This forum thread needs a solution.
Kudos 0

How to fix Office executable files getting infected after each installation

I was initially getting an intrusion message that some executable files (Windows, Office and Adobe exe files inclusive) were trying to send traffic to malicious websites. After clearing browser cache, history, etc. and updating the Norton antivirus, the exe files that were trying to send traffic were removed with their accomplices. Each time I try to install Microsoft Office again, the same files keep getting infected and removed. I thought Norton should be able to detect the file infector and remove it rather than removing a whole application, or are they false positives?


Kudos 0

Re: How to fix Office executable files getting infected after each installation

Hello. Please give us a bit more information to help:

- What is the OS you are running and its version?

- What Norton product do you have and its version?

- What Office / Adobe products are being detected and are you downloading them or doing a local install from media?

- What web browser are you using?

Please post screenshots of what detections are being seen. That will help us further understand what is taking place. Here is how to post screenshots directly into your posts: https://community.norton.com/en/forums/how-post-image-forums-0

SA

MS Certified Professional : Windows 11 Home/Pro 23H2 x 64 build 22631.3155 / Windows 10 Pro x 64 version 22H2 / build 19045.4046 / Norton Security Ultra / Norton 360 Deluxe ver. 22.24.1.6 / Opera GX LVL5 (core:106.0.4998.76) 64 bit-Early Access w/Norton Chrome Extensions / Android 14 One UI 6.1
Kudos 0

Re: How to fix Office executable files getting infected after each installation

Windows 7 SP1

Norton Security 22.15.0.88

Office 2013 and Adobe Acrobat Pro DC 2015. It's a local install from media

Google Chrome

Kudos 1 Stats

Re: How to fix Office executable files getting infected after each installation

Hi yinkajewole:

Just a few more questions while you're waiting for Norton Guru SoulAsylum to reply.

Go to Help | General Information | About and confirm that your Norton Security product is still on v22.15.0.88.  Norton Security v22.15.0.88 was released over 4 years ago on 11-Aug-2018, so if your Win 7 SP1 OS is patched to end of support (14-Jan-2022) and Windows Update installed the KB4474419 update released in September 2019 that adds SHA-2 code-signing support for Win 7 SP1 (see Norton employee Gayathri R's 16-Apr-2021 announcement SHA 2 Code Signing Support for Windows 7) then you should be able to run the latest Norton v22.22.11.12 products on your system.

If you aren't certain if KB4474419 is installed, search your installed updates at Control Panel | Programs and Features | View Installed Updates for KB4474419. When searching, enter the full KB number in the search box (e.g., "KB4474419" and not a partial string like "4474419").

Do you have a 32-bit or 64-bit Win 7 operating system, and could you also confirm that you have Service Pack 1 installed for your Win 7 OS (see the Lifewire article How to Find Which Windows Service Pack or Update You Have Installed)? Even if you only had Win 7 SP0 (i.e., Win 7 without any service packs) your Norton Security should still have automatically updated to v22.15.5.40, which is the legacy version for Win XP / Vista / Win 7 SP0 operating systems (see the 24-Apr-2020 release notes for v22.15.5.0 <here>).

Is your MS Office 2013 fully patched?  If you have the Click-to-Run / self-updating version of MS Office 2013 the release notes <here> show you should have v15.0.5501.1000 (rel. 08-Nov-2022).  If you have the perpetual version of MS Office 2013 that uses the Windows Installer (MSI) installation technology then you should have Service Pack 1 and Windows Update should have delivered the latest November 2022 updates described in the KB5002082 article <here>.

Is your Adobe Acrobat Pro DC 2015 fully patched?  If you want to know more about the acrotray.exe executable mentioned in your Norton intrusion alert see gkarasik's 29-Jun-2015 What's Starting acrotray.exe? in the Adobe forum.  One of the posters in that thread noted that the legitimate acrotray.exe executable is an Adobe Acrobat Distiller helper application that helps convert documents into PDF files.  There are also instructions in that thread on how to prevent acrotray.exe from starting at boot up.

Have you tried running a second-opinion scanner like Malwarebytes Free to see if it can detect any PUPs (potentially unwanted programs like adware, browser toolbars, etc.) or malware that might have been missed by your Norton antivirus?  If you aren't familiar with Malwarebytes see the hints I posted for first-time users on 10-Apr-2022 in the last paragraph of George Matsukis' Removing McAfee's Safe Connect App From My Computer.

What antivirus, if any, were you using on your system before installing Norton?  Also, do you use Piriform's CCleaner disk cleaner? If you ever used an Avira or BullGuard antivirus or currently use CCleaner see Peter N's 17-Nov-2022 CCleaner 6.06 Crashes MS Office & Acrobat Reader in the CCleaner Bug Reporting board.
-------------
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.2251 * Firefox v107.0.1 * Microsoft Defender v4.18.2210.6-1.1.19900.2 * Malwarebytes Premium v4.5.18.226-1.0.1838 * Macrium Reflect Free v8.0.7175

Kudos 0

Re: How to fix Office executable files getting infected after each installation

All: First thing is, Adobe Acrobat Pro DC 2015 has reached end of life and is no longer supported. Norton is more than likely not seeing a valid security signature since many Adobe products have been updated very frequently over the years due to certificate issues (see lmacri's post) and other security fixes. From your screenshot the attacking IP traces to the Netherlands. Based on the attacking IP address in your screenshot I have to question why an IP in the Netherlands is focused on this Acrobat installer. Where did you get this software from is the question I have at this point. Are you located in that geographic region? That would make sense if you were, otherwise I find it suspect.

https://www.ip-tracker.org/lookup.php?ip=167.99.35.88

Regarding your office installer. Office 2013 is also end of life for both the stand alone install and Office 365. Please read this article: 

https://support.microsoft.com/en-us/topic/description-of-the-security-up...

I would submit BOTH installer executables to VirusTotal and have them tell you if these are tampered with in any manner and / or being flagged. Please let us know what those results are so we may follow-up with you.

Edited: The attacking URL as shown here shows as malicious on VirusTotal

https://www.virustotal.com/gui/url/9df604081210b95e54f1331a011700f9c15bf...

SA

Kudos 0

Re: How to fix Office executable files getting infected after each installation

Though the products mentioned have reached end of life, I don't think that can be the cause of infection as I have been using the products alongside Norton for a number of years without any issue. To disprove your point, I downloaded the latest version of CCleaner, it installed successfully and I tried to clean the PC, hoping it would solve the issue; unfortunately, it didn't. The worst part is that after restarting the PC, the CCleaner executable file was infected and could not open again. This applies to all other new software I installed, including Notepad++. Also, my geographic location is not the Netherlands. I have submitted one of the Office executables to VirusTotal and this is the result: https://www.virustotal.com/gui/file/15e07a62d09370c74849a7b2aa004d14761c...

Kudos 0

Re: How to fix Office executable files getting infected after each installation

Hi yinkajewole:

If you check the Details tab of your VirusTotal report <here> for the VSTOInstaller.exe file you uploaded it says this is the Visual Studio Tools for Office Solution Installer for Microsoft Visual Studio 2010, and the Signature Verification section warns that "File is not signed", which points to a problem with the digital certificate of this old file.

Just to clarify, I wasn't suggesting that you install and run CCleaner. I only asked if you normally used CCleaner since some users in Peter N's 17-Nov-2022 CCleaner 6.06 Crashes MS Office & Acrobat Reader that I linked to in my previous post are reporting that MS Office and Adobe executables can be corrupted after CCleaner is run under certain circumstances (e.g., if an Avira antivirus is installed), which could in turn cause Norton to detect the modified executable as suspicious/malicious.  However, if you have a Win 7 SP1 OS that is fully patched to 14-Jan-2020 and you installed the latest CCleaner Free v6.06 that does not explain why CCleaner would not launch after you re-booted your computer.

Do you know why your Norton Security v22.15.0.88 (rel. 11-Aug-2018) hasn't installed a product update for over 4 years?  I used Norton Security Deluxe v22.15.x (the legacy version for Win XP and Vista) on my old Vista SP2 laptop and if I recall correctly you cannot prevent automatic updates to newer v22.x product versions that are compatible with your operating system unless you completely disable Automatic LiveUpdates as shown below (or never connect your computer to the internet), which would also prevent LiveUpdate from delivering regular updates to your SDS Virus definitions, Intrusion Prevention definitions, etc.

Did you try to install and run a Threat Scan with the latest Malwarebytes Free for Windows v4.5.18 to look for any threats that might have been missed by Norton as I suggested?  If you cannot run Malwarebytes Free (or if Malwarebytes finds and removes a threat but you suspect your system is still infected) you can post in Malwarebytes' Windows Malware Removal Help & Support board and ask one of their trained malware removal specialists to check your system for free.  The guidelines in the post I'm infected - What do I do now? that is pinned at the top of that malware removal board explain what information they would like you to provide in your first post.

Kudos 0
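
A local check for two points raised in the replies above (whether KB4474419 is installed, and whether a flagged executable carries a valid Authenticode signature), added here as an example and not part of any poster's message. The folder path is an assumption; `Get-HotFix` and `Get-AuthenticodeSignature` are built-in PowerShell cmdlets, and the SHA-256 is computed through .NET so the script also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the thread. $Folder is an assumed path: point it at
# the directory that holds the executables the antivirus flagged.
param(
    [string]$Folder = "$env:ProgramFiles\Microsoft Office"   # assumption
)

# 1. Is the SHA-2 code-signing update for Win 7 SP1 present?
$kb = Get-HotFix -Id 'KB4474419' -ErrorAction SilentlyContinue
if ($kb) { "KB4474419 installed on $($kb.InstalledOn)" }
else     { "KB4474419 not listed by Get-HotFix" }

# SHA-256 through .NET (Get-FileHash needs PowerShell 4.0 or later).
function Get-Sha256Hex([string]$Path) {
    $sha    = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# 2. Signature status and hash for every executable under $Folder.
#    Status 'NotSigned'    = the file never carried an embedded signature.
#    Status 'HashMismatch' = the file changed after it was signed, which is
#                            what a modified (tampered or corrupted) binary shows.
Get-ChildItem -Path $Folder -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        New-Object PSObject -Property @{
            File   = $_.FullName
            Status = $sig.Status
            Signer = $signer
            SHA256 = Get-Sha256Hex $_.FullName
        }
    } |
    Select-Object Status, Signer, SHA256, File |
    Format-List
```

The SHA-256 values can be searched on VirusTotal without uploading the file, and comparing the hash of a freshly installed executable with the same file after a reboot shows whether it was modified on disk.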

Re: How to fix Office executable files getting infected after each installation

Can Malwarebytes work side by side with Norton or I must first uninstall Norton?
Kudos 0

Re: How to fix Office executable files getting infected after each installation

yinkajewole:
Can Malwarebytes work side by side with Norton or I must first uninstall Norton?

Hi yinkajewole:

There is no problem running Malwarebytes Free on a computer with Norton installed, since Malwarebytes Free does not load at Windows startup and does not run in real-time protection mode.  Before you do that, however, I would suggest you investigate why your Norton Security v22.15.0.88 (rel. 11-Aug-2018) hasn't updated for over 4 years, since an outdated scan engine and/or outdated malware definitions might be causing some false positive detections on your system.

Many users in this forum run Malwarebytes Premium (which requires a paid subscription) and Norton together in real-time protection mode without a problem, but see my 18-Sep-2022 post in Compatibility Norton 360 with Malwarebytes for a few hints on how you can avoid possible conflicts between Malwarebytes Premium and your Norton antivirus (e.g., by turning OFF the Malwarebytes setting at Security | Windows Security Center | Always Register Malwarebytes in the Windows Security Center to ensure that Norton is registered with Windows as your main real-time antivirus).

If you download and run the Malwarebytes installer from https://www.malwarebytes.com/mwb-download it should ask you if you would like to try a 14-day trial of the Malwarebytes Premium (real-time protection) features, so you can decline that offer or deactivate the 14-day trial of the Premium features after installation at Settings (gear icon) | Account | Deactivate.  I suggested in my previous reply that you should read the last paragraph of my 10-Apr-2022 post in George Matsukis' Removing McAfee's Safe Connect App From My Computer if you aren't familiar with Malwarebytes, where I advised that George Matsukis should decline or disable the 14-day trial of Malwarebytes Premium and just use Malwarebytes Free as an on-demand manual scanner.

Kudos 0

Re: How to fix Office executable files getting infected after each installation

FWIW!! These files aren't "getting infected" after installation nor when they are running the installation. When you rule out things, what is left is in most cases the cause. The "invalid signatures" Norton is seeing when these files are being "installed" is the issue. Please look at the details tab of your VirusTotal submission. It also states "File not signed". Further, when you look at the fact it was compiled with Visual Studio 2010 it too has gone EOL. One thing is common with all this, ZERO security updates nor updates to the installer packages because they are all no longer supported by their respective creators.

Conversely you can submit the files to Norton at the below link and see what they respond with.

https://support.norton.com/sp/en/us/home/current/solutions/kb20090602171...

SA


This thread is closed from further comment. Please visit the forum to start a new thread.