Google hijacked


  1. Posts : 8
    windows 7 pro 64bit sp1
       #1

    Google hijacked


    So I recently got the Google hijack malware. Basically, any time I went to Google or most common sites I got a message saying the site may contain malware and is dangerous, blah blah blah.

    But then I realized another problem: some of my Windows services won't start, like the BITS service. Basically, Microsoft Security Essentials, Microsoft Firewall, and Microsoft Updater all give me errors and won't run.

    Now I reinstalled Security Essentials and it works now as far as I can tell, and I ran Malwarebytes and removed the Google hijack as far as I know. But the services are still missing, and things like desktop icons keep rearranging and won't stay in place, and folders won't stay in the preferred method of viewing, i.e. group by type and sort by date modified (resets to sort by name and detail view).

    I've also run a repair and restore point from a Windows ISO on a USB from boot, to no avail.

    I'm running Windows 7 64-bit Pro SP1.

    I would format, but I've lost my key and can't recover it.

    Thanks for any help.

    Edit: I also get an error code 0x80070424 when trying to start up Windows Firewall.


  2. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #2

    Hi,

    Let's start here to make sure your validation is all OK. Run MGADIAG as explained in the tutorial below, and then post the results back here in your next reply:

    Windows Genuine and Activation Issue Posting Instructions

    Regards,
    Golden


  3. Posts : 627
    Windows 7 Pro 64 bit
       #3

    It worries me that you have all the MS protection in place and it still gets through and hijacks your system.


  4. Posts : 8
    windows 7 pro 64bit sp1
    Thread Starter
       #4

    I will run MGADIAG when I get back from work.

    But yeah, it concerns me as well. I'm currently working and living in China, but unless they have some new technique for intrusion, I've got no clue.

    I'm not inexperienced when it comes to computers. I'm working towards a degree in computer engineering/science, but still have a lot to learn.

    Basically I had no problem with my PC one day. Shut it off and turned it on the next day, and that's when all the problems arose. I'm assuming it waited till startup to do its damage.


  5. Posts : 143
    32 bit
       #5

    Please download Rkill by Grinler and save it to your desktop.


    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • The log should be saved on the desktop.
    • Post it here.


  6. Posts : 8
    windows 7 pro 64bit sp1
    Thread Starter
       #6

    OK, I am copying and pasting both logs here.

    MGADIAG

    Code:
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    
    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-3FDVB
    Windows Product Key Hash: zMqXYtYEDgdAH3DdMtEa+1hpce8=
    Windows Product ID: 55041-146-3246346-86969
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {7F6ACEAD-DE38-46CE-B0D8-59679219A225}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.120503-2030
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A
    
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    
    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
    
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Users\Meh\AppData\Local\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    
    File Scan Data-->
    
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{7F6ACEAD-DE38-46CE-B0D8-59679219A225}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-146-3246346-86969</PID><PIDType>6</PIDType><SID>S-1-5-21-674352357-4045067315-2804868904</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>GA-970A-D3</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>F8e</Version><SMBIOSVersion major="2" minor="4"/><Date>20111227000000.000000+000</Date></BIOS><HWID>D1400600018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>China Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  
    
    Spsys.log Content: 0x80070002
    
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    
    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 55041-00172-146-324634-03-1033-7601.0000-0412012
    Installation ID: 014422797384934144756980466071858005562454646433673185
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 3FDVB
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 8/28/2012 8:59:12 PM
    
    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:20:2012 18:53
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    
    
    HWID Data-->
    HWID Hash Current: MAAAAAAABAABAAEAAAABAAAAAgABAAEAln0GjNzf3BUQM1TyGrnuP86aWsKuPiAh
    
    OEM Activation 1.0 Data-->
    N/A
    
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            GBT           GBTUACPI
      FACP            GBT           GBTUACPI
      HPET            GBT           GBTUACPI
      MCFG            GBT           GBTUACPI
      MSDM            GBT           GBTUACPI
      MATS            GBT           
      TAMG            GBT           GBT   B0
      MATS            GBT           
      SSDT            AMD           POWERNOW
    
    
    Rkill LOG
    
    Rkill 2.3.3 by Lawrence Abrams (Grinler)
    Bleeping Computer - Computer Help and Discussion
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
     RKill - What it does and What it Doesn't - A brief introduction to the program
    
    Program started at: 08/28/2012 10:21:07 PM in x64 mode.
    Windows Version: Windows 7 Professional Service Pack 1
    
    Checking for Windows services to stop.
    
     * No malware services found to stop.
    
    Checking for processes to terminate.
    
     * C:\Users\Meh\Local Settings\Apps\F.lux\flux.exe (PID: 5012) [UP-HEUR]
    
    1 proccess terminated!
    
    Checking Registry for malware related settings.
    
     * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]
    
    Backup Registry file created at:
     C:\Users\Meh\Desktop\rkill\rkill-08-28-2012-10-21-19.reg
    
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    
    Performing miscellaneous checks.
    
     * ALERT: ZEROACCESS rootkit symptoms found!
    
         * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
         * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\ [ZA Dir]
         * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\@ [ZA File]
         * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\ [ZA Dir]
         * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\00000004.@ [ZA File]
         * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\ [ZA Dir]
         * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\00000004.@ [ZA File]
         * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\00000008.@ [ZA File]
         * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\000000cb.@ [ZA File]
         * C:\Users\Meh\AppData\Local\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\80000064.@ [ZA File]
         * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\ [ZA Dir]
         * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\@ [ZA File]
         * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\ [ZA Dir]
         * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\00000004.@ [ZA File]
         * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\L\201d3dde [ZA File]
         * C:\Windows\installer\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\U\ [ZA Dir]
    
    Checking Windows Service Integrity: 
    
     * Windows Firewall Authorization Driver (mpsdrv) is not Running.
       Startup Type set to: Manual
    
     * BFE [Missing Service]
     * BITS [Missing Service]
     * iphlpsvc [Missing Service]
     * MpsSvc [Missing Service]
     * WinDefend [Missing Service]
     * wscsvc [Missing Service]
     * wuauserv [Missing Service]
    
    Searching for Missing Digital Signatures: 
    
     * No issues found.
    
    Program finished at: 08/28/2012 10:21:33 PM
    Execution time: 0 hours(s), 0 minute(s), and 25 seconds(s)
    -------------------------------------------------------------------------------
    Dang, I have more missing services than I thought. Any advice on how to restore them?
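The Rkill log above is the most useful artifact in this thread: it lists the ZeroAccess indicators it found and the core protection services that are missing from the service database. As an added example (not code from the thread, from the Rkill author, or from Rkill itself), the Python below parses those two sections of an Rkill log into structured findings and produces a short triage list. The embedded sample log is constructed from lines quoted in post #6 and is not a complete Rkill run; the service-name map is an assumed labelling aid, not something Rkill emits.

```python
"""Parse the ZeroAccess and 'Windows Service Integrity' sections of an Rkill log.

Added example for this thread.  SAMPLE_RKILL_LOG is constructed from lines
quoted in post #6 above; it is not a full Rkill run.
"""
import re
from dataclasses import dataclass, field

SAMPLE_RKILL_LOG = """\
Checking for processes to terminate.

 * C:\\Users\\Meh\\Local Settings\\Apps\\F.lux\\flux.exe (PID: 5012) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings.

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Performing miscellaneous checks.

 * ALERT: ZEROACCESS rootkit symptoms found!

     * HKEY_CLASSES_ROOT\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32 [ZA Reg Hijack]
     * C:\\Users\\Meh\\AppData\\Local\\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\\ [ZA Dir]
     * C:\\Users\\Meh\\AppData\\Local\\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\\@ [ZA File]
     * C:\\Windows\\installer\\{1d4e8859-da19-7bf9-2a70-e6be9b449c29}\\L\\00000004.@ [ZA File]

Checking Windows Service Integrity: 

 * Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual

 * BFE [Missing Service]
 * BITS [Missing Service]
 * iphlpsvc [Missing Service]
 * MpsSvc [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]
 * wuauserv [Missing Service]

Searching for Missing Digital Signatures: 

 * No issues found.
"""

# Assumed labelling aid: short names of the Windows services Rkill checks
# in this log, mapped to their display names.
SERVICE_NAMES = {
    "BFE": "Base Filtering Engine",
    "BITS": "Background Intelligent Transfer Service",
    "iphlpsvc": "IP Helper",
    "MpsSvc": "Windows Firewall",
    "WinDefend": "Windows Defender",
    "wscsvc": "Security Center",
    "wuauserv": "Windows Update",
}

# One regex per line shape that appears in the sections we care about.
MISSING_RE = re.compile(r"^\s*\*\s+(\S+)\s+\[Missing Service\]\s*$")
NOT_RUNNING_RE = re.compile(r"^\s*\*\s+.+\((\w+)\) is not Running\.\s*$")
STARTUP_RE = re.compile(r"^\s*Startup Type set to:\s*(.+?)\s*$")
ZA_RE = re.compile(r"^\s*\*\s+(.+?)\s+\[(ZA [^\]]+)\]\s*$")
PROC_RE = re.compile(r"^\s*\*\s+(.+?)\s+\(PID:\s*(\d+)\)\s+\[([^\]]+)\]\s*$")


@dataclass
class RkillFindings:
    rootkit_alert: bool = False
    missing_services: list = field(default_factory=list)        # short names
    stopped_services: list = field(default_factory=list)        # (name, startup type)
    zeroaccess_indicators: list = field(default_factory=list)   # (path, ZA tag)
    terminated_processes: list = field(default_factory=list)    # (path, pid, reason)


def parse_rkill_log(text):
    """Walk the log line by line and collect the findings Rkill reported."""
    f = RkillFindings()
    pending_stopped = None  # service named on the previous 'is not Running' line
    for line in text.splitlines():
        if "ZEROACCESS rootkit symptoms found" in line:
            f.rootkit_alert = True
            continue
        if m := MISSING_RE.match(line):
            f.missing_services.append(m.group(1))
        elif m := NOT_RUNNING_RE.match(line):
            pending_stopped = m.group(1)
        elif (m := STARTUP_RE.match(line)) and pending_stopped:
            f.stopped_services.append((pending_stopped, m.group(1)))
            pending_stopped = None
        elif m := ZA_RE.match(line):
            f.zeroaccess_indicators.append((m.group(1), m.group(2)))
        elif m := PROC_RE.match(line):
            f.terminated_processes.append((m.group(1), int(m.group(2)), m.group(3)))
    return f


def triage(f):
    """Turn findings into one note per item a responder must act on."""
    notes = []
    if f.rootkit_alert:
        notes.append("rootkit indicators present: treat the host as compromised; "
                     "a rebuild from clean media is the dependable remediation")
    for svc in f.missing_services:
        notes.append(f"missing service {svc} ({SERVICE_NAMES.get(svc, 'unknown')})")
    for svc, start in f.stopped_services:
        notes.append(f"service {svc} not running (startup type {start})")
    return notes


if __name__ == "__main__":
    for note in triage(parse_rkill_log(SAMPLE_RKILL_LOG)):
        print(" -", note)
```

Run as-is it prints the triage list for the sample; point `parse_rkill_log` at the text of a real Rkill log to get the same structure. The missing-service list explains the symptom in post #1: 0x80070424 is ERROR_SERVICE_DOES_NOT_EXIST, which is exactly what the Service Control Manager returns when the firewall service (MpsSvc) has been deleted from the registry rather than merely stopped, so restarting it cannot succeed until the service definition is restored.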


  7. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #7

    Hi,

    You have posted an edited version of the MGADIAG report which shows several inconsistencies - please post the full unedited MGADIAG report.

    Regards,
    Golden


  8. Posts : 8
    windows 7 pro 64bit sp1
    Thread Starter
       #8

    I posted it just like the directions explained, but here it is again. Thanks!

    Code:
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    
    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-3FDVB
    Windows Product Key Hash: zMqXYtYEDgdAH3DdMtEa+1hpce8=
    Windows Product ID: 55041-146-3246346-86969
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {7F6ACEAD-DE38-46CE-B0D8-59679219A225}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.120503-2030
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A
    
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    
    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
    
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Users\Meh\AppData\Local\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    
    File Scan Data-->
    
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{7F6ACEAD-DE38-46CE-B0D8-59679219A225}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-146-3246346-86969</PID><PIDType>6</PIDType><SID>S-1-5-21-674352357-4045067315-2804868904</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>GA-970A-D3</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>F8e</Version><SMBIOSVersion major="2" minor="4"/><Date>20111227000000.000000+000</Date></BIOS><HWID>D1400600018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>China Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  
    
    Spsys.log Content: 0x80070002
    
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    
    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 55041-00172-146-324634-03-1033-7601.0000-0412012
    Installation ID: 014422797384934144756980466071858005562454646433673185
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 3FDVB
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 8/28/2012 10:47:44 PM
    
    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:20:2012 18:53
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    
    
    HWID Data-->
    HWID Hash Current: MAAAAAAABAABAAEAAAABAAAAAgABAAEAln0GjNzf3BUQM1TyGrnuP86aWsKuPiAh
    
    OEM Activation 1.0 Data-->
    N/A
    
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name	OEMID Value	OEMTableID Value
      APIC			GBT   		GBTUACPI
      FACP			GBT   		GBTUACPI
      HPET			GBT   		GBTUACPI
      MCFG			GBT   		GBTUACPI
      MSDM			GBT   		GBTUACPI
      MATS			GBT   		
      TAMG			GBT   		GBT   B0
      MATS			GBT   		
      SSDT			AMD   		POWERNOW


  9. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #9

    Hi,

    The rootkit behaviour is a worry - unless shawn77 has other suggestions, you might want to consider a clean installation after wiping the disk using DISKPART CLEAN ALL. Some rootkits are notoriously difficult to remove using conventional means.

    You say you've lost your licence key. You have a MAK volume licence, usually used by organizations with more than a handful of PCs - I don't understand why you cannot have them reinstall and reactivate your licence. Can you shed some light on that?

    Regards,
    Golden


  10. Posts : 8
    windows 7 pro 64bit sp1
    Thread Starter
       #10

    OK, I was afraid I would have to do that. I've been trying to recover my key, but I've been having issues. Thanks.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd