Redirect infection

  • Question

  • Hi

    I've been sent here from the AumHa forums.  I have an infection on my PC which I now believe to have been caused by a non-genuine installation of XP of which I was previously unaware.  I had a problem about a year ago, when Norton Antivirus 2006 would not update either automatically or manually.  I contacted Norton support in August 2009 and they installed Norton 2009 by remote control which appeared to solve the problem.  I had no further issues until a few days ago when I started to get redirected to trash commercial websites every time I tried to open a Google search result.

    I contacted the AumHa forum for help.  They looked at the log files I sent them, and redirected me here.

    In addition, just a few minutes ago, Norton reported that it had detected Trojan.FakeAV!gen29 which it removed and recommended a restart.  I complied.

    Here is the MGADiag file:

    ---MGADiag starts---

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Invalid Product Key
    Validation Code: 8
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-3BPVW-TFB22-V8HXQ
    Windows Product Key Hash: te42yePet5hWXpNPbW5xX84ULQQ=
    Windows Product ID: 55274-645-7918334-23757
    Windows Product ID Type: 1
    Windows License Type: Volume
    Windows OS version: 5.1.2600.2.00010100.2.0.pro
    ID: {69C1A34B-4CBB-4FF4-8B43-7ACB0B3111D5}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 103 Blocked VLK
    Microsoft Office Enterprise 2007 - 103 Blocked VLK
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\WINDOWS\system32\syssetup.dll[5.1.2600.2180], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{69C1A34B-4CBB-4FF4-8B43-7ACB0B3111D5}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-V8HXQ</PKey><PID>55274-645-7918334-23757</PID><PIDType>1</PIDType><SID>S-1-5-21-1482476501-823518204-725345543</SID><SYSTEM><Manufacturer>INTEL_</Manufacturer><Model>D945GNT_</Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>NT94510J.86A.1616.2005.0708.1742</Version><SMBIOSVersion major="2" minor="3"/><Date>20050708000000.000000+000</Date></BIOS><HWID>F62734770184E07C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Arab Standard Time(GMT+03:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>103</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>103</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>ACD7202654E586</Val><Hash>fFic3JgCreGGRxyF8uMWB4R4Jcg=</Hash><Pid>89388-707-1528066-65778</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="103"/><App Id="16" Version="12" Result="103"/><App Id="18" Version="12" Result="103"/><App Id="19" Version="12" Result="103"/><App Id="1A" Version="12" Result="103"/><App Id="1B" Version="12" Result="103"/><App Id="44" Version="12" Result="103"/><App Id="A1" Version="12" Result="103"/><App Id="BA" Version="12" Result="103"/></Applications></Office></Software></GenuineResults> 

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: no
    Marker string from BIOS: N/A
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->
    N/A

    ---MGADiag ends---

    Thanks in anticipation of your help.

    Rob

    Tuesday, September 14, 2010 7:27 PM

Answers

  • "DesertRob" wrote in message news:94b6da25-a105-4bfb-9710-3feb39bcf4d9...

    Hi

    I've been sent here from the AumHa forums.  I have an infection on my PC which I now believe to have been caused by a non-genuine installation of XP of which I was previously unaware.  I had a problem about a year ago, when Norton Antivirus 2006 would not update either automatically or manually.  I contacted Norton support in August 2009 and they installed Norton 2009 by remote control which appeared to solve the problem.  I had no further issues until a few days ago when I started to get redirected to trash commercial websites every time I tried to open a Google search result.

    I contacted the AumHa forum for help.  They looked at the log files I sent them, and redirected me here.

    In addition, just a few minutes ago, Norton reported that it had detected Trojan.FakeAV!gen29 which it removed and recommended a restart.  I complied.

    Here is the MGADiag file:

    ---MGADiag starts---

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Invalid Product Key
    Validation Code: 8
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-3BPVW-TFB22-V8HXQ
    Windows Product Key Hash: te42yePet5hWXpNPbW5xX84ULQQ=
    Windows Product ID: 55274-645-7918334-23757
    Windows Product ID Type: 1
    Windows License Type: Volume
    Windows OS version: 5.1.2600.2.00010100.2.0.pro


    Your major Licensing problem is that your installation of Windows is using an Invalid Product Key for a Volume Licensed version of XP Professional.
    The Key has been tagged 'Invalid' because it is one that was never issued by MS - and must therefore have been generated by a hacker's KeyGen program.
    Is there a COA Sticker on the case? If so, what version and edition of Windows is quoted there? Does the Key on the sticker agree with what you can see of the Key above?
    Note also, that you are using a counterfeit copy of Office Enterprise - which is not for sale to the general public, but only to organisations for use on their own machines - The key here has been blocked, presumably for abuse by the vendor.

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Marked as answer by Darin Smith MS Wednesday, September 15, 2010 7:27 PM
    Tuesday, September 14, 2010 7:43 PM
    Moderator
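As an added example, not part of the thread and not part of the MGADiag tool: a small Python parser for the report format above that pulls out the fields the answer is reading (validation status, licence type, Office status, the file mismatch) and decodes the "hr = 0x..." codes, which are standard Windows HRESULT values. The sample text is an excerpt of the report posted above; the section and field names are as the tool prints them, the HRESULT meanings are the standard Windows definitions, and the parser and the finding categories are my own.

```python
"""Read an MGADiag report and pull out the licensing/integrity indicators.

Added example for this thread; it is not part of MGADiag or of the answer
above. It handles only the plain-text "Section-->" / "Name: Value" layout;
the XML blob under "Other data" and the key hashes are left alone.
"""
import re

# Standard Windows HRESULT values that MGADiag prints as "hr = 0x...".
HRESULT_NAMES = {
    0x80070002: "ERROR_FILE_NOT_FOUND (component not present)",
    0x80004005: "E_FAIL",
    0x800B0100: "TRUST_E_NOSIGNATURE (no valid Authenticode signature)",
}

SECTION_RE = re.compile(r"^(?P<name>.+?)-->\s*$")
KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
HR_RE = re.compile(r"[Hh]r\s*=\s*0x([0-9A-Fa-f]{8})")

# Excerpt of the report posted in this thread (only the lines used here).
SAMPLE_REPORT = """\
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No

OGA Data-->
Office Status: 103 Blocked VLK
Microsoft Office Enterprise 2007 - 103 Blocked VLK

File Scan Data-->
File Mismatch: C:\\WINDOWS\\system32\\syssetup.dll[5.1.2600.2180], Hr = 0x800b0100

OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
"""


def parse_mgadiag(text):
    """Return {section: {key: value}} for the report's line-oriented sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip()] = m.group("value").strip()
    return sections


def decode_hresults(sections):
    """List (section, key, code, meaning) for every 'hr = 0x...' in the report."""
    found = []
    for sec, kv in sections.items():
        for key, value in kv.items():
            for hexcode in HR_RE.findall(value):
                code = int(hexcode, 16)
                found.append((sec, key, code,
                              HRESULT_NAMES.get(code, "unrecognised HRESULT")))
    return found


def assess(sections):
    """Reduce the parsed report to (category, message) findings."""
    findings = []
    win = sections.get("Windows Validation Data", {})
    status = win.get("Validation Status", "")
    if status and status != "Genuine":
        findings.append(("windows", "%s (validation code %s); license type: %s"
                         % (status, win.get("Validation Code", "?"),
                            win.get("Windows License Type", "?"))))
    office = sections.get("OGA Data", {}).get("Office Status", "")
    if office and "Genuine" not in office:
        findings.append(("office", office))
    mismatch = sections.get("File Scan Data", {}).get("File Mismatch", "")
    if mismatch:
        # The mismatch line carries the signature-check HRESULT after a comma.
        codes = [HRESULT_NAMES.get(int(h, 16), "unrecognised HRESULT")
                 for h in HR_RE.findall(mismatch)]
        findings.append(("file scan", mismatch.split(",")[0] + ": " + "; ".join(codes)))
    return findings


if __name__ == "__main__":
    parsed = parse_mgadiag(SAMPLE_REPORT)
    for category, message in assess(parsed):
        print("%-10s %s" % (category, message))
    for sec, key, code, meaning in decode_hresults(parsed):
        print("0x%08X  %s / %s: %s" % (code, sec, key, meaning))
```

Two things worth noticing in the decoded output: the 0x80070002 codes on the WGA and OGA notification lines are just ERROR_FILE_NOT_FOUND, matching "File Exists: No", so on their own they only say those notification components are not installed; the line that matters for integrity is the File Scan entry, where a system DLL failed its signature check with TRUST_E_NOSIGNATURE.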

All replies

  • Sorry, I don't have a product case so I can't check the key, and there's nothing on the PC case.  I would like to resolve the problems by getting rid of the counterfeit rubbish and replacing it with genuine licensed software.  To get rid of the malware, I'm guessing that the best solution is to flatten the system and reformat.  My question is... if I back up data on my external HDD, will I risk transferring the same malware to my new installation?

    Thanks for your help.

    Tuesday, September 14, 2010 7:52 PM
  • "DesertRob" wrote in message news:6de78260-4de6-4598-96c8-06bef30db027...

    Sorry, I don't have a product case so I can't check the key, and there's nothing on the PC case.  I would like to resolve the problems by getting rid of the counterfeit rubbish and replacing it with genuine licensed software.  To get rid of the malware, I'm guessing that the best solution is to flatten the system and reformat.  My question is... if I back up data on my external HDD, will I risk transferring the same malware to my new installation?

    Thanks for your help.


    If you back up the data to external media, then reformat/reinstall a legitimate OS, and follow with a decent anti-virus and anti-malware solution, you can then scan the data from the new install with minimal danger of re-infection - once satisfied that all the files are clean, you can bring them back into the main system.
    The main object in the reformat/reinstall is to ensure that your system is totally clean - so disconnect any other HDs and external drives before starting, and think about a zero-format of the HD itself, using the manufacturer's test utility.

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, September 14, 2010 8:45 PM
    Moderator
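The "scan the backup from the clean install before bringing the files back" step in the reply above, as an added example that is not from the original post: a Python pass over the backup drive that builds a hash manifest and splits the files into a restore list and a quarantine list. Anything Windows would execute (by extension, or by content when a file carries a PE "MZ" header under a harmless-looking name) and any autorun.inf, which older Windows versions act on when a drive is attached, is kept off the new system and handed to the AV scan instead. The extension list and the sample backup tree are my assumptions for the example.

```python
"""Triage a backup drive before restoring it onto a freshly installed system.

Added example; not from the original thread. It implements the
"scan the backup from the clean install before bringing the files back"
step as an allow-list: only data files are eligible for restore, and
anything executable by extension or by content (PE "MZ" header), plus
autorun.inf, goes to a quarantine list for the AV scan instead.
"""
import hashlib
import os

# Extensions Windows will execute directly or that carry scripts/shortcuts.
# Assumed list for this example; extend as needed.
EXEC_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk", ".cpl", ".sys",
}


def sha256_of(path):
    """Hash the file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Return a reason string if the file must be quarantined, else None."""
    name = os.path.basename(path).lower()
    if name == "autorun.inf":
        return "autorun.inf"
    ext = os.path.splitext(name)[1]
    if ext in EXEC_EXTENSIONS:
        return "executable extension " + ext
    with open(path, "rb") as f:
        head = f.read(2)
    if head == b"MZ":  # PE/DOS header: an executable regardless of its name
        return "PE header despite extension " + (ext or "(none)")
    return None


def triage(root):
    """Walk `root`; return (restore, quarantine) lists of manifest entries."""
    restore, quarantine = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            entry = {"path": os.path.relpath(path, root), "sha256": sha256_of(path)}
            reason = classify(path)
            if reason:
                entry["reason"] = reason
                quarantine.append(entry)
            else:
                restore.append(entry)
    return restore, quarantine


def build_sample_backup(root):
    """Constructed sample backup tree for the example (not real user data)."""
    files = {
        "documents/report.doc": b"\xd0\xcf\x11\xe0 fake word document",
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0 fake jpeg",
        "photos/holiday.jpg.exe": b"MZ\x90\x00 disguised with a double extension",
        "documents/notes.txt": b"MZ\x90\x00 renamed executable",
        "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
        "tools/cleaner.scr": b"MZ\x90\x00 screensaver",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def run_sample():
    """Build the sample backup in a temp dir, triage it, return the verdicts."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        restore, quarantine = triage(tmp)
    return (sorted(e["path"].replace(os.sep, "/") for e in restore),
            {e["path"].replace(os.sep, "/"): e["reason"] for e in quarantine})


if __name__ == "__main__":
    ok, bad = run_sample()
    for p, why in sorted(bad.items()):
        print("QUARANTINE", p, "-", why)
    for p in ok:
        print("restore   ", p)
```

Run it from the fresh install with `triage()` pointed at the mounted backup drive: the quarantine list is what the AV scan looks at first and what never gets copied back as-is, the restore list is what is eligible to come back, and the hash manifest lets you confirm later that what you restored is what you scanned. Data files still get the AV scan the reply calls for (documents can carry macros); this pass only keeps executables, scripts, shortcuts and autorun.inf from coming back at all.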
  • I've been sent here from the AumHa forums...

    cf. http://aumha.net/viewtopic.php?f=30&t=44522 
    <waves @Noel>
    Tuesday, September 14, 2010 9:45 PM