Remove From My Forums

Redirect infection

Question
0

Sign in to vote

Hi

I've been sent here from the AumHa forums. I have an infection on my PC which I now believe to have been caused by a non-genuine installation of XP of which I was previously unaware. I had a problem about a year ago, when Norton Antivirus 2006 would not update either automatically or manually. I contacted Norton support in August 2009 and they installed Norton 2009 by remote control which appeared to solve the problem. I had no further issues until a few days ago when I started to get redirected to trash commercial websites every time I tried to open a Google search result.

I contacted the AumHa forum for help. They looked at the log files I sent them, and redirected me here.

In addition, just a few minutes ago, Norton reported that it had detected Trojan.FakeAV!gen29 which it removed and recommended a restart. I complied.

Here is the MGADiag file:

---MGADiag starts---

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Cached Validation Code: N/A
Windows Product Key: *****-*****-3BPVW-TFB22-V8HXQ
Windows Product Key Hash: te42yePet5hWXpNPbW5xX84ULQQ=
Windows Product ID: 55274-645-7918334-23757
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {69C1A34B-4CBB-4FF4-8B43-7ACB0B3111D5}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 103 Blocked VLK
Microsoft Office Enterprise 2007 - 103 Blocked VLK
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\syssetup.dll[5.1.2600.2180], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{69C1A34B-4CBB-4FF4-8B43-7ACB0B3111D5}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-V8HXQ</PKey><PID>55274-645-7918334-23757</PID><PIDType>1</PIDType><SID>S-1-5-21-1482476501-823518204-725345543</SID><SYSTEM><Manufacturer>INTEL_</Manufacturer><Model>D945GNT_</Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>NT94510J.86A.1616.2005.0708.1742</Version><SMBIOSVersion major="2" minor="3"/><Date>20050708000000.000000+000</Date></BIOS><HWID>F62734770184E07C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Arab Standard Time(GMT+03:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>103</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>103</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>ACD7202654E586</Val><Hash>fFic3JgCreGGRxyF8uMWB4R4Jcg=</Hash><Pid>89388-707-1528066-65778</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="103"/><App Id="16" Version="12" Result="103"/><App Id="18" Version="12" Result="103"/><App Id="19" Version="12" Result="103"/><App Id="1A" Version="12" Result="103"/><App Id="1B" Version="12" Result="103"/><App Id="44" Version="12" Result="103"/><App Id="A1" Version="12" Result="103"/><App Id="BA" Version="12" Result="103"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

---MGADiag ends---

Thanks in anticipation of your help.

Rob

Tuesday, September 14, 2010 7:27 PM

Answers

0

Sign in to vote
"DesertRob" wrote in message news:94b6da25-a105-4bfb-9710-3feb39bcf4d9...

Hi

I've been sent here from the AumHa forums. I have an infection on my PC which I now believe to have been caused by a non-genuine installation of XP of which I was previously unaware. I had a problem about a year ago, when Norton Antivirus 2006 would not update either automatically or manually. I contacted Norton support in August 2009 and they installed Norton 2009 by remote control which appeared to solve the problem. I had no further issues until a few days ago when I started to get redirected to trash commercial websites every time I tried to open a Google search result.

I contacted the AumHa forum for help. They looked at the log files I sent them, and redirected me here.

In addition, just a few minutes ago, Norton reported that it had detected Trojan.FakeAV!gen29 which it removed and recommended a restart. I complied.

Here is the MGADiag file:

---MGADiag starts---

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Cached Validation Code: N/A
Windows Product Key: *****-*****-3BPVW-TFB22-V8HXQ
Windows Product Key Hash: te42yePet5hWXpNPbW5xX84ULQQ=
Windows Product ID: 55274-645-7918334-23757
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro

Your major Licensing problem is that your installation of Windows is using an Invalid Product Key for a Volume Licensed version of XP Professional.

The Key has been tagged 'Invalid' because it is one that was never issued by MS - and must therefore have been generated by a hacker's KeyGen program.

