Author Topic: services.exe -- tried to execute shellcode ... buffer overflow attack  (Read 17575 times)

Offline macbeth8

  • Newbie
  • *
  • Posts: 3
Hello everyone,
first of all, sorry for the similar topic, but I simply could not find a reply button in that topic, so I created a new one; if that's a problem, please join the topics, thanx.

And now, some facts about my problem. Every now and then, it's hard to say exactly when, but usually after the computer is turned on and Win XP SP3 is booted, Comodo says that services.exe tried to execute shellcode as a result of a buffer overflow attack. The problem is that when I hit the terminate button, that leaves me with a 60-second countdown and my computer is going to restart itself. I'm kind of worried whether this is some malware or something, because services.exe is an important part of the Windows system. I'm also running Avast antivirus and tried to use Spyware Terminator, performed a full system scan, I also scanned the system with Avast antivirus, but nothing was found. Another thing I used was Procexp to examine processes running on my system, but again, I did not find anything suspicious; the log file from Procexp follows:

Code:
Process PID CPU Description Company Name
System Idle Process 0 75.38
 Interrupts n/a 1.54 Hardware Interrupts
 DPCs n/a 3.08 Deferred Procedure Calls
 System 4
  smss.exe 1324 Správce relací systému Windows NT Microsoft Corporation
   csrss.exe 1444 Client Server Runtime Process Microsoft Corporation
   winlogon.exe 1476 Windows NT Logon Application Microsoft Corporation
    services.exe 1524 Services and Controller app Microsoft Corporation
     svchost.exe 1736 Generic Host Process for Win32 Services Microsoft Corporation
      COCIManager.exe 5072 Camera Control Interface Logitech Inc.
      COMServer2Helper.exe 3060
     svchost.exe 1816 Generic Host Process for Win32 Services Microsoft Corporation
     cmdagent.exe 588 COMODO Internet Security COMODO
     svchost.exe 616 10.77 Generic Host Process for Win32 Services Microsoft Corporation
      GoogleUpdate.exe 236 Instalační program Google Google Inc.
     MsMpEng.exe 664 Service Executable Microsoft Corporation
     svchost.exe 892 Generic Host Process for Win32 Services Microsoft Corporation
     svchost.exe 964 Generic Host Process for Win32 Services Microsoft Corporation
     aswUpdSv.exe 1344 avast! Antivirus updating service ALWIL Software
     ashServ.exe 1396 avast! antivirus service ALWIL Software
     spoolsv.exe 552 Spooler SubSystem App Microsoft Corporation
     Apache.exe 1236 Apache HTTP Server Apache Software Foundation
      Apache.exe 2872 Apache HTTP Server Apache Software Foundation
     LVComSer.exe 1264 Logitech Video COM Service Logitech Inc.
      LVComSer.exe 4556 Logitech Video COM Service Logitech Inc.
     LVPrcSrv.exe 2512 Logitech LVPrcSrv Module. Logitech Inc.
     mysqld-nt.exe 2604
     nvsvc32.exe 2672 NVIDIA Driver Helper Service, Version 181.20 NVIDIA Corporation
     sp_rsser.exe 2724 Spyware Terminator Realtime Shield Service Crawler.com
     sqlbrowser.exe 3216 SQL Browser Service EXE Microsoft Corporation
     sqlwriter.exe 3268 SQL Server VSS Writer Microsoft Corporation
     svchost.exe 3320 Generic Host Process for Win32 Services Microsoft Corporation
     ashMaiSv.exe 2652 avast! e-Mail Scanner Service ALWIL Software
     ashWebSv.exe 2808 avast! Web Scanner ALWIL Software
     svchost.exe 4568 Generic Host Process for Win32 Services Microsoft Corporation
     alg.exe 5116 Application Layer Gateway Service Microsoft Corporation
     svchost.exe 5816 Generic Host Process for Win32 Services Microsoft Corporation
    lsass.exe 1544 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1976 1.54 Průzkumník Windows Microsoft Corporation
 TSVNCache.exe 416 TortoiseSVN status cache www.tortoisesvn.org
 NvMixerTray.exe 1036 NVIDIA nForce Mixer Tray Application NVIDIA Corporation
 MSASCui.exe 1072 Windows Defender User Interface Microsoft Corporation
 Communications_Helper.exe 1092 Communications Manager Logitech Inc.
 Quickcam.exe 1152 Camera Software Logitech Inc.
 ashDisp.exe 1240 avast! service GUI component ALWIL Software
 MBM5.exe 1260 MBM 5 Core EXE Alex van Kaam
 rundll32.exe 1300 Run a DLL as an App Microsoft Corporation
 cfp.exe 1536 COMODO Internet Security COMODO
 ctfmon.exe 1912 CTF Loader Microsoft Corporation
 daemon.exe 1932 Virtual DAEMON Manager DT Soft Ltd.
 GoogleUpdate.exe 1268 Instalační program Google Google Inc.
 firefox.exe 5928 Firefox Mozilla Corporation
 foobar2000.exe 1824 foobar2000 Application
  LastFM.exe 5324 Last.fm Last.fm
 infium.exe 4860 1.54 QIP Infium QIP
 SpywareTerminator.exe 4408 6.15 Crawler Spyware Terminator Crawler.com
 procexp.exe 908 Sysinternals Process Explorer Sysinternals - www.sysinternals.com


Could you please give me some advice on what to do? Is that probably some threat or should I ignore that? Or should I try the new beta?

Thanks for any advice and pardon my bad English.

EDIT: I found a log of Defense+ events, so now I know when the incidents happened:
First it showed on 22nd of Feb, then 9th of March, and then it started to appear more often -- 4th, 7th and 14th of April (7th and 14th of April are the last two times when I booted the computer). I also forgot to mention that after the restart the alert does not appear any more; the problem appears only after the first boot.
« Last Edit: April 16, 2009, 07:53:23 PM by macbeth8 »
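One thing a defender can check from a Procexp dump like the one above is whether services.exe (and the rest of the XP boot chain) actually sits under the parent it should. The script below is an added example, not from this thread or from Comodo; the log excerpt is constructed in the same indented format as the posted dump (one leading space per nesting level, with a deliberate impostor added), and the expected-parent table is an assumption based on the normal XP SP3 chain.

```python
"""Parse a Process Explorer text dump into a parent/child list and flag
core Windows XP processes whose parent is not the expected one.
Added example; PROCEXP_LOG is a constructed excerpt, EXPECTED_PARENT is
an assumption (standard XP SP3 boot chain: smss -> csrss/winlogon -> services/lsass)."""
import re

PROCEXP_LOG = """\
System Idle Process 0 75.38
 System 4
  smss.exe 1324 Session Manager Microsoft Corporation
   csrss.exe 1444 Client Server Runtime Process Microsoft Corporation
   winlogon.exe 1476 Windows NT Logon Application Microsoft Corporation
    services.exe 1524 Services and Controller app Microsoft Corporation
     svchost.exe 1736 Generic Host Process for Win32 Services Microsoft Corporation
     cmdagent.exe 588 COMODO Internet Security COMODO
    lsass.exe 1544 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1976 1.54 Windows Explorer Microsoft Corporation
 services.exe 4000 constructed impostor for the example
"""

# Expected parent of each core process, lower-cased (assumption: XP SP3 boot chain)
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
}

# leading spaces = depth, then the (possibly multi-word) name, then PID or n/a
LINE_RE = re.compile(r"^( *)(.+?) (\d+|n/a)\b")

def parse_tree(text):
    """Return a list of (name, pid, parent_name) tuples from a Procexp dump."""
    stack = []   # (depth, name) of the current ancestor chain
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth, name = len(m.group(1)), m.group(2).lower()
        while stack and stack[-1][0] >= depth:   # climb back up to the real parent
            stack.pop()
        parent = stack[-1][1] if stack else None
        rows.append((name, m.group(3), parent))
        stack.append((depth, name))
    return rows

def find_anomalies(rows):
    """Core processes whose parent differs from the expected boot chain."""
    return [(name, pid, parent) for name, pid, parent in rows
            if name in EXPECTED_PARENT and parent != EXPECTED_PARENT[name]]
```

A services.exe with the right parent and PID does not by itself clear the alert, but a second copy hanging off explorer.exe or another unexpected parent is something worth investigating before deciding it is a false positive.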

Offline macbeth8

  • Newbie
  • *
  • Posts: 3
Re: services.exe -- tried to execute shellcode ... buffer overflow attack
« Reply #1 on: April 22, 2009, 03:22:45 PM »
Is my question unclear? Improperly formulated? Have I not provided enough information? Or does just nobody know...?

Offline eXPerience

  • Left the Forums
  • Comodo's Hero
  • *****
  • Posts: 6958
  • Free Forever !
Re: services.exe -- tried to execute shellcode ... buffer overflow attack
« Reply #2 on: April 22, 2009, 03:26:11 PM »
greetings,

I'm sorry you didn't get any earlier support, but I guess nobody knew what to do, just like me (I'm a Comodo forums volunteer, not a developer). But perhaps you have malware? Just a wild guess.
Please take a look over here for further instructions on how to remove viruses.

Thanks
Xan

Offline macbeth8

  • Newbie
  • *
  • Posts: 3
Re: services.exe -- tried to execute shellcode ... buffer overflow attack
« Reply #3 on: April 23, 2009, 08:05:44 AM »
Thanks for your reply eXPerience. I used both Superantispyware and Malwarebytes Antimalware and they haven't found anything (besides some tracking cookies). I didn't install the Bitdefender Antivirus, because I already have another one (Avast, as I said earlier).

Well, it seems that my malware is very sophisticated or there is no malware, just a bug in services.exe or Comodo...

Offline eXPerience

  • Left the Forums
  • Comodo's Hero
  • *****
  • Posts: 6958
  • Free Forever !
Re: services.exe -- tried to execute shellcode ... buffer overflow attack
« Reply #4 on: April 23, 2009, 10:50:38 AM »
Well, in that case I suggest you use the latest beta and see if that helps?

sorry I couldn't help you,

Xan
