MSE Reports "Windows Did Not Pass Genuine Validation", Following Installation of Malicious Software Removal Tool From Windows Update

    Question

  • Following installation of the Windows Malicious Software Removal Tool for April 2011, MSE reported that XP Pro did not pass genuine validation. Rebooting the machine upon receiving this message resolved the issue temporarily, until MSE was updated. The message then reappeared. The message also appeared after performing a "full" scan (upon reboot). The machine in question has been in service since July of 2008, and has never experienced this type of validation issue.

    In an attempt to resolve this issue, I had uninstalled MSE, IE8 and all of the WGA and Windows Update components from the operating system in safe mode. Upon reinstalling these components via Windows Update, the problem appeared to be resolved. Upon installing the latest Windows Malicious Software Removal Tool for May 2011, however, the same problem recurred.

    Any clue as to what may be causing the problem? The MGADiag report is posted below.

     

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-2YTBC-B9C6X-44JYT
    Windows Product Key Hash: *****Ytt1CyfZUpHut9DOI6kFU4=
    Windows Product ID: *****-OEM-2243361-76422
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 5.1.2600.2.00010100.3.0.pro
    ID: {********-CD02-4D50-****-7751438D2071}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Home and Student 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Opera\Opera.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\WINDOWS\system32\oembios.bin[Hr = 0x80070002]
    File Mismatch: C:\WINDOWS\system32\oembios.dat[Hr = 0x80070002]
    File Mismatch: C:\WINDOWS\system32\oembios.sig[Hr = 0x80070002]

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{605433A7-CD02-4D50-B7B9-7751438D2071}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-44JYT</PKey><PID>76487-OEM-2243361-76422</PID><PIDType>3</PIDType><SID>S-1-5-21-1275210071-1004336348-1606980848</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq dc7600 Small Form Factor</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786D1 v01.61</Version><SMBIOSVersion major="2" minor="4"/><Date>20090701000000.000000+000</Date></BIOS><HWID>A03B3D7F0184E07C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>17640A4EBE55726</Val><Hash>zR1X0vnt4RvgXp76giuTjszyYrE=</Hash><Pid>81602-915-6392035-68682</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 8619:Compaq Computer Corporation|116FC:Compaq Computer Corporation|1FFEA:Compaq Computer Corporation|E618:Compaq Computer Corporation|11723:Compaq Computer Corporation|11723:Compaq Computer Corporation|1FFEA:Hewlett-Packard Company|E618:Hewlett-Packard Company
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->
    N/A


    Wednesday, May 11, 2011 6:42 PM

Answers

All replies

  • "RCA7591" wrote in message news:e337f9da-4a3c-4e4a-bb76-58f2b6362a9f...

    Following installation of the Windows Malicious Software Removal Tool for April 2011, MSE reported that XP Pro did not pass genuine validation. Rebooting the machine upon receiving this message resolved the issue temporarily, until MSE was updated. The message then reappeared. The message also appeared after performing a "full" scan (upon reboot). The machine in question has been in service since July of 2008, and has never experienced this type of validation issue.

    In an attempt to resolve this issue, I had uninstalled MSE, IE8 and all of the WGA and Windows Update components from the operating system in safe mode. Upon reinstalling these components via Windows Update, the problem appeared to be resolved. Upon installing the latest Windows Malicious Software Removal Tool for May 2011, however, the same problem recurred.

    Any clue as to what may be causing the problem? The MGADiag report is posted below.

     

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-2YTBC-B9C6X-44JYT
    Windows Product Key Hash: *****Ytt1CyfZUpHut9DOI6kFU4=
    Windows Product ID: *****-OEM-2243361-76422
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 5.1.2600.2.00010100.3.0.pro


    File Scan Data-->
    File Mismatch: C:\WINDOWS\system32\oembios.bin[Hr = 0x80070002]
    File Mismatch: C:\WINDOWS\system32\oembios.dat[Hr = 0x80070002]
    File Mismatch: C:\WINDOWS\system32\oembios.sig[Hr = 0x80070002]





    I'm not certain, but from the looks of the File Scan Data you either have a hack, or an over-aggressive cleanup program.
    The errors are 'File not Found' errors - i.e. either Windows can't see the files concerned, or they don't exist.
    Please check in Windows Explorer - do the files appear?
    Open a Command Prompt window, and type the following at the prompt.
    dir C:\windows\system32\oem*.*
    hit the Enter key
    Do the files appear in the listing?
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 11, 2011 9:06 PM
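
Added example, not part of the thread and not code from any Microsoft tool: Python that splits an MGADiag-style report into its sections and decodes the HRESULT on each File Mismatch line, which shows why 0x80070002 reads as "file not found". The sample report is a constructed excerpt in the layout of the one posted above, and the function names and lookup tables are hypothetical.

```python
import re

# Constructed sample: an excerpt in the layout of the MGADiag report above.
SAMPLE_REPORT = r"""
Windows Validation Data-->
Validation Status: Genuine

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\oembios.bin[Hr = 0x80070002]
File Mismatch: C:\WINDOWS\system32\oembios.dat[Hr = 0x80070002]
File Mismatch: C:\WINDOWS\system32\oembios.sig[Hr = 0x80070002]
"""

# Small lookups of well-known values (assumed subset, not an exhaustive table).
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}
HRESULTS = {0x80004005: "E_FAIL"}

def decode_hresult(value):
    """Split a 32-bit HRESULT into severity, facility and code, and name it if known."""
    failed = bool(value & 0x80000000)      # top bit set means failure
    facility = (value >> 16) & 0x7FF       # 11-bit facility field
    code = value & 0xFFFF                  # low 16 bits carry the error code
    if facility == 7:                      # FACILITY_WIN32 wraps a Win32 error code
        name = WIN32_ERRORS.get(code, "Win32 error %d" % code)
    else:
        name = HRESULTS.get(value, "unknown")
    return {"failed": failed, "facility": facility, "code": code, "name": name}

def parse_sections(report):
    """Group report lines under their 'Section-->' headers."""
    sections, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        if line.endswith("-->"):
            current = line[:-3]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def file_mismatches(report):
    """Return (path, decoded HRESULT) for each File Mismatch line in File Scan Data."""
    pattern = re.compile(r"File Mismatch: (.+?)\[Hr = (0x[0-9A-Fa-f]{8})\]")
    found = []
    for line in parse_sections(report).get("File Scan Data", []):
        m = pattern.match(line)
        if m:
            found.append((m.group(1), decode_hresult(int(m.group(2), 16))))
    return found
```
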
  • Those three OEM files are indeed present in the System32 folder.
    Wednesday, May 11, 2011 9:44 PM
  • "RCA7591" wrote in message news:ce170f97-280b-4823-8b92-7f2cbe10be73...
    Those three OEM files are indeed present in the System32 folder.

    In that case, they must have been altered in some way, possibly by your virus infection.
    First try a System File Check run - you'll need your XP disk handy.
    Click on Start>Run..
    in the popup, type
    SFC   /SCANNOW
    and hit the Enter key
     
    See if that fixes it.
     
    If not, you should be able to extract them from your XP CD (so long as the CD is SP2) or the i386 folder - see here for instructions: http://www.winxptutor.com/expand.htm

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 11, 2011 10:16 PM
  • Thanks for your response. Running the command appears to have resolved the issue. Here are the updated results:

     

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-2YTBC-B9C6X-44JYT
    Windows Product Key Hash: cDWT0Ytt1CyfZUpHut9DOI6kFU4=
    Windows Product ID: 76487-OEM-2243361-76422
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 5.1.2600.2.00010100.3.0.pro
    ID: {605433A7-CD02-4D50-B7B9-7751438D2071}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Home and Student 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Opera\Opera.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{605433A7-CD02-4D50-B7B9-7751438D2071}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-44JYT</PKey><PID>76487-OEM-2243361-76422</PID><PIDType>3</PIDType><SID>S-1-5-21-1275210071-1004336348-1606980848</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq dc7600 Small Form Factor</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786D1 v01.61</Version><SMBIOSVersion major="2" minor="4"/><Date>20090701000000.000000+000</Date></BIOS><HWID>A03B3D7F0184E07C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>17640A4EBE55726</Val><Hash>zR1X0vnt4RvgXp76giuTjszyYrE=</Hash><Pid>81602-915-6392035-68682</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Licensing Data-->
    N/A

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 8619:Compaq Computer Corporation|116FC:Compaq Computer Corporation|1FFEA:Compaq Computer Corporation|E618:Compaq Computer Corporation|11723:Compaq Computer Corporation|11723:Compaq Computer Corporation|1FFEA:Hewlett-Packard Company|E618:Hewlett-Packard Company
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->
    N/A


    Wednesday, May 11, 2011 11:42 PM
  • "RCA7591" wrote in message news:42ff4960-9d25-4dee-bb62-49a6da480046...

    Thanks for your response. Running the command appears to have resolved the issue. Here are the updated results:

     

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-2YTBC-B9C6X-44JYT
    Windows Product Key Hash: cDWT0Ytt1CyfZUpHut9DOI6kFU4=
    Windows Product ID: 76487-OEM-2243361-76422
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 5.1.2600.2.00010100.3.0.pro



    It looks good to me - hopefully someone else can confirm it. Are you still getting non-genuine notifications, or not?
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Thursday, May 12, 2011 10:18 PM