Closed
Bug 556178
Opened 15 years ago
Closed 8 years ago
Firefox Crashes [@ shlwapi.dll@0x2c4d8 ] and other addresses
Categories
(Firefox :: General, defect)
RESOLVED
WORKSFORME
People
(Reporter: chofmann, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, user-doc-needed)
currently ranked #54 for firefox 3.6.2 but climbing.
stacks and comments look like
http://crash-stats.mozilla.com/report/index/69f1c4b7-893b-464a-aa10-15cb22100330
well nothing happened..then all of a sudden my computer said I had viruses then Mozilla crashed
All I have to do is attempt to open something on the same link or go to another site and CRASH!
believe I got the Google Redirect Virus...despite repeated attempts to purge it using Spybot Search & Destroy, it has persisted, and has made using the internet with Firefox very difficult.
Frame Module Signature Source
0 shlwapi.dll shlwapi.dll@0x2c4d8
1 shlwapi.dll shlwapi.dll@0x2c52a
2 @0x1b3ca4
3 ws2_32.dll WSARecv
4 wsock32.dll recv
5 nspr4.dll _PR_MD_RECV nsprpub/pr/src/md/windows/w95sock.c:327
6 nspr4.dll SocketRead nsprpub/pr/src/io/prsocket.c:657
7 xul.dll nsSocketInputStream::Read netwerk/base/src/nsSocketTransport2.cpp:353
8 xul.dll nsHttpConnection::OnWriteSegment netwerk/protocol/http/src/nsHttpConnection.cpp:632
9 xul.dll nsHttpTransaction::WritePipeSegment netwerk/protocol/http/src/nsHttpTransaction.cpp:499
10 xul.dll nsPipeOutputStream::WriteSegments xpcom/io/nsPipe3.cpp:1137
11 @0xfff
12 xul.dll nsHttpTransaction::WriteSegments netwerk/protocol/http/src/nsHttpTransaction.cpp:525
13 xul.dll nsHttpConnection::OnSocketReadable netwerk/protocol/http/src/nsHttpConnection.cpp:648
14 xul.dll nsHttpConnection::OnInputStreamReady netwerk/protocol/http/src/nsHttpConnection.cpp:762
15 xul.dll nsSocketInputStream::OnSocketReady netwerk/base/src/nsSocketTransport2.cpp:256
16 xul.dll nsSocketTransport::OnSocketReady netwerk/base/src/nsSocketTransport2.cpp:1519
17 xul.dll nsSocketTransportService::DoPollIteration netwerk/base/src/nsSocketTransportService2.cpp:674
18 xul.dll nsSocketTransportService::OnProcessNextEvent netwerk/base/src/nsSocketTransportService2.cpp:538
19 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:508
20 xul.dll NS_ProcessNextEvent_P obj-firefox/xpcom/build/nsThreadUtils.cpp:250
21 xul.dll nsSocketTransportService::Run netwerk/base/src/nsSocketTransportService2.cpp:581
22 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:527
23 xul.dll NS_ProcessNextEvent_P obj-firefox/xpcom/build/nsThreadUtils.cpp:250
24 xul.dll nsThread::ThreadFunc xpcom/threads/nsThread.cpp:254
25 nspr4.dll _PR_NativeRunThread nsprpub/pr/src/threads/combined/pruthr.c:426
26 nspr4.dll pr_root nsprpub/pr/src/md/windows/w95thred.c:122
27 mozcrt19.dll _callthreadstartex obj-firefox/memory/jemalloc/crtsrc/threadex.c:348
28 mozcrt19.dll _threadstartex obj-firefox/memory/jemalloc/crtsrc/threadex.c:326
29 kernel32.dll BaseThreadStart
shlwapi.dll is a process belonging to the Microsoft Windows Shell program. shlwapi.dll is a library which contains functions for UNC and URL paths, registry entries, and color settings. But it sounds like attacks have been seen where shlwapi.dll is part of malware packages and replacement DLLs load from non-standard locations.
Reporter
Updated•15 years ago
Blocks: malware-attacks
Reporter
Comment 1•15 years ago
up about 30% from earlier in march, and sharp uptick starting after march 14.
Reporter
Comment 2•15 years ago
also known by these signatures
signature list
508 shlwapi.dll@0x2c4d8
163 shlwapi.dll@0x2c428
29 shlwapi.dll@0x10817
12 shlwapi.dll@0x2c408
11 shlwapi.dll@0x11465
11 shlwapi.dll@0x107e5
10 shlwapi.dll@0x2c468
9 shlwapi.dll@0x2c4a8
9 shlwapi.dll@0x2c3f8
9 shlwapi.dll@0x11497
4 shlwapi.dll@0xbbea
4 shlwapi.dll@0x2c4b8
4 shlwapi.dll@0x1a9f8
<long tail snipped>
1 _purecall | shlwapi.dll@0x17b02
1 SHLWAPI.DLL@0x242a6
1 @0x0 | @0x6c0064 | shlwapi.dll@0xa4fb
about the same crash rate against all the major releases
checking --- 20100328-crashdata.csv shlwapi.dll
release total-crashes shlwapi.dll-crashes
3.0.18 10964 39 0.0035571
3.5.8 34753 87 0.00250338
3.6.2 212098 590 0.00278173
XP seems to be most vulnerable to this crash.
os breakdown
438 0.543424 Windows NT5.1.2600 Service Pack 3
316 0.39206 Windows NT5.1.2600 Service Pack 2
23 0.028536 Windows NT5.1.2600 Szervizcsomag 3
11 0.0136476 Windows NT5.1.2600 Szervizcsomag 2
7 0.00868486 Windows NT5.1.2600 Dodatek Service Pack 2
5 0.00620347 Windows NT5.1.2600 Dodatek Service Pack 3
2 0.00248139 Windows NT5.2.3790 Service Pack 2
2 0.00248139 Windows NT5.1.2600 Service Pack 2, v.2096
1 0.00124069 Windows NT6.1.7260
1 0.00124069 Windows NT5.1.2600 Service Pack 3, v.3311
Reporter
Comment 3•15 years ago
If we can figure out a defense for this, or a recommended virus remover, a support doc might be the only thing we can do.
Not sure any of our blocking tools would work against this if it is in fact an imposter .dll getting loaded from a non-standard location.
Keywords: user-doc-needed
OS: Mac OS X → Windows XP
Reporter
Comment 4•15 years ago
could be just part of normal pattern of browsing but facebook, myspace, youtube are the sites most frequently associated with the crash
domains of sites
70 http://apps.facebook.com
52 http://www.facebook.com
49 \N//
14 http://messaging.myspace.com
14 http://home.myspace.com
13 http://viewmorepics.myspace.com
12 http://www.myspace.com
12 http://www.google.com
11 about:blank//
9 http://www.youtube.com
9 http://myvip.com
Reporter
Comment 5•15 years ago
the upward climb on these looks like it might have started back on Dec. 9.
date crashes at shlwapi.dll
20091201 22
20091202 16
20091203 20
20091204 13
20091205 13
20091206 9
20091207 10
20091208 74
20091209 112
20091210 102
20091211 125
20091212 132
20091213 155
preventing LSPs or locking out non signed libraries should work. i need to figure out what ms's status was wrt signing some libraries....
Reporter
Updated•15 years ago
Comment 8•15 years ago
Re: user-doc-needed
So the cause of this is some sort of virus, and we don't have a link for a specific remedy, correct?
Reporter
Comment 9•15 years ago
some possible hits here on:
where to find the .dll -> %System%\acespy\Shlwapi.dll,
what packages it comes with (Spyware.AceSpy),
and an indication that symantec might provide protection for some variations of the problem.
http://greatis.com/appdata/d/SysDir/a/acespy_shlwapi.dll.htm
http://www.symantec.com/security_response/writeup.jsp?docid=2004-062111-2932-99
it also looks like a .dll by that name comes with windows so malware might be replacing the copy that normally loads from C:\WINDOWS\system32\shlwapi.dll
http://www.filename.info/f/shlwapi.dll.html
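The load-location concern raised in comments 3 and 9, as an added example that is not part of the original bug thread: it flags a system DLL name loaded from anywhere other than the system directory itself. The module list, `SYSTEM_DIR`, `SYSTEM_DLLS` and `misplaced_system_dlls` are assumptions constructed for illustration; the acespy path follows the location cited in comment 9.

```python
import ntpath  # Windows path rules, usable on any OS

SYSTEM_DIR = r"C:\WINDOWS\system32"  # assumed system directory
# System libraries that appear in the stack quoted in this bug.
SYSTEM_DLLS = {"shlwapi.dll", "ws2_32.dll", "wsock32.dll", "kernel32.dll"}

# Constructed module list for one process (not taken from a real report).
LOADED_MODULES = [
    r"C:\Program Files\Mozilla Firefox\xul.dll",
    r"C:\Program Files\Mozilla Firefox\nspr4.dll",
    r"C:\WINDOWS\system32\ws2_32.dll",
    r"C:\WINDOWS\SYSTEM32\kernel32.dll",
    r"C:\WINDOWS\system32\acespy\Shlwapi.dll",
]


def misplaced_system_dlls(paths, system_dir=SYSTEM_DIR):
    """Return paths whose file name is a system DLL but whose directory
    is not exactly the system directory (compared case-insensitively)."""
    expected = ntpath.normcase(ntpath.normpath(system_dir))
    flagged = []
    for path in paths:
        norm = ntpath.normcase(ntpath.normpath(path))
        directory, name = ntpath.split(norm)
        # Exact directory match: a prefix test would accept
        # system32\acespy\ because it starts with system32.
        if name in SYSTEM_DLLS and directory != expected:
            flagged.append(path)
    return flagged
```

A copy overwritten in place at C:\WINDOWS\system32\shlwapi.dll passes this check; that case needs signature or hash verification of the file instead.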
Comment 10•15 years ago
chofmann: it's fairly unlikely that it's that creature, based on its age. it's much more likely that something from:
2 @0x1b3ca4
is calling into the standard Windows system library by this name.
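The triage step comment 10 performs by eye, as an added example that is not part of the original bug thread: parse the quoted stack, list frames whose address resolved to no loaded module, and show which modules sit on either side. The 64 KB threshold and the `walker-artifact` / `unbacked-code` labels are this example's own heuristic, not crash-stats terminology.

```python
import re

# Frames 0-5 and 10-12 of the stack quoted in this bug report.
STACK = """\
0 shlwapi.dll shlwapi.dll@0x2c4d8
1 shlwapi.dll shlwapi.dll@0x2c52a
2 @0x1b3ca4
3 ws2_32.dll WSARecv
4 wsock32.dll recv
5 nspr4.dll _PR_MD_RECV nsprpub/pr/src/md/windows/w95sock.c:327
10 xul.dll nsPipeOutputStream::WriteSegments xpcom/io/nsPipe3.cpp:1137
11 @0xfff
12 xul.dll nsHttpTransaction::WriteSegments netwerk/protocol/http/src/nsHttpTransaction.cpp:525
"""

# index, optional module, signature, optional source file:line
FRAME_RE = re.compile(r"^(\d+)\s+(?:(\S+\.dll)\s+)?(\S+)(?:\s+(\S+:\d+))?$", re.I)
RAW_ADDR_RE = re.compile(r"^@0x([0-9a-f]+)$", re.I)
NULL_PARTITION_END = 0x10000  # lowest 64 KB is normally left unmapped on Windows


def parse_frames(text):
    """Return {frame index: (module or None, signature)}."""
    frames = {}
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames[int(m.group(1))] = (m.group(2), m.group(3))
    return frames


def unbacked_frames(frames):
    """Report frames whose address resolved to no loaded module."""
    findings = []
    for idx in sorted(frames):
        module, sig = frames[idx]
        addr = RAW_ADDR_RE.match(sig)
        if module is not None or addr is None:
            continue
        value = int(addr.group(1), 16)
        kind = "walker-artifact" if value < NULL_PARTITION_END else "unbacked-code"
        findings.append({
            "frame": idx,
            "address": hex(value),
            "kind": kind,
            "called_by": frames.get(idx + 1, (None, None))[0],
            "calls_into": frames.get(idx - 1, (None, None))[0],
        })
    return findings
```

On the quoted stack this separates frame 11 (an address too low to be code, so most likely a stack-walk artifact) from frame 2, which was entered from ws2_32.dll and calls into shlwapi.dll.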
Comment 11•11 years ago
in the past week merely one crash each of
shlwapi.dll@0x145bd bp-a839e416-187e-4e62-b4b8-a5b022130615
shlwapi.dll@0xc2a4 bp-589f5982-df36-4eb1-9bd7-438682130616
Severity: normal → critical
Keywords: crash
Comment 12•8 years ago
I'm marking this bug as WORKSFORME as the bug's crash signature hasn't appeared for a long time (over half a year).
Status: NEW → RESOLVED
Crash Signature: [@ shlwapi.dll@0x2c4d8 ]
Closed: 8 years ago
Resolution: --- → WORKSFORME
Updated•8 years ago
Crash Signature: [@ shlwapi.dll@0x2c4d8 ] → [@ shlwapi.dll@0x2c4d8 ]
[@ shlwapi.dll@0x145bd ]
[@ shlwapi.dll@0xc2a4 ]
[@ shlwapi.dll@0x2c428 ]
[@ shlwapi.dll@0x10817 ]
[@ shlwapi.dll@0x2c408 ]
[@ shlwapi.dll@0x11465 ]
[@ shlwapi.dll@0x107e5 ]
[@ shlwapi.dll@0x2c468 ]
[@ shlwapi.dll@0x2c4a8…