Comodo Buffer and wJQs.exe

Hi,
I was doing some work and Comodo (free Defense+) came up warning about a buffer overflow and stopped Acrobat.exe. It then mentioned that wJQs.exe was doing something that it stopped.

I checked the Defense+Events and there is an entry for a “Shellcode Injection” for …/acrobat/acrobat.exe, as well as \Local Settings\Temp\wJQS.exe.

There were no wJSQ.exe processes running.

I checked the registry (find in regedit) and found two entries with the file. I went ahead and deleted everything from the \Local Settings\Temp directory including the wJQS.exe file.

I then went back to the registry and deleted the two entries.

I am I correct that Comodo “intercepted” the malware’s attempt to do harm, and that by deleting the .exe file and the two registry entries that I’m ok now? I am running scans and I downloaded hijackthis to triple check. I’m assuming the registry entries were just for the fact that the file existed.

Any advice is much appreciated.
Thank you.

If you check with Google you will find a lot of information about this, with mentions of Acrobat.

Prevx has some interesting info about what this could have done to you if CIS hadn’t stopped it :-TU so you seem to have had a narrow escape from having a completely hijacked computer.

If you don’t know how to check the HJT log you could post it here for opinions and suggestions if further action is needed.

Thank you for your reply. I actually did an extensive google search and saw what that file could do. :o

So thankfully, then, it does seem that comodo stopped it – that was my critical concern. Do you think the steps I took were appropriate in removing the file? Is there anything else you would do?

And yes, I’m very familiar with system processes, etc. so I did take a fine tooth comb look at the HJT log and everything at this point appears to be ok.

Thank you to you for your help, and thank you to comodo for picking up the problem.

That sounds good then, you obviously know about checking out any Defense+ or connection alerts before allowing anything unknown, so you seem to be in the clear if there is nothing showing up in the log. Certainly it would have caused havoc if it had been allowed to run.

This is a great example of the effectiveness of the BO protection. :-TU

Although on an interesting note, I’m now getting an RPC server error when I try to connect via my local internet connection. It wasn’t connecting (and other machines on my LAN) are fine, so when I ran ipconfig /renew, it gave me the RPC problem.

Maybe the malware was able to do something?

That being said, I’m planning on wiping and restoring this machine (it was due anyway). I always run on partitions and my data (E:) is on a separate partition than my OS (C:), and Program Files (D).

In your opinion, would there be any risk to leaving the data partition (E:) intact? I would reinstall the OS on the C and the Program on the D. There are som executables on E:, but mostly just data.

Thanks for your continued help.

Sorry I don’t have knowledge to advise on this, maybe someone who does will answer.

Too technical for me.

Fair enough. BTW: Will HTS check off for you what it thinks is a problem? I was doing some more reading and interpreting the log doesn’t seem as simple I as first thought (though my list did look ok and I’m still checking it manually just to learn more and make sure).

And is there an appropriate place to post the HTC log on this fourm?

Since each partition is a virtual separate drive, I don’t see any risk associated with wiping the C: and D: drives to perform a clean install of everything. If you still have concerns, create a backup of the contents on the E: partition first.

Without sounding naive, it’s my (limited) understanding that data doesn’t really “carry” the malware (unless of course the data was previously affected/deleted/rewritten – but I’d know that as soon as I opened the file).

I’m going with the notion that once I wipe and reinstall the OS (in general) that residual data (separate partition) should be safe.
(and I do have a backup but that’s a good reminder).

Once I’m back uip and running, I will rescan just to be sure.

Thank you.

I rebooted and now the internet works fine. Where would it be appropriate to post my HTC log file for someone to look at? Thank you.

You can post it here.

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:45 AM, on 4/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\WFXSVC.EXE
d:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\Norton SystemWorks\WinFax\WFXMOD32.EXE
d:\PROGRA~1\AVG\AVG8\avgnsx.exe
d:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\VMware\VMware Player\vmware-authd.exe
d:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\Q Menu\QICON.EXE
C:\Program Files\HPQ\Q Menu\CpqMcSrV.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Program Files\Logitech\QuickCam10\QuickCam10.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Comodo\Firewall\cfp.exe
D:\Program Files\VMware\VMware Player\hqtray.exe
D:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
D:\Program Files\MagicDisc\MagicDisc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - d:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [tabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM..\Run: [tabletTip] “C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe” /resume
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM..\Run: [Q Menu] C:\Program Files\HPQ\Q Menu\QICON.EXE -QICON
O4 - HKLM..\Run: [hpqMcSrv] “C:\Program Files\HPQ\Q Menu\CpqMcSrV.exe” /Start
O4 - HKLM..\Run: [UpdateManager] “C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe” /r
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [COMODO Firewall Pro] “D:\Program Files\Comodo\Firewall\cfp.exe” -h
O4 - HKLM..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM..\Run: [Acrobat Assistant 8.0] “D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe”
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM..\Run: [QuickTime Task] “D:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [LogitechCommunicationsManager] “C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe”
O4 - HKLM..\Run: [LogitechQuickCamRibbon] “D:\Program Files\Logitech\QuickCam10\QuickCam10.exe” /hide
O4 - HKLM..\Run: [AVG8_TRAY] d:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM..\Run: [RoxWatchTray] “C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe”
O4 - HKLM..\Run: [COMODO Internet Security] “D:\Program Files\Comodo\Firewall\cfp.exe” -h
O4 - HKLM..\Run: [VMware hqtray] “D:\Program Files\VMware\VMware Player\hqtray.exe”
O4 - HKLM..\Run: [WFXSwtch] D:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU..\Run: [ISUSPM] “C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” -scheduler
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19..\Run: [tabletWizard] %windir%\help\wizard.hta (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [tabletWizard] %windir%\help\wizard.hta (User ‘NETWORK SERVICE’)
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: d:\program files\vmware\vmware player\vsocklib.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ASAPHook,
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - d:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.32\bin\mysqld.exe
O23 - Service: WinFax Basic Edition (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE


End of file - 15821 bytes

I don’t see anything strange in there.

You don’t have SP3?

No. SP2 works great and everything I’ve read really doesn’t place much emphasis on SP3. I keep current will all critical updates, though.

How does Comodo protect users from shellcode injections? Does it prevent the buffer from being overflown (I don’t know if that even makes sense, I completely alien to all the technical talk) or shield the targeted application from being tampered with or does it only block the payload from execution? If all it does is block the malicious code, then you already have that by tweaking “access rights” in “policy settings”, in which case memory firewall becomes redundant.