
Exploit.OfficeScriptingAbuse - OneNote won't even start now


bghospe


I finally upgraded my laptop to Windows 10 and reinstalled Office and all that. Most of the Office applications seem to work fine, but OneNote refuses to even start. It gives me some nonsense about lacking write permission or being out of disk space (unlikely since it's a fresh install on a 2TB drive).

Basically -- the first time I try to run OneNote on an admin account *ever* (it will not do it again for that account even if I completely uninstall and reinstall Office), OneNote will give me some weird warning about not being able to find my Documents folder (how???) and if I continue anyway, Malwarebytes will pop up saying it blocked this exploit (Exploit.OfficeScriptingAbuse). OneNote will open just fine then the first time. But once I exit out of OneNote and try to open it again, it will eternally be stuck on the "OneNote cannot open, something something write permissions" message that pops up over the splash.

 


 

I am wondering if Malwarebytes did something to completely kneecap the program, even after reinstall? Never, ever had this problem on any other Windows 10 computer before (or even any Windows 10 running MBAM). I tried going into Malwarebytes options -> Security -> Advanced Settings -> Application Behavior Protection and unchecking "Office scripting abuse protection" for MSOffice. Didn't seem to work.

Here's the dump from MBAM:
 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/11/24
Protection Event Time: 5:44 PM
Log File: 74bcbea6-c937-11ee-bc2a-240a64de5e2b.json

-Software Information-
Version: 4.6.8.311
Components Version: 1.0.2259
Update Package Version: 1.0.80825
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3930)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.OfficeScriptingAbuse, C:\Users\Blythe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk, Blocked, 721, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: Microsoft OneNote
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office scripting abuse blocked
File Name: C:\Users\Blythe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
URL:


(end)

 

Any insight? I don't want to have to completely nuke my OS and install EVERYTHING all over again...

Thanks!
Blythe

 


Thanks!

I disabled both to see what would happen.

So at least, when I tried opening ON for the first time on a new dummy admin account, I did not get a notification from MBAM. So that issue is solved. However, the initial "cannot find documents/documents folder is read-only" and the subsequent write permissions messages are still there.

I've also been looking through Microsoft related solutions as well, but most things come down to suggesting permissions issues as the cause and disabling antivirus as something to try.

I'm wondering if maybe MBAM really messed up my permissions somehow when it flagged the exploit the first time? I have no idea. I can write to my documents folder just fine the usual way, but various things I should have access to as an admin don't seem to be available? Maybe a conflict with Defender? I don't know, this isn't happening on my other computers...

I guess I'll just have to try uninstalling Malwarebytes and reinstalling it again after I get Office working...


3 minutes ago, bghospe said:

I'm wondering if maybe MBAM really messed up my permissions somehow when it flagged the exploit the first time?

It did not.

1 hour ago, bghospe said:

I finally upgraded my laptop to Windows 10

How did you do/install 10? Was it a clean install or an upgrade from a previous OS? If an upgrade, from what OS?


1 minute ago, Porthos said:

How did you do/install 10? Was it a clean install or an upgrade from a previous OS? If an upgrade, from what OS?

Clean install from Win 10 image on USB drive. Have tried upgrading the MS suggested way in the past, but it always gunked up the computer. Computer was previously running Windows 8.1. Didn't do a full wipe of the drive when I installed 10, just installed it on top of the partition 8.1 had been on.

I have a Windows.old folder on C: which I don't like, but it's barebones and doesn't seem to be interfering with anything. Maybe.

------

I did uninstall Malwarebytes and rebooted and magically OneNote started working fine. So MBAM is the culprit then I assume, but I have no idea how. I'll see if reinstalling it again after Office will keep it from interfering.


1 minute ago, bghospe said:

just installed it on top of the partition 8.1 had been on.

 

1 minute ago, bghospe said:

Clean install from Win 10 image on USB drive.

Did you boot from the USB to install or run setup from the USB?


2 minutes ago, bghospe said:

Shoot, I don't remember. I think I booted from the USB.

Was your previous data still where it was, like documents, pictures and such?

What year version is your Office and OneNote?

Edited by Porthos

Thanks!

I did wipe all my personal files (pretty much just asked it to write over the existing C partition) when installing Windows 10. The version of Office I use is Office Ultimate 2007 (which includes Word, Excel, OneNote etc). They went and changed OneNote ages ago and I just prefer the 2007 look better.

I do believe I had "Block penetration testing attacks" off already, unfortunately. Maybe whatever it's doing to trigger MBAM hasn't really been looked into because people don't use 2007 much anymore? idk I guess that's what I get for being a stubborn old fart. It's just odd because I have not had this issue on either of my other Windows 10 devices that run both MBAM and OneNote 2007.

Anyway, I might wait for an update or something and try to reinstall MBAM on the laptop again and see what happens.

