The DEP Window, explorer.exe, the shell that stopped, and the woes of XP SP3

Hello All,
It’s been some time since I had to post here. I am currently using Comodo Firewall (solely the firewall) from the February 2009 release. The May release is far to bloaty for me and runs like a slug.

I also am running SUPERAnti-Spyware and A-Squared anti-virus on Windows XP Home SP3.

Please read carefully my scenario, as I doubt it’s a simple fix
On with the problem…

It all started when playing Re-Volt (a racing game, for more info) this past week or so I noticed a DEP window.
It stated…
“Date Execution Prevention”, “Windows Explorer has been closed to protect your computer”.
The next thing I know, revolt.exe crashes, drwatson crashes. etc. This happened actually during the online gameplay. The biggest crash in the history of the newer computer.

Another thing to consider, a program called RVHouse (a gaming lobby for the game) has had 150 OUTBOUND connections. I have not been using this program since I noticed the issue, and have since contacted the developer. The matter is currently being resolved, but it does indeed look like an exploit was available to send data and DDoS over the Overnet framework from which it is built. Why do I say this? It may have been cause of the issue, but who knows.

What did I do? I ran CCleaner, did a defrag, and assumed at the time it was just some quirck in the online gameplay, but alas… :frowning:

Just this morning I booted up my computer, had CallWave(iam.exe), Comodo, and FireFox 3.0.10 running. I went to check my yahoo mail and was leisurely doing so. I had no downloads on, no other windows or movie players on, nothing. Then wham, up comes the exact same DEP window as the other day. And explorer.exe does NOT crash until I click “Close” on the window. Interesting… and as seen from event viewer:
Event ID 1000:
Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version, fault address 0x0414a410.

I click close and then Event ID 1002:
The shell stopped unexpectedly and Explorer.exe was restarted.

I have since been working on the computer offline without any problems. I also have learned to use WireShark and other utilities and run my own honeypot on occasion (on another older PC of course, lol not this one).

I see no sign of outbound/inbound traffic, it happens at random and even though it would appear as a remote exploit I can’t seem to lay a finger on it as it comes and goes without a trace.

If you guys have any ideas or comments let me know. I’ve ran spyware and malware checks, the computer seems to be clean. And I run just about every download past before installing to be safe. ???

Attached is the dump of explorer.exe and the Event Viewer logs.

Thanks for your time. :slight_smile:

[attachment deleted by admin]

DEP should be disabled for CIS files (either set to ‘Windows files only’ or exclude CIS files from the list).
I’m not that familiar with reading the files you attached so I can’t help there. I am sure someone else will view it and be able to provide additional help for you.

I have heard I might want to do this with DEP, but considering that DEP has not caused any problems on anything other “than windows components” i.e. explorer.exe I see no need to enable that.

I’ve been running the computer for several hours today with no sign of DEP, but I’m sure it will pop up sooner or later. When it does I’ll see if I can get any more info out of the cause. :slight_smile:

So far I’ve only had one DEP Window since this post. And this time it was offline and occurred right after closing my CD-Rom tray. It may actually be related to a faulty CD-Rom Drive, more testing may be able to verify this. I’ll keep you posted.