Windows 7 Forums
Windows 7: Google hijacked

27 Aug 2012   #1

windows 7 pro 64bit sp1
Google hijacked

So I recently got the Google hijack malware. Basically, any time I went to Google or most common sites I got a message saying the site may contain malware and is dangerous, blah blah blah.

But then I realized another problem: some of my Windows services won't start, like the BITS service. Basically Microsoft Security Essentials, Microsoft Firewall, and Microsoft Updater all give me errors and won't run.

Now I reinstalled Security Essentials and it works now as far as I can tell, and I ran Malwarebytes and removed the Google hijack as far as I know. But the services are still missing, and things like desktop icons keep rearranging and won't stay in place, and folders won't stay in the preferred view, i.e. group by type and sort by date modified (resets to sort by name and detail view).

I've also run a repair and a restore point from a Windows ISO on a USB from boot, to no avail.

I'm running Windows 7 64-bit Pro SP1.

I would format, but I've lost my key and can't recover it.

Thanks for any help.

Edit: I also get an error code 0x80070424 when trying to start up Windows Firewall.


28 Aug 2012   #2

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64

Hi,

Let's start here to make sure your validation is all OK. Run MGADIAG as explained in the tutorial below, and then post the results back here in your next reply:

Windows Genuine and Activation Issue Posting Instructions

Regards,
Golden
28 Aug 2012   #3

Windows 7 Pro 64 bit

It worries me that you have all the MS protection in place and it still gets through and hijacks your system.


28 Aug 2012   #4

windows 7 pro 64bit sp1

I will run MGADIAG when I get back from work.

But yeah, it concerns me as well. I'm currently working and living in China, but unless they have some new technique for intrusion, I've got no clue.

I'm not inexperienced when it comes to computers. I'm working towards a degree in computer engineering/science but still have a lot to learn.

Basically I had no problem with my PC one day. Shut it off and turned it on the next day, and that's when all the problems arose. I'm assuming it waited till startup to do its damage.
28 Aug 2012   #5

32 bit

Please download Rkill by Grinler and save it to your desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • The log should be saved on the desktop
  • Post it here
28 Aug 2012   #6

windows 7 pro 64bit sp1

OK, I am copying and pasting both logs here.

MGADIAG

Code:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-*****-*****-3FDVB
Windows Product Key Hash: zMqXYtYEDgdAH3DdMtEa+1hpce8=
Windows Product ID: 55041-146-3246346-86969
Windows Product ID Type: 6
Windows License Type: Volume MAK
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {7F6ACEAD-DE38-46CE-B0D8-59679219A225}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.120503-2030
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Users\Meh\AppData\Local\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{7F6ACEAD-DE38-46CE-B0D8-59679219A225}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-146-3246346-86969</PID><PIDType>6</PIDType><SID>S-1-5-21-674352357-4045067315-2804868904</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>GA-970A-D3</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>F8e</Version><SMBIOSVersion major="2" minor="4"/><Date>20111227000000.000000+000</Date></BIOS><HWID>D1400600018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>China Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 55041-00172-146-324634-03-1033-7601.0000-0412012
Installation ID: 014422797384934144756980466071858005562454646433673185
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 3FDVB
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 8/28/2012 8:59:12 PM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:20:2012 18:53
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: MAAAAAAABAABAAEAAAABAAAAAgABAAEAln0GjNzf3BUQM1TyGrnuP86aWsKuPiAh

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information: 
  ACPI Table Name    OEMID Value    OEMTableID Value
  APIC            GBT           GBTUACPI
  FACP            GBT           GBTUACPI
  HPET            GBT           GBTUACPI
  MCFG            GBT           GBTUACPI
  MSDM            GBT           GBTUACPI
  MATS            GBT           
  TAMG            GBT           GBT   B0
  MATS            GBT           
  SSDT            AMD           POWERNOW


Rkill LOG

Rkill 2.3.3 by Lawrence Abrams (Grinler)
Bleeping Computer - Computer Help and Discussion
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
 RKill - What it does and What it Doesn't - A brief introduction to the program

Program started at: 08/28/2012 10:21:07 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop.

 * No malware services found to stop.

Checking for processes to terminate.

 * C:\Users\Meh\Local Settings\Apps\F.lux\flux.exe (PID: 5012) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings.

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\Meh\Desktop\rkill\rkill-08-28-2012-10-21-19.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

 * ALERT: ZEROACCESS rootkit symptoms found!

     * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
     * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\ [ZA Dir]
     * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\@ [ZA File]
     * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\ [ZA Dir]
     * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\00000004.@ [ZA File]
     * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\ [ZA Dir]
     * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\00000004.@ [ZA File]
     * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\00000008.@ [ZA File]
     * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\000000cb.@ [ZA File]
     * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\80000064.@ [ZA File]
     * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\ [ZA Dir]
     * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\@ [ZA File]
     * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\ [ZA Dir]
     * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\00000004.@ [ZA File]
     * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\201d3dde [ZA File]
     * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\ [ZA Dir]

Checking Windows Service Integrity: 

 * Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual

 * BFE [Missing Service]
 * BITS [Missing Service]
 * iphlpsvc [Missing Service]
 * MpsSvc [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]
 * wuauserv [Missing Service]

Searching for Missing Digital Signatures: 

 * No issues found.

Program finished at: 08/28/2012 10:21:33 PM
Execution time: 0 hours(s), 0 minute(s), and 25 seconds(s)
-------------------------------------------------------------------------------
Dang, I have more missing services than I thought. Any advice on how to restore them?
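The Rkill output above reports two kinds of indicator: seven Windows services (BFE, BITS, iphlpsvc, MpsSvc, WinDefend, wscsvc, wuauserv) that the service control manager no longer knows about, and a CLSID whose InprocServer32 entry has been redirected, with payload folders named after a GUID under AppData\Local and Windows\Installer. The PowerShell script below is an added example written for this thread; it is not part of the original posts and is not Rkill's own code. Run from an elevated prompt on the affected host, it re-checks those same indicators: whether each listed service is registered and how it is set to start, where the hijacked CLSID's InprocServer32 value points, and whether any {GUID} folder with an `@` marker file exists under the two roots Rkill named. The service names, CLSID and folder layout are taken from the log; the rule that a legitimate InprocServer32 value resolves somewhere under %SystemRoot% is an assumption, so treat a non-matching path as something to look at, not as proof on its own.

```powershell
# Added example (not from the thread or from Rkill): re-check the indicators
# Rkill reported, read-only, from an elevated PowerShell prompt on the host.
# Service names, CLSID and the {GUID}\@ layout come from the posted log;
# "a legitimate COM server lives under %SystemRoot%" is an assumption.

$expectedServices = 'BFE','BITS','iphlpsvc','MpsSvc','WinDefend','wscsvc','wuauserv'
$hijackedClsid    = '{42aedc87-2188-41fd-b9a3-0c966feabec1}'

function Test-ServiceInventory {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) {
            # No SCM entry at all: the service key is gone, which matches
            # Rkill's "[Missing Service]" lines rather than a stopped service.
            New-Object PSObject -Property @{ Service = $name; Status = 'MISSING'; StartType = '' }
        } else {
            # Win32_Service is used because Get-Service in PowerShell 2.0
            # (Windows 7 default) does not expose the start mode.
            $wmi = Get-WmiObject Win32_Service -Filter "Name='$name'"
            New-Object PSObject -Property @{ Service = $name; Status = $svc.Status; StartType = $wmi.StartMode }
        }
    }
}

function Test-ClsidInprocServer {
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return "InprocServer32 key absent for $Clsid" }
    # The COM server path is the key's unnamed (default) value.
    $server   = (Get-ItemProperty -LiteralPath $key).'(default)'
    $expanded = [Environment]::ExpandEnvironmentVariables([string]$server)
    $sysRoot  = $env:SystemRoot
    if ($expanded -and $expanded.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)) {
        return "OK: $Clsid -> $expanded"
    }
    return "SUSPECT: $Clsid InprocServer32 -> '$server' (not under $sysRoot)"
}

function Find-GuidPayloadDirs {
    # Layout seen in the log: {GUID}\@ (plus L\ and U\ subfolders) under
    # %LOCALAPPDATA% and %SystemRoot%\Installer. -Force includes hidden dirs.
    $roots = @($env:LOCALAPPDATA, (Join-Path $env:SystemRoot 'Installer'))
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
            ForEach-Object {
                $marker = Join-Path $_.FullName '@'
                if (Test-Path -LiteralPath $marker) { $_.FullName }
            }
    }
}

Test-ServiceInventory -Names $expectedServices | Format-Table Service, Status, StartType -AutoSize
Test-ClsidInprocServer -Clsid $hijackedClsid
Find-GuidPayloadDirs
```

The script only reports; it does not recreate service keys or touch the registry, which is consistent with the advice later in the thread that a rootkit of this kind is safer dealt with by a clean installation than by piecemeal repair. A service shown as MISSING here, after a malware removal tool has run, means the registry key itself is gone rather than the service merely being stopped, which is why reinstalling Security Essentials alone did not bring the firewall or Windows Update back.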
28 Aug 2012   #7

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64

Hi,

You have posted an edited version of the MGADIAG report which shows several inconsistencies - please post the full unedited MGADIAG report.

Regards,
Golden
28 Aug 2012   #8

windows 7 pro 64bit sp1

I posted it just like the directions explained, but here it is again. Thanks!

Code:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-*****-*****-3FDVB
Windows Product Key Hash: zMqXYtYEDgdAH3DdMtEa+1hpce8=
Windows Product ID: 55041-146-3246346-86969
Windows Product ID Type: 6
Windows License Type: Volume MAK
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {7F6ACEAD-DE38-46CE-B0D8-59679219A225}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.120503-2030
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Users\Meh\AppData\Local\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{7F6ACEAD-DE38-46CE-B0D8-59679219A225}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-146-3246346-86969</PID><PIDType>6</PIDType><SID>S-1-5-21-674352357-4045067315-2804868904</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>GA-970A-D3</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>F8e</Version><SMBIOSVersion major="2" minor="4"/><Date>20111227000000.000000+000</Date></BIOS><HWID>D1400600018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>China Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 55041-00172-146-324634-03-1033-7601.0000-0412012
Installation ID: 014422797384934144756980466071858005562454646433673185
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 3FDVB
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 8/28/2012 10:47:44 PM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:20:2012 18:53
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: MAAAAAAABAABAAEAAAABAAAAAgABAAEAln0GjNzf3BUQM1TyGrnuP86aWsKuPiAh

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			GBT   		GBTUACPI
  FACP			GBT   		GBTUACPI
  HPET			GBT   		GBTUACPI
  MCFG			GBT   		GBTUACPI
  MSDM			GBT   		GBTUACPI
  MATS			GBT   		
  TAMG			GBT   		GBT   B0
  MATS			GBT   		
  SSDT			AMD   		POWERNOW
28 Aug 2012   #9

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64

Hi,

The rootkit behaviour is a worry - unless shawn77 has other suggestions, you might want to consider a clean installation after wiping the disk using DISKPART CLEAN ALL. Some rootkits are notoriously difficult to remove using conventional means.

You say you've lost your licence key. You have a MAK volume licence, usually used by organizations with more than a handful of PCs - I don't understand why you cannot have them reinstall and reactivate your licence. Can you shed some light on that?

Regards,
Golden
28 Aug 2012   #10

windows 7 pro 64bit sp1

OK, I was afraid I would have to do that. I've been trying to recover my key, but I've been having issues. Thanks.