23 Replies Latest reply on Dec 15, 2012 3:02 PM by Hayton

    McAfee says "Buffer overflow exploit blocked" whenever I open Microsoft Word

    stephe

      November 1, 2012

       

      Hi,

       

           I surfed some iffy sites today and foolishly closed a few popup

      windows.  Now, whenever I try to open Microsoft Word, Word closes and

      McAfee gives me a message that says "Buffer overflow exploit blocked."

       

           I used System Restore to return to a time prior to the problem, and

      it didn't solve it.

       

           I went to Safe Mode, where McAfee said "Real-time Scanning is Off."

      In Safe Mode, I ran Malwarebytes, then right-clicked on My Computer

      and ran McAfee.  Then I ran the McAfee Stinger.  Then, as suggested at

      https://community.mcafee.com/docs/DOC-1294 , I ran the Stinger again,

      then clicked Preferences and changed "On virus detection" to Report

      Only, set the "Heuristics" level to VERY HIGH, and disabled the option to

      Scan inside compressed files.  But still, whenever I try to open Microsoft

      Word, Word closes and McAfee gives me a message that says "Buffer overflow

      exploit blocked."

       

           As suggested at https://community.mcafee.com/docs/DOC-2168 I tried

      RootkitRemover, and then ran GetSusp.

       

           Here are the anomalies from GetSusp, along with some OK files, to

      give them some context:

       

      <<

      GetSusp initiated on Thu Nov 01 23:07:54 2012

       

        Master Boot Record(s):....1

        Possibly Infected:.............0

        Boot Sector(s):.................1

        Possibly Infected:.............0

       

      C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPRBXX.EXE ... is OK.

      C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe ... is OK.

      C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPUIXX.DLL ... is OK.

      C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATRPUIXX.ENU ... is Unknown !!!

       

      C:\PROGRAM FILES\CONNECTION WIZARD\CONNWIZ.EXE ... is Unknown !!!

      C:\PROGRAM FILES\DELL PHOTO AIO PRINTER 924\DLCCAIOX.EXE ... is Unknown !!!

      C:\Program Files\Dell Photo AIO Printer 924\dlcccfg.dll ... is OK.

      C:\Program Files\Dell Photo AIO Printer 924\dlcccomc.dll ... is OK.

      C:\PROGRAM FILES\DELL PHOTO AIO PRINTER 924\DLCCCOMX.DLL ... is OK.

      C:\Program Files\Dell Photo AIO Printer 924\dlccdrec.dll ... is OK.

      C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe ... is OK.

      C:\Program Files\Dell Photo AIO Printer 924\dlccpplc.dll ... is OK.

      C:\Program Files\Dell Photo AIO Printer 924\dlccscw.dll ... is OK.

      C:\Program Files\Dell Photo AIO Printer 924\dlcctsfw.dll ... is OK.

       

      C:\PROGRAM FILES\FLVPLAYER\FLVPLAYER.EXE ... is OK.

      C:\PROGRAM FILES\FLVPLAYER\UNINSTALL.EXE ... is Suspicious !!!

      C:\PROGRAM FILES\INPAINT\INPAINT.EXE ... is Suspicious !!!

      C:\PROGRAM FILES\INPAINT\UNINS000.EXE ... is OK.

       

      C:\Program Files\Intel\Intel Matrix Storage Manager\IAAMon_ENU.dll ... is OK.

      C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe ... is OK.

      C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe ... is OK.

      C:\Program Files\Intel\Intel Matrix Storage Manager\ISDI.dll ... is OK.

      C:\PROGRAM FILES\INTEL\INTEL MATRIX STORAGE MANAGER\SHELL.EXE ... is Unknown !!!

       

      C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE ... is OK.

      C:\PROGRAM FILES\JUNO\BIN\JUNOINFO.EXE ... is Unknown !!!

      C:\PROGRAM FILES\JUNO\BIN\JUNOSAVE.EXE ... is Unknown !!!

      C:\PROGRAM FILES\KODAK\KODAK SHARE BUTTON APP\BMDNS.DLL ... is Suspicious !!!

      C:\PROGRAM FILES\KODAK\KODAK SHARE BUTTON APP\BOOST_PYTHON-VC90-MT-1_40.DLL ... is OK.

      C:\Program Files\Kodak\KODAK Share Button App\KGShare_App.exe ... is Suspicious !!!

      C:\PROGRAM FILES\KODAK\KODAK SHARE BUTTON APP\KODAK WIRELESS UTILITY.EXE ... is Unknown !!!

      C:\PROGRAM FILES\KODAK\KODAK SHARE BUTTON APP\LIBEAY32.DLL ... is OK.

      C:\Program Files\Kodak\KODAK Share Button App\Listener.exe ... is Unknown !!!

      C:\PROGRAM FILES\KODAK\KODAK SHARE BUTTON APP\NATIVESERVICES.PYD ... is Unknown !!!

      C:\PROGRAM FILES\KODAK\KODAK SHARE BUTTON APP\PY\_CTYPES.PYD ... is OK.

      C:\PROGRAM FILES\KODAK\KODAK SHARE BUTTON APP\PYTHON26.DLL ... is OK.

      C:\PROGRAM FILES\KODAK\KODAK SHARE BUTTON APP\ROUTER.DLL ... is Suspicious !!!

       

      C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MCPS.DLL ... is OK.

      C:\Program Files\Microsoft Office\Office10\msohev.dll ... is OK.

      C:\Program Files\Microsoft Office\Office10\MSWORD.OLB ... is OK.

      C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\OSA.EXE ... is OK.

      C:\Program Files\Microsoft Works\1033\wkgl80.dll ... is Unknown !!!

      C:\Program Files\Microsoft Works\1033\WkWdLang.dll ... is Unknown !!!

      C:\Program Files\Microsoft Works\MSVCP71.dll ... is OK.

      C:\Program Files\Microsoft Works\MSVCR71.dll ... is OK.

      C:\Program Files\Microsoft Works\WkDStore.exe ... is Unknown !!!

      C:\Program Files\Microsoft Works\WkWat.dll ... is Unknown !!!

      C:\Program Files\Microsoft Works\WkWbl.dll ... is Unknown !!!

      C:\Program Files\Microsoft Works\WKWDADDN.DLL ... is OK.

      C:\Program Files\Microsoft Works\WkWinUni.dll ... is Unknown !!!

      C:\Program Files\Microsoft Works\workssvc.dll ... is Unknown !!!

       

      C:\PROGRAM FILES\WONDERSHARE\PDF CONVERTER PRO\PDFCONVERTERPRO.EXE ... is OK.

      C:\PROGRAM FILES\WONDERSHARE\PDF CONVERTER PRO\UNINS000.EXE ... is Unknown !!!

       

      C:\WINDOWS\SYSTEM32\IMSMUDLG.EXE ... is Unknown !!!

       

      GetSusp scan identified (5) Suspicious file(s) and (18) Unknown file(s).

      Scan results are saved at C:\xxxxx

      Scan results have been successfully delivered to McAfee Labs.

      <<

       

           As far as I can see, the genuinely questionable files are:

       

      <<

      C:\Program Files\Microsoft Works\1033\wkgl80.dll ... is Unknown !!!

      C:\Program Files\Microsoft Works\1033\WkWdLang.dll ... is Unknown !!!

      C:\Program Files\Microsoft Works\WkDStore.exe ... is Unknown !!!

      C:\Program Files\Microsoft Works\WkWat.dll ... is Unknown !!!

      C:\Program Files\Microsoft Works\WkWbl.dll ... is Unknown !!!

      C:\Program Files\Microsoft Works\WkWinUni.dll ... is Unknown !!!

      C:\Program Files\Microsoft Works\workssvc.dll ... is Unknown !!!

       

      C:\WINDOWS\SYSTEM32\IMSMUDLG.EXE ... is Unknown !!!

      <<

       

           Any guesses where I go from here?

       

      Stephe

       

      Message was edited by stephe: changed "closed a few nag screens" to "closed a few popup windows." on 11/2/12 4:15:40 AM CDT
        • 1. Re: McAfee says "Buffer overflow exploit blocked" whenever I open Microsoft Word
          stephe

          Hi,

           

               Okay, full disclosure: the iffy sites that I surfed yesterday

          (November 1st) were porn sites.  (Is it against McAfee Community rules

          to request aid for problems potentially caused by surfing porn sites?) 

          I perhaps foolishly closed some age verification and Enter/Exit popup

          windows at foreign porn sites without being able to clearly read all

          the text thereon since I am fluent in no other language than English. 

          One such site was in France.  After this, I noticed that whenever I

          open Microsoft Word, Word closes and McAfee gives me a message that

          says "Buffer overflow exploit blocked."  The pathway given is

           

          C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

           

               I went to this file and right-clicked for a McAfee scan, and no issues

          were detected.  Then I right-clicked for a Malwarebytes scan, and no issues

          were detected with that, either.  I hovered my cursor over WINWORD.EXE and

          it said (among other things): Date Created: 5/3/2002 11:07 PM

           

               Using System Restore to return to a time prior to the problem didn't

          solve it.  Could this be a McAfee software issue?  McAfee updated itself

          while I was online yesterday, before I went to use Microsoft Word that day.

           

               In the past few years, I have at times seen notices from McAfee saying

          "Buffer overflow blocked" but these incidents were solitary and isolated. 

          Yesterday and today constitute the first time I have seen "Buffer overflow

          exploit blocked," and I get the message each and every time I try to open

          Microsoft Word. 

           

              What is the difference between the messages "Buffer overflow blocked" and

          "Buffer overflow exploit blocked"?

           

               Will uninstalling Microsoft Office then re-installing Microsoft Office

          solve anything, or is the exploit located somewhere else?  How does one remedy

          a buffer overflow exploit?

           

          Stephe

           

          Message was edited by stephe to highlight questions in red. on 11/2/12 5:07:59 PM CDT

           

          Message was edited by stephe to change a word. on 11/2/12 5:13:01 PM CDT
          • 2. Re: McAfee says "Buffer overflow exploit blocked" whenever I open Microsoft Word
            Peter M

            McAfee doesn't care where you surf, only that you do it safely.   This isn't normal behaviour for the software and usually indicates missing updates in my experience at least.   I'm afraid I don't have the expertise to explain the difference between those two different blocked messages.

             

            Check for updates that you may have missed in Microsoft Updates, make sure the settings include "for Windows and Other Products from Microsoft Update".   Especially for Office and for Internet Explorer, even if you don't use that for a browser, it's important to keep it up to date, plus keep all its plug-ins/add-ons up to date too.  Reason:  other products still use IE regardless of default browser settings, McAfee included.

             

            Check your machine for malware using Stinger and Malwarebytes Free listed in the last link in my signature below.  Ignore the trial option for MBAM or else it will load the Pro version which may react badly with McAfee.

             

            If those don't find anything and the problem continues I suggest downloading Hijackthis and posting its log on one of the forums also mentioned in that link nearer the bottom, they should also explain those messages.

             

            If those forums can't find anything bad then contact Technical Support via the link under Useful Links at the top of this page as it certainly shouldn't be happening.

             

            It's a free phone call or online chat.

             

            Edit:  The fact that GetSusp identified suspicious files means it has submitted them to the labs and hopefully something will result from that assuming you entered your email address in it before running.

             

             

             

             

             

             

             

            Message was edited by: Ex_Brit on 03/11/12 9:39:24 EDT AM
            • 3. Re: McAfee says "Buffer overflow exploit blocked" whenever I open Microsoft Word
              Peter M

              Moved to Malware Discussion > Home User Assistance.

              • 4. Re: McAfee says "Buffer overflow exploit blocked" whenever I open Microsoft Word
                stephe

                     I went to Safe Mode, where McAfee said "Real-time Scanning is Off."

                In Safe Mode, I ran Malwarebytes, then right-clicked on My Computer

                and ran McAfee.  Then I ran the McAfee Stinger.  Then, as suggested at

                https://community.mcafee.com/docs/DOC-1294 , I ran the Stinger again,

                then clicked Preferences and changed "On virus detection" to Report

                Only, set the "Heuristics" level to VERY HIGH, and disabled the option

                to Scan inside compressed files.  No malware was found.

                 

                     On November 3rd, I updated McAfee, and now I am able to open

                Microsoft Word, but whenever I close Microsoft Word, now, I encounter a

                message that reads...

                 

                "This file is in use by another application or user.

                (C:\Documents and Settings\...\Normal.dot)"

                 

                ...and am prompted to...

                 

                Save As File name normal.dot File type Document Template (*.dot).

                 

                     The two files already there were ~$Normal.dot (grayed out) and Normal.dot

                 

                     I went to C:\, right-clicked on Documents and Settings, selected Search...,

                and searched for Normal.dot, but nothing came up in the search.  

                 

                     I opened Microsoft Word again, then closed it, so as to get the Save As

                prompt.  I moved my cursor to the Save in: box at the top and clicked on

                the down arrow to see the path, and it is this:

                 

                C:\Documents and Settings\Steve\Application Data\Microsoft\Templates

                 

                     I went inside this folder, copied the Normal.dot file, re-named it Normal.txt,

                and looked inside.  Besides a lot of badly formatted stuff, was the repeating

                phrase...

                 

                C u s t o m   P o p u p (followed by a 9-digit number with each digit separated by one space)

                 

                ...about a hundred times or so.   Example:

                 

                C u s t o m   P o p u p   1 0 4 4 1 0 8 2 8

                 

                     Towards the bottom, it says:

                 

                A t t e n t i o n :       A T T N :       A u t h o r ,   P a g e   # ,   D a t e  

                 

                B e s t   r e g a r d s ,       B e s t   w i s h e s ,  

                    C E R T I F I E D   M A I L       C O N F I D E N T I A L  

                    C o n f i d e n t i a l ,   P a g e   # ,   D a t e    

                C o r d i a l l y ,  

                 

                C r e a t e d   b y    

                C r e a t e d   o n       D e a r   M a d a m   o r   S i r : 

                    D e a r   M a d a m :       D e a r   M o m   a n d   D a d ,  

                    D e a r   M o t h e r   a n d   F a t h e r ,  

                    D e a r   S i r   o r   M a d a m :          D e a r   S i r :  

                    F i l e n a m e       F i l e n a m e   a n d   p a t h  

                    I n   r e g a r d s   t o :       I n   r e p l y   t o :       L a d i e s   a n d   G e n t l e m e n :  

                    L a s t   p r i n t e d    

                L a s t   s a v e d   b y  

                    L o v e ,       P a g e   X   o f   Y       P E R S O N A L  

                    R E :    

                R e f e r e n c e :       R e g a r d s ,  

                    R E G I S T E R E D   M A I L       R e s p e c t f u l l y   y o u r s ,  

                 

                R e s p e c t f u l l y ,       S F       S i n c e r e l y   y o u r s ,  

                 

                S i n c e r e l y ,       S P E C I A L   D E L I V E R Y  

                    S P E C I A L   H A N D L I N G       S t e v e n   F e l d m a n  

                    S u b j e c t :    

                T a k e   c a r e ,    

                T h a n k   y o u ,  

                    T h a n k s ,       T o   W h o m   I t   M a y   C o n c e r n :  

                    V I A   A I R M A I L    

                V I A   F A C S I M I L E  

                    V I A   O V E R N I G H T   M A I L       Y o u r s   t r u l y ,     ÿÿ    

                    R e f e r e n c e   L i n e    A t t e n t i o n   L i n e

                   M a i l i n g   I n s t r u c t i o n s       S u b j e c t   L i n e

                 

                S a l u t a t i o n    C l o s i n g

                 

                H e a d e r / F o o t e r

                     S i g n a t u r e

                   R e f e r e n c e   I n i t i a l s

                 

                     Please note that I never use templates in Microsoft Word.  The reason

                for that is that I don't know how to use them.  That means that I did not

                create the Normal.dot file quoted above.

                 

                     Inside the C:\Documents and Settings\Steve\Application Data\Microsoft\Templates

                folder, I created a new folder called for study, and tried to move the Normal.dot files

                there.  Backup of Normal.wbk and ~$Normal.dot moved, but Normal.dot and Normal.txt

                did not.  I was then able to move Normal.txt on its own.  Normal.dot, however, cannot

                be re-named nor deleted.  Each time I try, I get messages that say:

                 

                Error Renaming File or Folder

                Cannot rename Normal. It is being used by another person or program.

                Close any programs that might be using the file and try again.

                 

                Error Deleting File or Folder

                Cannot delete Normal. It is being used by another person or program.

                Close any programs that might be using the file and try again.

                 

                     I went to Safe Mode, and was able to move Normal.dot from the Templates

                folder to the for study folder, whereupon I re-named the file Normal.jpg

                 

                     I then re-booted.  I can use Microsoft Word now without any problem,

                but I suspect that I only removed a component of a trojan, which is still on

                my PC.  I don't know how to figure out what program was using the Normal.dot

                file.

                 

                     I opened Search and typed in the box named A word or phrase in the file:

                Normal.dot, but all that came up were .doc and .wkb files, this .txt file

                that I'm typing right now, and the following three files:

                 

                C:\Program Files\Microsoft Office\Office10\OPW1OUSR.INI

                C:\WINDOWS\ServicePackFiles\i386\migapp.inf

                C:\WINDOWS\system32\usmt

                 

                ...as well as a whole lot of files in the C:\Program Files\Microsoft Works\1033\Wizards

                folder with .dot and .wwt extensions. 

                 

                     All the C:\Program Files\Microsoft Works\1033\Wizards .dot files were in the

                form of crdus**w.dot, where the asterisks represent a two-digit number between 13 and 99.

                 

                     I searched for *.* in Program Files for files modified on 11/1/12, and the

                only things I didn't recognize were Dl_cats and stinger.  Stinger was related

                to McAfee's Stinger program. Dl_cats looks harmless.  McAfee scans were negative.

                 

                     I then searched for *.* in WINDOWS for files modified on 11/1/12, and found

                C:\WINDOWS\system32\CatRoot and C:\WINDOWS\system32\CatRoot2  McAfee scans were negative.

                 

                     I visited Tech Support Forum and as requested, ran the programs called

                DDS and GMER.  GMER found 36 references to

                C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2240]

                 

                     Intriguingly, GMER found exactly 36 entries for each of the following

                13 programs:

                 

                C:\WINDOWS\system32\services.exe[864]

                C:\WINDOWS\system32\lsass.exe[876]

                C:\WINDOWS\system32\svchost.exe[1092]

                C:\WINDOWS\system32\svchost.exe[1176]

                C:\WINDOWS\System32\svchost.exe[1272]

                C:\WINDOWS\system32\svchost.exe[1332]

                C:\WINDOWS\system32\svchost.exe[1364]

                C:\WINDOWS\system32\svchost.exe[1440]

                C:\WINDOWS\Explorer.EXE[1880]

                C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2240]

                C:\WINDOWS\system32\svchost.exe[2436]

                C:\WINDOWS\system32\dllhost.exe[3584]

                C:\WINDOWS\System32\svchost.exe[3936]

                 

                     To the far right of every program listed above was the following

                same exact sequence of 36 lines of information (with the exception of the 29th line...

                 

                (line 29) ADVAPI32.DLL!RegCreateKeyW + 3       77DFBA58 2 Bytes  [55, 88]

                 

                ...which had different numbers in the bracketed area each time):

                 

                (line 01) ntdll.dll!NtCreateFile               7C90D0AE 5 Bytes  JMP 0014000A

                (line 02) ntdll.dll!NtCreateProcess            7C90D14E 5 Bytes  JMP 00140025

                (line 03) ntdll.dll!NtProtectVirtualMemory     7C90D6EE 5 Bytes  JMP 00140FD2

                (line 04) ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00140FE3

                (line 05) kernel32.dll!CreateFileA             7C801A28 5 Bytes  JMP 00260000

                (line 06) kernel32.dll!VirtualProtectEx        7C801A61 5 Bytes  JMP 002600B2

                (line 07) kernel32.dll!VirtualProtect          7C801AD4 5 Bytes  JMP 002600A1

                (line 08) kernel32.dll!LoadLibraryExW          7C801AF5 5 Bytes  JMP 00260FC7

                (line 09) kernel32.dll!LoadLibraryExA          7C801D53 5 Bytes  JMP 00260084

                (line 10) kernel32.dll!LoadLibraryA            7C801D7B 5 Bytes  JMP 0026004E

                (line 11) kernel32.dll!GetStartupInfoW         7C801E54 5 Bytes  JMP 002600E0

                (line 12) kernel32.dll!GetStartupInfoA         7C801EF2 5 Bytes  JMP 002600CF

                (line 13) kernel32.dll!CreateProcessW          7C802336 5 Bytes  JMP 0026010C

                (line 14) kernel32.dll!CreateProcessA          7C80236B 5 Bytes  JMP 00260F69

                (line 15) kernel32.dll!GetProcAddress          7C80AE40 5 Bytes  JMP 0026011D

                (line 16) kernel32.dll!LoadLibraryW            7C80AEEB 5 Bytes  JMP 0026005F

                (line 17) kernel32.dll!CreateFileW             7C810800 5 Bytes  JMP 00260011

                (line 18) kernel32.dll!CreatePipe              7C81D83F 5 Bytes  JMP 00260F98

                (line 19) kernel32.dll!CreateNamedPipeW        7C82F0DD 5 Bytes  JMP 0026003D

                (line 20) kernel32.dll!CreateNamedPipeA        7C860CDC 5 Bytes  JMP 0026002C

                (line 21) kernel32.dll!WinExec                 7C86250D 5 Bytes  JMP 002600F1

                (line 22) ADVAPI32.DLL!RegOpenKeyExW           77DD6AAF 5 Bytes  JMP 00350FD4

                (line 23) ADVAPI32.DLL!RegCreateKeyExW         77DD776C 5 Bytes  JMP 00350F72

                (line 24) ADVAPI32.DLL!RegOpenKeyExA           77DD7852 5 Bytes  JMP 0035001B

                (line 25) ADVAPI32.DLL!RegOpenKeyW             77DD7946 5 Bytes  JMP 00350FE5

                (line 26) ADVAPI32.DLL!RegCreateKeyExA         77DDE9F4 5 Bytes  JMP 00350F83

                (line 27) ADVAPI32.DLL!RegOpenKeyA             77DDEFC8 5 Bytes  JMP 00350000

                (line 28) ADVAPI32.DLL!RegCreateKeyW           77DFBA55 2 Bytes  JMP 00350FA8

                (line 29) ADVAPI32.DLL!RegCreateKeyW + 3       77DFBA58 2 Bytes  [55, 88]

                (line 30) ADVAPI32.DLL!RegCreateKeyA           77DFBCF3 5 Bytes  JMP 00350FB9

                (line 31) msvcrt.dll!_wsystem                  77C2931E 5 Bytes  JMP 00360014

                (line 32) msvcrt.dll!system                    77C293C7 5 Bytes  JMP 00360F7F

                (line 33) msvcrt.dll!_creat                    77C2D40F 5 Bytes  JMP 00360FAB

                (line 34) msvcrt.dll!_open                     77C2F566 5 Bytes  JMP 00360FEF

                (line 35) msvcrt.dll!_wcreat                   77C2FC9B 5 Bytes  JMP 00360F9A

                (line 36) msvcrt.dll!_wopen                    77C30055 5 Bytes  JMP 00360FD2

                 

                     That strikes me as a bit odd.

                 

                     Anyways, will uninstalling Microsoft Office then re-installing Microsoft

                Office solve anything?

                 

                Stephe
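
The comparison described in the post above (the same 36 patches in each of 13 processes, differing only in the bracketed bytes of line 29) can be checked mechanically. The Python below is an added example, not part of the thread and not GMER's own code; the line layout, the helper names and the sample are assumptions. The sample uses three of the processes and seven of the patch lines from the post, and the bracketed bytes for the second and third process are constructed.

```python
import re
from collections import defaultdict, namedtuple

Hook = namedtuple("Hook", "proc module func offset addr nbytes target raw")

# Assumed layout: the process column followed by the patch columns from the post:
#   <path>[pid]  <module>!<func>[ + off]  <addr>  <n> Bytes  JMP <target> | [bytes]
HOOK_RE = re.compile(r"""
    ^(?:\.text\s+)?                              # optional leading tag
    (?P<proc>.+?\[\d+\])\s+                      # image path and [pid]
    (?P<module>[\w.]+)!(?P<func>\w+)             # patched export
    (?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+        # optional "+ offset"
    (?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+
    (?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])\s*$
""", re.VERBOSE)


def parse_hooks(text):
    """Return one Hook per line that matches the assumed layout."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m is None:
            continue  # headers, blank lines, other report sections
        hooks.append(Hook(
            proc=m["proc"], module=m["module"].lower(), func=m["func"],
            offset=int(m["off"] or "0", 16), addr=int(m["addr"], 16),
            nbytes=int(m["n"]),
            target=int(m["target"], 16) if m["target"] else None,
            raw=m["raw"]))
    return hooks


def process_signatures(hooks):
    """Map each process to its set of patches, ignoring raw byte values
    (the post notes those differ from process to process)."""
    sigs = defaultdict(set)
    for h in hooks:
        sigs[h.proc].add((h.module, h.func, h.offset, h.nbytes, h.target))
    return {proc: frozenset(s) for proc, s in sigs.items()}


def uniform_hook_set(hooks):
    """True when every process in the log carries exactly the same patches."""
    return len(set(process_signatures(hooks).values())) == 1


def trampoline_regions(hooks):
    """Group JMP targets per hooked module by 64 KiB allocation base."""
    regions = defaultdict(set)
    for h in hooks:
        if h.target is not None:
            regions[h.module].add(h.target & ~0xFFFF)
    return {mod: [f"{r:08X}" for r in sorted(rs)] for mod, rs in regions.items()}


def split_patches(hooks):
    """Exports patched at more than one offset within the same process."""
    offsets = defaultdict(set)
    for h in hooks:
        offsets[(h.proc, h.module, h.func)].add(h.offset)
    return {f"{mod}!{func}"
            for (_, mod, func), offs in offsets.items() if len(offs) > 1}


# Constructed sample: process names and patch lines copied from the post,
# joined into the assumed one-line-per-patch layout.
PROCS = [r"C:\WINDOWS\system32\services.exe[864]",
         r"C:\WINDOWS\Explorer.EXE[1880]",
         r"C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2240]"]
RAWS = ["55, 88", "55, 8A", "55, 8C"]  # first is from the post, rest constructed
HOOKS = [
    "ntdll.dll!NtCreateFile               7C90D0AE 5 Bytes  JMP 0014000A",
    "ntdll.dll!NtProtectVirtualMemory     7C90D6EE 5 Bytes  JMP 00140FD2",
    "kernel32.dll!VirtualProtect          7C801AD4 5 Bytes  JMP 002600A1",
    "kernel32.dll!CreateProcessW          7C802336 5 Bytes  JMP 0026010C",
    "ADVAPI32.DLL!RegCreateKeyW           77DFBA55 2 Bytes  JMP 00350FA8",
    "ADVAPI32.DLL!RegCreateKeyW + 3       77DFBA58 2 Bytes  [{raw}]",
    "msvcrt.dll!system                    77C293C7 5 Bytes  JMP 00360F7F",
]
SAMPLE = "\n".join(f"{p}  {h.format(raw=r)}"
                   for p, r in zip(PROCS, RAWS) for h in HOOKS)

if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE)
    print("patches parsed:", len(parsed))
    print("same patch set in every process:", uniform_hook_set(parsed))
    for mod, bases in trampoline_regions(parsed).items():
        print(f"  {mod}: JMP targets in region(s) {', '.join(bases)}")
    print("exports patched at more than one offset:", sorted(split_patches(parsed)))
```

A patch set that is identical in every process, with one block of JMP targets per hooked DLL, points to a component loaded system-wide; the modules loaded in an affected process are the next place to look for the component that installed them.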

                • 5. Re: McAfee says "Buffer overflow exploit blocked" whenever I open Microsoft Word
                  Peter M

                  Not sure, if I Google Save As File name normal.dot I get quite a few hits one of which is for an older version of Word but blames certain software for causing that.  I've never experienced it myself but you may find the answer to that there.

                  • 6. Re: McAfee says "Buffer overflow exploit blocked" whenever I open Microsoft Word
                    stephe

                    Sunday, November 4, 2012

                     

                         I just had an interesting/bad thing happen.

                     

                         The same day that McAfee identified and blocked a buffer

                    overflow exploit in Microsoft Word, McAfee had previously

                    performed a lengthy software update that required a re-boot. 

                    I didn't realize until a half hour ago (three days later!) that

                    there was a new feature in the program's firewall called

                    Intrusion Detection, which says "Protect yourself from hackers

                    who exploit weaknesses in your operating system or programs to

                    take control of your PC.  Learn more," with a checkbox for Use

                    Intrusion Protection, with the options being "Basic -- Detect

                    activities that are very likely to be attacks.  (Recommended)"

                    and "High -- Detect suspicious activities, even though some

                    might not be attacks."

                     

                         What blows my mind is that the Use Intrusion Protection box

                    was not checked.  What the Hell, McAfee?!?!?! 

                     

                         I checked the box and chose High, then clicked Apply.  Then

                    I clicked on Learn more, which opened Internet Explorer. 

                     

                         Right then and there, a McAfee box popped up saying...

                     

                    <<

                    Intrusion blocked.

                    McAfee blocked suspicious program activity.  Please check for

                    updates for this program and for your Windows operating system.

                     

                    About This Detection

                    Program: Internet Explorer

                    Activity: Buffer_Overflow

                     

                    If your attempt to fix the issue doesn't work, and you think it's

                    a false alarm, change your intrusion protection settings in

                    Firewall.

                    <<

                     

                         So, I unplugged my ethernet cable, clicked on Home inside

                    McAfee, then clicked on Security History.  At the top is

                     

                    <<

                    PC intrusion blocked

                    Program name: IEXPLORE.EXE

                    <<

                     

                         I clicked on the + to expand the section, and saw this:

                     

                    <<

                    Firewall blocked a hacker from exploiting the Buffer_Overflow

                    weakness in C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE on

                    your PC.

                    <<

                     

                         What I'd like to know is why is it that the popup only said,

                    "McAfee blocked suspicious program activity. ... If your attempt

                    to fix the issue doesn't work, and you think it's a false alarm,

                    change your intrusion protection settings in Firewall." instead

                    of telling me outright, "Firewall blocked a hacker"? 

                     

                         So, it looks like the reason I got malware on my computer

                    and hacker attacks is that McAfee's new software is sent with a

                    new feature called Intrusion Protection which is turned off by

                    default!?!?!?  That makes it McAfee's fault!!! 

                     

                         This is the first time I have ever had an anti-virus program

                    detect a PC intrusion attempt, in my 12 years as an owner of a PC. 

                    I have gotten trojans and viruses, but never a detected intrusion

                    attempt until now.

                     

                         I just got the feedback from someone at Tech Support Forum,

                    and will be sending them the following:

                     

                    <<

                    I doubt it as Normal.dot will remain as a file if uninstalling

                    Office doesn't clean out the data files. Have you tried using the

                    Office "Repair" option? Every time you open Word it should open

                    the blank page Normal or Doc1.

                    <<

                     

                         I'd never heard of the Repair option.  I just found it in

                    Help > Detect and Repair...

                     

                    <<

                    Have you typed cmd into the search box and navigated your way to

                    the file in DOS and then tried to delete it?

                    <<

                     

                         I didn't know that that was/is an option.  I am not *that*

                    computer savvy.

                     

                    <<

                    I assume that you have used Task Manager to check what processes

                    are running and highlighted and turned off non-essential processes

                    one by one to see which may be the culprit.

                    <<

                     

                         No, I didn't, but I see now that I should have.  I have Process

                    Lasso, and I tried to track things down with that, since if you hover

                    over a process in Process Lasso, it shows you the complete path of

                    the file.

                     

                    >>

                    You might try opening an old document, deleting everything in it

                    so that you have a blank page with your preferred fonts and

                    margins etc., then try to overwrite the corrupted file by saving

                    the new blank page as Normal.dot file in the templates folder.

                    >>

                     

                         I'll try that.

                     

                    >>

                    This site (http://support.microsoft.com/kb/291352) might help

                    You are prompted to save the changes to the Normal.dot or

                    Normal.dotm or Normal.dotm global template every time that you

                    quit Word

                    >>

                     

                         Looks like a plan.

                     

                    Stephe

                     

                    Message was edited by stephe to include colorized text and emoticons on 11/4/12 5:24:33 PM CST
                    • 7. Re: McAfee says "Buffer overflow exploit blocked" whenever I open Microsoft Word
                      Peter M

                      We were told this about the new feature Intrusion Protection.

                       

                      It is a new feature for Consumer (integrated from Enterprise products) and we had concerns about compatibility with all of the 3rd party apps that are available in the Consumer environment (vs. an Enterprise environment which is usually locked down to very specific and approved applications).  IOW, we’ve made it available for those customers who are very concerned about their network security, but didn’t turn it on until the Beta product reveals no issues.

                      • 8. Re: McAfee says "Buffer overflow exploit blocked" whenever I open Microsoft Word
                        stephe

                        When I said...

                         

                             "The same day that McAfee identified and blocked a buffer

                        overflow exploit in Microsoft Word, McAfee had previously

                        performed a lengthy software update that required a re-boot."

                         

                             I was in error.  I looked through my System Restore

                        restoration points, and found that the lengthy software update

                        was not on November 1st but on October 26th.

                         

                        "I didn't realize until a half hour ago (three days later!) that

                        there was a new feature in the program's firewall called

                        Intrusion Detection, which says "Protect yourself from hackers

                        who exploit weaknesses in your operating system or programs to

                        take control of your PC.  Learn more," with a checkbox for Use

                        Intrusion Protection, with the options being "Basic -- Detect

                        activities that are very likely to be attacks.  (Recommended)"

                        and "High -- Detect suspicious activities, even though some

                        might not be attacks."

                         

                             What blows my mind is that the Use Intrusion Protection box

                        was not checked.  What the Hell, McAfee?!?!?!"

                         

                        Ex_Brit wrote:

                         

                        "[Here's] the answer [...] regarding Intrusion Protection feature in Firewall.

                         

                        It is a new feature for Consumer (integrated from Enterprise products) and we had concerns about compatibility with all of the 3rd party apps that are available in the Consumer environment (vs. an Enterprise environment which is usually locked down to very specific and approved applications).  IOW, we’ve made it available for those customers who are very concerned about their network security, but didn’t turn it on until the Beta product reveals no issues."

                         

                             So, is the feature a crucial component of McAfee now, or is it

                        superfluous?

                         

                             I just went to Safe Mode and ran Malwarebytes and McAfee

                        again, and neither found anything, whereas GMER did.

                         

                             What I want to know is, if and when I re-format, will changing

                        my IP address be enough to stymie the hacker, or will it be futile

                        because he has my MAC address?  In other words, if I re-format, will

                        the hacker intrude into my fresh, re-formatted system before I am

                        even able to install and update McAfee?

                         

                        [Re the buffer overflow exploit in Microsoft Word:]

                        The first time I ran GMER (on November 3rd), GMER found exactly 36 .text

                        entries for each of the following 13 programs:

                         

                        C:\WINDOWS\system32\services.exe[864]

                        C:\WINDOWS\system32\lsass.exe[876]

                        C:\WINDOWS\system32\svchost.exe[1092]

                        C:\WINDOWS\system32\svchost.exe[1176]

                        C:\WINDOWS\System32\svchost.exe[1272]

                        C:\WINDOWS\system32\svchost.exe[1332]

                        C:\WINDOWS\system32\svchost.exe[1364]

                        C:\WINDOWS\system32\svchost.exe[1440]

                        C:\WINDOWS\Explorer.EXE[1880]

                        C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2240]

                        C:\WINDOWS\system32\svchost.exe[2436]

                        C:\WINDOWS\system32\dllhost.exe[3584]

                        C:\WINDOWS\System32\svchost.exe[3936]

                         

                             To the far right of each of the 13 programs listed above was the following

                        same exact sequence of 36 lines of information (with the exception of the 29th line...

                         

                        (line 29) ADVAPI32.DLL!RegCreateKeyW + 3       77DFBA58 2 Bytes  [55, 88]

                         

                        ...which had different numbers in the bracketed area each time):

                         

                        (line 01) ntdll.dll!NtCreateFile               7C90D0AE 5 Bytes  JMP 0014000A

                        (line 02) ntdll.dll!NtCreateProcess            7C90D14E 5 Bytes  JMP 00140025

                        (line 03) ntdll.dll!NtProtectVirtualMemory     7C90D6EE 5 Bytes  JMP 00140FD2

                        (line 04) ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00140FE3

                        (line 05) kernel32.dll!CreateFileA             7C801A28 5 Bytes  JMP 00260000

                        (line 06) kernel32.dll!VirtualProtectEx        7C801A61 5 Bytes  JMP 002600B2

                        (line 07) kernel32.dll!VirtualProtect          7C801AD4 5 Bytes  JMP 002600A1

                        (line 08) kernel32.dll!LoadLibraryExW          7C801AF5 5 Bytes  JMP 00260FC7

                        (line 09) kernel32.dll!LoadLibraryExA          7C801D53 5 Bytes  JMP 00260084

                        (line 10) kernel32.dll!LoadLibraryA            7C801D7B 5 Bytes  JMP 0026004E

                        (line 11) kernel32.dll!GetStartupInfoW         7C801E54 5 Bytes  JMP 002600E0

                        (line 12) kernel32.dll!GetStartupInfoA         7C801EF2 5 Bytes  JMP 002600CF

                        (line 13) kernel32.dll!CreateProcessW          7C802336 5 Bytes  JMP 0026010C

                        (line 14) kernel32.dll!CreateProcessA          7C80236B 5 Bytes  JMP 00260F69

                        (line 15) kernel32.dll!GetProcAddress          7C80AE40 5 Bytes  JMP 0026011D

                        (line 16) kernel32.dll!LoadLibraryW            7C80AEEB 5 Bytes  JMP 0026005F

                        (line 17) kernel32.dll!CreateFileW             7C810800 5 Bytes  JMP 00260011

                        (line 18) kernel32.dll!CreatePipe              7C81D83F 5 Bytes  JMP 00260F98

                        (line 19) kernel32.dll!CreateNamedPipeW        7C82F0DD 5 Bytes  JMP 0026003D

                        (line 20) kernel32.dll!CreateNamedPipeA        7C860CDC 5 Bytes  JMP 0026002C

                        (line 21) kernel32.dll!WinExec                 7C86250D 5 Bytes  JMP 002600F1

                        (line 22) ADVAPI32.DLL!RegOpenKeyExW           77DD6AAF 5 Bytes  JMP 00350FD4

                        (line 23) ADVAPI32.DLL!RegCreateKeyExW         77DD776C 5 Bytes  JMP 00350F72

                        (line 24) ADVAPI32.DLL!RegOpenKeyExA           77DD7852 5 Bytes  JMP 0035001B

                        (line 25) ADVAPI32.DLL!RegOpenKeyW             77DD7946 5 Bytes  JMP 00350FE5

                        (line 26) ADVAPI32.DLL!RegCreateKeyExA         77DDE9F4 5 Bytes  JMP 00350F83

                        (line 27) ADVAPI32.DLL!RegOpenKeyA             77DDEFC8 5 Bytes  JMP 00350000

                        (line 28) ADVAPI32.DLL!RegCreateKeyW           77DFBA55 2 Bytes  JMP 00350FA8

                        (line 29) ADVAPI32.DLL!RegCreateKeyW + 3       77DFBA58 2 Bytes  [55, 88]

                        (line 30) ADVAPI32.DLL!RegCreateKeyA           77DFBCF3 5 Bytes  JMP 00350FB9

                        (line 31) msvcrt.dll!_wsystem                  77C2931E 5 Bytes  JMP 00360014

                        (line 32) msvcrt.dll!system                    77C293C7 5 Bytes  JMP 00360F7F

                        (line 33) msvcrt.dll!_creat                    77C2D40F 5 Bytes  JMP 00360FAB

                        (line 34) msvcrt.dll!_open                     77C2F566 5 Bytes  JMP 00360FEF

                        (line 35) msvcrt.dll!_wcreat                   77C2FC9B 5 Bytes  JMP 00360F9A

                        (line 36) msvcrt.dll!_wopen                    77C30055 5 Bytes  JMP 00360FD2

                         

                        [Re the buffer_overload Internet Explorer blocked hacker intrusion attempt]

                        The second time I ran GMER (on November 4th), GMER found between

                        25 and 51 .text entries for each of the following 20 programs:

                         

                        C:\WINDOWS\system32\svchost.exe[568]

                        C:\WINDOWS\system32\csrss.exe[776]

                        C:\WINDOWS\system32\winlogon.exe[804]

                        C:\WINDOWS\system32\services.exe[848]

                        C:\WINDOWS\system32\lsass.exe[860]

                        C:\WINDOWS\system32\svchost.exe[1068]

                        C:\WINDOWS\system32\svchost.exe[1156]

                        C:\WINDOWS\System32\svchost.exe[1196]

                        C:\WINDOWS\system32\svchost.exe[1284]

                        C:\WINDOWS\system32\svchost.exe[1312]

                        C:\WINDOWS\system32\spoolsv.exe[1468]

                        C:\WINDOWS\system32\svchost.exe[1572]

                        C:\Program Files\Internet Explorer\iexplore.exe[1616]

                        C:\WINDOWS\Explorer.EXE[1996]

                        C:\Program Files\Internet Explorer\iexplore.exe[2576]

                        C:\Program Files\Internet Explorer\iexplore.exe[2612]

                        C:\Program Files\Internet Explorer\iexplore.exe[2764]

                        C:\WINDOWS\system32\dllhost.exe[2916]

                        C:\WINDOWS\system32\rundll32.exe[3004]

                        C:\WINDOWS\System32\alg.exe[3176]

                         

                             To the far right of the first of the 20 programs listed above was the

                        following sequence of 51 lines of information:

                         

                        (line 01) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateFile                                   7C90D0AE 5 Bytes  JMP 00D00FEF

                        (line 02) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateProcess                                7C90D14E 5 Bytes  JMP 00D00031

                        (line 03) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtProtectVirtualMemory                         7C90D6EE 5 Bytes  JMP 00EB0BE7

                        (line 04) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtSetSecurityObject                            7C90DD2E 5 Bytes  JMP 00EB0477

                        (line 05) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!KiUserExceptionDispatcher                      7C90E47C 5 Bytes  JMP 00D00000

                        (line 06) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!LdrLoadDll                                     7C91632D 5 Bytes  JMP 00EB0400

                        (line 07) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!LdrGetProcedureAddress                         7C917CF0 5 Bytes  JMP 00EB0B70

                        (line 08) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileA                                 7C801A28 5 Bytes  JMP 00EB07B8

                        (line 09) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtectEx                            7C801A61 5 Bytes  JMP 00EB0D4C

                        (line 10) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtect                              7C801AD4 5 Bytes  JMP 00EB0CD5

                        (line 11) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryExW                              7C801AF5 5 Bytes  JMP 00CF0025

                        (line 12) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryExA                              7C801D53 5 Bytes  JMP 00CF0014

                        (line 13) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryA                                7C801D7B 5 Bytes  JMP 00F301DC

                        (line 14) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetStartupInfoW                             7C801E54 5 Bytes  JMP 00CF0F09

                        (line 15) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetStartupInfoA                             7C801EF2 5 Bytes  JMP 00EB091D

                        (line 16) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!ReadProcessMemory                           7C8021D0 5 Bytes  JMP 00EB0F28

                        (line 17) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateProcessW                              7C802336 5 Bytes  JMP 00EB0A82

                        (line 18) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateProcessA                              7C80236B 5 Bytes  JMP 00EB0E3A

                        (line 19) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualAllocEx                              7C809B12 7 Bytes  JMP 00EB0DC3

                        (line 20) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetProcAddress                              7C80AE40 5 Bytes  JMP 00EB0994

                        (line 21) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryW                                7C80AEEB 5 Bytes  JMP 00EB0A0B

                        (line 22) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateRemoteThread                          7C8104CC 5 Bytes  JMP 00F30000

                        (line 23) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileW                                 7C810800 5 Bytes  JMP 00CF0FD4

                        (line 24) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!HeapCreate                                  7C812C56 5 Bytes  JMP 00F30077

                        (line 25) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreatePipe                                  7C81D83F 5 Bytes  JMP 00EB08A6

                        (line 26) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeW                            7C82F0DD 5 Bytes  JMP 00CF0FA8

                        (line 27) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!OpenProcess                                 7C8309E9 5 Bytes  JMP 00EB0EB1

                        (line 28) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!PeekNamedPipe                               7C860977 7 Bytes  JMP 00EB082F

                        (line 29) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeA                            7C860CDC 5 Bytes  JMP 00CF0FB9

                        (line 30) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!WinExec                                     7C86250D 5 Bytes  JMP 00EB0C5E

                        (line 31) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadModule                                  7C86261E 5 Bytes  JMP 00EB0AF9

                        (line 32) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExW                               77DD6AAF 5 Bytes  JMP 00CE0025

                        (line 33) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExW                             77DD776C 5 Bytes  JMP 00CE0051

                        (line 34) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExA                               77DD7852 5 Bytes  JMP 00CE000A

                        (line 35) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyW                                 77DD7946 5 Bytes  JMP 00CE0FD4

                        (line 36) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExA                             77DDE9F4 5 Bytes  JMP 00CE0040

                        (line 37) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyA                                 77DDEFC8 5 Bytes  JMP 00CE0FE5

                        (line 38) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW                               77DFBA55 2 Bytes  JMP 00CE0FA8

                        (line 39) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW + 3                           77DFBA58 2 Bytes  [EE, 88]

                        (line 40) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyA                               77DFBCF3 5 Bytes  JMP 00CE0FB9

                        (line 41) C:\WINDOWS\system32\svchost.exe[568] RPCRT4.dll!NdrServerInitialize                           77E79FB5 5 Bytes  JMP 00EB0741

                        (line 42) C:\WINDOWS\system32\svchost.exe[568] USER32.dll!SetWindowsHookExW                             7E42820F 5 Bytes  JMP 00EB0565

                        (line 43) C:\WINDOWS\system32\svchost.exe[568] USER32.dll!SetWindowsHookExA                             7E431211 5 Bytes  JMP 00EB04EE

                        (line 44) C:\WINDOWS\system32\svchost.exe[568] GDI32.dll!GetDIBits                                      77F19FA5 5 Bytes  JMP 00EB06CA

                        (line 45) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wsystem                                      77C2931E 5 Bytes  JMP 00CD0FB0

                        (line 46) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!system                                        77C293C7 5 Bytes  JMP 00F300EE

                        (line 47) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_creat                                        77C2D40F 5 Bytes  JMP 00F30165

                        (line 48) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_open                                         77C2F566 5 Bytes  JMP 00CD0FEF

                        (line 49) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wcreat                                       77C2FC9B 5 Bytes  JMP 00CD0FC1

                        (line 50) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wopen                                        77C30055 5 Bytes  JMP 00CD0FDE

                        (line 51) C:\WINDOWS\system32\svchost.exe[568] NETAPI32.dll!NetpwPathCanonicalize                       5B86A3A9 5 Bytes  JMP 00EB05DC

                         

                             The other programs had fewer lines of text.

                         

                             There was also this:

                         

                        C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1948] kernel32.dll!LoadLibraryA   7C801D7B 5 Bytes  JMP 62418360 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

                        C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1948] kernel32.dll!LoadLibraryW   7C80AEEB 5 Bytes  JMP 62418460 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

                         

                             Whatever this series of commands is, Malwarebytes and McAfee are not

                        identifying it as malware-related activity.  I think it might be

                        automated, i.e. the hacker is not personally sitting there at the ready

                        each time I get a new buffer overflow.

                         

                             Two minutes ago, I got a buffer overflow in Firefox!  In McAfee's

                        Security History, I clicked on the + to expand the section, and saw this:

                         

                        <<

                        Firewall blocked a hacker from exploiting the Buffer_Overflow

                        weakness in C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE

                        on your PC

                        <<

                         

                             And when I opened a second Firefox window, I got another Firefox

                        Buffer_Overflow alert.

                         

                        Stephe

                         

                        Message was edited by: stephe on 11/5/12 5:01:33 AM CST

                         

                        Message was edited by: stephe on 11/5/12 5:15:50 AM CST
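An added illustration, not part of the original thread and not GMER or McAfee code: the Python sketch below parses `.text` lines in the layout quoted in post 8 and groups each process's patched APIs by where the jump lands, either a module GMER named on the line (as with mcproxy.dll) or a bare address. The function names and the 64 KiB bucketing are assumptions of this example; a bare address says nothing by itself about who installed the hook.

```python
import re
from collections import defaultdict

# Lines copied from the GMER output quoted in post 8 (a subset).
SAMPLE = r"""
(line 01) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateFile                                   7C90D0AE 5 Bytes  JMP 00D00FEF
(line 03) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtProtectVirtualMemory                         7C90D6EE 5 Bytes  JMP 00EB0BE7
(line 10) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtect                              7C801AD4 5 Bytes  JMP 00EB0CD5
(line 22) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateRemoteThread                          7C8104CC 5 Bytes  JMP 00F30000
(line 38) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW                               77DFBA55 2 Bytes  JMP 00CE0FA8
(line 39) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW + 3                           77DFBA58 2 Bytes  [EE, 88]
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1948] kernel32.dll!LoadLibraryA   7C801D7B 5 Bytes  JMP 62418360 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1948] kernel32.dll!LoadLibraryW   7C80AEEB 5 Bytes  JMP 62418460 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
"""

HOOK = re.compile(
    r"^(?:\(line \d+\)\s+)?"                                   # the poster's own numbering
    r"(?:(?P<proc>[A-Za-z]:\\.+?\.exe)\[(?P<pid>\d+)\]\s+)?"   # process path and PID
    r"(?P<module>[\w.]+)!(?P<func>\w+)(?:\s*\+\s*[0-9A-F]+)?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+) Bytes\s+"
    r"(?:JMP (?P<target>[0-9A-F]{8})|\[(?P<raw>[^\]]*)\])"     # decoded jump or raw bytes
    r"(?:\s+(?P<owner>[A-Za-z]:\\.+?\.(?:dll|exe|sys)))?",     # module named after the target
    re.IGNORECASE,
)


def parse_hooks(text):
    """Return one dict per recognised '.text' line; other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK.match(line.strip())
        if m:
            h = m.groupdict()
            h["target"] = int(h["target"], 16) if h["target"] else None
            hooks.append(h)
    return hooks


def summarize(hooks):
    """Group each process's hooked APIs by where the patched-in jump lands."""
    report = defaultdict(lambda: {"resolved": defaultdict(list),
                                  "unresolved": defaultdict(list),
                                  "raw_patches": 0})
    for h in hooks:
        name = f'{h["proc"]}[{h["pid"]}]' if h["proc"] else "(process not shown)"
        entry = report[name]
        api = f'{h["module"].lower()}!{h["func"]}'
        if h["target"] is None:
            entry["raw_patches"] += 1      # GMER printed bytes, not a JMP
        elif h["owner"]:
            entry["resolved"][h["owner"]].append(api)
        else:
            # Assumption: bucket by 64 KiB (the Windows allocation granularity)
            # to see how many separate memory regions the jumps point into.
            region = f'{h["target"] & 0xFFFF0000:08X}'
            entry["unresolved"][region].append(api)
    return report


if __name__ == "__main__":
    for proc, entry in summarize(parse_hooks(SAMPLE)).items():
        print(proc)
        for owner, apis in entry["resolved"].items():
            print(f"  -> {owner}: {', '.join(apis)}")
        for region, apis in sorted(entry["unresolved"].items()):
            print(f"  -> region {region} (no module named): {', '.join(apis)}")
        if entry["raw_patches"]:
            print(f"  raw byte patches: {entry['raw_patches']}")
```

Run over a full log, the per-process summary makes it easy to compare which APIs are patched in each process and to separate jumps that GMER attributes to a file on disk from those it does not.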
                        • 9. Re: McAfee says "Buffer overflow exploit blocked" whenever I open Microsoft Word
                          Peter M

                          It is a new component and until testing is complete won't be activated by default.  There is nothing stopping you activating it yourself.   As I already explained elsewhere as you have two threads going, it's an additional layer of protection.  Your firewall already blocks unknowns.   This is a new departure from normal practice for McAfee as they don't normally release new features until they are fully tested and I feel, although I don't know, that perhaps it was included in that build by mistake.

                          We have it in the beta software, where it would normally appear first and be tested.

                           

                          Please do not post HJT/DDS/GMER logs here, we do not analyze them as I explained in my post in your other thread in this section.

                           

                          There are forums who specialize in such things and are listed in the last link in my signature below.   They will hopefully give you a good idea of what is going on with your buffer overflows.

                           

                           

                           

                           

                           


                          Message was edited by: Ex_Brit on 05/11/12 12:25:39 EST PM