# Buffer overflow exploit blocked from Microsoft Word, then Normal.dot error



## Stephe (Mar 12, 2009)

November 3, 2012

Hi,

I have a Dell Pentium D dual core CPU 3.00GHz with 2.99 GHz, 3.00 GB of RAM with Microsoft Windows XP Media Center Edition Version 2002, Service Pack 3. I have all my installation discs including a Windows Install disc, but no Boot CD. I do not have Java on my PC, and have disabled javascript in Adobe Reader, both because it reduces vulnerabilities. Whenever I am done online, I pull out my PC's ethernet cable. I update McAfee manually before each time I go online for four hours.

I surfed some iffy sites on November 1st and foolishly closed a few popup windows. Now, whenever I try to open Microsoft Word, Word closes and McAfee gives me a message that says "Buffer overflow exploit blocked."

The pathway given is 

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

I went to this file and right-clicked for a McAfee scan, and no issues were detected. Then I right-clicked for a Malwarebytes scan, and no issues were detected with that, either. I hovered my cursor over WINWORD.EXE and it said (among other things): Date Created: 5/3/2002 11:07 PM

Using System Restore to return to a time prior to the problem didn't solve it. Could this be a McAfee software issue? McAfee updated itself while I was online yesterday, before I went to use Microsoft Word that day.

I went to Safe Mode, where McAfee said "Real-time Scanning is Off." In Safe Mode, I ran Malwarebytes, then right-clicked on My Computer and ran McAfee. Then I ran the McAfee Stinger. Then, as suggested at https://community.mcafee.com/docs/DOC-1294 , I ran the Stinger again, then clicked Preferences and changed "On virus detection" to Report Only, set the "Heuristics" level to VERY HIGH, and disabled the option to Scan inside compressed files. But still, whenever I try to open Microsoft Word, Word closes and McAfee gives me a message that says "Buffer overflow exploit blocked."

As suggested at https://community.mcafee.com/docs/DOC-2168 I tried RootkitRemover, and then ran GetSusp.

In the past few years, I have at times seen notices from McAfee saying "Buffer overflow blocked" but these incidents were solitary and isolated. November 1st and 2nd constitute the first time I have seen "Buffer overflow exploit blocked," and I got the message each and every time I try to open Microsoft Word on those two days.

On November 3rd, I updated McAfee, and now I am able to open Microsoft Word, but whenever I close Microsoft Word, now, I encounter a message that reads

"This file is in use by another application or user. 
(C:\Documents and Settings\...\Normal.dot)" 

and am prompted to Save As File name normal.dot File type Document Template (*.dot). I went to C:\, right-clicked on Documents and Settings, selected Search..., and searched for Normal.dot, but nothing came up in the search. 

What is the difference between the messages "Buffer overflow blocked" and "Buffer overflow exploit blocked"?

Will uninstalling Microsoft Office then re-installing Microsoft Office solve anything, or is the exploit located somewhere else? How does one remedy a buffer overflow exploit?

There are about 35 references to C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2240] in my GMER ark.txt.

Stephe



----------



## Stephe (Mar 12, 2009)

Having updated McAfee, I was able to open Microsoft Word, but whenever I closed Microsoft Word, I encountered a message that read...

"This file is in use by another application or user. 
(C:\Documents and Settings\...\Normal.dot)" 

...and was prompted to... 

Save As File name normal.dot File type Document Template (*.dot).

The two files already there were ~$Normal.dot (grayed out) and Normal.dot

I went to C:\, right-clicked on Documents and Settings, selected Search..., and searched for Normal.dot, but nothing came up in the search. 

I opened Microsoft Word again, then closed it, so as to get Save As prompt. I moved my cursor to the Save in: box at the top and clicked on the down arrow to see the path, and it is this:

C:\Documents and Settings\Steve\Application Data\Microsoft\Templates

I went inside this folder, copied the Normal.dot file, re-named it Normal.txt, and looked inside. Besides a lot of badly formatted stuff, was the repeating phrase...

C u s t o m P o p u p (followed by a 9-digit number with each digit separated by one space)

...about a hundred times or so. Example: 

C u s t o m P o p u p 1 0 4 4 1 0 8 2 8

Towards the bottom, it says:

A t t e n t i o n :   A T T N :   A u t h o r , P a g e # , D a t e 
 
B e s t r e g a r d s ,  B e s t w i s h e s , 
  C E R T I F I E D M A I L  C O N F I D E N T I A L 
  C o n f i d e n t i a l , P a g e # , D a t e  
C o r d i a l l y , 
 
C r e a t e d b y  
C r e a t e d o n   D e a r M a d a m o r S i r : 
  D e a r M a d a m :   D e a r M o m a n d D a d , 
  D e a r M o t h e r a n d F a t h e r , 
  D e a r S i r o r M a d a m :  D e a r S i r : 
  F i l e n a m e   F i l e n a m e a n d p a t h 
  I n r e g a r d s t o : I n r e p l y t o :  L a d i e s a n d G e n t l e m e n : 
 L a s t p r i n t e d  
L a s t s a v e d b y 
  L o v e ,   P a g e X o f Y   P E R S O N A L 
  R E : 
R e f e r e n c e :  R e g a r d s , 
  R E G I S T E R E D M A I L   R e s p e c t f u l l y y o u r s , 
 
R e s p e c t f u l l y ,   S F   S i n c e r e l y y o u r s , 
 
S i n c e r e l y ,   S P E C I A L D E L I V E R Y 
  S P E C I A L H A N D L I N G   S t e v e n F e l d m a n 
  S u b j e c t :  
T a k e c a r e ,  
T h a n k y o u , 
  T h a n k s ,   T o W h o m I t M a y C o n c e r n : 
  V I A A I R M A I L  
V I A F A C S I M I L E 
  V I A O V E R N I G H T M A I L  Y o u r s t r u l y ,  ÿÿ 
  R e f e r e n c e L i n e  A t t e n t i o n L i n e 
 M a i l i n g I n s t r u c t i o n s S u b j e c t L i n e 

S a l u t a t i o n  C l o s i n g 

H e a d e r / F o o t e r 
S i g n a t u r e 
 R e f e r e n c e I n i t i a l s

Please note that I never use templates in Microsoft Word. The reason for that is that I don't know how to use them. That means that I did not create the Normal.dot file quoted above.

Inside the C:\Documents and Settings\Steve\Application Data\Microsoft\Templates folder, I created a new folder called for study, and tried to move the Normal.dot files there. Backup of Normal.wbk and ~$Normal.dot moved, but Normal.dot and Normal.txt did not. I was then able to move Normal.txt on its own. Normal.dot, however, cannot be re-named nor deleted. Each time I try, I get messages that say:

Error Renaming File or Folder
Cannot rename Normal. It is being used by another person or program.
Close any programs that might be using the file and try again.

Error Deleting File or Folder
Cannot delete Normal. It is being used by another person or program.
Close any programs that might be using the file and try again.

I went to Safe Mode, and was able to move Normal.dot from the Templates folder to the for study folder, whereupon I re-named the file Normal.jpg

I then re-booted. I can use Microsoft Word now without any problem, but I suspect that I only removed a component of a trojan, which is still on my PC. I don't know how to figure out what program was using the Normal.dot file.

I opened Search and typed in the box named A word or phrase in the file: Normal.dot, but all that came up were .doc and .wkb files, this .txt file that I'm typing right now, and the following three files:

C:\Program Files\Microsoft Office\Office10\OPW1OUSR.INI
C:\WINDOWS\ServicePackFiles\i386\migapp.inf
C:\WINDOWS\system32\usmt

...as well as whole lot of files in the C:\Program Files\Microsoft Works\1033\Wizards folder with .dot and .wwt extensions. 

All the C:\Program Files\Microsoft Works\1033\Wizards .dot files were in the form of crdus**w.dot, where the asterisks represent a two-digit number between 13 and 99.

I searched for *.* in Program Files for files modified on 11/1/12, and the only things I didn't recognize were Dl_cats and stinger. Stinger was related to McAfee's Stinger program. Dl_cats looks harmless. McAfee scans were negative.

I then searched for *.* in WINDOWS for files modified on 11/1/12, and found C:\WINDOWS\system32\CatRoot and C:\WINDOWS\system32\CatRoot2. McAfee scans were negative.

After running DDS and GMER, GMER found exactly 36 entries for each of the following 13 programs:

C:\WINDOWS\system32\services.exe[864]
C:\WINDOWS\system32\lsass.exe[876]
C:\WINDOWS\system32\svchost.exe[1092]
C:\WINDOWS\system32\svchost.exe[1176]
C:\WINDOWS\System32\svchost.exe[1272]
C:\WINDOWS\system32\svchost.exe[1332]
C:\WINDOWS\system32\svchost.exe[1364]
C:\WINDOWS\system32\svchost.exe[1440]
C:\WINDOWS\Explorer.EXE[1880]
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2240]
C:\WINDOWS\system32\svchost.exe[2436]
C:\WINDOWS\system32\dllhost.exe[3584]
C:\WINDOWS\System32\svchost.exe[3936]

To the far right of every program listed above was the following same exact sequence of 36 lines of information (with the exception of the 29th line...

(line 29) ADVAPI32.DLL!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]

...which had different numbers in the bracketed area each time):

(line 01) ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0014000A 
(line 02) ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00140025 
(line 03) ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00140FD2 
(line 04) ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00140FE3 
(line 05) kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260000 
(line 06) kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 002600B2 
(line 07) kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 002600A1 
(line 08) kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260FC7 
(line 09) kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260084 
(line 10) kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0026004E 
(line 11) kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002600E0 
(line 12) kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002600CF 
(line 13) kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0026010C 
(line 14) kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260F69 
(line 15) kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0026011D 
(line 16) kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0026005F 
(line 17) kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260011 
(line 18) kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260F98 
(line 19) kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0026003D 
(line 20) kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0026002C 
(line 21) kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002600F1 
(line 22) ADVAPI32.DLL!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350FD4 
(line 23) ADVAPI32.DLL!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350F72 
(line 24) ADVAPI32.DLL!RegOpenKeyExA 77DD7852 5 Bytes JMP 0035001B 
(line 25) ADVAPI32.DLL!RegOpenKeyW 77DD7946 5 Bytes JMP 00350FE5 
(line 26) ADVAPI32.DLL!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350F83 
(line 27) ADVAPI32.DLL!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350000 
(line 28) ADVAPI32.DLL!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350FA8 
(line 29) ADVAPI32.DLL!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
(line 30) ADVAPI32.DLL!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350FB9 
(line 31) msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360014 
(line 32) msvcrt.dll!system 77C293C7 5 Bytes JMP 00360F7F 
(line 33) msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FAB 
(line 34) msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FEF 
(line 35) msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360F9A 
(line 36) msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360FD2 

That strikes me as a bit odd.

Anyways, will uninstalling Microsoft Office then re-installing Microsoft Office solve anything?

Stephe
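
For reading listings like the ones quoted in this thread, the sketch below (an added example, not part of the original posts and not a GMER feature) parses the quoted lines, groups each DLL's JMP targets by 64 KB region, and sorts the patched functions by what they control. The function names, the category labels and the 64 KB grouping are choices made for this example; it summarises the hooks and does not determine whether a security product or malware placed them.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Excerpts copied from the two GMER listings quoted in this thread
# (first run without a process column, later run with one).
RUN_NOV3 = r"""
(line 01) ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0014000A
(line 02) ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00140025
(line 03) ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00140FD2
(line 05) kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260000
(line 07) kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 002600A1
(line 10) kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0026004E
(line 13) kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0026010C
(line 28) ADVAPI32.DLL!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350FA8
(line 29) ADVAPI32.DLL!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
(line 32) msvcrt.dll!system 77C293C7 5 Bytes JMP 00360F7F
"""
RUN_NOV4 = r"""
(line 01) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D00FEF
(line 02) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D00031
(line 03) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EB0BE7
(line 06) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00EB0400
(line 08) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EB07B8
"""

class Hook(NamedTuple):
    process: Optional[str]   # None when the listing has no process column
    pid: Optional[int]
    module: str              # patched DLL, lower-cased
    function: str            # exported function whose code was patched
    offset: int              # the "+ N" after the function name, 0 if absent
    address: int             # address of the patched bytes
    size: int                # number of patched bytes reported
    target: Optional[int]    # JMP destination; None when raw bytes are shown

HOOK_RE = re.compile(
    r"^(?:\(line \d+\)\s+)?"
    r"(?:(?P<proc>[A-Za-z]:\\.+?\.exe)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<module>[\w.]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+) Bytes\s+"
    r"(?:JMP (?P<target>[0-9A-Fa-f]{8})|\[(?P<raw>[^\]]*)\])\s*$",
    re.IGNORECASE,
)

# What each patched API controls. This grouping is the example's own.
CATEGORIES = [
    ("process launch", re.compile(r"^(Nt)?CreateProcess|^WinExec$|^_?w?system$")),
    ("file create/open", re.compile(r"^(Nt)?CreateFile|^_w?(creat|open)$")),
    ("memory protection", re.compile(r"VirtualProtect|ProtectVirtualMemory")),
    ("module load / symbol lookup",
     re.compile(r"LoadLibrary|LdrLoadDll|GetProcAddress|LdrGetProcedureAddress")),
    ("registry", re.compile(r"^Reg")),
    ("pipes", re.compile(r"Pipe")),
]

def parse_hooks(text):
    """Turn GMER inline-hook lines into Hook records; other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            process=m["proc"],
            pid=int(m["pid"]) if m["pid"] else None,
            module=m["module"].lower(),
            function=m["func"],
            offset=int(m["off"], 16) if m["off"] else 0,
            address=int(m["addr"], 16),
            size=int(m["size"]),
            target=int(m["target"], 16) if m["target"] else None,
        ))
    return hooks

def regions_by_module(hooks):
    """Map each patched DLL to the 64 KB-aligned bases its JMPs land in.
    64 KB is the Windows allocation granularity, so targets that share a
    base are likely stubs in the same allocated block."""
    regions = defaultdict(set)
    for h in hooks:
        if h.target is not None:
            regions[h.module].add(h.target & ~0xFFFF)
    return {mod: sorted(bases) for mod, bases in regions.items()}

def capabilities(hooks):
    """Group patched function names by the CATEGORIES labels."""
    out = defaultdict(set)
    for h in hooks:
        label = next((n for n, rx in CATEGORIES if rx.search(h.function)), "other")
        out[label].add(h.function)
    return {label: sorted(funcs) for label, funcs in out.items()}

def hook_fingerprint(hooks):
    """Set of patched locations, ignoring process and JMP target, so two
    listings can be compared with set operations."""
    return frozenset((h.module, h.function, h.offset) for h in hooks)

if __name__ == "__main__":
    for label, text in (("Nov 3", RUN_NOV3), ("Nov 4", RUN_NOV4)):
        hooks = parse_hooks(text)
        print(label, "-", len(hooks), "entries")
        for mod, bases in regions_by_module(hooks).items():
            print("   ", mod, "->", ", ".join(f"{b:08X}" for b in bases))
        for cat, funcs in capabilities(hooks).items():
            print("   ", cat + ":", ", ".join(funcs))
```

On these excerpts the first listing sends every DLL's hooks to a single region per DLL, while the later listing splits the ntdll.dll hooks across two regions.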


----------



## jo-briggs (Jan 29, 2005)

I doubt it as Normal.dot will remain as a file if uninstalling Office doesn't clean out the data files. Have you tried using the Office "Repair" option? Every time you open Word it should open the blank page Normal or Doc1.

Have you typed *cmd* into the search box and navigated your way to the file in DOS and then tried to delete it? 

I assume that you have used Task Manager to check what processes are running and highlighted and turned off non-essential processes one by one to see which may be the culprit.

You might try opening an old document, deleting everything in it so that you have a blank page with your preferred fonts and margins etc., then try to overwrite the corrupted file by saving the new blank page as Normal.dot file in the templates folder.

This site might help: "You are prompted to save the changes to the Normal.dot or Normal.dotm or Normal.dotm global template every time that you quit Word"


----------



## Stephe (Mar 12, 2009)

Sunday, November 4, 2012

I was going to respond, but I just had an interesting/bad thing happen.

A fairly recent (the same day that the Microsoft Word buffer overflow exploit was identified and blocked) McAfee update updated the software, and I didn't realize until a half hour ago that there was a new feature in the program's firewall called Intrusion Detection, which says "Protect yourself from hackers who exploit weaknesses in your operating system or programs to take control of your PC. Learn more," with a checkbox for Use Intrusion Protection, with the options being "Basic -- Detect activities that are very likely to be attacks. (Recommended)" and "High -- Detect suspicious activities, even though some might not be attacks."

What blows my mind is that the Use Intrusion Protection box was not checked.

I checked the box and chose High, then clicked Apply. Then I clicked on Learn more, which opened Internet Explorer. 

Right then and there, a McAfee box popped up saying...

<<
Intrusion blocked.
McAfee blocked suspicious program activity. Please check for updates for this program and for your Windows operating system.

About This Detection
Program: Internet Explorer
Activity: Buffer_Overflow

If your attempt to fix the issue doesn't work, and you think it's a false alarm, change your intrusion protection settings in Firewall.
<<

So, I unplugged my ethernet cable, clicked on Home inside McAfee, then clicked on Security History. At the top is

<<
PC intrusion blocked
Program name: IEXPLORE.EXE
<<

I clicked on the + to expand the section, and saw this:

<<
Firewall blocked a hacker from exploiting the Buffer_Overflow weakness in C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE on your PC.
<<

What I'd like to know is why is it that the popup only said, "McAfee blocked suspicious program activity. ... If your attempt to fix the issue doesn't work, and you think it's a false alarm, change your intrusion protection settings in Firewall." instead of telling me outright, "Firewall blocked a hacker"?

So, it looks like the reason I got malware on my computer and hacker attacks is that McAfee's new software is sent with a new feature called Intrusion Protection which is turned off by default!?!?!? That makes it McAfee's fault!!! Grrr. :angry:

This is the first time I have ever had an anti-virus program detect a PC intrusion attempt, in my 12 years as an owner of a PC. I have gotten trojans and viruses, but never a detected intrusion attempt until now.



jo-briggs said:


> I doubt it as Normal.dot will remain as a file if uninstalling Office doesn't clean out the data files. Have you tried using the Office "Repair" option? Every time you open Word it should open the blank page Normal or Doc1.


 I'd never heard of the Repair option. I just found it in Help > Detect and Repair...



jo-briggs said:


> Have you typed cmd into the search box and navigated your way to the file in DOS and then tried to delete it?


 I didn't know that that was/is an option. I am not *that* computer savvy.



jo-briggs said:


> I assume that you have used Task Manager to check what processes are running and highlighted and turned off non-essential processes one by one to see which may be the culprit.


 No, I didn't, but I see now that I should have. I have Process Lasso, and I tried to track things down with that, since if you hover over a process in Process Lasso, it shows you the complete path of the file.



jo-briggs said:


> You might try opening an old document, deleting everything in it so that you have a blank page with your preferred fonts and margins etc., then try to overwrite the corrupted file by saving the new blank page as Normal.dot file in the templates folder.


 I'll try that.



jo-briggs said:


> This site might help: "You are prompted to save the changes to the Normal.dot or Normal.dotm or Normal.dotm global template every time that you quit Word"


 Looks like a plan.

Stephe


----------



## Stephe (Mar 12, 2009)

When I said...

"The same day that McAfee identified and blocked a buffer overflow exploit in Microsoft Word, McAfee had previously performed a lengthy software update that required a re-boot." 

I was in error. I looked through my System Restore restoration points, and found that the lengthy software update was not on November 1st but on October 26th.

"I didn't realize until a half hour ago (three days later!) that there was a new feature in the program's firewall called Intrusion Detection, which says "Protect yourself from hackers who exploit weaknesses in your operating system or programs to take control of your PC. Learn more," with a checkbox for Use Intrusion Protection, with the options being "Basic -- Detect activities that are very likely to be attacks. (Recommended)" and "High -- Detect suspicious activities, even though some might not be attacks."

What blows my mind is that the Use Intrusion Protection box was not checked. What the Hell, McAfee?!?!?!"

Ex_Brit at the McAfee Communities forum wrote:

<<
As you already posted here's the answer again regarding Intrusion Protection feature in Firewall.

It is a new feature for Consumer (integrated from Enterprise products) and we had concerns about compatibility with all of the 3rd party apps that are available in the Consumer environment (vs. an Enterprise environment which is usually locked down to very specific and approved applications). IOW, we’ve made it available for those customers who are very concerned about their network security, but didn’t turn it on until the Beta product reveals no issues.
<<

So, is the feature a crucial component of McAfee now, or is it superfluous?

I just went to Safe Mode and ran Malwarebytes and McAfee again, and neither found anything, whereas GMER did.

What I want to know is, if and when I re-format, will changing my IP address be enough to stymie the hacker, or will it be futile because he has my mac address? In other words, if I re-format, will the hacker intrude into my fresh, re-formatted system before I am even able to install and update McAfee?

[Re the buffer overflow exploit in Microsoft Word:]
The first time I ran GMER (on November 3rd), GMER found exactly 36 .text entries for each of the following 13 programs:

C:\WINDOWS\system32\services.exe[864]
C:\WINDOWS\system32\lsass.exe[876]
C:\WINDOWS\system32\svchost.exe[1092]
C:\WINDOWS\system32\svchost.exe[1176]
C:\WINDOWS\System32\svchost.exe[1272]
C:\WINDOWS\system32\svchost.exe[1332]
C:\WINDOWS\system32\svchost.exe[1364]
C:\WINDOWS\system32\svchost.exe[1440]
C:\WINDOWS\Explorer.EXE[1880]
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2240]
C:\WINDOWS\system32\svchost.exe[2436]
C:\WINDOWS\system32\dllhost.exe[3584]
C:\WINDOWS\System32\svchost.exe[3936]

To the far right of each of the 13 programs listed above was the following same exact sequence of 36 lines of information (with the exception of the 29th line...

(line 29) ADVAPI32.DLL!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]

...which had different numbers in the bracketed area each time):

(line 01) ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0014000A 
(line 02) ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00140025 
(line 03) ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00140FD2 
(line 04) ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00140FE3 
(line 05) kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260000 
(line 06) kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 002600B2 
(line 07) kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 002600A1 
(line 08) kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260FC7 
(line 09) kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260084 
(line 10) kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0026004E 
(line 11) kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002600E0 
(line 12) kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002600CF 
(line 13) kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0026010C 
(line 14) kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260F69 
(line 15) kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0026011D 
(line 16) kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0026005F 
(line 17) kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00260011 
(line 18) kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00260F98 
(line 19) kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0026003D 
(line 20) kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0026002C 
(line 21) kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002600F1 
(line 22) ADVAPI32.DLL!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350FD4 
(line 23) ADVAPI32.DLL!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350F72 
(line 24) ADVAPI32.DLL!RegOpenKeyExA 77DD7852 5 Bytes JMP 0035001B 
(line 25) ADVAPI32.DLL!RegOpenKeyW 77DD7946 5 Bytes JMP 00350FE5 
(line 26) ADVAPI32.DLL!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350F83 
(line 27) ADVAPI32.DLL!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350000 
(line 28) ADVAPI32.DLL!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350FA8 
(line 29) ADVAPI32.DLL!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
(line 30) ADVAPI32.DLL!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00350FB9 
(line 31) msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360014 
(line 32) msvcrt.dll!system 77C293C7 5 Bytes JMP 00360F7F 
(line 33) msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360FAB 
(line 34) msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FEF 
(line 35) msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360F9A 
(line 36) msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360FD2 

[Re the buffer_overload Internet Explorer blocked hacker intrusion attempt]
The second time I ran GMER (on November 4th), GMER found between 25 and 51 .text entries for each of the following 20 programs:

C:\WINDOWS\system32\svchost.exe[568]
C:\WINDOWS\system32\csrss.exe[776]
C:\WINDOWS\system32\winlogon.exe[804]
C:\WINDOWS\system32\services.exe[848]
C:\WINDOWS\system32\lsass.exe[860]
C:\WINDOWS\system32\svchost.exe[1068]
C:\WINDOWS\system32\svchost.exe[1156]
C:\WINDOWS\System32\svchost.exe[1196]
C:\WINDOWS\system32\svchost.exe[1284]
C:\WINDOWS\system32\svchost.exe[1312]
C:\WINDOWS\system32\spoolsv.exe[1468]
C:\WINDOWS\system32\svchost.exe[1572]
C:\Program Files\Internet Explorer\iexplore.exe[1616]
C:\WINDOWS\Explorer.EXE[1996]
C:\Program Files\Internet Explorer\iexplore.exe[2576]
C:\Program Files\Internet Explorer\iexplore.exe[2612]
C:\Program Files\Internet Explorer\iexplore.exe[2764]
C:\WINDOWS\system32\dllhost.exe[2916]
C:\WINDOWS\system32\rundll32.exe[3004]
C:\WINDOWS\System32\alg.exe[3176]

To the far right of the first of the 20 programs listed above was the following sequence of 51 lines of information:

(line 01) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D00FEF 
(line 02) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D00031 
(line 03) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EB0BE7 
(line 04) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtSetSecurityObject 7C90DD2E 5 Bytes JMP 00EB0477 
(line 05) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D00000 
(line 06) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00EB0400 
(line 07) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!LdrGetProcedureAddress 7C917CF0 5 Bytes JMP 00EB0B70 
(line 08) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EB07B8 
(line 09) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EB0D4C 
(line 10) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EB0CD5 
(line 11) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CF0025 
(line 12) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CF0014 
(line 13) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F301DC 
(line 14) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CF0F09 
(line 15) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EB091D 
(line 16) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!ReadProcessMemory 7C8021D0 5 Bytes JMP 00EB0F28 
(line 17) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EB0A82 
(line 18) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EB0E3A 
(line 19) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualAllocEx 7C809B12 7 Bytes JMP 00EB0DC3 
(line 20) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EB0994 
(line 21) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EB0A0B 
(line 22) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateRemoteThread 7C8104CC 5 Bytes JMP 00F30000 
(line 23) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CF0FD4 
(line 24) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!HeapCreate 7C812C56 5 Bytes JMP 00F30077 
(line 25) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EB08A6 
(line 26) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CF0FA8 
(line 27) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 00EB0EB1 
(line 28) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!PeekNamedPipe 7C860977 7 Bytes JMP 00EB082F 
(line 29) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CF0FB9 
(line 30) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EB0C5E 
(line 31) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 00EB0AF9 
(line 32) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CE0025 
(line 33) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CE0051 
(line 34) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CE000A 
(line 35) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CE0FD4 
(line 36) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CE0040 
(line 37) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CE0FE5 
(line 38) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CE0FA8 
(line 39) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EE, 88]
(line 40) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CE0FB9 
(line 41) C:\WINDOWS\system32\svchost.exe[568] RPCRT4.dll!NdrServerInitialize 77E79FB5 5 Bytes JMP 00EB0741 
(line 42) C:\WINDOWS\system32\svchost.exe[568] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00EB0565 
(line 43) C:\WINDOWS\system32\svchost.exe[568] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00EB04EE 
(line 44) C:\WINDOWS\system32\svchost.exe[568] GDI32.dll!GetDIBits 77F19FA5 5 Bytes JMP 00EB06CA 
(line 45) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0FB0 
(line 46) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F300EE 
(line 47) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30165 
(line 48) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD0FEF 
(line 49) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD0FC1 
(line 50) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD0FDE 
(line 51) C:\WINDOWS\system32\svchost.exe[568] NETAPI32.dll!NetpwPathCanonicalize 5B86A3A9 5 Bytes JMP 00EB05DC

The other programs had fewer lines of text.

There was also this:

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62418360 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62418460 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

Whatever this series of commands is, Malwarebytes and McAfee are not identifying it as malware-related activity. I think it might be automated, i.e. the hacker is not personally sitting there at the ready each time I get a new buffer overflow.

Two minutes ago, I got a buffer overflow in Firefox! In McAfee's Security History, I clicked on the + to expand the section, and saw this:

<<
Firewall blocked a hacker from exploiting the Buffer_Overflow weakness in C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE on your PC
<<

And when I opened a second Firefox window, I got another Firefox Buffer_Overflow alert.

Stephe
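
For triaging a GMER listing like the one in the post above, this added example (not part of the original post and not GMER's own code) parses the `.text` lines and groups each process's JMP detours by whether the line names the module that owns the jump target, as the two McSvHost.exe lines do. The function names and the 64 KB region grouping are assumptions of the example; the sample lines are excerpted from the post.

```python
import re
from collections import defaultdict

# Four lines in the GMER ".text" format, excerpted from the post above.
SAMPLE = r"""
(line 01) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D00FEF
(line 13) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F301DC
(line 39) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EE, 88]
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62418360 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
"""

ENTRY = re.compile(
    r"^(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"                         # process path and PID
    r"(?P<module>[^\s!]+)!(?P<func>\w+)"                         # patched export
    r"(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?\s+"                  # optional "+ N" offset
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+) Bytes\s+"         # patch address and length
    r"(?:JMP (?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?"  # detour and, if printed, its module
    r"|\[(?P<raw>[^\]]*)\])$"                                    # or the raw changed bytes
)

def parse(text):
    """Return one dict per recognised entry; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"^\(line \d+\)\s*", "", line.strip())  # drop the post's "(line NN)" labels
        m = ENTRY.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def summarize(entries):
    """Group JMP detours by (process, pid), split by whether the line names a target module."""
    report = defaultdict(lambda: {"named": defaultdict(list), "unnamed": [], "regions": set()})
    for e in entries:
        if e["target"] is None:          # raw-byte entry: no jump destination to classify
            continue
        proc = report[(e["proc"], int(e["pid"]))]
        api = f'{e["module"]}!{e["func"]}'
        if e["owner"]:
            proc["named"][e["owner"]].append(api)
        else:
            proc["unnamed"].append(api)
            proc["regions"].add(e["target"][:4].upper() + "0000")  # 64 KB region of the target
    return report

if __name__ == "__main__":
    for (path, pid), r in summarize(parse(SAMPLE)).items():
        print(f"{path}[{pid}]: {len(r['unnamed'])} detours with no module named, "
              f"regions {sorted(r['regions'])}")
        for owner, apis in r["named"].items():
            print(f"  {len(apis)} -> {owner}: {', '.join(apis)}")
```
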


----------



## Stephe (Mar 12, 2009)

*What I need to know is, if and when I re-format, will changing my IP address be enough to stymie the hacker, or will it be futile because he has my MAC address? In other words, if I re-format, will the hacker intrude into my fresh, re-formatted system before I am even able to install and update McAfee?*


----------



## jo-briggs (Jan 29, 2005)

Your IP address will have been, in all probability, allocated by your service provider. Have a look here, you might find some clues as to how to change it: Google

If, however, your problem is within Normal.Dot, you will have to delete the file before reinstalling your data, or preferably before you back up your files; the last thing you want to do is re-introduce it!

Go to the "Removing Malware" part of the forum for further help on removing it.


----------

