Windows XP Professional failing validation

  • Question

  • I was helping a friend deal with a trojan problem on a computer used for business. This computer is a Vostro 200 from Dell. Prior to this there had been no problems with Windows updates or validation. I booted in safe mode and installed avast! anti-virus for home use. It performed a boot scan and it found several trojans in Windows folders. I deleted them and when Windows updates prompted validation I complied. The following is the diagnostic report.

    Diagnostic Report (1.9.0011.0):
    -----------------------------------------
    WGA Data-->
    Validation Status: Geographically blocked PID
    Validation Code: 13

    Cached Validation Code: N/A
    Windows Product Key: *****-*****-3R89F-D2KXW-VPK3J
    Windows Product Key Hash: Ro/Y7HENE9CfW7lW+QtlNbYQEE8=
    Windows Product ID: 76487-640-8365391-23073
    Windows Product ID Type: 1
    Windows License Type: Volume
    Windows OS version: 5.1.2600.2.00010100.3.0.pro
    ID: {7850C25F-6900-4ED2-9F2A-A4BCAA12D0E3}(3)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.9.40.0
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    WGA Notifications Data-->
    Cached Result: 13
    File Exists: Yes
    Version: 1.9.40.0
    WgaTray.exe Signed By: Microsoft
    WgaLogon.dll Signed By: Microsoft

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 114 Blocked VLK 2
    Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\WINDOWS\system32\syssetup.dll[5.1.2600.5512]

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{7850C25F-6900-4ED2-9F2A-A4BCAA12D0E3}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-VPK3J</PKey><PID>76487-640-8365391-23073</PID><PIDType>1</PIDType><SID>S-1-5-21-343818398-73586283-1606980848</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Vostro 200</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>1.0.11</Version><SMBIOSVersion major="2" minor="5"/><Date>20080131000000.000000+000</Date></BIOS><HWID>445738F70184C07B</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>1</iJoin><SBID><stat>1</stat><msppid></msppid><name>TinyXP Rev09 [1]</name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57159</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="114"/><App Id="16" Version="11" Result="114"/><App Id="18" Version="11" Result="114"/><App Id="19" Version="11" Result="114"/><App Id="1A" Version="11" Result="114"/><App Id="1B" Version="11" Result="114"/><App Id="44" Version="11" Result="114"/></Applications></Office></Software></GenuineResults> 

    Licensing Data-->
    N/A

    HWID Data-->
    N/A

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1D88B:Dell Inc|1D88B:Microsoft Corporation
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->
    N/A

    So basically I think I may have deleted something I shouldn't have that was infected with a trojan. How should I go about resolving this issue? I am relatively certain the copy of XP Pro is legitimate considering it came from Dell, and also that the validation failure has something to do with geographic restrictions: something that has never happened before.

    Friday, September 11, 2009 7:22 PM

All replies

  • Hello shchou,

    Right now the Dell Vostro computer has a pirated Volume Licensing installation of XP Pro on it, as shown by this snippet:
    WGA Data-->
    Validation Status: Geographically blocked PID
    Validation Code: 13

    Cached Validation Code: N/A
    Windows Product Key: *****-*****-3R89F-D2KXW-VPK3J
    Windows Product Key Hash: Ro/Y7HENE9CfW7lW+QtlNbYQEE8=
    Windows Product ID: 76487-640-8365391-23073
    Windows Product ID Type: 1
    Windows License Type: Volume


    Does this Dell have a Certificate of Authenticity for Windows affixed to the case?  If so, what version and edition of Windows is listed on it?


    It also has a pirated installation of Office 2003 on it, as shown by this snippet:
    OGA Data-->
    Office Status: 114 Blocked VLK 2
    Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1

    Does the business have retail copies of Office 2003, which would come in a nice pretty retail box with a Certificate of Authenticity on the boxtop and one or more hologrammed CDs inside?

    Or did they order their computers with Office preinstalled from Dell?  In such a case they would have a plain white cardboard CD sleeve/envelope with a CoA and Product Key for Office on the back of the sleeve/envelope and a hologrammed Office CD inside the sleeve.

    If this is a business with, say 10 computers and employees or more, they may have acquired their Office licenses thru a Volume Licensing Agreement.  Do they have a current and valid Volume Licensing Agreement for Office?


    For great advice on all topics XP, visit http://www.annoyances.org/exec/forum/winxp
    • Marked as answer by Darin Smith MS Friday, September 11, 2009 9:31 PM
    Friday, September 11, 2009 8:06 PM
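    The answer above reads the report's fields by hand. As an added example that is not part of the thread, the Python below parses a report in this layout into its "-->" sections and encodes the same three checks (Volume license on a machine with an OEM BIOS marker, validation code 13, Office result 114), so the conclusion can be reproduced on other reports. The sample input is a constructed excerpt of the report posted above.

```python
# Constructed sample: an excerpt of the diagnostic report posted above, laid out
# as the tool prints it (section header ending in "-->", then "key: value" lines).
SAMPLE_REPORT = """\
WGA Data-->
Validation Status: Geographically blocked PID
Validation Code: 13

Windows License Type: Volume

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1D88B:Dell Inc|1D88B:Microsoft Corporation
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
"""


def parse_report(text):
    """Split the report into {section: {key: value}} using the 'X-->' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("-->"):
            current = line[:-3].strip()
            sections[current] = {}
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            sections[current][key.strip()] = value.strip()
    return sections


def triage(sections):
    """Reproduce the checks the answer applied by hand; returns a list of findings."""
    wga = sections.get("WGA Data", {})
    oga = sections.get("OGA Data", {})
    oem = sections.get("OEM Activation 1.0 Data", {})
    findings = []
    # Dell OEM marker in the BIOS but Windows licensed as Volume: not the preinstalled license.
    if oem.get("BIOS string matches") == "yes" and wga.get("Windows License Type") == "Volume":
        findings.append("OEM BIOS marker present but Windows License Type is Volume")
    if wga.get("Validation Code") == "13":
        findings.append("Windows validation code 13: " + wga.get("Validation Status", ""))
    if oga.get("Office Status", "").startswith("114"):
        findings.append("Office status 114: " + oga["Office Status"])
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_REPORT)):
        print(finding)
```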
  • Thanks for the response. I believe the computer came with both XP Pro and Office preinstalled. I remember looking for and finding one of those CoA stickers for XP Pro, but I'm not sure of much else as I'm not at the computer at the moment. As I'm fuzzy on the details at the moment I'll try to get confirmation on the source of Office; Windows itself I know came from Dell. Is it possible that my deleting infected files could have triggered some sort of change in validation recognition? I just figured that if this copy of Windows or Office were really illegitimate the update manager would have "caught" it much sooner as this computer has been in use for at least 6 months or so.

    Saturday, September 12, 2009 4:47 PM
  • Hello shchou,

    It's extremely unlikely that the change in Windows or Office is the result of the deletion of infected files.  Changing from the presumably preinstalled OEM licenses for Windows and Office that came from Dell to the current Volume Licensing installations of Windows and Office would entail at least a disc-based reinstallation of Windows and a disc-based reinstallation of Office.

    If the CoA on the Dell is for XP Pro, the first thing to try would be the PK Updater utility:  http://go.microsoft.com/fwlink/?linkid=45668

    Likewise, if the business can find their Dell OEM Office CD and plain white cardboard sleeve, then you can use the PK on the Office CoA on the sleeve and the technique in this MS KB  http://support.microsoft.com/kb/895456  to try to change the Office product key.

    If the above product key-changing procedures do not work, then a clean installation of the OEM license for the product in question will have to be done.

    IIRC, automatic updates does distribute the WGA and OGA updates, but these are updated much less frequently than, say, the Malicious Software Tool, which is refreshed for every Patch Tuesday.  WGA and OGA get refreshed about once a quarter, give or take.  If this is a larger organization that uses WSUS for updates, Microsoft discourages the deployment of WGA and OGA thru WSUS because these two need to connect to the validation servers to work, and they need to be installed with administrative privileges, something that many larger organizations do not want their users to have the ability to do.
    For great advice on all topics XP, visit http://www.annoyances.org/exec/forum/winxp
    • Marked as answer by Darin Smith MS Tuesday, September 15, 2009 9:03 PM
    Saturday, September 12, 2009 5:08 PM