Shellcode - buffer overflow attack

Hi guys,

Today I turned my PC on and tried to open Internet Explorer, but CIS popped up an alert message saying that iexplore.exe tried to execute shellcode as a result of a possible buffer overflow attack! So I denied it…

Then I opened Google Chrome normally and tried to do an online scan with Kaspersky, but when the download finished I got the same alert message, now with chrome.exe.

Later, when trying to investigate the problem, I got the same alert with shell32.dll and other files.

Please, someone help me! Is it a false positive, or may I really be infected? If I am infected, do you know a free tool for removing this kind of “virus”? I already tried the NOD32 online scan, Spybot and SUPERAntiSpyware, but with no success :frowning:

I use this computer for work only: no suspicious websites, pirated software, cracks, nothing!!

Thanks!!

Hello

Can you first open up the main CIS user interface? Navigate to Defense+ >> Defense+ Settings >> Execution Control Settings. Click on Exclusions next to “Detect Shell Code Injections” and try adding the targeted files to this exclusion list.

You can also try uninstalling and reinstalling CIS.

After you have uninstalled, grab the latest versions from here (depending on whether your system is 32- or 64-bit).

64-bit installer:

http://download.comodo.com/cis/download/installs/1000/standalone/cispremium_installer_x64.exe

Size: 37M (38168904)

32-bit installer:

http://download.comodo.com/cis/download/installs/1000/standalone/cispremium_installer_x86.exe

Size: 35M (35919688)

Let us know how it goes.

Regards
Josh

I will try the procedures and let you know.

Thank you very much!!

No problem. :slight_smile: Please do!

Regards
Josh

Hi,

Well, I first tried to uninstall and reinstall CIS, but had the same problem…

Then I tried adding the files to the “Detect Shell Code Injection > Exclusions” list, and I have no more problems with CIS, but what if I am really infected? How can I make sure I am not infected?

Thanks!

I’m glad your problems are resolved.

Okay, now, to make sure you're not infected, go ahead and download Comodo Cleaning Essentials:

Again, 32- or 64-bit locations.

Download Locations:
http://download.comodo.com/cce/download/setups/cce_1.6.183539.73_x32.zip
http://download.comodo.com/cce/download/setups/cce_1.6.183539.73_x64.zip

Let the antivirus update. Click on “KillSwitch” and, in the options of KillSwitch (I think it’s under Tools; sorry, I don’t have it in front of me at the moment), check “Hide Safe processes or images” and see what unknown files pop up. After you do this, run a full system scan. It may take a while, since this scanner really goes in depth into your registry and files, looking for deep, dangerous malware such as rootkits.

Grab a coffee or two, maybe watch a movie while it’s running. :slight_smile: When the scan is completed and infections show up, can you post back what was found?

Also, if you find anything suspicious running in KillSwitch, any process you're not sure of, please report back too.

Any questions let me know.

Regards
Josh

http://support.kaspersky.com/viruses/avptool2010?level=2

http://security.symantec.com/nbrt/npe.aspx?lcid=1033

Hi!

First, thanks a lot to both of you for helping me…

Well, after 5 movies, lots of coffees :slight_smile: and more than 2 million files scanned twice (with Comodo and CureIt), the problem seems to be solved.

Thanks again!

No problem! Glad it’s all fixed!

I’ll go ahead and close this thread.

Josh