Is there a COA Sticker on the case? If so, what version and edition of Windows is quoted there? Does the Key on the sticker agree with what you can see of the Key above??

Note also, that you are using a counterfeit copy of Office Enterprise - which is not for sale to the general public, but only to organisations for use on their own machines - The key here has been blocked, presumably for abuse by the vendor.

--

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
- Marked as answer by Darin Smith MS Wednesday, September 15, 2010 7:27 PM
Tuesday, September 14, 2010 7:43 PM

Moderator

All replies

0

Sign in to vote
"DesertRob" wrote in message news:94b6da25-a105-4bfb-9710-3feb39bcf4d9...

Hi

I've been sent here from the AumHa forums. I have an infection on my PC which I now believe to have been caused by a non-genuine installation of XP of which I was previously unaware. I had a problem about a year ago, when Norton Antivirus 2006 would not update either automatically or manually. I contacted Norton support in August 2009 and they installed Norton 2009 by remote control which appeared to solve the problem. I had no further issues until a few days ago when I started to get redirected to trash commercial websites every time I tried to open a Google search result.

I contacted the AumHa forum for help. They looked at the log files I sent them, and redirected me here.

In addition, just a few minutes ago, Norton reported that it had detected Trojan.FakeAV!gen29 which it removed and recommended a restart. I complied.

Here is the MGADiag file:

---MGADiag starts---

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Cached Validation Code: N/A
Windows Product Key: *****-*****-3BPVW-TFB22-V8HXQ
Windows Product Key Hash: te42yePet5hWXpNPbW5xX84ULQQ=
Windows Product ID: 55274-645-7918334-23757
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro

Your major Licensing problem is that your installation of Windows is using an Invalid Product Key for a Volume Licensed version of XP Professional.

The Key has been tagged 'Invalid' because it is one that was never issued by MS - and must therefore have been generated by a hacker's KeyGen program.

Is there a COA Sticker on the case? If so, what version and edition of Windows is quoted there? Does the Key on the sticker agree with what you can see of the Key above??

Note also, that you are using a counterfeit copy of Office Enterprise - which is not for sale to the general public, but only to organisations for use on their own machines - The key here has been blocked, presumably for abuse by the vendor.

--

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
- Marked as answer by Darin Smith MS Wednesday, September 15, 2010 7:27 PM
Tuesday, September 14, 2010 7:43 PM

Moderator
0

Sign in to vote

Sorry, I don't have a product case so I can't check the key, and there's nothing on the PC case. I would like to resolve the problems by getting rid of the counterfeit rubbish and replacing it with genuine licensed software. To get rid of the malware, I'm guessing that the best solution is to flatten the system and reformat. My question is... if I back up data on my external HDD, will I risk transferring the same malware to my new installation?

Thanks for your help.

Tuesday, September 14, 2010 7:52 PM
0

Sign in to vote

"DesertRob" wrote in message news:6de78260-4de6-4598-96c8-06bef30db027...

Sorry, I don't have a product case so I can't check the key, and there's nothing on the PC case. I would like to resolve the problems by getting rid of the counterfeit rubbish and replacing it with genuine licensed software. To get rid of the malware, I'm guessing that the best solution is to flatten the system and reformat. My question is... if I back up data on my external HDD, will I risk transferring the same malware to my new installation?

Thanks for your help.

If you back up the data to external media, then reformat/reinstall a legitimate OS, and follow with a decent anti-virus and anti-malware solution, you can then scan the data from the new install with minimal danger of re-infection - once satisfied that all the files are clean, you can bring them back into the main system.

The main object in the reformat/reinstall is to ensure that your system is totally clean - so disconnect any other HD's and external drives before starting, and think about a zero-format of the HD itself, using the manufacturer's test utility.

--

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Tuesday, September 14, 2010 8:45 PM

Moderator
0

Sign in to vote

I've been sent here from the AumHa forums...

cf. http://aumha.net/viewtopic.php?f=30&t=44522
<waves @Noel>

Tuesday, September 14, 2010 9:45 PM

Answered by:

Redirect infection

Question

Answers

All replies