Hi,
My father’s computer recently installed the Hitman Pro trial version to do a quick check, after several emails with viruses he’d gotten in his inbox. The computer was cleared and had no viruses, but now, a couple of days later, Hitman Pro won’t allow Office apps like Word and Excel to run, claiming that “‘Microsoft Word 15’ has been terminated to prevent execution of malicious code.”
The computer has had Malwarebytes installed for over a year, and it has not found anything (the Hitman Pro was just an additional security check), and a full scan (rootkits included) comes up clear, as does every other free antivirus app like Avast, F-Secure, etc. As both his webserver and his email have been hacked and included viruses the last few months, and he’s been in contact with it, I think it’s worth asking for help just in case. I’ve included the error message/log below, and if it’s benign, I’ll be grateful for the confirmation. If not, I’d still be grateful for the help!
Sincerely,
Tommy L.
Error:
‘Microsoft Word 15’ has been terminated to prevent execution of malicious code. Please check your computer for malware and software updates.
Mitigation ROP
Platform 10.0.10586/x64 06_3c
PID 5664
Application C:\Program Files\Microsoft Office 15\root\office15\winword.exe
Description Microsoft Word 15
Branch Trace Opcode To
0x5C020B58 MSO.DLL RET 0x5C020A69 MSO.DLL
0x5D6BDCE5 MSO.DLL ~ RET 0x0158910F (anonymous; WWLIB.DLL)
0x5D646A9D MSO.DLL RET 0x5D6BDCCF MSO.DLL
0x5C0128EC MSO.DLL RET 0x5D646A9C MSO.DLL
0x5D6BDCE5 MSO.DLL ~ RET 0x01589E8D (anonymous; WWLIB.DLL)
0x5D6A092F MSO.DLL RET 0x5D6BDCCF MSO.DLL
0x5C0128EC MSO.DLL RET 0x5D6A092E MSO.DLL
?AuthHandlerSupportAutoLogonBasedOnURL@Http@Mso@@YAXXZ() RET 0x01589BB6 (anonymous; WWLIB.DLL)
0x5C01A75C MSO.DLL
0x5D615955 MSO.DLL ~ RET 0x01589BA6 (anonymous; WWLIB.DLL)
0x5D1F5C70 MSO.DLL ~ RET* 0x5C070CA2 MSO.DLL
837d0800 CMP DWORD [EBP+0x8], 0x0
8907 MOV [EDI], EAX
7549 JNZ 0x5c070cf3
57 PUSH EDI
8bce MOV ECX, ESI
e83d435a01 CALL 0x5d614fef
5b POP EBX
b48d MOV AH, 0x8d
004800 ADD [EAX+0x0], CL
0010 ADD [EAX], DL
84c0 TEST AL, AL
7435 JZ 0x5c070cf3
8bce MOV ECX, ESI
e8a79ad400 CALL 0x5cdba76c
8bc8 MOV ECX, EAX
e8b41ad500 CALL 0x5cdc2780
(8A7CB2157EE5E207)
0x5CAB2238 MSO.DLL ~ RET* 0x5D1F5C70 MSO.DLL
c20400 RET 0x4
_MsoRegOpenKeyExW@16 +0x13a RET 0x0158627B (anonymous; WWLIB.DLL)
0x5C012BA3 MSO.DLL
0x5C0128EC MSO.DLL RET _MsoFreePv@4 +0xb8
0x5C0183FA MSO.DLL
Stack Trace
Address Module Location
1 5C020A74 MSO.DLL
8bce MOV ECX, ESI
8986ac000000 MOV [ESI+0xac], EAX
e81f010000 CALL 0x5c020ba0
8bc6 MOV EAX, ESI
5e POP ESI
c3 RET
2 01589114 (anonymous; WWLIB.DLL)
3 5C070CBA MSO.DLL
4 5C2416F5 MSO.DLL
5 015880D3 (anonymous; WWLIB.DLL)
6 5C26D8DC MSO.DLL
7 5C26B62B MSO.DLL
8 5C03D94A MSO.DLL
9 5C02D28D MSO.DLL
10 5C02D05A MSO.DLL
Process Trace
1 C:\Program Files\Microsoft Office 15\root\office15\winword.exe [5664]
“C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE” /n “C:\Users\Acer\Desktop\Huskeliste.docx” /o “”
2 C:\Windows\explorer.exe [15520]
3 C:\Windows\System32\userinit.exe [16036]
4 C:\Windows\System32\winlogon.exe [10832]
C:\WINDOWS\System32\WinLogon.exe -SpecialSession
5 C:\Windows\System32\smss.exe [16028]
\SystemRoot\System32\smss.exe 00000124 00000074 C:\WINDOWS\System32\WinLogon.exe -SpecialSession