Author Topic: 'Microsoft Word 15' has been terminated to prevent execution of malicious code


REDACTED

  • Guest
Hi,

My father recently installed the Hitman Pro trial version on his computer to do a quick check, after several emails with viruses he'd gotten in his inbox. The computer was cleared and had no viruses, but now, a couple of days later, Hitman Pro won't allow Office apps like Word and Excel to run, claiming that "'Microsoft Word 15' has been terminated to prevent execution of malicious code."

The computer has had Malwarebytes installed for over a year, and it has not found anything (Hitman Pro was just an additional security check), and a full scan (rootkits included) comes up clear, as does every other free antivirus app like Avast, F-Secure, etc. As both his webserver and his email have been hacked and included viruses in the last few months, and he's been in contact with it, I think it's worth asking for help just in case. I've included the error message/log below, and if it's benign, I'll be grateful for the confirmation. If not, I'd still be grateful for the help! :P

Sincerely,

Tommy L.

Error:

'Microsoft Word 15' has been terminated to prevent execution of malicious code. Please check your computer for malware and software updates.

Mitigation   ROP

Platform     10.0.10586/x64 06_3c
PID          5664
Application  C:\Program Files\Microsoft Office 15\root\office15\winword.exe
Description  Microsoft Word 15

Branch Trace                      Opcode  To                             
-------------------------------- -------- --------------------------------
0x5C020B58 MSO.DLL                   RET  0x5C020A69 MSO.DLL             

0x5D6BDCE5 MSO.DLL                 ~ RET  0x0158910F (anonymous; WWLIB.DLL)

0x5D646A9D MSO.DLL                   RET  0x5D6BDCCF MSO.DLL             

0x5C0128EC MSO.DLL                   RET  0x5D646A9C MSO.DLL             

0x5D6BDCE5 MSO.DLL                 ~ RET  0x01589E8D (anonymous; WWLIB.DLL)

0x5D6A092F MSO.DLL                   RET  0x5D6BDCCF MSO.DLL             

0x5C0128EC MSO.DLL                   RET  0x5D6A092E MSO.DLL             

?AuthHandlerSupportAutoLogonBasedOnURL@Http@Mso@@YAXXZ()     RET  0x01589BB6 (anonymous; WWLIB.DLL)
0x5C01A75C MSO.DLL                                                       

0x5D615955 MSO.DLL                 ~ RET  0x01589BA6 (anonymous; WWLIB.DLL)

0x5D1F5C70 MSO.DLL                 ~ RET* 0x5C070CA2 MSO.DLL             
            837d0800                 CMP          DWORD [EBP+0x8], 0x0
            8907                     MOV          [EDI], EAX
            7549                     JNZ          0x5c070cf3
            57                       PUSH         EDI
            8bce                     MOV          ECX, ESI
            e83d435a01               CALL         0x5d614fef
            5b                       POP          EBX
            b48d                     MOV          AH, 0x8d
            004800                   ADD          [EAX+0x0], CL
            0010                     ADD          [EAX], DL
            84c0                     TEST         AL, AL
            7435                     JZ           0x5c070cf3
            8bce                     MOV          ECX, ESI
            e8a79ad400               CALL         0x5cdba76c
            8bc8                     MOV          ECX, EAX
            e8b41ad500               CALL         0x5cdc2780
                                 (8A7CB2157EE5E207)


0x5CAB2238 MSO.DLL                 ~ RET* 0x5D1F5C70 MSO.DLL             
            c20400                   RET          0x4


_MsoRegOpenKeyExW@16 +0x13a          RET  0x0158627B (anonymous; WWLIB.DLL)
0x5C012BA3 MSO.DLL                                                       

0x5C0128EC MSO.DLL                   RET  _MsoFreePv@4 +0xb8             
                                          0x5C0183FA MSO.DLL             

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  5C020A74 MSO.DLL                 
            8bce                     MOV          ECX, ESI
            8986ac000000             MOV          [ESI+0xac], EAX
            e81f010000               CALL         0x5c020ba0
            8bc6                     MOV          EAX, ESI
            5e                       POP          ESI
            c3                       RET         

2  01589114 (anonymous; WWLIB.DLL) 
3  5C070CBA MSO.DLL                 
4  5C2416F5 MSO.DLL                 
5  015880D3 (anonymous; WWLIB.DLL) 
6  5C26D8DC MSO.DLL                 
7  5C26B62B MSO.DLL                 
8  5C03D94A MSO.DLL                 
9  5C02D28D MSO.DLL                 
10 5C02D05A MSO.DLL                 

Process Trace
1  C:\Program Files\Microsoft Office 15\root\office15\winword.exe [5664]
"C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE" /n "C:\Users\Acer\Desktop\Huskeliste.docx" /o ""
2  C:\Windows\explorer.exe [15520]
3  C:\Windows\System32\userinit.exe [16036]
4  C:\Windows\System32\winlogon.exe [10832]
C:\WINDOWS\System32\WinLogon.exe -SpecialSession
5  C:\Windows\System32\smss.exe [16028]
\SystemRoot\System32\smss.exe 00000124 00000074 C:\WINDOWS\System32\WinLogon.exe -SpecialSession
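
Reading the alert above as a triage exercise, the following is an added example (my own code, not HitmanPro's tooling and not anything posted in this thread). It parses the report's header, branch trace and process trace and summarises the points worth checking before calling the alert a false positive: whether every return edge is attributed to a loaded module on both sides, whether any module other than the Office DLLs appears, which parent process launched Word, and which document was opened. The sample text is an excerpt of the alert posted above; the field names, the "known Office modules" set, and the rule that a wrapped entry's column-0 line belongs to the source column while an indented line belongs to the target column are this example's assumptions about the format, not documented HitmanPro behaviour.

```python
"""Parse a HitmanPro.Alert mitigation report and summarise triage points.

Added example; not HitmanPro's tooling and not code from the thread.
Assumptions: the field names, the KNOWN_OFFICE set, and the column rule
used for wrapped branch-trace entries (see parse_alert).
"""
import re

# Excerpt of the alert posted above (stack trace and most disassembly omitted).
SAMPLE = r"""
Mitigation   ROP

PID          5664
Application  C:\Program Files\Microsoft Office 15\root\office15\winword.exe

Branch Trace                      Opcode  To
-------------------------------- -------- --------------------------------
0x5D6BDCE5 MSO.DLL                 ~ RET  0x0158910F (anonymous; WWLIB.DLL)

?AuthHandlerSupportAutoLogonBasedOnURL@Http@Mso@@YAXXZ()     RET  0x01589BB6 (anonymous; WWLIB.DLL)
0x5C01A75C MSO.DLL

0x5CAB2238 MSO.DLL                 ~ RET* 0x5D1F5C70 MSO.DLL
            c20400                   RET          0x4

_MsoRegOpenKeyExW@16 +0x13a          RET  0x0158627B (anonymous; WWLIB.DLL)
0x5C012BA3 MSO.DLL

0x5C0128EC MSO.DLL                   RET  _MsoFreePv@4 +0xb8
                                          0x5C0183FA MSO.DLL

Process Trace
1  C:\Program Files\Microsoft Office 15\root\office15\winword.exe [5664]
"C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE" /n "C:\Users\Acer\Desktop\Huskeliste.docx" /o ""
2  C:\Windows\explorer.exe [15520]
3  C:\Windows\System32\userinit.exe [16036]
4  C:\Windows\System32\winlogon.exe [10832]
5  C:\Windows\System32\smss.exe [16028]
"""

KNOWN_OFFICE = {"MSO.DLL", "WWLIB.DLL"}   # assumption: modules expected in a Word trace
MODULE_RE = re.compile(r"\b([A-Za-z0-9_]+\.(?:DLL|EXE))\b")
HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description)\s+(.+?)\s*$")
ENTRY_RE = re.compile(r"^(?P<src>\S.*?)\s+(?P<flag>~\s+)?(?P<op>RET\*?|CALL|JMP)\s+(?P<dst>\S.*?)\s*$")
PROC_RE = re.compile(r"^\d+\s+(?P<path>.+?)\s+\[(?P<pid>\d+)\]\s*$")


def _module(s):
    m = MODULE_RE.search(s)
    return m.group(1).upper() if m else None


def parse_alert(text):
    """Return (header fields, branch-trace entries, process chain)."""
    header, entries, procs, section = {}, [], [], "header"
    for line in text.splitlines():
        if line.startswith(("Branch Trace", "Stack Trace", "Process Trace")):
            section = line.split()[0]            # "Branch", "Stack" or "Process"
            continue
        if section == "header":
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1).lower()] = m.group(2)
        elif section == "Branch":
            m = ENTRY_RE.match(line)             # indented disassembly never matches
            if m:
                entries.append({"src": m["src"], "op": m["op"], "dst": m["dst"],
                                "src_mod": _module(m["src"]), "dst_mod": _module(m["dst"])})
            elif entries and MODULE_RE.search(line):
                # Wrapped entry (assumption): column 0 completes the source, indented the target.
                side = "dst_mod" if line[0].isspace() else "src_mod"
                entries[-1][side] = entries[-1][side] or _module(line)
        elif section == "Process":
            m = PROC_RE.match(line)
            if m:
                procs.append({"path": m["path"], "pid": int(m["pid"]), "cmdline": None})
            elif procs and procs[-1]["cmdline"] is None and line.strip():
                procs[-1]["cmdline"] = line.strip()   # a command line follows its process
    return header, entries, procs


def triage(text):
    header, entries, procs = parse_alert(text)
    unattributed = [e for e in entries if not (e["src_mod"] and e["dst_mod"])]
    outside = sorted({m for e in entries for m in (e["src_mod"], e["dst_mod"])
                      if m and m not in KNOWN_OFFICE})
    parent = procs[1]["path"].rsplit("\\", 1)[-1].lower() if len(procs) > 1 else None
    args = re.findall(r'"([^"]*)"', procs[0]["cmdline"] or "") if procs else []
    docs = [a for a in args if a and not a.lower().endswith(".exe")]
    return {
        "mitigation": header.get("mitigation"),
        "pid": int(header["pid"]) if header.get("pid", "").isdigit() else None,
        "entries": len(entries),
        "unattributed_edges": len(unattributed),
        "modules_outside_office": outside,
        "parent": parent,
        "opened_document": docs[0] if docs else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For this excerpt every return edge is attributed to MSO.DLL or WWLIB.DLL on both sides, no other module appears, the parent is explorer.exe and the opened file is a .docx on the user's Desktop, which is consistent with an ordinary double-click launch and with the thread's conclusion. An edge with no module attribution, or a module outside the expected set, is what you would want to look at first; their absence is a reason to suspect a false positive, not proof of one.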


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Watching (over?) you
    • Malware removal, Biljart and other things.
The first thing to do is decide which AV he wants to use.
Completely remove all others.
Links to removal instructions/tools > http://www.ache.nl

After having done the above follow these instructions > https://forum.avast.com/index.php?topic=53253.0

REDACTED

  • Guest
Malwarebytes has been the best tool I've ever used, so I'm keeping that one. I didn't want to delete Hitman Pro if it's the only thing preventing the virus from spreading, though - if it IS a virus.

The MB scan is clean. Do you still want me to add the log here?

I'll do the other two scans in a few. :)

Thanks so far.

Offline Pondus

  • Probably Bot
  • Not a avast user
Malwarebytes is not an antivirus, so you can keep that.
HitmanPro is known to remove stuff it should not.


The important logs are the two diagnostic logs from Farbar Recovery Scan Tool ... attach them

REDACTED

  • Guest
*Sigh*

Windows Defender pops up each time I try to download Farbar Recovery Scan Tool. Says it's a virus. I assume it's a false-positive?

This is what it found:

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fVarpes.N!cl&threatid=2147708973&enterprise=0

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
Yes, it is a false positive.
Disable Windows Defender so you can download it.

REDACTED

  • Guest
Here are the logs.

Thanks for the quick response so far. :)

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
Ok, have some patience now.
One of the malware removers will soon have a look at the logs.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Dragons by Sasha
    • Malware fixes
Nothing untoward; I would go for a false positive.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
2016-01-17 19:21 - 2016-01-17 19:21 - 0000000 _____ () C:\Users\Acer\AppData\Local\{8427586B-21CA-4D82-B314-BCE941C0EB8A}
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that


REDACTED

  • Guest
Thanks a lot for your help! :)

The log is attached.