Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on May 27, 2016, 04:41:51 PM
-
Hi,
My father's computer recently installed the Hitman Pro trial version to do a quick check, after several emails with viruses he'd gotten in his inbox. The computer was cleared and had no viruses, but now, a couple of days later, Hitman Pro won't allow Office apps like Word and Excel to run, claiming that "'Microsoft Word 15' has been terminated to prevent execution of malicious code."
The computer has had Malwarebytes installed for over a year, and it has not found anything (Hitman Pro was just an additional security check), and a full scan (rootkits included) comes up clear, as does every other free antivirus app like Avast, F-Secure, etc. As both his webserver and his email have been hacked and included viruses the last few months, and he's been in contact with it, I think it's worth asking for help just in case. I've included the error message/log below, and if it's benign, I'll be grateful for the confirmation. If not, I'd still be grateful for the help! :P
Sincerely,
Tommy L.
Error:
'Microsoft Word 15' has been terminated to prevent execution of malicious code. Please check your computer for malware and software updates.
Mitigation ROP
Platform 10.0.10586/x64 06_3c
PID 5664
Application C:\Program Files\Microsoft Office 15\root\office15\winword.exe
Description Microsoft Word 15
Branch Trace Opcode To
-------------------------------- -------- --------------------------------
0x5C020B58 MSO.DLL RET 0x5C020A69 MSO.DLL
0x5D6BDCE5 MSO.DLL ~ RET 0x0158910F (anonymous; WWLIB.DLL)
0x5D646A9D MSO.DLL RET 0x5D6BDCCF MSO.DLL
0x5C0128EC MSO.DLL RET 0x5D646A9C MSO.DLL
0x5D6BDCE5 MSO.DLL ~ RET 0x01589E8D (anonymous; WWLIB.DLL)
0x5D6A092F MSO.DLL RET 0x5D6BDCCF MSO.DLL
0x5C0128EC MSO.DLL RET 0x5D6A092E MSO.DLL
?AuthHandlerSupportAutoLogonBasedOnURL@Http@Mso@@YAXXZ() RET 0x01589BB6 (anonymous; WWLIB.DLL)
0x5C01A75C MSO.DLL
0x5D615955 MSO.DLL ~ RET 0x01589BA6 (anonymous; WWLIB.DLL)
0x5D1F5C70 MSO.DLL ~ RET* 0x5C070CA2 MSO.DLL
837d0800 CMP DWORD [EBP+0x8], 0x0
8907 MOV [EDI], EAX
7549 JNZ 0x5c070cf3
57 PUSH EDI
8bce MOV ECX, ESI
e83d435a01 CALL 0x5d614fef
5b POP EBX
b48d MOV AH, 0x8d
004800 ADD [EAX+0x0], CL
0010 ADD [EAX], DL
84c0 TEST AL, AL
7435 JZ 0x5c070cf3
8bce MOV ECX, ESI
e8a79ad400 CALL 0x5cdba76c
8bc8 MOV ECX, EAX
e8b41ad500 CALL 0x5cdc2780
(8A7CB2157EE5E207)
0x5CAB2238 MSO.DLL ~ RET* 0x5D1F5C70 MSO.DLL
c20400 RET 0x4
_MsoRegOpenKeyExW@16 +0x13a RET 0x0158627B (anonymous; WWLIB.DLL)
0x5C012BA3 MSO.DLL
0x5C0128EC MSO.DLL RET _MsoFreePv@4 +0xb8
0x5C0183FA MSO.DLL
Stack Trace
# Address Module Location
-- -------- ------------------------ ----------------------------------------
1 5C020A74 MSO.DLL
8bce MOV ECX, ESI
8986ac000000 MOV [ESI+0xac], EAX
e81f010000 CALL 0x5c020ba0
8bc6 MOV EAX, ESI
5e POP ESI
c3 RET
2 01589114 (anonymous; WWLIB.DLL)
3 5C070CBA MSO.DLL
4 5C2416F5 MSO.DLL
5 015880D3 (anonymous; WWLIB.DLL)
6 5C26D8DC MSO.DLL
7 5C26B62B MSO.DLL
8 5C03D94A MSO.DLL
9 5C02D28D MSO.DLL
10 5C02D05A MSO.DLL
Process Trace
1 C:\Program Files\Microsoft Office 15\root\office15\winword.exe [5664]
"C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE" /n "C:\Users\Acer\Desktop\Huskeliste.docx" /o ""
2 C:\Windows\explorer.exe [15520]
3 C:\Windows\System32\userinit.exe [16036]
4 C:\Windows\System32\winlogon.exe [10832]
C:\WINDOWS\System32\WinLogon.exe -SpecialSession
5 C:\Windows\System32\smss.exe [16028]
\SystemRoot\System32\smss.exe 00000124 00000074 C:\WINDOWS\System32\WinLogon.exe -SpecialSession
-
The first thing to do is decide which AV he wants to use.
Completely remove all others.
Links to removal instructions/tools > http://www.ache.nl
After having done the above follow these instructions > https://forum.avast.com/index.php?topic=53253.0
-
Malwarebytes has been the best tool I've ever used, so I'm keeping that one. I didn't want to delete Hitman Pro if it's the only thing preventing the virus from spreading, though - if it IS a virus.
The MB scan is clean. Do you still want me to add the log here?
I'll do the other two scans in a few. :)
Thanks so far.
-
Malwarebytes is not an antivirus, so you can keep that.
HitmanPRO is known to remove stuff it should not
The important logs are the two diagnostic logs from Farbar Recovery Scan Tool ... attach them
-
*Sigh*
Windows Defender pops up each time I try to download Farbar Recovery Scan Tool. It says it's a virus. I assume it's a false positive?
This is what it found:
https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fVarpes.N!cl&threatid=2147708973&enterprise=0
-
Yes, it is a false positive.
Disable Windows Defender so you can download it.
-
Here are the logs.
Thanks for the quick response so far. :)
-
Ok, have some patience now.
One of the malware removers will soon have a look at the logs.
-
Nothing untoward; I would go for a false positive.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
2016-01-17 19:21 - 2016-01-17 19:21 - 0000000 _____ () C:\Users\Acer\AppData\Local\{8427586B-21CA-4D82-B314-BCE941C0EB8A}
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix.
On completion a log will be generated; please post that.
-
Thanks a lot for your help! :)
The log is attached.