Shellcode Injection on explorer.exe, What is This?


I wasn’t really doing anything, on the desktop I think without anything open, maybe just Google on Firefox, and was playing some songs on WM Player.

Then I got this warning from Comodo saying explorer.exe has to be prevented from a buffer overflow attack or something, I can’t exactly remember. I clicked terminate anyways and restarted my computer.

In the Defence + log it simply lists this as:
Application: C:\Windows\explorer.exe
Action: Shellcode Injection

Should I be worried, what was this warning about?

I’m going to scan now anyhow and see if there’s any results.

Other Note: I have noticed over the past week that explorer.exe might be taking up more memory than usual as shown on Windows Task Manager. Currently it states it’s using 26K, I’m sure it used to be a lot less than this or I might just be paranoid? I’m on 512Mb Ram btw.

A shellcode injection isn’t good…it means that when you were browsing on the web or something that you downloaded…when executed…injected a small shellcode into explorer.exe…that could be why CIS is going nuts…or it could be that something is running in the background and changed the properties of explorer…or another reason could be that when you installed a program recently it changed the way explorer works… (trust me, I had this happen so much that explorer didn’t work anymore :D) I found something online that scans the files and can possibly restore them to its original state…if I can find it again I can send you the link

I just had this happen when I uninstalled the Futuremark system info software that was installed by the Peacekeeper browser benchmark site. It said that explorer.exe would be isolated unless I skipped the alert. I chose to skip it since I don’t think it was a real malicious action and I certainly did not want explorer.exe to be disabled. I think there may be a bug in CIS somewhere causing these alerts.

Apparently whatever caused the buffer overflow. You were protected from a possible danger. You may also have found an error in explorer.exe.

I would not worry about it until further notice. If it keeps occurring please you could scan your computer using this tutorial: .

Thanks everyone for the replies.

HazardHacX, I can only remember having my music playing; I don’t think I was doing anything else, but hopefully Comodo prevented what might have happened, as EricJH has said.
As for restoring Windows files, you can type sfc /scannow into the Start > Run box, I think it is, and it will check all the main Windows files and restore them if there’s any problems or if you’re missing any.

Dch48, I think rather than a bug it might be a false positive in your example, depending on what the software was.

EricJH, it’s good to know Comodo has prevented it (hopefully).
I did scan with MBAM, SAS and Comodo AV Scanner straight after and they found nothing.

Tarantela. Please start your own topic and provide us with more specific details about the problem. This way your problem will get the attention it deserves.