'Microsoft Word 15' has been terminated to prevent execution of malicious code

Hi,

My father recently installed the Hitman Pro trial version on his computer to do a quick check, after several emails with viruses he’d gotten in his inbox. The computer was cleared and had no viruses, but now, a couple of days later, Hitman Pro won’t allow Office apps like Word and Excel to run, claiming that “‘Microsoft Word 15’ has been terminated to prevent execution of malicious code.”

The computer has had Malwarebytes installed for over a year, and it has not found anything (Hitman Pro was just an additional security check), and a full scan (rootkits included) comes up clear, as does every other free antivirus app like Avast, F-Secure, etc. As both his webserver and his email have been hacked and included viruses in the last few months, and he’s been in contact with it, I think it’s worth asking for help just in case. I’ve included the error message/log below, and if it’s benign, I’ll be grateful for the confirmation. If not, I’d still be grateful for the help!

Sincerely,

Tommy L.

Error:

‘Microsoft Word 15’ has been terminated to prevent execution of malicious code. Please check your computer for malware and software updates.

Mitigation ROP

Platform 10.0.10586/x64 06_3c
PID 5664
Application C:\Program Files\Microsoft Office 15\root\office15\winword.exe
Description Microsoft Word 15

Branch Trace Opcode To


0x5C020B58 MSO.DLL RET 0x5C020A69 MSO.DLL

0x5D6BDCE5 MSO.DLL ~ RET 0x0158910F (anonymous; WWLIB.DLL)

0x5D646A9D MSO.DLL RET 0x5D6BDCCF MSO.DLL

0x5C0128EC MSO.DLL RET 0x5D646A9C MSO.DLL

0x5D6BDCE5 MSO.DLL ~ RET 0x01589E8D (anonymous; WWLIB.DLL)

0x5D6A092F MSO.DLL RET 0x5D6BDCCF MSO.DLL

0x5C0128EC MSO.DLL RET 0x5D6A092E MSO.DLL

?AuthHandlerSupportAutoLogonBasedOnURL@Http@Mso@@YAXXZ() RET 0x01589BB6 (anonymous; WWLIB.DLL)
0x5C01A75C MSO.DLL

0x5D615955 MSO.DLL ~ RET 0x01589BA6 (anonymous; WWLIB.DLL)

0x5D1F5C70 MSO.DLL ~ RET* 0x5C070CA2 MSO.DLL
837d0800 CMP DWORD [EBP+0x8], 0x0
8907 MOV [EDI], EAX
7549 JNZ 0x5c070cf3
57 PUSH EDI
8bce MOV ECX, ESI
e83d435a01 CALL 0x5d614fef
5b POP EBX
b48d MOV AH, 0x8d
004800 ADD [EAX+0x0], CL
0010 ADD [EAX], DL
84c0 TEST AL, AL
7435 JZ 0x5c070cf3
8bce MOV ECX, ESI
e8a79ad400 CALL 0x5cdba76c
8bc8 MOV ECX, EAX
e8b41ad500 CALL 0x5cdc2780
(8A7CB2157EE5E207)

0x5CAB2238 MSO.DLL ~ RET* 0x5D1F5C70 MSO.DLL
c20400 RET 0x4

_MsoRegOpenKeyExW@16 +0x13a RET 0x0158627B (anonymous; WWLIB.DLL)
0x5C012BA3 MSO.DLL

0x5C0128EC MSO.DLL RET _MsoFreePv@4 +0xb8
0x5C0183FA MSO.DLL

Stack Trace

Address Module Location


1 5C020A74 MSO.DLL
8bce MOV ECX, ESI
8986ac000000 MOV [ESI+0xac], EAX
e81f010000 CALL 0x5c020ba0
8bc6 MOV EAX, ESI
5e POP ESI
c3 RET

2 01589114 (anonymous; WWLIB.DLL)
3 5C070CBA MSO.DLL
4 5C2416F5 MSO.DLL
5 015880D3 (anonymous; WWLIB.DLL)
6 5C26D8DC MSO.DLL
7 5C26B62B MSO.DLL
8 5C03D94A MSO.DLL
9 5C02D28D MSO.DLL
10 5C02D05A MSO.DLL

Process Trace
1 C:\Program Files\Microsoft Office 15\root\office15\winword.exe [5664]
“C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE” /n “C:\Users\Acer\Desktop\Huskeliste.docx” /o “”
2 C:\Windows\explorer.exe [15520]
3 C:\Windows\System32\userinit.exe [16036]
4 C:\Windows\System32\winlogon.exe [10832]
C:\WINDOWS\System32\WinLogon.exe -SpecialSession
5 C:\Windows\System32\smss.exe [16028]
\SystemRoot\System32\smss.exe 00000124 00000074 C:\WINDOWS\System32\WinLogon.exe -SpecialSession
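When triaging a HitmanPro.Alert ROP report like the one above, the first thing a practitioner wants is the branch trace in structured form: which return went where, which entries HitmanPro annotated, and whether every endpoint resolves to a loaded module. The parser below is an added example, not HitmanPro's or the forum's own code. It reads the branch-trace lines copied from the report above (the interleaved disassembly and hash lines are skipped), reattaches the addresses that the report prints on the following line for symbolised endpoints, and summarises the chain. The `~` and `*` annotations are recorded exactly as the report prints them; the page does not document what HitmanPro means by them, so the code does not interpret them.

```python
"""Parse the branch-trace section of a HitmanPro.Alert ROP mitigation report.

Added example, not HitmanPro's or the forum's own code. The field layout
(from-endpoint, opcode, to-endpoint, with a symbolised endpoint's address
on the next line) is inferred from the report in the post above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Branch-trace lines copied from the report in the post above (branch records
# plus a few of the interleaved disassembly lines, which must be ignored).
SAMPLE_TRACE = """\
Branch Trace Opcode To

0x5C020B58 MSO.DLL RET 0x5C020A69 MSO.DLL
0x5D6BDCE5 MSO.DLL ~ RET 0x0158910F (anonymous; WWLIB.DLL)
0x5D646A9D MSO.DLL RET 0x5D6BDCCF MSO.DLL
0x5C0128EC MSO.DLL RET 0x5D646A9C MSO.DLL
0x5D6BDCE5 MSO.DLL ~ RET 0x01589E8D (anonymous; WWLIB.DLL)
0x5D6A092F MSO.DLL RET 0x5D6BDCCF MSO.DLL
0x5C0128EC MSO.DLL RET 0x5D6A092E MSO.DLL
?AuthHandlerSupportAutoLogonBasedOnURL@Http@Mso@@YAXXZ() RET 0x01589BB6 (anonymous; WWLIB.DLL)
0x5C01A75C MSO.DLL
0x5D615955 MSO.DLL ~ RET 0x01589BA6 (anonymous; WWLIB.DLL)
0x5D1F5C70 MSO.DLL ~ RET* 0x5C070CA2 MSO.DLL
837d0800 CMP DWORD [EBP+0x8], 0x0
8907 MOV [EDI], EAX
e83d435a01 CALL 0x5d614fef
(8A7CB2157EE5E207)
0x5CAB2238 MSO.DLL ~ RET* 0x5D1F5C70 MSO.DLL
c20400 RET 0x4
_MsoRegOpenKeyExW@16 +0x13a RET 0x0158627B (anonymous; WWLIB.DLL)
0x5C012BA3 MSO.DLL
0x5C0128EC MSO.DLL RET _MsoFreePv@4 +0xb8
0x5C0183FA MSO.DLL
"""

# <from> [~] RET[*] <to>; the from part is non-greedy so "~" is not swallowed.
BRANCH_RE = re.compile(r'^(?P<frm>.+?)\s+(?P<approx>~\s+)?(?P<op>RET\*?)\s+(?P<to>.+)$')
# A bare "0xADDR MODULE" line carries the address of the previous record's symbolised endpoint.
CONT_RE = re.compile(r'^0x[0-9A-Fa-f]+\s+\S+$')
# Disassembly lines start with raw opcode bytes ("c20400 RET 0x4"), not with "0x".
RAW_BYTES_RE = re.compile(r'^[0-9a-f]+$')


@dataclass
class Endpoint:
    address: Optional[int] = None
    module: Optional[str] = None
    symbol: Optional[str] = None
    anonymous: bool = False  # report printed "(anonymous; MODULE)": no symbol for the address


@dataclass
class Branch:
    source: Endpoint
    opcode: str
    target: Endpoint
    approximate: bool  # "~" annotation in the report, recorded as-is
    flagged: bool      # "RET*" in the report, recorded as-is


def parse_endpoint(text: str) -> Endpoint:
    """'0x5C020A69 MSO.DLL', '0x0158910F (anonymous; WWLIB.DLL)' or a bare symbol."""
    m = re.match(r'^(0x[0-9A-Fa-f]+)\s+(.+)$', text)
    if not m:
        return Endpoint(symbol=text)  # address arrives on the continuation line
    address, rest = int(m.group(1), 16), m.group(2)
    anon = re.match(r'^\(anonymous; (.+)\)$', rest)
    if anon:
        return Endpoint(address=address, module=anon.group(1), anonymous=True)
    return Endpoint(address=address, module=rest)


def parse_branch_trace(text: str) -> list:
    branches = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BRANCH_RE.match(line)
        if m and not RAW_BYTES_RE.match(m.group('frm')):
            branches.append(Branch(
                source=parse_endpoint(m.group('frm')),
                opcode=m.group('op').rstrip('*'),
                target=parse_endpoint(m.group('to')),
                approximate=m.group('approx') is not None,
                flagged=m.group('op').endswith('*'),
            ))
        elif CONT_RE.match(line) and branches:
            addr_text, module = line.split(None, 1)
            for ep in (branches[-1].source, branches[-1].target):
                if ep.address is None:  # first endpoint still lacking an address
                    ep.address, ep.module = int(addr_text, 16), module
                    break
    return branches


def summarize(branches: list) -> dict:
    """Counts and the set of modules the chain touches; unresolved endpoints have no module."""
    modules, unresolved = set(), 0
    for b in branches:
        for ep in (b.source, b.target):
            if ep.module:
                modules.add(ep.module)
            else:
                unresolved += 1
    return {
        'branches': len(branches),
        'flagged': sum(b.flagged for b in branches),
        'approximate': sum(b.approximate for b in branches),
        'anonymous_targets': sum(b.target.anonymous for b in branches),
        'modules': sorted(modules),
        'unresolved_endpoints': unresolved,
    }


if __name__ == '__main__':
    for key, value in summarize(parse_branch_trace(SAMPLE_TRACE)).items():
        print(f'{key}: {value}')
```

For this report the chain resolves entirely to MSO.DLL and WWLIB.DLL, with no endpoint left unresolved; that is the kind of fact worth stating when asking a forum for a second opinion, but on its own it neither proves nor rules out a false positive, and the conclusion on this page rests on the FRST logs, not on the trace.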

The first thing to do is decide which AV he wants to use.
Completely remove all others.
Links to removal instructions/tools > http://www.ache.nl

After having done the above follow these instructions > https://forum.avast.com/index.php?topic=53253.0

Malwarebytes has been the best tool I’ve ever used, so I’m keeping that one. I didn’t want to delete Hitman Pro if it’s the only thing preventing the virus from spreading, though - if it IS a virus.

The MB scan is clean. Do you still want me to add the log here?

I’ll do the other two scans in a few.

Thanks so far.

Malwarebytes is not an antivirus, so you can keep that.
HitmanPro is known to remove stuff it should not.

The important logs are the two diagnostic logs from Farbar Recovery Scan Tool … attach them.

Sigh

Windows Defender pops up each time I try to download Farbar Recovery Scan Tool. Says it’s a virus. I assume it’s a false-positive?

This is what it found:

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3AWin32%2FVarpes.N!cl&threatid=2147708973&enterprise=0

Yes, it is a false positive.
Disable Windows Defender so you can download it.

Here are the logs.

Thanks for the quick response so far.

Ok, have some patience now.
One of the malware removers will soon have a look at the logs.

Nothing untoward; I would go for a false positive.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2016-01-17 19:21 - 2016-01-17 19:21 - 0000000 _____ () C:\Users\Acer\AppData\Local\{8427586B-21CA-4D82-B314-BCE941C0EB8A}
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Thanks a lot for your help!

The log is attached.