 | |
| |
| 27 Aug 2012 | |
| windows 7 pro 64bit sp1 8 posts | Google hijacked So I recently got the google hijack malware. Basically anytime I went to google or most common sites I get a message saying the site may contain maleware and is dangerous blah blah blah. But then I realized another problem some of my windows services won't start like bits service. Basically microsoft security essentials, Microsoft firewall, and Microsoft updater all give me errors and won't run. Now I reinstalled security essentials and it works now as far as I can tell, and I ran malewarebytes and removed the google hijack as far as I know. But the services are still missing as well as things like desktop icons keep rearranging and won't stay in place as well as folders won't stay in the preferred method of viewing ie. Group by type and sort by date modified (resets to sort by name and detail view). I've also run a repair and restore point from a windows ISO on a USB from boot to avail. I'm running windows 7 64bit pro sp1. I would format but I've lost my key and can't recover it. Thanks for any help Edit: I also get a error code 0x80070424 when trying to start up windows firewall |
My System Specs | |
| 28 Aug 2012 | |
| Windows 7 Ultimate SP1 (x64) 9,924 posts South Australia | Hi, Lets start here to make sure your validation is all OK. Run the MGADIAG as explained in the tutorial below, and then post the results back here in your next reply: Windows Genuine and Activation Issue Posting Instructions Regards, Golden |
| My System Specs |
| 28 Aug 2012 | |
| Windows 7 Pro 64 bit 684 posts | It worries me that you have all the MS protection in place and it still get through and hijacks your system |
| My System Specs |
| . |
| |
| 28 Aug 2012 | |
| windows 7 pro 64bit sp1 8 posts | I will run the mgdiag when I get back from work. But yeah it concerns me as well. I'm currently working and living in China but unless they have some new technique for intrusion then I've got no clue. Im not inexperienced when it comes to computers. I'm working towards a degree in computer engineering/science but still have a lot to learn. Basically I had no problem with my pc one day. Shut it off and turned it on the next day and that's when all the problems arose. I'm assuming it waiting till startup to do its damage. |
| My System Specs |
| 28 Aug 2012 | |
| 32 bit 143 posts | Please download Rkill by Grinler and save it to your desktop.
|
| My System Specs |
| 28 Aug 2012 | |
| windows 7 pro 64bit sp1 8 posts | Ok i am copying and pasting both logs here MGADIA Code: Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-*****-*****-3FDVB
Windows Product Key Hash: zMqXYtYEDgdAH3DdMtEa+1hpce8=
Windows Product ID: 55041-146-3246346-86969
Windows Product ID Type: 6
Windows License Type: Volume MAK
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {7F6ACEAD-DE38-46CE-B0D8-59679219A225}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.120503-2030
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Users\Meh\AppData\Local\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{7F6ACEAD-DE38-46CE-B0D8-59679219A225}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-146-3246346-86969</PID><PIDType>6</PIDType><SID>S-1-5-21-674352357-4045067315-2804868904</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>GA-970A-D3</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>F8e</Version><SMBIOSVersion major="2" minor="4"/><Date>20111227000000.000000+000</Date></BIOS><HWID>D1400600018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>China Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 55041-00172-146-324634-03-1033-7601.0000-0412012
Installation ID: 014422797384934144756980466071858005562454646433673185
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 3FDVB
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 8/28/2012 8:59:12 PM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:20:2012 18:53
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: MAAAAAAABAABAAEAAAABAAAAAgABAAEAln0GjNzf3BUQM1TyGrnuP86aWsKuPiAh
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC GBT GBTUACPI
FACP GBT GBTUACPI
HPET GBT GBTUACPI
MCFG GBT GBTUACPI
MSDM GBT GBTUACPI
MATS GBT
TAMG GBT GBT B0
MATS GBT
SSDT AMD POWERNOW
Rkill LOG
Rkill 2.3.3 by Lawrence Abrams (Grinler)
Bleeping Computer - Computer Help and Discussion
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
RKill - What it does and What it Doesn't - A brief introduction to the program
Program started at: 08/28/2012 10:21:07 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
Checking for Windows services to stop.
* No malware services found to stop.
Checking for processes to terminate.
* C:\Users\Meh\Local Settings\Apps\F.lux\flux.exe (PID: 5012) [UP-HEUR]
1 proccess terminated!
Checking Registry for malware related settings.
* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]
Backup Registry file created at:
C:\Users\Meh\Desktop\rkill\rkill-08-28-2012-10-21-19.reg
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks.
* ALERT: ZEROACCESS rootkit symptoms found!
* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\ [ZA Dir]
* C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\@ [ZA File]
* C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\ [ZA Dir]
* C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\00000004.@ [ZA File]
* C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\ [ZA Dir]
* C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\00000004.@ [ZA File]
* C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\00000008.@ [ZA File]
* C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\000000cb.@ [ZA File]
* C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\80000064.@ [ZA File]
* C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\ [ZA Dir]
* C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\@ [ZA File]
* C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\ [ZA Dir]
* C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\00000004.@ [ZA File]
* C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\201d3dde [ZA File]
* C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\ [ZA Dir]
Checking Windows Service Integrity:
* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual
* BFE [Missing Service]
* BITS [Missing Service]
* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]
Searching for Missing Digital Signatures:
* No issues found.
Program finished at: 08/28/2012 10:21:33 PM
Execution time: 0 hours(s), 0 minute(s), and 25 seconds(s)
------------------------------------------------------------------------------- |
| My System Specs |
| 28 Aug 2012 | |
| Windows 7 Ultimate SP1 (x64) 9,924 posts South Australia | Hi, You have posted an edited version of the MGADIAG report which shows several inconsistencies - please post the full unedited MGADIAG report. Regards, Golden |
| My System Specs |
| 28 Aug 2012 | |
| windows 7 pro 64bit sp1 8 posts | i posted it just like the directions explained, but here it is again. thanks~! Code: Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-*****-*****-3FDVB
Windows Product Key Hash: zMqXYtYEDgdAH3DdMtEa+1hpce8=
Windows Product ID: 55041-146-3246346-86969
Windows Product ID Type: 6
Windows License Type: Volume MAK
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {7F6ACEAD-DE38-46CE-B0D8-59679219A225}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.120503-2030
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Users\Meh\AppData\Local\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{7F6ACEAD-DE38-46CE-B0D8-59679219A225}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-146-3246346-86969</PID><PIDType>6</PIDType><SID>S-1-5-21-674352357-4045067315-2804868904</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>GA-970A-D3</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>F8e</Version><SMBIOSVersion major="2" minor="4"/><Date>20111227000000.000000+000</Date></BIOS><HWID>D1400600018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>China Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 55041-00172-146-324634-03-1033-7601.0000-0412012
Installation ID: 014422797384934144756980466071858005562454646433673185
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 3FDVB
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 8/28/2012 10:47:44 PM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 6:20:2012 18:53
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: MAAAAAAABAABAAEAAAABAAAAAgABAAEAln0GjNzf3BUQM1TyGrnuP86aWsKuPiAh
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC GBT GBTUACPI
FACP GBT GBTUACPI
HPET GBT GBTUACPI
MCFG GBT GBTUACPI
MSDM GBT GBTUACPI
MATS GBT
TAMG GBT GBT B0
MATS GBT
SSDT AMD POWERNOW |
| My System Specs |
| 28 Aug 2012 | |
| Windows 7 Ultimate SP1 (x64) 9,924 posts South Australia | Hi, The rootkit behaviour is a worry - unless shawn77 has other suggestions, you might want to consider a clean installation after wiping the disk using DISKPART CLEAN ALL. Some rootkits are notoriously difficult to remove using conventional means. You say you've lost your licence key. You have a MAK volume licence, usually used by organizations with more than a handfull of PC's - I don't understand why you cannot have them reinstall and reactivate your licence. Can you shed some light on that? Regards, Golden |
| My System Specs |
| 28 Aug 2012 | |
| windows 7 pro 64bit sp1 8 posts | ok i was afraid i would have to do that. ive been trying to recover my key but ive been having issues. thanks |
| My System Specs |
 |
Google hijacked problems?
| Thread Tools | |
| Similar help and support threads for: Google hijacked | ||||
| Thread | Forum | |||
| Driver Hijacked ? | Network & Sharing | |||
 Browser Hijacked | System Security | |||
| Hotmail hijacked? Here’s what to do | Security News | |||
| Firefox Hijacked | Browsers & Mail | |||
| HELP! Hijacked Hotmail | System Security | |||
All times are GMT -5. The time now is 03:16 AM.
