Office 360 Subscription Renewal Opens Additional Link to www.77b.com

[REDACTED]

Hello all,

Recently, my Office 360 subscription was up for renewal. When I click the link from any Office application to renew the subscription, a microsoft URL is called in my default browser and an additional one in a separate tab is also. The latter is flagged by Avast as malicious.

I've attached one of the ways to cause this to happen and the result I get.

Please help me track down the problem.

Thanks,
_t

[Eddy]

https://forum.avast.com/index.php?topic=53253.0

As alternative for MS-Office I recommend Libre Office.
It is free and has a lot more things than MS-Office.

[REDACTED]

Thanks Eddy. I produced the files required. I am in the process of sanitizing them and I will upload them when I'm done.

[REDACTED]

All files attached as per sticky post.

mbam_scan-log01 is the first scan with MBAM.
mbam_scan-log02 is a custom scan I conducted by additionally including rootkit scanning and all drives.

Reached attachment limit, will post aswMBR log in next message.

[REDACTED]

aswMBR attached here.

Please let me know if I missed uniquely identifiable information in the files attached other than usernames (sgnups and signups2), PC name (laptop0), network addresses (10.1.abc.xyz), the 3 categories, I've changed.

[essexboy]

No apparent malware on the system.  However, the IP is suspect http://whois.domaintools.com/77b.com  http://77b.com.ipaddress.com/


The only way I could see this happening is if the update module  for office was subverted or the DNS has been hijacked (although I would expect further alerts for this)

[REDACTED]

Hi all,

I rolled back my Windows install to a restore point a few months earlier and the problem disappeared. Unfortunately, by doing so, I rolled back a lot of changes so it's going to be hard to pinpoint what exactly caused the issue.

_t