Machine suddenly claims validation fails, been running for years RRS feed

  • Question

  • Customer machine checked for malware because of performance issues. After running an AV scan (Tren-Micro Titanium) and a scan usng COMBOFIX, bith of which found and deleted some items, the machine fails Genuine Validation. The failure first displayed after COMBOFIX rebooted the machine following its scan.

    I have tried to use a Restore Point to prior to the scanning today, but the Validation still fails.

    Here is the MGAdiag output:

    Diagnostic Report (1.9.0027.0):
    Windows Validation Data-->
    Validation Status: Invalid Product Key
    Validation Code: 8
    Cached Validation Code: N/A
    Windows Product Key: *****-*****-MMRMP-RK2F3-W2PT8
    Windows Product Key Hash: INg8YwmI8Ixy36y7+SY0Y/ms9iI=
    Windows Product ID: 76487-011-5849556-22306
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 5.1.2600.2.00010100.3.0.pro
    ID: {DFD9B656-1508-4FA4-A964-C6E12000DA40}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered,
    Signed By: Microsoft
    Product Name: N/A
    Architecture: N/A
    Build lab: N/A
    TTS Error: N/A
    Validation Diagnostic: 025D1FF3-230-1
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A
    Version: N/A

    Windows XP Notifications Data-->
    Cached Result: 8
    File Exists: Yes
    WgaTray.exe Signed By: Microsoft
    WgaLogon.dll Signed By: Microsoft

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-230-1

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{DFD9B656-1508-4FA4-A964-C6E12000DA40}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-W2PT8</PKey><PID>76487-011-5849556-22306</PID><PIDType>5</PIDType><SID>S-1-5-21-1004336348-920026266-682003330</SID><SYSTEM><Manufacturer>MSI</Manufacturer><Model>Z1-7309</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>V2.1B3</Version><SMBIOSVersion major="2" minor="6"/><Date>20090901000000.000000+000</Date></BIOS><HWID>A1BC35F701848E78</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version=""/><File Name="WgaLogon.dll" Version=""/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>64BC76978749586</Val><Hash>GW6PzcEVEDTVKeO5Ym5UUm41dBk=</Hash><Pid>89388-707-0441865-65943</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Licensing Data-->

    Windows Activation Technologies-->

    HWID Data-->

    OEM Activation 1.0 Data-->
    BIOS string matches: yes
    Marker string from BIOS: 1E840:Systemax Manufacturing
    Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

    OEM Activation 2.0 Data-->


    I did not install this PC, and I do not have access to the Windows package used to install it. There is no sticker on the PC, being a "homebuilt" by whatever shop installed it. I do have the full key, which matches the part shown in the MGAdiag report. I know it says "invalid" but I do not understand how it could have been running for 6 or 7 years, then fail today after a malware scan. I'm wondering if something that got cleaned has damaged the Windows system.

    Friday, October 4, 2013 2:40 PM


  • Combofix can be very dangerous to use unless you know exactly what you are doing!

    That said, the Key in use here is  a Retail key - and the motherboard is also a retail one.

    It's extremely unusual to see a retail Key on a shop-installed OS, because of the high price of such licenses.

    The installed Office is a Volume Licensed version - did that come with the machine? if so, then it's counterfeit, and points to the probability that the Windows is also counterfeit.

    It's quite possible that if the Key is counterfeit, a hack was used to bypass notifications, and that your cleanup has broken the hack and restore proper checking, and discovered the fraud.

    I would suggest telephoning your local MS Activation Center and asking them to check the Key.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, October 4, 2013 3:26 PM