Windows XP Professional SP-3 Returnil System Safe 2011 3.2.12918-REL14 (free version) Avast 7.0.1426 (free version) When I exit virtual mode for Returnil, or I shutdown Windows (to reboot to get out of Returnil's virtual mode), I see the "Saving settings" dialog followed by "Windows shutting down" and then the computer crashes with a BSOD which says: Code: Event Type: Error Event Source: System Error Event Category: (102) Event ID: 1003 Date: 04/22/2012 Time: 10:30:00 PM User: N/A Computer: ZODIAC Description: Error code 00000024, parameter1 001902fe, parameter2 f78be0c0, parameter3 f78bddbc, parameter4 804e37fe. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 53 79 73 74 65 6d 20 45 System E 0008: 72 72 6f 72 20 20 45 72 rror Er 0010: 72 6f 72 20 63 6f 64 65 ror code 0018: 20 30 30 30 30 30 30 32 0000002 0020: 34 20 20 50 61 72 61 6d 4 Param 0028: 65 74 65 72 73 20 30 30 eters 00 0030: 31 39 30 32 66 65 2c 20 1902fe, 0038: 66 37 38 62 65 30 63 30 f78be0c0 0040: 2c 20 66 37 38 62 64 64 , f78bdd 0048: 62 63 2c 20 38 30 34 65 bc, 804e 0050: 33 37 66 65 37fe Attached is the minidump file and the output from msinfo32.exe to give system info on my host. Well, I tried to upload the .dmp file but your "Manage Attachments" uploader screws up. It fails the upload when I select the .dmp file. I compressed it into a .zip file but then your uploader complains that it is an invalid file. Uh huh, invalid, sure, especially when I extract the compressed file and it compares okay bit-for-bit against the original. The .dmp file is 64KB. The .zip file is 9KB. You'll have to fix your forum software so I can attach the .dmp or its .zip file. Update: Figuring this forum software restricts the filetypes that can be uploaded, I renamed the .dmp file to .dmp.txt to pretend it was a text file. That uploaded okay. So rename .dmp.txt back to just .dmp when you retrieve it to your host. I attached the rvs-inst.log file. The rvs3.log file wouldn't upload due to filetype and size constraints in this forum. So I compressed the logfile into a .zip archive (but this forum won't take .zip files, either), and renamed it to rvs3.zip.txt. Rename back to .zip and then extract the rvs3.log file within (which is 4.7MB in size which exceeds the 1MB max for text files). Yes, I already know about the age-old shotgun troubleshooting step of installing Returnil first and then follow by Avast. I uninstalled both Avast and Returnil, used Avast's cleanup utility, installed Returnil, and lastly installed Avast. That did not help. Returnil still generates a BSOD when shutting down Windows. I looked at the minidump using Nirsoft's BlueScreenViewer. I selected the red-highlighted items which presumably means they are the likely candidates or just the top 4 items on the stack. I pasted then lines below: Code: aswMon2.SYS aswMon2.SYS+485327f8 0xaf38c000 0xaf3a2000 0x00016000 0x00000000 avast! Antivirus System avast! File System Filter Driver for Windows XP 7.0.1426.0 AVAST Software C:\WINDOWS\system32\drivers\aswMon2.SYS fltMgr.sys fltMgr.sys+4907b0 0xf742e000 0xf744db00 0x0001fb00 0x480251da 04/13/2008 01:32:58 PM Microsoft® Windows® Operating System Microsoft Filesystem Filter Manager 5.1.2600.5512 (xpsp.080413-2111) Microsoft Corporation C:\WINDOWS\system32\drivers\fltMgr.sys Ntfs.sys Ntfs.sys+dff0 0xf7b52000 0xf7bde600 0x0008c600 0x48025be5 04/13/2008 02:15:49 PM Microsoft® Windows® Operating System NT File System Driver 5.1.2600.5512 (xpsp.080413-2111) Microsoft Corporation C:\WINDOWS\system32\drivers\Ntfs.sys ntoskrnl.exe ntoskrnl.exe+c7fe 0x804d7000 0x806ee580 0x00217580 0x4ea6ba87 10/25/2011 08:32:55 AM Microsoft® Windows® Operating System NT Kernel & System 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629) Microsoft Corporation C:\WINDOWS\system32\ntoskrnl.exe The above list doesn't include the headers so you can tell what are all the values in each line. So I saved those lines from Nirsoft's BlueScreenView into bsod.txt (attached) that shows the name and value of each parameter. So, if I'm reading this listing correctly (with items shown listed in ascending order by their "Address in Stack"), it looks like aswMon2.sys might be crashing first; however, it is Returnil making Avast crash. If I don't go into Returnil's virtual mode or if Returnil is absent from my computer then there are no crashes when I shutdown Windows. I disabled Returnil's anti-virus component since Avast would be active before going into virtual mode and still active after entering virtual mode. Of course, if Returnil is working correctly, it doesn't matter what AV program is running before and then during virtual mode since a reboot is supposed to wipe all changes, anyway. I disable the AV component in Returnil to eliminate overlapped functionality with Avast and try to prevent conflict. In Avast, I configured its auto-sandbox to ask me if I want a process sandboxed. I don't want anything sandboxed unless I say so. This is to provide protection against malware but I don't want my known good apps to get sandboxed, so I have Avast ask me what to do with any process it thinks is behaving suspiciously. I am not prompted to sandbox any Returnil process when I enable Returnil's virtual mode. Returnil's anti-execute option is set to "Trust programs from real disk only". In Avast, I added an exclusion for C:\Program Files\Returnil\RVS where are some of Returnil's files. Not all of them since, for example, it looks like Returnil puts some of its files under C:\Windows\system32\drivers. I didn't add those files because I'm not sure which ones belong to Returnil plus there could be other places Returnil deposited its files. Unless a comprehensive list of files and their locations is supplied, telling users to exclude Returnil files from Avast (or whatever other active security product they use) is probably worthless advice since users won't know where are all the locations for Returnil files. While I can try to exclude files in Avast for Returnil, I don't see anywhere in Returnil to exclude files for Avast. After adding the Returnil\RVS folder to Avast's exclusion list (in their File Shield since the exclude list under Settings is only for manual scan exclusions), I entered Returnil's virtual mode and shutdown Windows. I still got the BSOD. Right after Avast's driver is listed Microsoft's Filesystem Filter Manager driver (fltMgr.sys). Well, Returnil sticks in its own file driver to intercept disk changes (to the cache or virtualized disk) to discard them on a reboot. No, I'm not getting rid of Avast because Returnil still has problems playing nice with Avast. If I get rid of one of these two programs, I'll get rid of Returnil.