5411/182553) prremote.dll
61% (293/484) vs.   3% (5412/182553) prloader.dll
60% (291/484) vs.   3% (5156/182553) WinReg.ppl
60% (291/484) vs.   3% (5157/182553) filemap.ppl
60% (291/484) vs.   3% (5157/182553) propmap.ppl
60% (291/484) vs.   3% (5157/182553) nfio.ppl
60% (291/484) vs.   3% (5236/182553) kltbar.dll
60% (291/484) vs.   3% (5237/182553) klwtblc.dll
http://www.spydig.com/file-diagnosis/kltbar-dll.html says kltbar.dll is spyware.

need to look closer to see if all these are connected

60% (291/484) vs.   3% (5156/182553) WinReg.ppl
60% (291/484) vs.   3% (5157/182553) filemap.ppl
60% (291/484) vs.   3% (5157/182553) propmap.ppl
60% (291/484) vs.   3% (5157/182553) nfio.ppl
60% (291/484) vs.   3% (5236/182553) kltbar.dll
60% (291/484) vs.   3% (5237/182553) klwtblc.dll
This crash shows up on the trunk as well but of course in much lesser numbers: http://tinyurl.com/ybnqr2y.

Also found this thread re: the linkfilter: http://tinyurl.com/y9uu5gx. Probably worth getting a copy of Kaspersky 2010?
I can download the 30 day trial and give it a whirl.
re: comment 5

I wonder what this means?

<AVZ_CollectSysInfo>
...
C:\Dokumente und Einstellungen\All Users\Desktop\Kaspersky Lab Tool\prkernel.ppl --> Suspicion for a Keylogger or Trojan DLL
c:\dokumente und einstellungen\all users\desktop\kaspersky lab tool\pxstub.ppl --> Suspicion for a Keylogger or Trojan DLL

is that - AVZ Antiviral Toolkit finding a false positive in Kaspersky, or is it a keylogger that has installed into the Kaspersky files?

I've got a new contact at Kaspersky that I check with to see if they can shed some light on what is going on.
http://209.85.129.132/search?q=cache:dSs98cP-pO4J:www.bleepingcomputer.com/forums/topic280530.html+AVZ_CollectSysInfo+Suspicion+for+a+Keylogger+or+Trojan+DLL&cd=2&hl=en&ct=clnk&client=firefox-a seems to have an example of the output, it seems like that's just one step in the sequence, however, it doesn't seem like those files are normally identified, which makes me suspicious.

i'm traveling today and will be relatively inaccessible for a while.

http://forum.kaspersky.com/index.php?showtopic=57493 is odd

the other hits i'm getting are for IIS's md5 filter

I think http://www.spydig.com/file-diagnosis/avgvault-dll.html is just a fake site.

> How to Manually Remove Spyware?
> 1. Check the Registry entries RUN, RUNSERVEICE [sic] in the Registry.

the following have users fingering kaspersky:
bp-a0ef3cd1-3dd5-4052-8ba0-be5622100325
bp-36ec9b63-9e3b-41fd-851e-34c092100325
bp-abc0f86c-82c3-4926-ad98-73fac2100325
now up over 1100 crashes per day.

date     crashes at
         __from_strstr_to_strchr
20100420 942
20100421 1021
20100422 1031
20100423 1017
20100424 958
20100425 934
20100426 1180
20100427 1060
20100428 1122
20100429 1043
I did install the 30 day trial on the Windows Vista lab machine but I never did encounter one of these crashes. I can try again on another machine.
there is 100% correlation to rasapi32.dll which is a windows library for handling dial up connections.  maybe slow or dial up connections play a role in the crash.   also 100% correlation to imagehlp.dll.

some particular images over dial up using these possible versions of Kaspersky or the .dll's listed below 9.0.0.740 9.0.0.736  might be keys to reproducing.

     61% (130/212) vs.   4% (9688/217420) mzvkbd3.dll
          3% (7/212) vs.   0% (604/217420) 8.0.0.454
          3% (7/212) vs.   0% (1056/217420) 8.0.0.522
          1% (2/212) vs.   0% (241/217420) 8.0.0.523
          1% (2/212) vs.   0% (109/217420) 9.0.0.192
         12% (25/212) vs.   1% (2014/217420) 9.0.0.464
         40% (85/212) vs.   2% (5326/217420) 9.0.0.740


     57% (120/212) vs.   4% (8238/217420) KavLinkFilter.dll
          1% (2/212) vs.   0% (99/217420) 9.0.0.192
          7% (14/212) vs.   0% (996/217420) 9.0.0.459
          7% (15/212) vs.   1% (1306/217420) 9.0.0.463
         42% (89/212) vs.   3% (5778/217420) 9.0.0.736
          0% (0/212) vs.   0% (3/217420) 9.0.0.747
Very steep rise again in the last days. Was 0.4-0.5 crashes per 1M ADU the days before, both 2011-03-08 and 2011-03-09 have been at ~4.5 crashes per 1M ADU (that's probably 600-700 total), so a factor 10 rise, roughly.
It is #30 top crasher in 4.0 over the last 3 days.
Crash Signature: [@ __from_strstr_to_strchr ]
Crash volume for signature '__from_strstr_to_strchr':
 - nightly(version 50):0 crashes from 2016-06-06.
 - aurora (version 49):0 crashes from 2016-06-07.
 - beta   (version 48):8 crashes from 2016-06-06.
 - release(version 47):37 crashes from 2016-05-31.
 - esr    (version 45):1 crash from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0       0       0       0       0       0
 - aurora        0       0       0       0       0       0       0
 - beta          0       3       4       0       1       0       0
 - release       6       4       6       8       2       2       7
 - esr           0       0       0       0       0       0       1

Affected platform: Windows
I sampled 7 crash reports and 6 of them are nvdahelperremote.dll which is bug 1403590. That means the original stack reported here is rare at best.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
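
The module-correlation lines quoted in the comments above pair a module's share of crashes with this signature against its share of a much larger comparison set. As an added example (not part of the bug thread and not Mozilla's tooling), the following parses lines in that format and ranks modules by how far they exceed the baseline; the reading of the two fractions, the `min_z` threshold and the module `example_common.dll` are assumptions.

```python
import math
import re

# Format used in the comments: "61% (294/484) vs.   3% (6051/182553) name"
LINE_RE = re.compile(
    r"^\s*\d+%\s*\((\d+)/(\d+)\)\s*vs\.\s*\d+%\s*\((\d+)/(\d+)\)\s+(\S+)\s*$")

# Four lines copied from the thread plus one constructed line
# (example_common.dll is hypothetical: a module loaded almost everywhere).
SAMPLE = """\
61% (294/484) vs.   3% (6051/182553) KavLinkFilter.dll
77% (372/484) vs.   4% (7671/182553) mzvkbd3.dll
60% (291/484) vs.   3% (5236/182553) kltbar.dll
  0% (0/212) vs.   0% (3/217420) 9.0.0.747
100% (484/484) vs.  99% (180727/182553) example_common.dll
"""

def parse_correlations(text):
    """Return one dict per well-formed correlation line; skip everything else."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        k, n, bk, bn = (int(g) for g in m.groups()[:4])
        if n == 0 or bn == 0 or k > n or bk > bn:
            continue  # inconsistent counts, ignore the line
        rows.append({"name": m.group(5), "k": k, "n": n, "bk": bk, "bn": bn})
    return rows

def score(row):
    """Lift over the baseline rate and a binomial z-score for the excess."""
    p = row["bk"] / row["bn"]              # baseline share with the module
    rate = row["k"] / row["n"]             # share within this signature
    lift = rate / p if p > 0 else math.inf
    expected, var = row["n"] * p, row["n"] * p * (1 - p)
    if var > 0:
        z = (row["k"] - expected) / math.sqrt(var)
    else:                                  # baseline rate is exactly 0 or 1
        z = math.inf if row["k"] > expected else 0.0
    return {**row, "rate": rate, "lift": lift, "z": z}

def rank(text, min_z=3.0):
    """Modules over-represented in the signature, strongest first."""
    scored = [score(r) for r in parse_correlations(text)]
    return sorted((s for s in scored if s["z"] >= min_z),
                  key=lambda s: s["z"], reverse=True)

if __name__ == "__main__":
    for s in rank(SAMPLE):
        print(f'{s["name"]:20} lift={s["lift"]:5.1f} z={s["z"]:5.1f}')
```

A module present in every crash of the signature but also in nearly every report of the comparison set, like the constructed last line, scores a lift near 1 and is filtered out.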