Microsoft Word goes "NOT RESPONDING"



#1 Naziroh

Posted 16 June 2009 - 09:17 PM

Whenever I open Microsoft Word, it goes not responding. Is it because of any virus? A friend asked me to run ComboFix and I got the log, but I do not know how to proceed from there.

#2 Orange Blossom

Posted 16 June 2009 - 09:29 PM

I have serious doubts at this point that it is an issue with an infection.

From your other topic:

Whenever I want to change the font or open a pdf file in microsoft word, it goes not responding.



The problem is that the pdf is an attachment in microsoft word.
Now, whenever I start microsoft word, it immediately goes "NOT RESPONDING"
How do I make microsoft word responding again?


A few questions:

1) Have you tried rebooting the system?

2) Have you tried clearing cache and temp. folders?

3) How much RAM do you have?

4) What do you mean by this?

the pdf is an attachment in microsoft word.


I have not heard of Word documents having attachments. E-mails, yes, word documents, no.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Naziroh

Posted 16 June 2009 - 09:41 PM

No. I have not tried rebooting the system and clearing cache and temp. folders. I do not know how to do so.

#4 Orange Blossom

Posted 16 June 2009 - 09:48 PM

Hello Naziroh,

I see that you have now posted here: http://www.bleepingcomputer.com/forums/topic234459.html as well. You cannot have more than one topic on the same issue open at the same time as this creates a great deal of confusion for all concerned.

Please tell me if you wish to receive assistance here or wait to receive assistance in the HiJack This forum. Please note that it may be a couple weeks before you get a response there because they are VERY busy.

Rebooting the system means turning the computer off and restarting.

You can do it like this:

Click on the Start button ==> then Turn off computer ==> then Restart on the small window that pops up.

Try that first, and please answer my other question. For the time being, I shall close your topic in the Hijack This forum.

Orange Blossom :thumbsup:

#5 Naziroh

Posted 16 June 2009 - 09:55 PM

How do I check how much RAM I have?
Yes, I've tried rebooting, but it doesn't help.

#6 Orange Blossom

Posted 17 June 2009 - 09:40 AM

Hello Naziroh,

Since you didn't answer this question:

Please tell me if you wish to receive assistance here or wait to receive assistance in the HiJack This forum.


I've deleted your Combofix log in the HiJack This forum.

Okay, to see how much RAM you have:

Right-click on My Computer, then click on Properties on the menu that pops up. Click on the General tab. You will see some general information about your computer. If it is arranged the way mine is, you will see the RAM information near the bottom right, a little above a button that says "Support Information". Mine says 256 MB of RAM. Yours will likely have some other figure.

Also, please tell me what you mean by this:

the pdf is an attachment in microsoft word.


Orange Blossom :thumbsup:

#7 boopme

Posted 17 June 2009 - 11:17 AM

Hello. Do you have an XP CD?
It doesn't look like malware from your log. Other than SpyBot, what antivirus is installed?
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 Naziroh

Posted 17 June 2009 - 07:52 PM

My RAM is 0.99GB. What I mean is that there is an icon in the Microsoft Word and when I click on it, I can open the file with Adobe Acrobat.
I have the Symantec antivirus.

#9 Naziroh

Posted 17 June 2009 - 08:15 PM

I tried emptying the files, but nothing happened. It doesn't help.

#10 boopme

Posted 17 June 2009 - 08:43 PM

Hello. I feel that this is not malware and you would be better to ask this again in All Other Applications.

Or do a Repair install, not a Full install.

Or you need to run HJT/DDS.
Please follow this guide. Go and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.

#11 Naziroh

Posted 18 June 2009 - 07:39 PM

Every time I want to repair the install, halfway, it lags and stops responding.

#12 boopme

Posted 18 June 2009 - 08:42 PM

OK, we'll try one more thing as perhaps a rootkit is at fault here.

Next, please install RootRepeal.

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed), and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

#13 Naziroh

Posted 19 June 2009 - 11:03 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/19 23:49
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9D74000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B6C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7CED000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\93552\local settings\temporary internet files\content.ie5\tqd5a4i9\editmessagelight[1].htm
Status: Allocation size mismatch (API: 118784, Raw: 262144)

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\qnn[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\qnn_full[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\qnn_preset[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\qnn_preset[2].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\qnn_save_responses[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\qnn_take[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\questionnaire[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\quiz_preset[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\index[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\viz[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\FeatureLoader.js[1].php
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\forums[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\f_hot_no[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\ContactList[1].aspx
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\css_rte[1].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\cs_page[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\pp-blank-thumb[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=0[2].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=0[3].txt
Status: Invisible to the Windows API!

Path: c:\documents and settings\93552\local settings\temporary internet files\content.ie5\v7ivafon\sendmessagelight[1].htm
Status: Size mismatch (API: 101997, Raw: 22054)

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\icon12[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\html_server[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=0[5].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=0[6].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=0[7].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=0[8].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=0[9].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=2[1].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=2[2].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=2[3].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=5[1].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=8[1].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\p_1035788398=8[2].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\93552\Local Settings\Temporary Internet Files\Content.IE5\V7IVAFON\ADSAdClient31[1].htm
Status: Invisible to the Windows API!

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_policyevaluator\0000001p.msg
Status: Allocation size mismatch (API: 65536, Raw: 36864)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\ls_replylocations\00000008.msg
Status: Allocation size mismatch (API: 57344, Raw: 45056)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\ls_scheduledcleanup\0000000g.msg
Status: Allocation size mismatch (API: 45056, Raw: 40960)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_cleanup\00000007.msg
Status: Allocation size mismatch (API: 32768, Raw: 28672)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_replyassignments\00000006.msg
Status: Allocation size mismatch (API: 40960, Raw: 24576)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_requestassignments\0000001v.msg
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\amp_[http]mp_locationmanager\00000009.msg
Status: Allocation size mismatch (API: 65536, Raw: 61440)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_policymanager\0000001o.msg
Status: Allocation size mismatch (API: 65536, Raw: 24576)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86272b00

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8627b0e8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8646be18

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x864adab8

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86272788

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x863c14c8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa19d350

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x862a10e8

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x862728d8

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86272a28

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x86283cb8

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x862724f8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x862a6258

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x862830c8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x86292128

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x862d0100

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86283090

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x862890b0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x862825e8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa19d580

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x862780a8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8627e078

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x862ad340

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x862760c8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x862a10b0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x864ae828

==EOF==
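
Added example, not part of the original thread and not RootRepeal's own code: a small Python parser for the SSDT section of a report in the layout posted above. It groups hooked functions by the driver named in each `Status:` line, so entries attributed to `<unknown>`, where the report names no owning driver, are separated from hooks owned by an identifiable driver such as SYMEVENT.SYS. The function names `parse_ssdt_hooks` and `group_by_owner` are hypothetical, and the sample is an abridged excerpt built from entries in the log.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in RootRepeal's report layout; the SSDT entries are
# abridged from the log posted above.
SAMPLE_REPORT = r'''
Drivers
-------------------
Name: rootrepeal.sys
Status: -

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8646be18

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa19d350

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x864ae828

==EOF==
'''

SECTION_RULE = re.compile(r"^-{5,}$")
ENTRY = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)$")
HOOK = re.compile(r'^Status:\s*Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)$')


def parse_ssdt_hooks(report):
    """Return one dict per hooked SSDT entry, ignoring every other section."""
    hooks, section, prev, pending = [], None, "", None
    for raw in report.splitlines():
        line = raw.strip()
        if SECTION_RULE.match(line):
            section, pending = prev, None  # the line above a rule names the section
        elif section == "SSDT":
            entry, hook = ENTRY.match(line), HOOK.match(line)
            if entry:
                pending = (int(entry.group(1)), entry.group(2))
            elif hook and pending:
                hooks.append({"index": pending[0], "function": pending[1],
                              "owner": hook.group(1),
                              "address": int(hook.group(2), 16)})
                pending = None
        if line:
            prev = line
    return hooks


def group_by_owner(hooks):
    """Map each hooking module (lower-cased file name) to the functions it hooks."""
    owners = defaultdict(list)
    for h in hooks:
        owners[ntpath.basename(h["owner"]).lower()].append(h["function"])
    return dict(owners)


if __name__ == "__main__":
    grouped = group_by_owner(parse_ssdt_hooks(SAMPLE_REPORT))
    for owner, funcs in sorted(grouped.items()):
        label = "no owning driver named" if owner == "<unknown>" else "named driver"
        print(f"{owner} ({label}): {', '.join(funcs)}")
```
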

#14 boopme

Posted 19 June 2009 - 01:30 PM

Hello, I cannot find it here.
You need to run HJT/DDS.
Please follow this guide: Preparation Guide For Use Before Using Hijackthis.

Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.