Shellcode Injection Warnings

Since the last update, I’ve received “Shellcode Injection” Warnings from CIS during removal of two different valid software applications on two different computers.

Defense Event Log posted below.
2/25/2009 5:25:30 PM \Device\HarddiskVolume1\WINDOWS\explorer.exe Shellcode Injection
2/25/2009 5:24:44 PM \Device\HarddiskVolume1\WINDOWS\explorer.exe Shellcode Injection

1.) Scanned system thoroughly for all types of malware, rootkits and infection, nothing was found.
2.) All software signatures are valid.
3.) No issues reported in System Event Log.

Anyone else having this problem? If so, has a solution been provided?

Please give as much info as possible about your system including OS and 32 or 64 bit etc…
Also please provide info on the software that has been conflicting.

PC #1
CPU: Intel 3.33Ghz
Mem: 4Gb
OS: Vista Ultimate 32Bit

PC #2
CPU: Intel 3.33Ghz
Mem: 4Gb
OS: WindowsXP 32Bit

PC #3
CPU: Intel 3.33Ghz
Mem: 4Gb
OS: Vista Ultimate 32Bit

PC #4
CPU: Intel 3.33Ghz
Mem: 4Gb
OS: WindowsXP 32Bit

The warnings initially occurred on PC #1 & PC #2.
Fired-up PC #3 & PC #4, allowed the CIS application update to proceed.
Tried uninstalling an application (MSOffice 2008); PC #3 & PC #4 are throwing the warnings.

I’m convinced that it’s not the OS, it’s not the hardware, and it’s not the installed applications.

As I stated before:

The warnings only occur when “uninstalling” a valid application.

In each instance the “Defense Event Log” posts…
\Device\HarddiskVolume1\WINDOWS\explorer.exe Shellcode Injection
\Device\HarddiskVolume1\WINDOWS\explorer.exe Shellcode Injection

Some tip-offs here are:
1.) “\explorer.exe” is being reported as the offending application not the “Windows Installer” which is hooked by necessity into “explorer.exe” and invoked for every application’s install or uninstall routine.

2.) Shortly afterwards, memory errors are thrown by CIS as well as many other “reasonably well-behaved” applications like Word, Powerpoint, Visual Studio, IE, etc.

Bottom line, it’s not the OS…it’s definitely caused by some sort of anomaly in the recent CIS application update.

Hopefully, the coders will get wind of this (and the other post that references a similar issue) and fix the offending routines.

Until then, guess I’ll have to crank up the ole’ debugger and try to catch the offending rascal on my own.

Thanks for the reply.

Thank you. Also, what valid application causes this? The reason why we ask is so when the developers look at this it’s nice and clear for them to understand.

I know you’re honestly trying to help and I sincerely appreciate it, however this isn’t working.
Please read my previous post where I’ve listed several legitimate applications, for example “MS Office.”

Here’s what I’ve discovered so far:
When the MSI is invoked “during an application uninstall session,” any errant mouse click on the desktop (or anywhere else for that matter) causes the “Shellcode Injection Warning” and subsequent memory exception errors are thrown.

I only posted with hopes of saving some time, that the CIS coders had a fix or that others experiencing this issue had already found a solution or work-around.

I’ll get to the bottom of the problem later this week as time permits and post what I find.

If it can’t be fixed within the confines of the “Agreement” (disassembly really ticks off most companies), then I’ll employ the best work-around of all until it’s fixed…“uninstall”

Again, thanks a bunch


Could it be as simple as a false Positive?

Yes, I believe that could be one problem.
Based on what I’ve been reading from others’ posts and personally experiencing, it appears that this began appearing with the last application update.

One user reported receiving similar alerts when using Windows Media Player, others report memory exception errors, while another reports a disabled soundcard that worked fine before the update.

This leads me to believe that something more than a simple FP may be at the core of this issue.
Maybe a memory allocation or hook issue? Who can say.

Regardless of the minor issues with CIS, it’s an impressive product that does what it promises and does it well.

Many “pay for play” applications are only now including features that were available within CIS from its birth.