There are ~1600 crash reports in WSOFFAddOn.dll in the past week. http://crash-stats.mozilla.com/query/query?version=ALL%3AALL&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=contains&query=WSOFFAddOn&do_query=1 http://cc.bingj.com/cache.aspx?q=%22wsoffaddon+dll%22&d=173207983928&mkt=sv-SE&setlang=en-US&w=a9732106,84b96d22 suggests it's installed under: c:\program files\web search operator\3.1.0.1800\ff\components\WSOFFAddOn.dll and when renaming the files Firefox stopped crashing. Apparently it's related to "HottieStar Toolbar": (WARNING: soft porn pictures) http://www.hottiestar.com/

should also get some SUMO love on pages that talk about taking care in downloading software, and removal of problems related to crashing and search popups and pop-unders.

and we could consider blocklisting on a typical day here is the breakdown of crashes across releases checking --- 20091211-crashdata.csv WSOFFAddOn.dll@0x95fd release total-crashes WSOFFAddOn.dll@0x95fd crashes pct. all 222413 325 0.00146125 3.0.15 41096 56 0.00136266 3.5.5 122770 138 0.00112405 3.6b4 20994 91 0.00433457 3.6b3 803 4 0.00498132 3.6b2 890 1 0.0011236 3.6b1 2371 5 0.00210881 apparently malware bytes deletes the module http://www.bleepingcomputer.com/forums/topic274809.html one signature is associated with version 1840 and the other signature is associated with version 1800 WSOFFAddOn.dll@0x95fd|EXCEPTION_ACCESS_VIOLATION (43 crashes) 100% (43/43) vs. 1% (127/16853) WSOCommon.dll 0% (0/43) vs. 0% (77/16853) 3.1.0.1800 100% (43/43) vs. 0% (50/16853) 3.1.0.1840 WSOFFAddOn.dll@0x955d|EXCEPTION_ACCESS_VIOLATION (45 crashes) 100% (45/45) vs. 1% (127/16853) WSOCommon.dll 100% (45/45) vs. 0% (77/16853) 3.1.0.1800 0% (0/45) vs. 0% (50/16853) 3.1.0.1840

currently ranks #34 for topcrashes on 3.6b4

and ranked #100 and #146 on 3.5.5 and rising. would be higher if you combine the two signatures.

http://www.exterminate-it.com/malpedia/remove-doubled indicates "Web Search Operator" maybe part of DoubleD. more on DoubleD in bug 512785

We can blocklist this when we get confirmation from the vendor or discover that we're unable to reach them for comment. Not blocking the final release at this time.

3.6b5 ranking and volume #95 .13 WSOFFAddOn.dll@0x9c5d #115 .12 WSOFFAddOn.dll@0x95fd #132 .11 WSOFFAddOn.dll@0x955d #191 .07 WSOFFAddOn.dll@0x9c6d that works out to be #18 .43 WSOFFAddOn.dll combined I've searched for "WSOFFAddOn.dll" and "Web Search Operator" with no luck in trying to identify a vendor or vendor site. All I found were malware bytes/other virus scanner logs where the file was removed or was quarantined. I think its unlikely that a vendor will turn up for this one. Some of the scanner logs make it look like its dropped into components directory, so I'm wondering why component blocking isn't having an impact in reducing on 3.6b5. maybe the registry entries are just misnamed.

the set of urls we are crashing on is pretty evil stuff. guessing we might be crashing on the malware popups that have evil content.

behind flash, and a couple of windows .dll's, crashes, WSOFFAddOn.dll ranks around #4-10 when looking at just the .dll crash signatures in 3.6. johnath, what do you think about blocking?

One of the extensions loading this file, that should be included in any blocklisting, is: WSO Helper Class 4.1.0.2080 true {E63605FC-D583-4C81-867F-9457BDB3EA1B} A user on SUMO confirmed that disabling this stops the crash.

There have been no crashes with signatures containing wsoffaddon in versions above 4.0 for the last four weeks. I close it as WFM.