Yes it may only be in the newer builds ... look at the bottom of the orange CTP enabled / disabled panel.
HMPA 728 beta - FF 57.0.2 - Win 10 Pro x64 v1709 16299.125

Code:
Mitigation   ROP

Platform     10.0.16299/x64 v723 06_45
PID          36532
Application  C:\Program Files\Mozilla Firefox\firefox.exe
Description  Firefox 57.0.2

Callee Type  LoadLibrary

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FFF57DA966D KernelBase.dll
2  00007FFF5ACD8508 ntdll.dll
3  00007FFF5ACC0F56 ntdll.dll                __C_specific_handler +0x96
4  00007FFF5ACD4C3D ntdll.dll                __chkstk +0x11d
5  00007FFF5AC4D1B8 ntdll.dll
6  00007FFF5ACD3B6E ntdll.dll                KiUserExceptionDispatcher +0x2e
7  00007FFF1366E133 xul.dll
                    cc                       INT 3
8  00007FFF142F37DA xul.dll
9  00007FFF142DCB4E xul.dll
10 00007FFF140AABF8 xul.dll

Code Injection
0000017D5DDBA000-0000017D5DDBB000 4KB  C:\Program Files\Mozilla Firefox\firefox.exe [20196]
00007FFF5ACD0000-00007FFF5ACD1000 4KB
00007FFF5ACD2000-00007FFF5ACD3000 4KB
00007FFF5ACCF000-00007FFF5ACD0000 4KB
1  C:\Program Files\Mozilla Firefox\firefox.exe [20196]
2  C:\Program Files\Mozilla Firefox\firefox.exe [36748]
3  C:\Windows\explorer.exe [11072]
4  C:\Windows\System32\userinit.exe [7988]

Process Trace
1  C:\Program Files\Mozilla Firefox\firefox.exe [36532]
   "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="20196.20.838565459\1300654183" -childID 3 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53:400|54:1|55:0|56:0|61:0|62:120|63:120|98:2|99:1|114:5000|124
2  C:\Program Files\Mozilla Firefox\firefox.exe [20196]
3  C:\Program Files\Mozilla Firefox\firefox.exe [36748]
4  C:\Windows\explorer.exe [11072]
5  C:\Windows\System32\userinit.exe [7988]

Thumbprint
fc3a5387fcdd473596ed531b9cf808ec8d9f63394765f3c1640dc3f2d3444647
Do you really have 728 installed? Because: "Platform 10.0.16299/x64 v723 06_45" Btw.: The mitigation above looks nearly exactly the same as this: #710 (Build 721 - Nov 4, 2017)
Yes I do have 728 beta installed now. I see that alert is from just a minute before I posted that I had updated to 728 (#882) ... so I guess my post can be ignored. Edit: Maybe it happened during the restart ...
About 728:
- Windows Backup's issue with EFI/ESP locked: the fix is confirmed, it now works properly again.
Been running build 728 now for a couple of days. So far it seems much more stable (no IE crashes) than 723.
Well, maybe not a real infection but... I clicked on an image in a Google search and Norton started blocking JsCoinminer Download 8. I opened Task Manager and killed Firefox, then HMP.A blocked a ROP attack in FF Plugin Container. I don't know if it would have run anyway as NoScript should have blocked the JavaScript, right? Many scans later I'm satisfied my machine is clean.
OK, installed 728 beta and disabled the Network Lockdown as I did with the 723. I'm still having problems with the network adapter in Fall CU--every day it's a hassle, either with the frozen Start/apps on taskbar and/or failure to connect to Internet. So far, it's been good w/startup. Realtek PCIe Family Controller current version 9.1.406 2015. I have tried them all. Krusty, that's interesting--it takes a real-life episode for something to prove its real value, right? Alert proved its merits to me long ago. Edit: problem w/start/taskbar returned after a hiatus . So, back to the drawing board.
@RonnyT 728 still crashes when using the battle.net updater (sent you logs + crash dump(s) from that crash in the stable support thread)
Win 10 Pro x64 v1709 16299.125, HMPA build beta 728

Code:
Mitigation   ROP

Platform     10.0.16299/x64 v728 06_45
PID          27856
Application  C:\Program Files\Mozilla Firefox\firefox.exe
Description  Firefox 57.0.3

Callee Type  ProtectVirtualMemory
             0x000002F0B95D4000 (4096 bytes)

Branch Trace
                                         Opcode   To
---------------------------------------- -------- ----------------------------------------
0x00007FFF8946C34E xul.dll               ~ RET*   SleepEx()
0x00007FFFD23324D0 kernel32.dll          ff25ca340500 JMP QWORD [RIP+0x534ca]

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FFFD0CE4065 KernelBase.dll           VirtualProtect +0x35
2  00007FFF8972AB6F xul.dll
                    85c0                     TEST EAX, EAX
                    7447                     JZ 0x7fff8972abba
                    488b0ddee1d502           MOV RCX, [RIP+0x2d5e1de]
                    483bd9                   CMP RBX, RCX
                    0f827ed25d00             JB 0x7fff89d07e01
                    4881c100000040           ADD RCX, 0x40000000
                    483bf9                   CMP RDI, RCX
                    0f876ed25d00             JA 0x7fff89d07e01
                    b001                     MOV AL, 0x1
                    488b5c2438               MOV RBX, [RSP+0x38]
                    4883c420                 ADD RSP, 0x20
                    5f                       POP RDI
                    c3                       RET
3  00007FFF8946C76A xul.dll
4  00007FFF894666A8 xul.dll
5  00007FFF8941487B xul.dll
6  00007FFF894166BB xul.dll
7  000002F0B948C2F5 (anonymous; xul.dll)
8  0000006B1D5FAC58 (anonymous)
9  000002F0B948C165 (anonymous; xul.dll)

Code Injection
000001A781DD0000-000001A781DD1000 4KB  C:\Program Files\Mozilla Firefox\firefox.exe [38424]
00007FFFD4920000-00007FFFD4921000 4KB
00007FFFD4922000-00007FFFD4923000 4KB
00007FFFD491F000-00007FFFD4920000 4KB
1  C:\Program Files\Mozilla Firefox\firefox.exe [38424]
2  C:\Program Files\Mozilla Firefox\firefox.exe [31468]
3  C:\Windows\explorer.exe [9428]
4  C:\Windows\System32\userinit.exe [9304]

Process Trace
1  C:\Program Files\Mozilla Firefox\firefox.exe [27856]
   "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="38424.1.1738086672\1666178497" -childID 1 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53:400|54:1|55:0|56:0|61:0|62:120|63:120|98:2|99:1|114:5000|124
2  C:\Program Files\Mozilla Firefox\firefox.exe [38424]
3  C:\Program Files\Mozilla Firefox\firefox.exe [31468]
4  C:\Windows\explorer.exe [9428]
5  C:\Windows\System32\userinit.exe [9304]

Thumbprint
a0adf432b5eb4964e4d59de16f674b8aa2cbb8eabe6afa1d6ba45354d95ce3b8
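The two ROP reports pasted in this thread share one layout (key/value header, Stack Trace table, Process Trace chain, Thumbprint). When several people post near-identical alerts across builds, as happened with the LoadLibrary report and the earlier one it was compared to, it helps to reduce each report to a fingerprint instead of eyeballing addresses, which move with ASLR on every boot. The parser below is an added example written for this thread; it is not HitmanPro.Alert's own code. The line layout it expects follows the reports quoted above; the SYSTEM_MODULES set (modules to skip when finding the real caller) and the fingerprint rule are this example's assumptions, and the embedded sample is the thread's LoadLibrary report re-indented with the long -intPrefs argument trimmed.

```python
"""Parse a HitmanPro.Alert mitigation report into fields, stack frames and process
chain, and derive a fingerprint for grouping repeated alerts.
Added example for this thread, not HitmanPro.Alert's own code. The layout follows
the reports quoted above; SYSTEM_MODULES and the fingerprint rule are assumptions.
SAMPLE_REPORT is the thread's ROP/LoadLibrary report, re-indented, -intPrefs trimmed."""
import re
from dataclasses import dataclass

SAMPLE_REPORT = r"""
Mitigation   ROP
Platform     10.0.16299/x64 v723 06_45
PID          36532
Application  C:\Program Files\Mozilla Firefox\firefox.exe
Description  Firefox 57.0.2
Callee Type  LoadLibrary
Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FFF57DA966D KernelBase.dll
2  00007FFF5ACD8508 ntdll.dll
3  00007FFF5ACC0F56 ntdll.dll                __C_specific_handler +0x96
4  00007FFF5ACD4C3D ntdll.dll                __chkstk +0x11d
5  00007FFF5AC4D1B8 ntdll.dll
6  00007FFF5ACD3B6E ntdll.dll                KiUserExceptionDispatcher +0x2e
7  00007FFF1366E133 xul.dll
                    cc                       INT 3
8  00007FFF142F37DA xul.dll
9  00007FFF142DCB4E xul.dll
10 00007FFF140AABF8 xul.dll
Process Trace
1  C:\Program Files\Mozilla Firefox\firefox.exe [36532]
   "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="20196.20.838565459\1300654183" -childID 3 -isForBrowser
2  C:\Program Files\Mozilla Firefox\firefox.exe [20196]
3  C:\Program Files\Mozilla Firefox\firefox.exe [36748]
4  C:\Windows\explorer.exe [11072]
5  C:\Windows\System32\userinit.exe [7988]
Thumbprint
fc3a5387fcdd473596ed531b9cf808ec8d9f63394765f3c1640dc3f2d3444647
"""

# Hooked API and loader/exception path seen at the top of nearly every report;
# skipped when looking for the real caller (assumption of this example).
SYSTEM_MODULES = {"ntdll.dll", "kernelbase.dll", "kernel32.dll"}
SECTIONS = ("Branch Trace", "Stack Trace", "Code Injection", "Process Trace", "Thumbprint")
FIELD_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Callee Type)\s{2,}(.+)$")
# frame: number, 16-hex-digit address, module ("xul.dll" or "(anonymous; xul.dll)"), location
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{16})\s+(\([^)]*\)|\S+)\s*(.*)$")
PROC_RE = re.compile(r"^(\d+)\s+(.+?) \[(\d+)\]$")   # "n  path [pid]"

@dataclass
class Frame:
    num: int
    address: str
    module: str
    location: str  # "symbol +0xoff" when HMPA resolved it, else ""

def parse_report(text):
    """Return {'fields': {...}, 'frames': [Frame], 'procs': [{'num','path','pid','cmdline'}]}."""
    fields, frames, procs, section = {}, [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
        elif line in SECTIONS:
            section = line
        elif section == "Stack Trace":
            m = FRAME_RE.match(line)
            if m:  # header, separator and indented disassembly lines do not match
                frames.append(Frame(int(m.group(1)), m.group(2).upper(), m.group(3), m.group(4).strip()))
        elif section == "Process Trace":
            m = PROC_RE.match(line)
            if m:
                procs.append({"num": int(m.group(1)), "path": m.group(2), "pid": int(m.group(3)), "cmdline": ""})
            elif procs and line.startswith(" "):  # indented continuation = command line
                procs[-1]["cmdline"] = line.strip()
        elif section == "Thumbprint":
            fields["Thumbprint"] = line.strip()
    return {"fields": fields, "frames": frames, "procs": procs}

def first_app_frame(report):
    """First frame outside the hooked-API/loader modules: where the call came from."""
    return next((f for f in report["frames"] if f.module.lower() not in SYSTEM_MODULES), None)

def fingerprint(report):
    """Group key for repeated alerts: module and symbol+offset rather than the raw
    address, which changes with ASLR on every boot."""
    f = first_app_frame(report)
    caller = (f.module + (f"!{f.location}" if f.location else "")) if f else "?"
    return "/".join([report["fields"].get("Mitigation", "?"), report["fields"].get("Callee Type", "?"), caller])

def parent_chain(report):
    """Image names from the flagged process up through its parents."""
    return [p["path"].rsplit("\\", 1)[-1] for p in report["procs"]]
```

For the sample report `fingerprint()` gives `ROP/LoadLibrary/xul.dll` and `parent_chain()` gives the content process, its two firefox.exe parents, explorer.exe and userinit.exe, which is the normal tree for a Firefox content process started from an interactive logon. Frames whose module is `(anonymous; xul.dll)` or `(anonymous)`, as in the ProtectVirtualMemory report, are treated as application frames, since that is JIT or heap code rather than the loader.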
My Vista HP SP2 x64, which had been running build 604, was still not being offered any later build, so I went ahead and manually installed b728 and rebooted. Two effects:
- During startup I got two Windows errors saying something about Host Process for Windows Services being closed.
- The HMP.A services (User and System) don't show up in Task Manager. Local Services does list the HMP.A service, and it says it's set to Automatic startup, but I have to start it manually in order for the two services to appear in Task Manager and for the HMP.A icon to show up in the notification area.

UPDATE: This is more serious than it seemed at first. Went to open Outlook 2007, and it threw up an error saying, "The application failed to initialize properly (0xc0000005). Click OK to terminate the application." Can't be sure if this error is related to the two issues in the list above, but the timing is suspicious. Scans with HMP.A and N360 reveal no malware presence.

UPDATE 2: I also cannot open Spybot Search & Destroy 1.6, FlexiPDF, CCleaner -- this last one gave me an error saying that CCleaner only works on Windows 2000 or later (!?). Finally, after opening IE8, I can't close it. In view of these effects, I'm uninstalling b728 from Vista and reinstalling 604.

UPDATE 3: After rebooting but before reinstalling 604, all of the above applications open normally.

UPDATE 4: Reinstalled 604, rebooted, and this time I promptly got the notice about 728 being available. So I rebooted -- and ended up at the following BSOD:

Code:
STOP: c000021a {Fatal System Error}
The NT Initial Command Process system process terminated unexpectedly with a status of 0xc0000001 (0x00000000 0x00000000).
The system has been shut down.

Now I rebooted and all I have is a black screen with a mouse pointer in the center, which I can move around.

UPDATE 5: Went into Safe Mode, uninstalled HMP.A b728, rebooted -- and got back fine into Vista.
Whereas previously I was wishing for a way to get HMP.A to update to the current build, now I'm hoping there is a way to PREVENT it from updating to the current build.
Was this a single occurrence, or is this reproducible? Something seems to inject into Firefox; can you provide us with a list of DLLs loaded in Firefox by DM?
Can you please rename hmpalert.dll in C:\Windows\System32 and C:\Windows\SysWOW64 and reboot to see if that makes a difference?
Are you sure that was 728? Not 723? HMPA 3.7.1.723 stable should be offered for automatic updating, not 3.7.3.728 beta.
At this point, I cannot say for sure. You're probably right that the automatic update was to 723. Maybe I still had 728 on the brain, but whichever version it was that was updated to, it was not a good outcome.
That's an interesting idea. But I'm not sure that I want to run the risk of BSODing my computer again! I had some white-knuckle moments there... I'll think about it. Maybe I'll image the drive and also set a restore point before trying this. Should I rename the "hmpalert" part of the filename (for example, "hmgalert.dll"), or the "dll" part (for example, "hmpalert.dgl")?