Closed Bug 556178 Opened 10 years ago Closed 3 years ago

Firefox Crashes [@ shlwapi.dll@0x2c4d8 ] and other addresses

Categories

(Firefox :: General, defect, critical)

3.5 Branch
x86
Windows XP
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: chofmann, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, user-doc-needed)

Attachments

(1 file)

currently ranked #54 for firefox 3.6.2 but climbing.

stacks and comments look like

http://crash-stats.mozilla.com/report/index/69f1c4b7-893b-464a-aa10-15cb22100330

well nothing happened..then all of a sudden my computer said I had viruses then Mozilla crashed

All I have to do is attempt to open something on the same link or go to another site and CRASH! 

believe I got the Google Redirect Virus...despite repeated attempts to purge it using Spybot Search & Destroy, it has persisted, and has made using the internet with Firefox very difficult.

Frame  	Module  	Signature  	Source
0 	shlwapi.dll 	shlwapi.dll@0x2c4d8 	
1 	shlwapi.dll 	shlwapi.dll@0x2c52a 	
2 		@0x1b3ca4 	
3 	ws2_32.dll 	WSARecv 	
4 	wsock32.dll 	recv 	
5 	nspr4.dll 	_PR_MD_RECV 	nsprpub/pr/src/md/windows/w95sock.c:327
6 	nspr4.dll 	SocketRead 	nsprpub/pr/src/io/prsocket.c:657
7 	xul.dll 	nsSocketInputStream::Read 	netwerk/base/src/nsSocketTransport2.cpp:353
8 	xul.dll 	nsHttpConnection::OnWriteSegment 	netwerk/protocol/http/src/nsHttpConnection.cpp:632
9 	xul.dll 	nsHttpTransaction::WritePipeSegment 	netwerk/protocol/http/src/nsHttpTransaction.cpp:499
10 	xul.dll 	nsPipeOutputStream::WriteSegments 	xpcom/io/nsPipe3.cpp:1137
11 		@0xfff 	
12 	xul.dll 	nsHttpTransaction::WriteSegments 	netwerk/protocol/http/src/nsHttpTransaction.cpp:525
13 	xul.dll 	nsHttpConnection::OnSocketReadable 	netwerk/protocol/http/src/nsHttpConnection.cpp:648
14 	xul.dll 	nsHttpConnection::OnInputStreamReady 	netwerk/protocol/http/src/nsHttpConnection.cpp:762
15 	xul.dll 	nsSocketInputStream::OnSocketReady 	netwerk/base/src/nsSocketTransport2.cpp:256
16 	xul.dll 	nsSocketTransport::OnSocketReady 	netwerk/base/src/nsSocketTransport2.cpp:1519
17 	xul.dll 	nsSocketTransportService::DoPollIteration 	netwerk/base/src/nsSocketTransportService2.cpp:674
18 	xul.dll 	nsSocketTransportService::OnProcessNextEvent 	netwerk/base/src/nsSocketTransportService2.cpp:538
19 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:508
20 	xul.dll 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:250
21 	xul.dll 	nsSocketTransportService::Run 	netwerk/base/src/nsSocketTransportService2.cpp:581
22 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
23 	xul.dll 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:250
24 	xul.dll 	nsThread::ThreadFunc 	xpcom/threads/nsThread.cpp:254
25 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:426
26 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:122
27 	mozcrt19.dll 	_callthreadstartex 	obj-firefox/memory/jemalloc/crtsrc/threadex.c:348
28 	mozcrt19.dll 	_threadstartex 	obj-firefox/memory/jemalloc/crtsrc/threadex.c:326
29 	kernel32.dll 	BaseThreadStart

shlwapi.dll is a process belonging to the Microsoft Windows Shell program. shlwapi.dll is a library which contains functions for UNC and URL paths, registry entries, and color settings.  But it sounds like attacks have been seen where shlwapi.dll is part of malware packages and replacement DLLs load from non-standard locations.
up about 30% from earlier in March, and sharp uptick starting after March 14.
also known by these signatures

signature list
 508 shlwapi.dll@0x2c4d8
 163 shlwapi.dll@0x2c428
  29 shlwapi.dll@0x10817
  12 shlwapi.dll@0x2c408
  11 shlwapi.dll@0x11465
  11 shlwapi.dll@0x107e5
  10 shlwapi.dll@0x2c468
   9 shlwapi.dll@0x2c4a8
   9 shlwapi.dll@0x2c3f8
   9 shlwapi.dll@0x11497
   4 shlwapi.dll@0xbbea
   4 shlwapi.dll@0x2c4b8
   4 shlwapi.dll@0x1a9f8
<long tail snipped>

   1 _purecall | shlwapi.dll@0x17b02
   1 SHLWAPI.DLL@0x242a6
   1 @0x0 | @0x6c0064 | shlwapi.dll@0xa4fb


about the same crash rate against all the major releases

checking --- 20100328-crashdata.csv shlwapi.dll
release	total-crashes	shlwapi.dll-crashes	ratio

3.0.18	10964	39	0.0035571
3.5.8	34753	87	0.00250338
3.6.2	212098	590	0.00278173

XP seems to be most vulnerable to this crash.

os breakdown
438     0.543424        Windows NT5.1.2600 Service Pack 3
316     0.39206 Windows NT5.1.2600 Service Pack 2
23      0.028536        Windows NT5.1.2600 Szervizcsomag 3
11      0.0136476       Windows NT5.1.2600 Szervizcsomag 2
7       0.00868486      Windows NT5.1.2600 Dodatek Service Pack 2
5       0.00620347      Windows NT5.1.2600 Dodatek Service Pack 3
2       0.00248139      Windows NT5.2.3790 Service Pack 2
2       0.00248139      Windows NT5.1.2600 Service Pack 2, v.2096
1       0.00124069      Windows NT6.1.7260
1       0.00124069      Windows NT5.1.2600 Service Pack 3, v.3311
If we can figure out a defense for this, or a recommended virus remover, a support doc might be the only thing we can do.  

Not sure any of our blocking tools would work against this if it is in fact an imposter .dll getting loaded from a non-standard location.
Keywords: user-doc-needed
OS: Mac OS X → Windows XP
could be just part of normal pattern of browsing but facebook, myspace, youtube are the sites most frequently associated with the crash

domains of sites
  70 http://apps.facebook.com
  52 http://www.facebook.com
  49 \N//
  14 http://messaging.myspace.com
  14 http://home.myspace.com
  13 http://viewmorepics.myspace.com
  12 http://www.myspace.com
  12 http://www.google.com
  11 about:blank//
   9 http://www.youtube.com
   9 http://myvip.com
the upward climb on these looks like it might have started back on Dec. 9.

date     crashes at
         shlwapi.dll
20091201 22
20091202 16
20091203 20
20091204 13
20091205 13
20091206 9
20091207 10
20091208 74
20091209 112
20091210 102
20091211 125
20091212 132
20091213 155
preventing LSPs or locking out non signed libraries should work. i need to figure out what ms's status was wrt signing some libraries....
Blocks: 530074
still 100% winXP
Depends on: 557161
Blocks: 557161
No longer depends on: 557161
Re: user-doc-needed

So the cause of this is some sort of virus, and we don't have a link for a specific remedy, correct?
some possible hits here on:

 where to find the .dll, ->  %System%\acespy\Shlwapi.dll
 what packages it comes with (Spyware.AceSpy),
  and an indication that Symantec might provide protection for some variations of the problem.

http://greatis.com/appdata/d/SysDir/a/acespy_shlwapi.dll.htm
http://www.symantec.com/security_response/writeup.jsp?docid=2004-062111-2932-99

it also looks like a .dll by that name comes with Windows so malware might be replacing the copy that normally loads from C:\WINDOWS\system32\shlwapi.dll

http://www.filename.info/f/shlwapi.dll.html
chofmann: it's fairly unlikely that it's that creature. based on its age. it's much more likely that something from:

2         @0x1b3ca4     

is calling into the standard Windows system library by this name.
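
The triage step described in the comment above (an unnamed frame calling into the system shlwapi.dll), as an added example that is not part of the bug thread or of the crash-stats code: it parses a stack in the tab-separated layout quoted on this page and lists frames that have no module, marking those that sit between two different modules. The function names and the "different module on each side" rule are assumptions of this example.

```python
from typing import List, NamedTuple, Tuple

# Constructed sample: frames 0-5 and 10-12 of the stack quoted on this page,
# as tab-separated frame / module / signature / source columns.
SAMPLE_STACK = """\
0\tshlwapi.dll\tshlwapi.dll@0x2c4d8\t
1\tshlwapi.dll\tshlwapi.dll@0x2c52a\t
2\t\t@0x1b3ca4\t
3\tws2_32.dll\tWSARecv\t
4\twsock32.dll\trecv\t
5\tnspr4.dll\t_PR_MD_RECV\tnsprpub/pr/src/md/windows/w95sock.c:327
10\txul.dll\tnsPipeOutputStream::WriteSegments\txpcom/io/nsPipe3.cpp:1137
11\t\t@0xfff\t
12\txul.dll\tnsHttpTransaction::WriteSegments\tnetwerk/protocol/http/src/nsHttpTransaction.cpp:525
"""

class Frame(NamedTuple):
    index: int
    module: str      # empty when the address maps to no loaded module
    signature: str
    source: str

def parse_stack(text: str) -> List[Frame]:
    frames = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        fields += [""] * (4 - len(fields))   # short rows have no source column
        if not fields[0].isdigit():
            continue                         # header row or blank line
        frames.append(Frame(int(fields[0]), fields[1].lower(), fields[2], fields[3]))
    return frames

def unattributed_frames(frames: List[Frame]) -> List[Tuple[int, str, str, str, bool]]:
    """(index, address, callee module, caller module, crosses_boundary) per module-less frame."""
    by_index = {f.index: f for f in frames}
    hits = []
    for f in frames:
        if f.module:
            continue
        below, above = by_index.get(f.index - 1), by_index.get(f.index + 1)
        callee = below.module if below else ""
        caller = above.module if above else ""
        # Heuristic (assumption): unknown code between two different modules
        # is worth a closer look than unknown code inside a single module.
        hits.append((f.index, f.signature, callee, caller, bool(callee and caller and callee != caller)))
    return hits

for hit in unattributed_frames(parse_stack(SAMPLE_STACK)):
    print(hit)
```

On the sample, frame 2 is marked because it sits between ws2_32.dll and shlwapi.dll, while frame 11 has xul.dll on both sides and is not.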
in the past week merely one crash each of 
shlwapi.dll@0x145bd bp-a839e416-187e-4e62-b4b8-a5b022130615
shlwapi.dll@0xc2a4 bp-589f5982-df36-4eb1-9bd7-438682130616
Severity: normal → critical
Keywords: crash
I'm marking this bug as WORKSFORME as this bug's crash signature hasn't appeared for a long time (over half a year).
Status: NEW → RESOLVED
Crash Signature: [@ shlwapi.dll@0x2c4d8 ]
Closed: 3 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ shlwapi.dll@0x2c4d8 ] → [@ shlwapi.dll@0x2c4d8 ] [@ shlwapi.dll@0x145bd ] [@ shlwapi.dll@0xc2a4 ] [@ shlwapi.dll@0x2c428 ] [@ shlwapi.dll@0x10817 ] [@ shlwapi.dll@0x2c408 ] [@ shlwapi.dll@0x11465 ] [@ shlwapi.dll@0x107e5 ] [@ shlwapi.dll@0x2c468 ] [@ shlwapi.dll@0x2c4a8…