MSE Reports "Windows Did Not Pass Genuine Validation", Following Installation of Malicious Software Removal Tool From Windows Update

Question
-
Following installation of the Windows Malicious Software Removal Tool for April 2011, MSE reported that XP Pro did not pass genuine validation. Rebooting the machine upon receiving this message resolved the issue temporarily, until MSE was updated. The message then reappeared. The message also appeared after performing a "full" scan (upon reboot). The machine in question has been in service since July of 2008, and has never experienced this type of validation issue.
In an attempt to resolve this issue, I had uninstalled MSE, IE8 and all of the WGA and Windows Update components from the operating system in safe mode. Upon reinstalling these components via Windows Update, the problem appeared to be resolved. Upon installing the latest Windows Malicious Software Removal Tool for May 2011, however, the same problem recurred.
Any clue as to what may be causing the problem? The MGADiag report is posted below.
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-2YTBC-B9C6X-44JYT
Windows Product Key Hash: *****Ytt1CyfZUpHut9DOI6kFU4=
Windows Product ID: *****-OEM-2243361-76422
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {********-CD02-4D50-****-7751438D2071}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Home and Student 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Opera\Opera.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\WINDOWS\system32\oembios.bin[Hr = 0x80070002]
File Mismatch: C:\WINDOWS\system32\oembios.dat[Hr = 0x80070002]
File Mismatch: C:\WINDOWS\system32\oembios.sig[Hr = 0x80070002]
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{605433A7-CD02-4D50-B7B9-7751438D2071}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-44JYT</PKey><PID>76487-OEM-2243361-76422</PID><PIDType>3</PIDType><SID>S-1-5-21-1275210071-1004336348-1606980848</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq dc7600 Small Form Factor</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786D1 v01.61</Version><SMBIOSVersion major="2" minor="4"/><Date>20090701000000.000000+000</Date></BIOS><HWID>A03B3D7F0184E07C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>17640A4EBE55726</Val><Hash>zR1X0vnt4RvgXp76giuTjszyYrE=</Hash><Pid>81602-915-6392035-68682</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>
Licensing Data-->
N/A
Windows Activation Technologies-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 8619:Compaq Computer Corporation|116FC:Compaq Computer Corporation|1FFEA:Compaq Computer Corporation|E618:Compaq Computer Corporation|11723:Compaq Computer Corporation|11723:Compaq Computer Corporation|1FFEA:Hewlett-Packard Company|E618:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
OEM Activation 2.0 Data-->
N/A
Wednesday, May 11, 2011 6:42 PM
All replies
-
"RCA7591" wrote in message news:e337f9da-4a3c-4e4a-bb76-58f2b6362a9f...
Following installation of the Windows Malicious Software Removal Tool for April 2011, MSE reported that XP Pro did not pass genuine validation. Rebooting the machine upon receiving this message resolved the issue temporarily, until MSE was updated. The message then reappeared. The message also appeared after performing a "full" scan (upon reboot). The machine in question has been in service since July of 2008, and has never experienced this type of validation issue.
In an attempt to resolve this issue, I had uninstalled MSE, IE8 and all of the WGA and Windows Update components from the operating system in safe mode. Upon reinstalling these components via Windows Update, the problem appeared to be resolved. Upon installing the latest Windows Malicious Software Removal Tool for May 2011, however, the same problem recurred.
Any clue as to what may be causing the problem? The MGADiag report is posted below.
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-2YTBC-B9C6X-44JYT
Windows Product Key Hash: *****Ytt1CyfZUpHut9DOI6kFU4=
Windows Product ID: *****-OEM-2243361-76422
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.3.0.pro
File Scan Data-->
File Mismatch: C:\WINDOWS\system32\oembios.bin[Hr = 0x80070002]
File Mismatch: C:\WINDOWS\system32\oembios.dat[Hr = 0x80070002]
File Mismatch: C:\WINDOWS\system32\oembios.sig[Hr = 0x80070002]
I'm not certain, but from the looks of the File Scan Data you either have a hack, or an over-aggressive cleanup program.
The errors are 'File not Found' errors - i.e. either Windows can't see the files concerned, or they don't exist.
Please check in Windows Explorer - do the files appear?
Open a Command Prompt window, and type the following at the prompt.
dir C:\windows\system32\oem*.*
hit the Enter key
Do the files appear in the listing?
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Wednesday, May 11, 2011 9:06 PM Moderator
-
Those three OEM files are indeed present in the System32 folder.
Wednesday, May 11, 2011 9:44 PM
-
"RCA7591" wrote in message news:ce170f97-280b-4823-8b92-7f2cbe10be73...
Those three OEM files are indeed present in the System32 folder.
In that case, they must have been altered in some way, possibly by your virus infection.
First try a System File Check run - you'll need your XP disk handy.
Click on Start>Run..
in the popup, type
SFC /SCANNOW
and hit the Enter key
See if that fixes it.
If not, you should be able to extract them from your XP CD (so long as the CD is SP2) or the i386 folder - see here for instructions http://www.winxptutor.com/expand.htm
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Marked as answer by Darin Smith MS Thursday, May 12, 2011 9:28 PM
Wednesday, May 11, 2011 10:16 PM Moderator
-
Thanks for your response. Running the command appears to have resolved the issue. Here are the updated results:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-2YTBC-B9C6X-44JYT
Windows Product Key Hash: cDWT0Ytt1CyfZUpHut9DOI6kFU4=
Windows Product ID: 76487-OEM-2243361-76422
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {605433A7-CD02-4D50-B7B9-7751438D2071}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Home and Student 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Opera\Opera.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{605433A7-CD02-4D50-B7B9-7751438D2071}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-44JYT</PKey><PID>76487-OEM-2243361-76422</PID><PIDType>3</PIDType><SID>S-1-5-21-1275210071-1004336348-1606980848</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq dc7600 Small Form Factor</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786D1 v01.61</Version><SMBIOSVersion major="2" minor="4"/><Date>20090701000000.000000+000</Date></BIOS><HWID>A03B3D7F0184E07C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>17640A4EBE55726</Val><Hash>zR1X0vnt4RvgXp76giuTjszyYrE=</Hash><Pid>81602-915-6392035-68682</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>
Licensing Data-->
N/A
Windows Activation Technologies-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 8619:Compaq Computer Corporation|116FC:Compaq Computer Corporation|1FFEA:Compaq Computer Corporation|E618:Compaq Computer Corporation|11723:Compaq Computer Corporation|11723:Compaq Computer Corporation|1FFEA:Hewlett-Packard Company|E618:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
OEM Activation 2.0 Data-->
N/A
Wednesday, May 11, 2011 11:42 PM
-
"RCA7591" wrote in message news:42ff4960-9d25-4dee-bb62-49a6da480046...
Thanks for your response. Running the command appears to have resolved the issue. Here are the updated results:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-2YTBC-B9C6X-44JYT
Windows Product Key Hash: cDWT0Ytt1CyfZUpHut9DOI6kFU4=
Windows Product ID: 76487-OEM-2243361-76422
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.3.0.pro
It looks good to me - hopefully someone else can confirm it. Are you still getting non-genuine notifications, or not?
--
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Thursday, May 12, 2011 10:18 PM Moderator
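
The File Scan Data entries discussed in this thread can be read mechanically. The following is an added example, not part of any post above: it parses the `File Mismatch` lines of an MGADiag report, decodes each HRESULT into facility and error code, and lists the paths flagged before the repair but not after. The report excerpts are constructed from the two reports posted in the thread, and the function names are hypothetical.

```python
import re

# Excerpts constructed from the two MGADiag reports posted in this thread.
REPORT_BEFORE = r"""File Scan Data-->
File Mismatch: C:\WINDOWS\system32\oembios.bin[Hr = 0x80070002]
File Mismatch: C:\WINDOWS\system32\oembios.dat[Hr = 0x80070002]
File Mismatch: C:\WINDOWS\system32\oembios.sig[Hr = 0x80070002]
Other data-->
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
"""
REPORT_AFTER = r"""File Scan Data-->
Other data-->
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
"""

FACILITY_WIN32 = 7
WIN32_CODES = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}
WELL_KNOWN = {0x80004005: "E_FAIL"}
MISMATCH = re.compile(r"^File Mismatch:\s*(?P<path>.+?)\[Hr = (?P<hr>0x[0-9A-Fa-f]{8})\]\s*$")

def decode_hresult(hr):
    """Split an HRESULT into (failed, facility, code, name)."""
    failed = bool((hr >> 31) & 1)      # bit 31: severity
    facility = (hr >> 16) & 0x7FF      # bits 16-26: facility
    code = hr & 0xFFFF                 # bits 0-15: error code
    if hr in WELL_KNOWN:
        name = WELL_KNOWN[hr]
    elif facility == FACILITY_WIN32:
        name = WIN32_CODES.get(code, f"Win32 error {code}")
    else:
        name = f"facility {facility}, code {code:#06x}"
    return failed, facility, code, name

def file_scan_findings(report):
    """Return (path, hresult, name) for each File Mismatch line in File Scan Data."""
    findings, in_section = [], False
    for line in report.splitlines():
        if line.rstrip().endswith("-->"):   # section headers end with "-->"
            in_section = line.startswith("File Scan Data")
            continue
        m = MISMATCH.match(line) if in_section else None
        if m:
            hr = int(m["hr"], 16)
            findings.append((m["path"], hr, decode_hresult(hr)[3]))
    return findings

def cleared(before, after):
    """Paths flagged in the first report that the second report no longer flags."""
    still = {p.lower() for p, _, _ in file_scan_findings(after)}
    return [p for p, _, _ in file_scan_findings(before) if p.lower() not in still]

if __name__ == "__main__":
    for path, hr, name in file_scan_findings(REPORT_BEFORE):
        print(f"{path}: {hr:#010x} {name}")
    print("cleared after repair:", cleared(REPORT_BEFORE, REPORT_AFTER))
```

The decoded name is what the validation tool reported for each path; in this thread the poster found the files present on disk, so the result is a prompt to check file integrity rather than proof of absence.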