Faulting application winword.exe, version 11.0.6568.0, stamp 42e178a5, faulting module mso.dll,

Thanks JOrzech.

I had a look but I couldn't find .xlb files on the PC(I have the full Office suite).

Do you know what the equivalent word files would be?

Hey Simon - is this PC on a network or stand alone?  If networked (or anyone else you know has same OS and Office Suite) and it works for them, you could always try copying their mso.dll and then re-register it with regserve32.exe.

I believe the xlb file is similar to normal.dot in Word.  
Try Dreamboat's suggestions found here:
http://www.theofficeexperts.com/word.htm#TroubleshootingWord

Hi JOrzech,

Thanks for coming back to me. This is a networked PC and I did have a bash at copying over the mso.dll without any luck. I also tried the renaming of normal.dot and renaming the registry too still with no joy.

What is strange is that it only crashes when trying to open a document in IE. That and the fact that it is still running as a process when it crashes or when I just close it down.

I'll try another uninstall and re-install, hopefully today.

And all of your windows and office patches are current - correct?  Try updating all drivers for graphics/video/printers.....

Hi JOrzech,

OK, the uninstall and re-install failed to resolve it so I'm figuring it's something in the registry.

I have to hold up my hand and say "no" to the patches and service packs. I'm a newbie to this environment and it's the first thing I noticed. There are bespoke packages here that take a dive on XP SP2 so it's still SP1 here otherwise I woul have gone for that. I have installed all the office patches though and other machines run OK too.

It may be environmental to anoother app, but I've taken off everything except for the base apps that we install.

Well flummoxed now.

Well - you could always delete the Word data key - might be worth a try.  Please read this article:
http://support.microsoft.com/kb/259413/en-us

Hi JOrzech,

I'm afraid that didn't work either.

I think the only way now is to re-image and go from there.

Thanks,

Simon

Hi JOrzech,

I found out what it was. A warning came up about a missing wintme.html. I looked on the web and found it was to do with a Trojan (See http://securityresponse.symantec.com/avcenter/venc/data/pf/pwsteal.tarno.q.html)

My spyware and AV had both failed to pick it up. I deleted the registry entries that it mentioned and hey presto it all worked. See below. Thanks for all your help!

When PWSteal.Tarno.Q arrives, it has the following characteristics:


Arrives in the following email with the downloader portion of the Trojan contained in the attachment:

Subject:
Payment Receipt
Message:
Dear customer.

Thank you for your subscription to [http://]www.viewpornstars.com.

You have been billed as Paycom LLC for the amount of: GBP 24.95 for 30 days then GBP 24.95 recurring every 30 days.

Time: 2005-12-16 10:54:56
Transaction ID: 965658
Amount: GBP 24.95
Applied to Account #: 10915104
Pay Method: VISA

Your new subscription identification number is: 10915104, please keep this number in a safe place, as it will be required
for reference in all future correspondence regarding your membership.

Your membership access information is:
Username for your subscription: 112002
Password for your subscription: regina
Membership website: [http://]www.viewpornstars.com

For further details regarding this transaction and direct access to our online billing support services, available
24-hours a day, 365-days a year, please check your transaction details in attachment.

Thank you for choosing Paycom as the eMerchant for your subscription!

Customer Support

****************************************
Billing services provided by Paycom, LLC

Attachment:
FILE.965658.exe


Downloads the main part of the Trojan from the following location, once the attachment executed:

[http://]dimmers.phpwebhosting.com/[REMOVED]/msupdate.exe?r=[UNIQUE_ID]


When PWSteal.Tarno.Q is executed, it performs the following actions:


Creates the following file in the %System% folder or in the %CurrentFolder% folder:

svchost.dll

Note:
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%CurrentFolder% is a variable that refers to the folder where the risk was originally executed.


Registers svchost.dll as a browser help object so that it runs every time Internet Explorer starts by creating and populating the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}


Registers itself by creating the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Classes\svchost.Update


Monitors windows and Web pages with the following strings:


gold
cash
bank
pas
log
user
usr
pwd
psw
parol
firma
pin
clave
trans
porcue
memorable
secret


Captures keystrokes typed into that window and logs HTML Web forms transferred from the compromised computer to the remote Web sites visited, once an active window exists:


Logs the information gathered into some of the following files:


%System%\wint.ini
%System%\ierror.rep
%System%\sui.dll
C:\update.sys


Creates the following file:

winte.html


Creates the following folders which may be used to store configuration files or extensions as it is extensible and can be configured remotely:


\svact
\svcontr
\svskn


Sends a unique numeric ID of the compromised computer to the remote attacker using an HTTP GET request:

[http://]neverdays.com/[REMOVED]/navigator.php?tid=ID[UNIQUE_ID]


Periodically sends gathered information using the following URL:

[http://]neverdays.com/[REMOVED]/reporter.php

JOrzech,

Thanks for all your help.

Simon

Welcome :)