It’s been some time since I had to post here. I am currently using Comodo Firewall (solely the firewall) from the February 2009 release. The May release is far to bloaty for me and runs like a slug.
I also am running SUPERAnti-Spyware and A-Squared anti-virus on Windows XP Home SP3.
Please read carefully my scenario, as I doubt it’s a simple fix
On with the problem…
It all started when playing Re-Volt (a racing game, http://revolt.wikia.com for more info) this past week or so I noticed a DEP window.
“Date Execution Prevention”, “Windows Explorer has been closed to protect your computer”.
The next thing I know, revolt.exe crashes, drwatson crashes. etc. This happened actually during the online gameplay. The biggest crash in the history of the newer computer.
Another thing to consider, a program called RVHouse (a gaming lobby for the game) has had 150 OUTBOUND connections. I have not been using this program since I noticed the issue, and have since contacted the developer. The matter is currently being resolved, but it does indeed look like an exploit was available to send data and DDoS over the Overnet framework from which it is built. Why do I say this? It may have been cause of the issue, but who knows.
What did I do? I ran CCleaner, did a defrag, and assumed at the time it was just some quirck in the online gameplay, but alas…
Just this morning I booted up my computer, had CallWave(iam.exe), Comodo, and FireFox 3.0.10 running. I went to check my yahoo mail and was leisurely doing so. I had no downloads on, no other windows or movie players on, nothing. Then wham, up comes the exact same DEP window as the other day. And explorer.exe does NOT crash until I click “Close” on the window. Interesting… and as seen from event viewer:
Event ID 1000:
Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x0414a410.
I click close and then Event ID 1002:
The shell stopped unexpectedly and Explorer.exe was restarted.
I have since been working on the computer offline without any problems. I also have learned to use WireShark and other utilities and run my own honeypot on occasion (on another older PC of course, lol not this one).
I see no sign of outbound/inbound traffic, it happens at random and even though it would appear as a remote exploit I can’t seem to lay a finger on it as it comes and goes without a trace.
If you guys have any ideas or comments let me know. I’ve ran spyware and malware checks, the computer seems to be clean. And I run just about every download past virustotal.com before installing to be safe. ???
Attached is the dump of explorer.exe and the Event Viewer logs.
Thanks for your time.
[attachment deleted by admin]