[Essexboy]

From the earlier run isolation of Intel PROSet Wireless Event Log appeared to stop the problem. But then it started occuring again

The error code is also a tad weird as (as far as I can ascertain ) INVALID_PROCESS_DETACH_ATTEMPT has generally been known to occur in win2K and is exceedingly rare. There is no confirmed reason as to why this occurs

Could you next run a disc check and then follow up with SFC



Disc check step by step guide here

SFC : Go Start > Run and copy/paste the following command :

sfc /scannow

[Advertisements]

Ran chkdsk c: /r

The message after the boot screen said:

Cannot open volume for direct access

and the scan ended there. No results shown.

Ran SFC

took about two hours. It completed while I was away from the computer. No messages or errors apparent.


BSOD started after IE8 and Flash installation, but before OTL clean up. That's a pretty narrow window, but, as you say, the stop code seems particularly rare and tough to isolate. It's just so random.

[pivan]

Ran chkdsk c: /r

The message after the boot screen said:

Cannot open volume for direct access

and the scan ended there. No results shown.

Ran SFC

took about two hours. It completed while I was away from the computer. No messages or errors apparent.


BSOD started after IE8 and Flash installation, but before OTL clean up. That's a pretty narrow window, but, as you say, the stop code seems particularly rare and tough to isolate. It's just so random.

[Essexboy]

OK roll back the IE8 install initially
From add/remove select installed updates
Then select IE8 to uninstall

That chck disc error is intriguing - I am running a few searches on that at the moment

[pivan]

Will perform IE8 rollback later today and report.

In meantime, it looks as if the reason for the Access error in msconfig was due to the avast self-defence module. Upon disabling it, I no longer get the error message, though avast isn't happy about it.

Still no closer to solving the chkdsk error, though this looks reasonable:

http://www.vistaforu...lem-t24645.html

I run XP, not Vista, but the principle seems the same. Any thoughts?

[pivan]

Okay, I've rolled back to IE7.

As soon as I did, I arrived back at square one with regard to the iexplore.exe issue. Once again it is constantly seeking connections, with one site in particular being blocked by avast every couple of minutes. Network Shield clocks up thousands of scans in no time, and TCPView is once again showing a lot of established connections (dozens) even when nothing else is running.

Here are some screengrabs, just for the record:





However, it's only been two hours or so, but the system has been running stably since the rollback with no BSOD. So square one it is (so far).

One peculiarity I've noticed is that when I use the Windows search function to find instances of the iexplore.exe file, it can not find version 7.0.6000.17108, even though it's plainly in the correct place. It does, however, find version 8.0.6001.18702, in a gobbledygook folder which I presume to be a leftover from the rollback.

Ultimately, the question appears to be how do we get the added security benefit of IE8 without triggering the BSOD? Or, alternatively, how do we find the root cause of the unwanted iexplore.exe activity in the first place?

Oh, and still no joy with chkdsk after the rollback.

[Essexboy]

I have just finished one on the Avast forum with this site being the culprit. As Avast is blocking it, it is now just an annoyance rather than a danger

Although this one was caused by whistler MBR bootkit

As for disc check I am just trying out a few things on my XP VM ... So I should have an answer in a few hours

Could you run a fresh OTL scan please with this custom scan script and all users selected

netsvcs
HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /rs
HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[pivan]

New OTL logs:

 OTL.Txt   260.51KB   103 downloads

 Extras.Txt   45.25KB   90 downloads

Still no crashes since rollback. 7 hours now.

Thanks for persisting.

[Essexboy]

There is an intriguing element attached to the end of the OTL extras, it is Chinese - I need to figure out where that came from

After you have run these could you retry the disc check and see if the same error occurs, I have included a small fix for it within OTL

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL


Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  IE - HKU\S-1-5-21-2903581846-4258368876-1226996085-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0.0:80
  O3 - HKU\S-1-5-21-2903581846-4258368876-1226996085-1005\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
  O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex File not found
  O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex File not found
  O34 - HKLM BootExecute: (autocheck autochk /r \??\C:)
  [2012/04/16 21:19:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I would also like to run TDSSKiller to confirm that the MBR is clean

Download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
  
• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  
  
  
• Click the Start Scan button.
  
  
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  
  
  
• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

[pivan]

How long is the OTL fix meant to take? It's been running an hour now, seems to be hanging on O34... I've no way of knowing if it's doing anything, and it's past my bedtime (am on another machine now). I may have to leave it overnight, but if it has frozen, is there anything else I should disable first? The avast warnings are still popping up regularly as it scans, etc. Cheers.

[Essexboy]

Stop OTL as it is hanging on the fix bit I put in

i will try a few other fixes whilst you are asleep

[pivan]

Just a quick update to say not a single crash all day, so definitely related to the IE8 upgrade.

Cheers.

[Essexboy]

Thats good, I will check out the IE8 developer site for this problem

Next, is Avast still alerting ?

If so could you run TDSSKiller to check for the latest whistler variant

[pivan]

Will do now. Any luck with any of the OTL fixes?

[Essexboy]

Nearly there one more to try

[Essexboy]

OK this worked on my system - it will require a shutdown and then a reboot. Not a restart

In the run Box type cmd
A black box will open
Copy/paste the following command followed by enter

CHKNTFS /X C:

Shut down the PC

Restart the PC
Once in windows run the command box again
Copy paste the following command followed by enter :

CHKDSK /f /r C: