"tried to execute shellcode as a result of possible buffer overflow attack"

[Guest]

[LostAmy]

Hi, since I got the internet back after a week off (moved home, provider needed time for reconnection) yesterday afternoon, every time i try to start Windows Media Player and iTunes player it tells me that the application has been blocked as it "tried to execute shellcode as a result of possible buffer overflow attack".
What do I do now?
For the moment I have removed itunes from my computer and am re-downloading it, see if it does the same again. But what about WMP? i appear unable to remove it completely, only to get rid of the upgrade to the latest version.
I have also did a thorough scan with avast! and it did not find anything.
I noticed someone else had the same problem with WMP since the latest update to the Comodo firewall, and to be fair I can't remember when the update was done on mine but it was quite recent so it may also be linked.
Is there definitely something wrong with the WMP and itunes players or is it something to do with the firewall?

Thanks.
Amy 

[DaRtH VaDeR.]

next tme it happens just do not terminate the application.... it could be that defense + detects some memory leaks in the program....

[LostAmy]

well i did think of that  But because i don't know anything apart from the most basic about computers and viruses etc, i wasn't sure whether it was safe to do so. There also probably is a way to tell Comodo firewall to stop blocking these 2 apps, but i'd like to make sure that allowing the apps to run would not allow unauthorised access to my computer, or whatever else this "buffer overflow attack" could be doing.
That's my main issue here, i don't know what this "attack" thing does and whether the firewall is right to stop the players from running, or whether it's being overprotective. If it's the latter, then no probs, i'll tell the fw to ignore them and that will be it. However if there is more to it i'd like some help with a possible solution.
Thanks
Amy

[egemen]

Hello,

Can you please tell us the operating system details and all other applications you have installed? A process explorer screenshot(from www.sysinternals.com) is useful if you can provide.

Thx,
Egemen

[LostAmy]

hi,
sorry for the delay in replying.
the operating system is windows xp. As for all the other applications i have installed, do you mean all the programs that come under the list of "all programs" in the start button? (i know, stupid question, but I wouldn't want to make a list of all the stuff in there if you mean something else!). As for "process explorer screenshot", i have no idea what that means.
By the way i uninstalled and re-installed itunes, nothing changed. I also removed the latest update to WMP and re-installed it, nothing changed either. For a few days now my Windows automatic update has been downloading stuff pretty much everyday, but it's probably unrelated as WMP and itunes are still blocked.
I'm trying to open other programs that i can use to play music, as it appears only the players are blocked, but RealPlayer is fine, so is Arcade (came with the computer, an Acer), and EmoDio (came with Samsung mp3 player) works also. So it seems only the 2 players above are being targeted. As far as I can tell, nothing else has been blocked by the firewall, but recently i have only been using my laptop for music and internet access, so there may be others that i haven't noticed are being blocked.
Thanks
Amy

[Ronny]

Amy,

You can run the process explorer from here:

http://live.sysinternals.com/procexp.exe, and then chose "run"

If you can make a screenshot of it by pressing the "print screen" button, if you open Microsoft Paint, you can "paste" the screenshot in there, and save it as an image file.

You can upload it here by choosing "additional options" from the post message menu.
Attach, press browse, go to the created image and press "post'

That should to the trick.

[LostAmy]

hi
once again sorry for the delay in replying. Paint isn't working (same problem) and as i have open office i have used the writer in open office and hopefully you can open and read it (i tried the "draw" program but the files type can't be attached here). i also discovered that the Adobe reader doesn't work either, again because of that shellcode thing.
thanks for your help.
Amy

[Ronny]

Hello Amy,

The new version of CIS 3.9.x (Still beta though) has a few fixes to prevent false alerts.
I can't tell from this info if yours is a false positive, but if you like you could try 3.9.x beta and see if the alert is gone.... i have to say you should probably only be using beta software if you feel confident.

You could if you have time, export your "old" 3.8 configuration, uninstall the 3.8, install the 3.9.x beta and see if the problem still exists or not, remove 3.9.x beta, install 3.8 latest and import your settings back so you are "back to where you started" only you know if the alert is still there in the latest version.

[LostAmy]

Hi Ronny,
i've downloaded and installed the Beta version and everything seems to be working fine.
thanks for your help!

[Ronny]

Your welcome, please make sure you update to a final version once 3.9 is released ;-)

[Tags:]