Explorer.exe - BufferOverflow / Shellcode Injection

I get a buffer overflow from C:\Windows\syswow64\explorer.exe after each game installation since yesterday. As soon as the installation is finished, I get the overflow msg. Then, I checked the Comodo defense history and saw this:

C:\Users\xxx\AppData/Local/Temp/_isEE6.exe → Create Process → C:\Windows\syswow64\explorer.exe

Could this be the cause?

Here’s a screen: http://img5.imageshack.us/img5/5969/shellcodeinjection.jpg

I checked “Skip this application in the future” and didn’t get the message after that. Is there any way to undo that to see if the problem is still there?

You can take the program out of the list of exclusions under Defense + → Advanced → Image Execution Control settings → exclusions.

Ok, thx.

But why is there a BO after an installation? Any clue?

I am not sure I understand. Can you explain a bit more?

As soon as a installation of a game (Virtua Tennis 2009 or Anno 1404) completes, I get the Comodo message box I posted above. Never occured while I was surfing a watching a video. I just want to know if it’s a false positive or not…

There’s a post here that may help a little:

Firewall wants me to “block” explorer.exe

This article, although quite old, does a good job of describing BO:

Thanks. So you think it’s rather because of a corruption issue than a attack? I remember that I installed some Windows Vista Updates a couple of days ago. It’s odd that when I boot Vista 64 I only have one explorer.exe (from c:\windows), but after an installation I also see the other one from c:\windows\syswow64. When I choose terminate, the system runs fine nonetheless.

So what’s your suggestion? Block access or choose “skip in the future” in the Comodo msg box?

Are there any events in the Windows event logs? The only thing that I’m concerned about is the _isEE6 temp file. Have you checked that location to see if the file exists and if so has any identification?

Initially, I deleted the file, but there are new files in the folder with the exact same structure which are defined as Macrovision Corp. So it seems it was just a copy protection from my games.

I just installed Vista SP2, maybe it’s fixed now. :wink:

Edit: Nothing special in the Windows event logs.

Edit 2: I uninstalled something and got it again. As soon as the install shield starts, the other explorer.exe pops up.

Edit 3: Would it help if I installed a clean explorer.exe from someone with Vista x64?

I’ve just been doing a little reading around this and I came across something I believe explains, to some extent at least, what we’re seeing:

In x64 versions of Windows, a process that starts from a 64-bit executable such as Explorer.exe can only load Win64 DLLs, while a process started from a 32-bit executable can only load Win32 DLLs. When a Win32 process makes a call to kernel mode—to read a file, for instance—the WOW64 code intercepts the call silently and invokes the correct x64 equivalent code in its place.

Of course, processes of different lineages (32-bit versus 64-bit) need to be able to communicate with each other. Luckily, all the usual interprocess communication mechanisms that you know and love in Win32 also work in Win64, including shared memory, named pipes, and named synchronization objects.

There’s more here:

Ok hm , so that’s totally normal.

Here’s what my Comodo Defense log says:

No target. Is that relevant?

[attachment deleted by admin]

My guess is D+ is playing safe, it sees what it believes to be a potential problem and does what it believes is right.

Even though that article seems to explain some of the behaviour, I’d still like to know more about that temp file…

I googled and they’re part of the install shield by Macrovision. I’ve a couple of other files in my temp ordner with the same structure: _is***.exe

Does this happen with every installation or just a certain type?

Every installation involving the install shield it seems.

I’m inclined to say that it may be a ‘feature’. If there are no additional manifestations, I’d let it do it’s thing, but with the provisio of keeping a close eye on it.

One last thought, what are your D+ settings for explorer(s).exe

Trusted application.

I got news: While I played Call of Juarez 2 I had a lot of crashes and finally a blue screen 0x0000003B. After that I ran the Windows Memory Diagnosis + Memtest and a memory occured both times. So maybe it was a RAM problem after all which caused all the problems. Who knows… I get my new memory next week, because it wasn’t on stock.

i am from greece aloo ror ol

Congratulations on finding that dk_. Too bad you need to buy new memory though.

I still have warranty. Thanks for your help! ;D