Closed Bug 599354 Opened 9 years ago Closed 6 months ago

crash under Windows XP in BaseThreadStart @ RtlpWorkerCallout (malware-related?)

Categories

(Core :: General, defect, critical)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox5 - ---

People

(Reporter: scoobidiver, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: startupcrash)

Crash Data

Build : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b7pre) Gecko/20100924 Firefox/4.0b7pre

This is a residual crash signature that is present in 3.0, 3.5, 3.6, 4.0beta.
It happens only on Windows XP.
It #60 top crasher in 4.0b6 for the last 2 weeks.

Here are some comments of users that are very angry because it happens every time:
"3.6.10 CRASHES ABOUT EVERY 120 SECONDS!!!! ARGH!"
"I don't know what happened, I have to turn my computer off,after every time I use it to get back on line. I do not know the address of the page I was on."
"When trying to upgrade to 3.6 from 3.5 Firefox crashes and I have to reset again. This has happened numerous times. What can you do to fix this problem. It has been going on for days. It is getting very ridiculous. Firefox may be a thing of the past for me."

The crashing thread says nothing about the implicated firefox process, even in looking at the others threads.

Signature	RtlpWorkerCallout
UUID	73f53bcc-69a9-423f-bc7f-788782100924
Time 	2010-09-24 01:43:10.190693
Uptime	69
Last Crash	2159450 seconds (3.6 weeks) before submission
Install Age	577030 seconds (6.7 days) since version was first installed.
Product	Firefox
Version	3.5.13
Build ID	20100914130356
Branch	1.9.1
OS	Windows NT
OS Version	5.1.2600 Dodatek Service Pack 3
CPU	x86
CPU Info	AuthenticAMD family 15 model 95 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0

Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 		@0x1a2d0f 	
1 	ntdll.dll 	RtlpWorkerCallout 	
2 	ntdll.dll 	RtlpExecuteWorkerRequest 	
3 	ntdll.dll 	RtlpApcCallout 	
4 	ntdll.dll 	RtlpExecuteWorkerRequest 	
5 	kernel32.dll 	BaseThreadStart 

More reports at :
http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=RtlpWorkerCallout
Having a quick look a the Modules of some random Reports there a quite some unversioned DLLs listed, like
sshnas21.dll
grtklxk.dll
cdklgvz.dll

Since all Branches seem affected, I presume this is caused by some Malware Stuff.
Keywords: crash
The current 4.0 crashes in https://crash-stats.mozilla.com/report/list?signature=RtlpWorkerCallout have a 100% correlation with tapi32.dll but looking into reports, I also see a few with unversioned DLLs like dadkeyb.dll or RocketDock.dll or a Syncor11.dll with version 0.1.2.3 that somehow looks interesting, but some don't look suspicious from a fast glance over modules.

Still, this is #190 on yesterday's 4.0* topcrash list with ~25 crashes per ADU and a rising tendency.
Summary: crash under Windows XP [@ RtlpWorkerCallout ] → crash under Windows XP [@ RtlpWorkerCallout ] (malware-related?)
This is still rising on both 3.6 and 4.0, we might want to take a look at what this really is.
It is now #17 top crasher in 4.0 over the last 3 days.
I see no unversioned DLLs in correlations.
On the rise together with bug 647366 (@ RtlpTpWorkCallback) in the last few days, #10 on 4.0*, #11 on 3.6* now (yesterday's data).
It is now #4 top crasher in 4.0.1 and #3 in 5.0b3.
not going to track this for Firefox 5, because there's nothing we can do for this in the timeframe we have. Initiatives to improve this situation are actually outside of this bug and our release cycle.
Crash Signature: [@ RtlpWorkerCallout ]
Keywords: topcrash
Just over 50% of these crashes happen in < 1 min. Adding the whiteboard tag.
Whiteboard: startupcrash
Depends on: 720655
Crash Signature: [@ RtlpWorkerCallout ] → [@ RtlpWorkerCallout ] [@ RtlpWorkerCallout | RtlpExecuteWorkerRequest | RtlpApcCallout | RtlpExecuteWorkerRequest | BaseThreadStart]
Summary: crash under Windows XP [@ RtlpWorkerCallout ] (malware-related?) → crash under Windows XP in BaseThreadStart @ RtlpWorkerCallout (malware-related?)
Still high in crash stats - #21 on Fx12.
No longer blocks: malware-attacks
No longer depends on: 720655
Depends on: 720655
Duplicate of this bug: 758183
It's #66 top browser crasher in 15.0.1.
Keywords: topcrash
Looking up online it's malware. The 2 dlls are malware, look up the sshnas21.dll.

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.