Redirect infection

Question
-
Hi
I've been sent here from the AumHa forums. I have an infection on my PC which I now believe to have been caused by a non-genuine installation of XP of which I was previously unaware. I had a problem about a year ago, when Norton Antivirus 2006 would not update either automatically or manually. I contacted Norton support in August 2009 and they installed Norton 2009 by remote control which appeared to solve the problem. I had no further issues until a few days ago when I started to get redirected to trash commercial websites every time I tried to open a Google search result.
I contacted the AumHa forum for help. They looked at the log files I sent them, and redirected me here.
In addition, just a few minutes ago, Norton reported that it had detected Trojan.FakeAV!gen29 which it removed and recommended a restart. I complied.
Here is the MGADiag file:
---MGADiag starts---
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Cached Validation Code: N/A
Windows Product Key: *****-*****-3BPVW-TFB22-V8HXQ
Windows Product Key Hash: te42yePet5hWXpNPbW5xX84ULQQ=
Windows Product ID: 55274-645-7918334-23757
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {69C1A34B-4CBB-4FF4-8B43-7ACB0B3111D5}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 103 Blocked VLK
Microsoft Office Enterprise 2007 - 103 Blocked VLK
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-230-1
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\WINDOWS\system32\syssetup.dll[5.1.2600.2180], Hr = 0x800b0100
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{69C1A34B-4CBB-4FF4-8B43-7ACB0B3111D5}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-V8HXQ</PKey><PID>55274-645-7918334-23757</PID><PIDType>1</PIDType><SID>S-1-5-21-1482476501-823518204-725345543</SID><SYSTEM><Manufacturer>INTEL_</Manufacturer><Model>D945GNT_</Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>NT94510J.86A.1616.2005.0708.1742</Version><SMBIOSVersion major="2" minor="3"/><Date>20050708000000.000000+000</Date></BIOS><HWID>F62734770184E07C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Arab Standard Time(GMT+03:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>103</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>103</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>ACD7202654E586</Val><Hash>fFic3JgCreGGRxyF8uMWB4R4Jcg=</Hash><Pid>89388-707-1528066-65778</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="103"/><App Id="16" Version="12" Result="103"/><App Id="18" Version="12" Result="103"/><App Id="19" Version="12" Result="103"/><App Id="1A" Version="12" Result="103"/><App Id="1B" Version="12" Result="103"/><App Id="44" Version="12" Result="103"/><App Id="A1" Version="12" Result="103"/><App Id="BA" Version="12" Result="103"/></Applications></Office></Software></GenuineResults>
Licensing Data-->
N/A
Windows Activation Technologies-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
OEM Activation 2.0 Data-->
N/A
---MGADiag ends---
Thanks in anticipation of your help.
Rob
Tuesday, September 14, 2010 7:27 PM
Answers
-
"DesertRob" wrote in message news:94b6da25-a105-4bfb-9710-3feb39bcf4d9...
Hi
I've been sent here from the AumHa forums. I have an infection on my PC which I now believe to have been caused by a non-genuine installation of XP of which I was previously unaware. I had a problem about a year ago, when Norton Antivirus 2006 would not update either automatically or manually. I contacted Norton support in August 2009 and they installed Norton 2009 by remote control which appeared to solve the problem. I had no further issues until a few days ago when I started to get redirected to trash commercial websites every time I tried to open a Google search result.
I contacted the AumHa forum for help. They looked at the log files I sent them, and redirected me here.
In addition, just a few minutes ago, Norton reported that it had detected Trojan.FakeAV!gen29 which it removed and recommended a restart. I complied.
Here is the MGADiag file:
---MGADiag starts---
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Cached Validation Code: N/A
Windows Product Key: *****-*****-3BPVW-TFB22-V8HXQ
Windows Product Key Hash: te42yePet5hWXpNPbW5xX84ULQQ=
Windows Product ID: 55274-645-7918334-23757
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
Your major Licensing problem is that your installation of Windows is using an Invalid Product Key for a Volume Licensed version of XP Professional. The Key has been tagged 'Invalid' because it is one that was never issued by MS - and must therefore have been generated by a hacker's KeyGen program.
Is there a COA Sticker on the case? If so, what version and edition of Windows is quoted there? Does the Key on the sticker agree with what you can see of the Key above?
Note also, that you are using a counterfeit copy of Office Enterprise - which is not for sale to the general public, but only to organisations for use on their own machines - The key here has been blocked, presumably for abuse by the vendor.
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Marked as answer by Darin Smith MS, Wednesday, September 15, 2010 7:27 PM
Tuesday, September 14, 2010 7:43 PM (Moderator)
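The reply above reads the MGADiag report by eye. As an added example (not from the thread, and not part of MGADiag), here is a small Python triage script that parses the report's `Section-->` / `Key: Value` layout and pulls out the findings the reply acts on: the non-genuine Windows key, the blocked Office VLK, and the system DLL that failed signature validation. The report excerpt is constructed from the one posted above; the HRESULT names are the standard winerror.h ones.

```python
import re
# Constructed excerpt of the MGADiag report quoted in the thread, with the
# "...Data-->" section headers already split onto their own lines.
SAMPLE_REPORT = r"""Windows Validation Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Windows License Type: Volume
Windows XP Notifications Data-->
WgaTray.exe Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 103 Blocked VLK
File Scan Data-->
File Mismatch: C:\WINDOWS\system32\syssetup.dll[5.1.2600.2180], Hr = 0x800b0100
"""

HRESULTS = {  # winerror.h names for the hr codes MGADiag reports
    0x80070002: "ERROR_FILE_NOT_FOUND",  # WGA notification component absent
    0x800B0100: "TRUST_E_NOSIGNATURE",   # no valid Authenticode signature
}
HR_RE = re.compile(r"[Hh]r = (0x[0-9A-Fa-f]{8})")

def parse_report(text):
    """Split the report into {section: {key: value}} dictionaries."""
    sections, current = {}, "Header"
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("-->"):
            current = line[:-3].strip()
        elif ": " in line:
            key, _, value = line.partition(": ")
            sections.setdefault(current, {})[key] = value
    return sections

def triage(text):
    """Return (severity, finding) pairs a responder would act on."""
    findings, sections = [], parse_report(text)
    val = sections.get("Windows Validation Data", {})
    if val.get("Validation Status") != "Genuine":
        findings.append(("HIGH", f"Windows: {val.get('Validation Status')}, code "
                         f"{val.get('Validation Code')}, {val.get('Windows License Type')} license"))
    office = sections.get("OGA Data", {}).get("Office Status", "")
    if "Blocked" in office:
        findings.append(("HIGH", "Office: " + office))
    # An unsigned system DLL is the file-integrity lead; the rest is licensing.
    for key, value in sections.get("File Scan Data", {}).items():
        m = HR_RE.search(value)
        hr = HRESULTS.get(int(m.group(1), 16), m.group(1)) if m else "no hr"
        findings.append(("MEDIUM", f"{key}: {value.split(',')[0]} ({hr})"))
    return findings
```

Run `triage(SAMPLE_REPORT)` to get the three findings; a report from a genuine, fully signed machine returns an empty list.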
All replies
-
Sorry, I don't have a product case so I can't check the key, and there's nothing on the PC case. I would like to resolve the problems by getting rid of the counterfeit rubbish and replacing it with genuine licensed software. To get rid of the malware, I'm guessing that the best solution is to flatten the system and reformat. My question is... if I back up data on my external HDD, will I risk transferring the same malware to my new installation?
Thanks for your help.
Tuesday, September 14, 2010 7:52 PM
-
"DesertRob" wrote in message news:6de78260-4de6-4598-96c8-06bef30db027...
Sorry, I don't have a product case so I can't check the key, and there's nothing on the PC case. I would like to resolve the problems by getting rid of the counterfeit rubbish and replacing it with genuine licensed software. To get rid of the malware, I'm guessing that the best solution is to flatten the system and reformat. My question is... if I back up data on my external HDD, will I risk transferring the same malware to my new installation?
Thanks for your help.
If you back up the data to external media, then reformat/reinstall a legitimate OS, and follow with a decent anti-virus and anti-malware solution, you can then scan the data from the new install with minimal danger of re-infection - once satisfied that all the files are clean, you can bring them back into the main system.
The main object in the reformat/reinstall is to ensure that your system is totally clean - so disconnect any other HD's and external drives before starting, and think about a zero-format of the HD itself, using the manufacturer's test utility.
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Tuesday, September 14, 2010 8:45 PM (Moderator)
-
I've been sent here from the AumHa forums...
cf. http://aumha.net/viewtopic.php?f=30&t=44522
<waves @Noel>
Tuesday, September 14, 2010 9:45 PM