Closed Bug 957258 Opened 8 years ago Closed 7 years ago

crash in sprotector.dll@0xb343f


(Core :: General, defect)

Windows NT
Not set



Tracking Status
firefox26 --- wontfix
firefox27 + fixed
firefox28 + fixed
firefox29 --- verified


(Reporter: away, Assigned: away)



(Keywords: crash, Whiteboard: [qa-])

Crash Data


(1 file)

This bug was filed from the Socorro interface and is 
report bp-6d7b204e-8011-49dc-9f9c-46f702140106.

sprotector.dll@0xb343f is currently the #20 crash on v26 release, though combined signatures for sprotector would probably be more like #13.

This DLL was blocked on Win8+ in bug 792541, so all the reports are from Win7 and previous.

The crashing DLLs are unversioned, but there are several checksums compiled on the same day, and in various path names. It looks like it's malware trying to hide (or maybe sprotector is legitimate but got bundled along with malware).

    Image path: c:\Program Files (x86)\BrowseToSave\sprotector.dll
    Image path: c:\Program Files (x86)\SaveShare\sprotector.dll
    Image path: c:\Program Files\SafeSaver\sprotector.dll
    Image path: f:\Program Files\WebSearch\sprotector.dll
    Image path: c:\Program Files (x86)\SimpleSpeedy\sprotector.dll
    Image path: c:\Program Files (x86)\MagniPic\sprotector.dll
    Image path: c:\Program Files\Ss-Helper\sprotector.dll

    Timestamp:        Thu Jan 24 03:16:53 2013 (51011825)
    CheckSum:         00102033

    Timestamp:        Thu Jan 24 03:25:02 2013 (51011A0E)
    CheckSum:         0010659F

    Timestamp:        Thu Jan 24 03:20:16 2013 (510118F0)
    CheckSum:         00109237

    Timestamp:        Thu Jan 24 03:58:04 2013 (510121CC)
    CheckSum:         00105E70
Jorge, can you talk to Safend about these crashes? It seems they were willing to help last time in bug 792541, maybe they might be aware of other issues.
Flags: needinfo?(jorge)
The crashing code appears to be on a 2-minute timer. Most crashes are at 120 seconds after startup, with a few at 240 etc.
sprotector has no debug ID nor version. Whether or not this is actually malware or just broken software, that's terrible engineering practice and I think we should block all versions for the crashes here. dmajor can you hit me up with a patch?
In theory UNVERSIONED would be sufficient, but we've already been blocking ALL_VERSIONS.

In theory we could get rid of the blocklist flags now, but I imagine we'd just add them back later for something else.
Assignee: nobody → dmajor
Attachment #8356832 - Flags: review?(benjamin)
Attachment #8356832 - Flags: review?(benjamin)
Attachment #8356832 - Flags: review+
Attachment #8356832 - Flags: feedback?(jorge)
Comment on attachment 8356832 [details] [diff] [review]
Block sprotector.dll on all versions of Windows

I'm okay with blocking this DLL. The other bugs suggest that it's a legacy component (unless casing matters, since they refer to SProtector.dll).
Attachment #8356832 - Flags: feedback?(jorge) → feedback+
Flags: needinfo?(jorge)
Keywords: checkin-needed
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Should I nominate this for Aurora/Beta? We won't be able to use Nightly numbers to say whether this worked, since there's been only one crash on that channel in the past month. (Nightly users might be less malware-prone)

We do know that the block is effective in general, because 26 already blocks sprotector on Win8+, and there are no hits coming from Win8 or 8.1.
Yes. It's already marked tracking+, and we can verify via crash-stats after this lands.
Comment on attachment 8356832 [details] [diff] [review]
Block sprotector.dll on all versions of Windows

[Approval Request Comment]
Bug caused by (feature/regressing bug #): External software
User impact if declined: Crashes
Testing completed (on m-c, etc.): We are already blocking this DLL in release builds on Win8 and higher. Crash stats show that the block has been effective on those platforms. The change in this bug is to block on all versions of Windows.
Risk to taking this patch (and alternatives if risky): 
String or IDL/UUID changes made by this patch: None
Attachment #8356832 - Flags: approval-mozilla-beta?
Attachment #8356832 - Flags: approval-mozilla-aurora?
Attachment #8356832 - Flags: approval-mozilla-beta?
Attachment #8356832 - Flags: approval-mozilla-beta+
Attachment #8356832 - Flags: approval-mozilla-aurora?
Attachment #8356832 - Flags: approval-mozilla-aurora+
Keywords: verifyme
Thanks Ioana. I looked at the crash reports from 27 post-fix and they come from two unique installations that both send the "User32BeforeBlocklist=1" annotation, which indicates that our blocklist has limited effectiveness on those machines.
I'm marking this bug qawanted to find a way to get sprotector.dll installed as a first step, as per today's Crashkill meeting.
Keywords: qawanted
I've been trying to get sprotector.dll onto my system for a few hours now with no luck. 

After installing several products from I managed to get a "Search Protect" program in my Program Files folder and it seems to be running because I'm getting notifications of blocking default search engine changes. I've also noticed a SPStub.exe in my Local Settings folder. 

Unforunately I've not yet discovered sprotector.dll on my system.
I managed to find an external source for downloading sprotector.dll but I'm not sure if it's of any use:
In combined signatures this is currently the #23 topcrash since the blocklist was landed. I'll keep monitoring to see how this is moving. I'm not sure what other action we can take at this point given my attempts to install sprotector.dll failed.
The recent crash reports have 100% correlation with various AVAST modules. It's possible that something about having AVAST installed pulls in user32 so early that our blocklist doesn't work. I couldn't reproduce that scenario on a local installation, but maybe I'm missing something. I've put in a data request to how strong this correlation is more generally.
Depends on: 978330
Would anyone object to me cloning this bug? I think we've "fixed" what we set out to do in *this* bug (ie. deploy a blocklist for sprotector.dll). I'd like to call this one fixed and we can investigate further crashes with this .dll in a cloned bug.

Any objections?
Keywords: qawanted
No objection here, as long as the dependent bug 978330 gets connected to the clone.
Closing this bug as per comment 20.
Closed: 8 years ago7 years ago
Resolution: --- → FIXED
Whiteboard: [qa-]
I'm going to refrain from cloning this bug for now since the sprotector.dll crashes are very low volume now, accounting for only 11 crashes in Firefox 28 over the last week.
You need to log in before you can comment on or make changes to this bug.