P2Plife Forums: Genuine Windows validation failed to complete notice after cleaning up a spyware attack


Genuine Windows validation failed to complete notice after cleaning up a spyware attack

#1 jatrader

  • Member
  • Group: Members
  • Posts: 10
  • Joined: 28-September 08

Posted 28 September 2008 - 11:32 PM

Hi Guys
I'm new to this forum, after spending days trying to figure out why I got a blue star by my clock saying that validation failed to complete. It does not say windows is invalid. I have been running this copy of windows for a couple of years. It's been validated and everything was fine till I downloaded some spyware/malware. After running malwarebytes, spybot, superantispyware, kaspersky antivirus.... to get rid of the bad shit, the blue star appeared. It's never given me any problems with updates etc. till now. Anyway, I hope someone has some ideas.... I have run out.

I have run muBlinder and gotten rid of the blue star, but the underlying problem remains.

This post has been edited by jatrader: 29 September 2008 - 12:57 AM

0

#2 snodger

  • Grumpy old man
  • Group: Administrators
  • Posts: 1,857
  • Joined: 23-August 06

Posted 29 September 2008 - 09:22 AM

Having read your post three times, I'm still not sure what you mean by your "underlying problem".

Follow the steps in the muBlinder User Guide and then tell us at what stage you hit a problem, giving a precise description of the problem.
0

#3 WarXchild

  • Administrator
  • Group: Admin
  • Posts: 1,602
  • Joined: 24-January 05

Posted 29 September 2008 - 11:38 AM

I also did not understand. Here is what I understood:

The problem is that you see a blue star when you should not. By using muBlinder the blue star is now gone. Problem solved.

What have we missed?
0

#4 jatrader

  • Member
  • Group: Members
  • Posts: 10
  • Joined: 28-September 08

Posted 29 September 2008 - 10:06 PM

WarXchild, on Sep 29 2008, 04:38 AM, said:

I also did not understand. Here is what I understood:

The problem is that you see a blue star when you should not. By using muBlinder the blue star is now gone. Problem solved.

What have we missed?


Hi
Sorry for the confusion. The issue is that I had a verified working copy of XP and now I don't. I will use muBlinder if I have to, but I would rather get my system back to where it was before the virus/malware attack. If possible.
I was just wondering if anyone here who has had this experience has been able to return to a verified state. I don't know if what happened was due to the changes I made to my system to get rid of the virus or if coincidentally Microsoft has done something to make my system unverified. The message that comes up does not say that verification failed, it says that windows was unable to complete the verification process. It points me to a ms site to fix the problem but it has not helped. :(
Thanks
0

#5 snodger

  • Grumpy old man
  • Group: Administrators
  • Posts: 1,857
  • Joined: 23-August 06

Posted 30 September 2008 - 09:36 AM

Since you completely ignored my first offer of help, I do not know why I am even bothering to continue with this.

Let's get one or two things straight. There is no 'one size fits all solution', which is why we need precise details in order to diagnose your problem. You use the term "verification", but I think you are referring to Validation. Note that muBlinder does nothing to your computer that cannot easily be undone, so there should be no concern about using it.

In my first post I asked you to follow the steps in the User Guide. Unless, and until, you do that, I cannot help you. To make it easier for you I will describe the steps you need to take. Open muBlinder and click on the Validation tab to view the Validation screen. Go to the Validation section in the User Guide and consult the images until you find the one that matches the Validation screen you are viewing in muBlinder. Take the action described for that image and then report back here with the outcome.
0

#6 jatrader

  • Member
  • Group: Members
  • Posts: 10
  • Joined: 28-September 08

Posted 30 September 2008 - 04:36 PM

snodger, on Sep 30 2008, 02:36 AM, said:

Since you completely ignored my first offer of help, I do not know why I am even bothering to continue with this.

Let's get one or two things straight. There is no 'one size fits all solution', which is why we need precise details in order to diagnose your problem. You use the term "verification", but I think you are referring to Validation. Note that muBlinder does nothing to your computer that cannot easily be undone, so there should be no concern about using it.

In my first post I asked you to follow the steps in the User Guide. Unless, and until, you do that, I cannot help you. To make it easier for you I will describe the steps you need to take. Open muBlinder and click on the Validation tab to view the Validation screen. Go to the Validation section in the User Guide and consult the images until you find the one that matches the Validation screen you are viewing in muBlinder. Take the action described for that image and then report back here with the outcome.



Ok. Didn't mean to ignore you. I did not realize that muBlinder could be a diagnostic tool. I thought it was a way of circumventing ms validation. You're right, I did mean validation. I will go through the steps you suggest, but can't until late tonight or tomorrow afternoon. Thanks for your patience.
0

#7 snodger

  • Grumpy old man
  • Group: Administrators
  • Posts: 1,857
  • Joined: 23-August 06

Posted 30 September 2008 - 05:29 PM

MuBlinder is not designed as a diagnostic tool, but if you identify the image in the User Guide that is identical to the Validation screen you see in muBlinder, and if you report the result of following the instructions in the Guide, then we can use this information to get a better understanding of what is causing your problem.
0

#8 jatrader

  • Member
  • Group: Members
  • Posts: 10
  • Joined: 28-September 08

Posted 02 October 2008 - 12:56 AM

snodger, on Sep 30 2008, 10:29 AM, said:

MuBlinder is not designed as a diagnostic tool, but if you identify the image in the User Guide that is identical to the Validation screen you see in muBlinder, and if you report the result of following the instructions in the Guide, then we can use this information to get a better understanding of what is causing your problem.


Hi snodger
I ran muBlinder, went to validation screen, detecting DLL=passed... DLL version=passed... DLL status=failed (no replacement DLL)....
Hit enable... DLL status changed to passed.
Went to Microsoft updates and downloaded and installed 1 update.
0

#9 snodger

  • Grumpy old man
  • Group: Administrators
  • Posts: 1,857
  • Joined: 23-August 06

Posted 02 October 2008 - 03:01 PM

Good! :(

Does that mean all is now well?
0

#10 jatrader

  • Member
  • Group: Members
  • Posts: 10
  • Joined: 28-September 08

Posted 02 October 2008 - 03:28 PM

snodger, on Oct 2 2008, 08:01 AM, said:

Good! :(

Does that mean all is now well?


Hi snodger
All is well as far as bypassing ms validation, but that is not what I was looking for. My copy of xp was validated before, and became unvalidated either by my trying to fix my virus problems or coincidentally by something ms did.
0

#11 snodger

  • Grumpy old man
  • Group: Administrators
  • Posts: 1,857
  • Joined: 23-August 06

Posted 02 October 2008 - 04:33 PM

There are several points to clarify here. Periodically, Microsoft updates its WGA Validation ActiveX; validation is not a once for all procedure, but occurs every time you visit Microsoft Update or attempt to download a protected file from Download Center. From your description of what you saw on the muBlinder Validation screen, you have the latest version of the ActiveX installed on your computer. Do you still receive the message that Validation failed to complete?

If you have a genuine copy of Windows and are using the correct key, you can try the following steps. Open muBlinder and go to the Settings screen. In the box at the bottom you should see the message Validation backup: Found. If this is the case, click on the Restore button in the Backup Options section. This will undo the blinding procedure you carried out on the Validation screen. You can check this by going to the Validation screen. Now close muBlinder and try to visit Microsoft Update using IE. Report back on the results.
0

#12 jatrader

  • Member
  • Group: Members
  • Posts: 10
  • Joined: 28-September 08

Posted 02 October 2008 - 05:22 PM

snodger, on Oct 2 2008, 09:33 AM, said:

There are several points to clarify here. Periodically, Microsoft updates its WGA Validation ActiveX; validation is not a once for all procedure, but occurs every time you visit Microsoft Update or attempt to download a protected file from Download Center. From your description of what you saw on the muBlinder Validation screen, you have the latest version of the ActiveX installed on your computer. Do you still receive the message that Validation failed to complete?

If you have a genuine copy of Windows and are using the correct key, you can try the following steps. Open muBlinder and go to the Settings screen. In the box at the bottom you should see the message Validation backup: Found. If this is the case, click on the Restore button in the Backup Options section. This will undo the blinding procedure you carried out on the Validation screen. You can check this by going to the Validation screen. Now close muBlinder and try to visit Microsoft Update using IE. Report back on the results.

Hi
I did as you said and restored with the restore function in the muBlinder settings page. I then went to windows update. It said I needed to validate, so I accepted the validate option. I get the same results as before I started this thread. Here is a copy of the screen from ms validation:
This copy of Windows did not pass genuine validation because the validation process could not be completed.
There are several possible causes:

  • Your system level security settings prevented validation from running.
  • Your user account may not have the correct permissions necessary to run validation.
  • Your system settings have been modified in one of the following ways:
      • Security software may have been installed that inadvertently altered your Windows product ID.
      • The validation controls you used were downloaded from a site other than the Microsoft site.
      • You chose to run the validation controls in an alternate compatibility mode.

Option 1: Follow steps in Microsoft Knowledge Base article and run validation again
Most customers who receive this error are able to resolve the problem by following the resolution steps found in Microsoft Knowledge Base article # 822798 and then running the validation again.

Option 2: Install the latest Windows Genuine Advantage Notifications
If this error still occurs, we recommend that you log in as an Administrator and install the latest version of Windows Genuine Advantage Notifications.

[0x80080205]
0

#13 snodger

  • Grumpy old man
  • Group: Administrators
  • Posts: 1,857
  • Joined: 23-August 06

Posted 02 October 2008 - 07:25 PM

I am now quite sure that this problem arises from your malware infection. The advice from Microsoft that you quote will be of no use in this situation. You might have cleansed your computer of the infection, but some damage, particularly in registry entries, might remain. I suspect that one or more rogue registry entries is preventing the correct validation procedure.

Can you remember the name of the trojan/malware that you removed? Knowing that could be very helpful.

There are several things I would like you to do. Note that one procedure involves inspecting the registry. Be careful while doing that.

  • Open Notepad.
  • Right-click on My Computer and select Properties. On the General screen, in the 'Registered to' section copy the Product ID (4 sets of digits) and paste it into Notepad.
  • In the Run box, type regedit and click on the OK button. When regedit opens, navigate in the left-hand pane to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. With Current Version highlighted, you should see a list of entries in the right-hand column. In the Name column, double-click on the value ProductID. When the Edit String screen appears, copy the data and then press the Cancel button. Paste the ProductID data on a new line in Notepad. Exit regedit.
  • Download and run this diagnostic tool. You will be presented with several screens of diagnostic information. Click on the Copy button and all the info from these screens can then be pasted into Notepad. Exit the tool.
  • Now copy the complete contents of the Notepad file and paste into a post so that I can inspect it.

0

#14 jatrader

  • Member
  • Group: Members
  • Posts: 10
  • Joined: 28-September 08

Posted 02 October 2008 - 08:15 PM

snodger, on Oct 2 2008, 12:25 PM, said:

I am now quite sure that this problem arises from your malware infection. The advice from Microsoft that you quote will be of no use in this situation. You might have cleansed your computer of the infection, but some damage, particularly in registry entries, might remain. I suspect that one or more rogue registry entries is preventing the correct validation procedure.

Can you remember the name of the trojan/malware that you removed? Knowing that could be very helpful.

There are several things I would like you to do. Note that one procedure involves inspecting the registry. Be careful while doing that.

  • Open Notepad.
  • Right-click on My Computer and select Properties. On the General screen, in the 'Registered to' section copy the Product ID (4 sets of digits) and paste it into Notepad.
  • In the Run box, type regedit and click on the OK button. When regedit opens, navigate in the left-hand pane to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. With Current Version highlighted, you should see a list of entries in the right-hand column. In the Name column, double-click on the value ProductID. When the Edit String screen appears, copy the data and then press the Cancel button. Paste the ProductID data on a new line in Notepad. Exit regedit.
  • Download and run this diagnostic tool. You will be presented with several screens of diagnostic information. Click on the Copy button and all the info from these screens can then be pasted into Notepad. Exit the tool.
  • Now copy the complete contents of the Notepad file and paste into a post so that I can inspect it.


I had a lot of malware files that were cleaned up. I don't remember what they were.

On the General screen, in the 'Registered to' section copy the Product ID (4 sets of digits)
My Name and no under that.

Regedit=product ID value=55274-015-5491817-22378

MGA diagnostic

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Not Activated
Validation Code: 1
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-MWM4B-2M2HF-HFM7D
Windows Product Key Hash: Un83+XRhlyVcaRZUnAjvhtO+apk=
Windows Product ID: 55274-015-5491817-22378
Windows Product ID Type: 0
Windows License Type: Unknown
Windows OS version: 5.1.2600.2.00010100.3.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {B2E7399A-45D0-4B1B-8F3A-8FBFAF5FD1A2}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.8.31.9
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_025D1FF3-85-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 5
File Exists: Yes
Version: 1.8.31.0
WgaTray.exe Signed By: N/A, hr = 0x80096010
WgaLogon.dll Signed By: N/A, hr = 0x80096010

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80096010
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 108 Invalid VLK
Microsoft Office Enterprise 2007 - 108 Invalid VLK
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1_025D1FF3-85-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
0

#15 snodger

  • Grumpy old man
  • Group: Administrators
  • Posts: 1,857
  • Joined: 23-August 06

Posted 03 October 2008 - 10:33 AM

Thanks for the info. I can identify one important error in your registry from this, but I am doubtful that, on its own, it would cause the Validation Status to be reported as "Not Activated" by the Diagnostic tool. I now have some further steps for you to follow.

  • Copy your Product ID 55274-015-5491817-22378 to the clipboard.
  • Open regedit and navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion (note that this is not the same key as last time).
  • With the key highlighted, look at the entries in the right-hand column. Can you confirm that there are values (in the name column) DigitalProductId and LicenseInfo, each with data entries comprising a long list of double digit hexadecimal numbers?
  • The value ProductId will either be missing or will have a blank data entry. This is why you did not see your Product ID when you went to My Computer --> Properties.
  • If the value is there and the type is given as REG_SZ, but the data entry is missing, double-click on the value (in the name column) and, when the Edit String box appears, paste the ID into the box and click on the OK button. The ID should now appear in the data column.
  • If the value ProductId is NOT there, you must create it and then paste in the data as above. To create the value, go to Edit --> New --> String Value and name it ProductId.
  • Navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WPAEvents.
  • Highlight the key and go to File --> Export and save it with name WPAEvents to your desktop.
  • The reg file created is a plain text file that you can view in Notepad by right-clicking and selecting Edit. Paste the contents into a post so that I can inspect them. You can then delete the reg file.

I have changed the font for the instructions so that there is no confusion between I (I) and l (l).
0

#16 jatrader

  • Member
  • Group: Members
  • Posts: 10
  • Joined: 28-September 08

Posted 03 October 2008 - 01:08 PM

snodger, on Oct 3 2008, 03:33 AM, said:

Thanks for the info. I can identify one important error in your registry from this, but I am doubtful that, on its own, it would cause the Validation Status to be reported as "Not Activated" by the Diagnostic tool. I now have some further steps for you to follow.

  • Copy your Product ID 55274-015-5491817-22378 to the clipboard.
  • Open regedit and navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion (note that this is not the same key as last time).
  • With the key highlighted, look at the entries in the right-hand column. Can you confirm that there are values (in the name column) DigitalProductId and LicenseInfo, each with data entries comprising a long list of double digit hexadecimal numbers?
  • The value ProductId will either be missing or will have a blank data entry. This is why you did not see your Product ID when you went to My Computer --> Properties.
  • If the value is there and the type is given as REG_SZ, but the data entry is missing, double-click on the value (in the name column) and, when the Edit String box appears, paste the ID into the box and click on the OK button. The ID should now appear in the data column.
  • If the value ProductId is NOT there, you must create it and then paste in the data as above. To create the value, go to Edit --> New --> String Value and name it ProductId.
  • Navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WPAEvents.
  • Highlight the key and go to File --> Export and save it with name WPAEvents to your desktop.
  • The reg file created is a plain text file that you can view in Notepad by right-clicking and selecting Edit. Paste the contents into a post so that I can inspect them. You can then delete the reg file.

I have changed the font for the instructions so that there is no confusion between I (I) and l (l).


Good morning

I followed your instructions and I no longer get the "validation could not complete" screen....woohoo!! Thank you very much. Before I found this forum, I had noticed that I had no productID and tried to change the registry but was not successful. Here is a copy of the info you asked for.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
"OOBETimer"=hex:ff,49,d7,c0,c1,bf,f7,0e,a4,e1,32,38
"LastWPAEventLogged"=hex:d7,07,09,00,04,00,1b,00,0f,00,34,00,11,00,18,01
0
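
Added example, not part of the thread or of any tool mentioned in it: the registry checks from posts #13 and #15, run offline against pasted regedit export text. The sample export is constructed (placeholder Product ID, dummy binary data) except for the WPAEvents bytes, which are the ones posted above; the Product ID pattern and the reading of LastWPAEventLogged as a SYSTEMTIME structure are assumptions.

```python
import re
import struct
from datetime import datetime

# Constructed sample export. Only the WPAEvents bytes come from the thread;
# the Product ID is a placeholder and the binary values are dummy data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProductId"="00000-000-0000000-00000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"=""
"DigitalProductId"=hex:a4,00,00,00,03,00,00,00,\
  30,30,30,30,30
"LicenseInfo"=hex:33,b7,21,c1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
"OOBETimer"=hex:ff,49,d7,c0,c1,bf,f7,0e,a4,e1,32,38
"LastWPAEventLogged"=hex:d7,07,09,00,04,00,1b,00,0f,00,34,00,11,00,18,01
'''

WIN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"
NT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion"
# Assumed shape: four groups as in the thread's example, "OEM" allowed in group 2.
PID_RE = re.compile(r"^\d{5}-(\d{3}|OEM)-\d{7}-\d{5}$")

def parse_reg_export(text):
    """Return {key: {value_name: (type, data)}}; names are lower-cased."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            current[name] = ("REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1]))
        elif raw.startswith("hex:"):
            current[name] = ("REG_BINARY", bytes.fromhex(raw[4:].replace(",", "")))
        elif raw.startswith("dword:"):
            current[name] = ("REG_DWORD", int(raw[6:], 16))
    return keys

def check_product_id(keys):
    """List problems with the values that post #15 asks about."""
    findings = []
    nt, win = keys.get(NT_KEY, {}), keys.get(WIN_KEY, {})
    kind, pid = nt.get("productid", (None, None))
    if kind is None:
        findings.append("NT CurrentVersion: ProductId value is missing")
    elif kind != "REG_SZ" or not pid:
        findings.append("NT CurrentVersion: ProductId is blank or not REG_SZ")
    elif not PID_RE.match(pid):
        findings.append("NT CurrentVersion: ProductId has an unexpected shape")
    other = win.get("productid", (None, None))[1]
    if pid and other and pid != other:
        findings.append("ProductId differs between the two CurrentVersion keys")
    for name in ("digitalproductid", "licenseinfo"):
        kind, data = nt.get(name, (None, b""))
        if kind != "REG_BINARY" or not data:
            findings.append(f"NT CurrentVersion: {name} is missing or empty")
    return findings

def decode_systemtime(data):
    """Decode 16 bytes as SYSTEMTIME (eight little-endian 16-bit fields)."""
    year, month, dow, day, hour, minute, sec, ms = struct.unpack("<8H", data)
    stamp = datetime(year, month, day, hour, minute, sec, ms * 1000)
    # SYSTEMTIME numbers Sunday as 0; datetime.weekday() numbers Monday as 0.
    return stamp, (stamp.weekday() + 1) % 7 == dow

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    print(check_product_id(parsed) or "ProductId checks passed")
    print(decode_systemtime(parsed[NT_KEY + r"\wpaevents"]["lastwpaeventlogged"][1]))
```

A .reg file saved by regedit in the "Version 5.00" format is UTF-16 on disk, so read it with `encoding="utf-16"` before passing the text in; text pasted from a post, as above, needs no decoding.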

#17 snodger

  • Grumpy old man
  • Group: Administrators
  • Posts: 1,857
  • Joined: 23-August 06

Posted 03 October 2008 - 04:42 PM

That problem seems to have been solved. Of course we cannot guarantee that we have found every error in your registry caused by the malware, so you might find another problem somewhere down the line. The OOBETimer data seems OK.
0

#18 jatrader

  • Member
  • Group: Members
  • Posts: 10
  • Joined: 28-September 08

Posted 03 October 2008 - 05:00 PM

snodger, on Oct 3 2008, 09:42 AM, said:

That problem seems to have been solved. Of course we cannot guarantee that we have found every error in your registry caused by the malware, so you might find another problem somewhere down the line. The OOBETimer data seems OK.


Thanks again snodger.

It is asking me to install genuine advantage notification, would you install it, or is it likely to cause problems again?
0

#19 snodger

  • Grumpy old man
  • Group: Administrators
  • Posts: 1,857
  • Joined: 23-August 06

Posted 03 October 2008 - 06:45 PM

The Notification tool provides no benefits for the user and now comes with a EULA designed to allow Microsoft to install what it likes, when it likes, on your computer without seeking further permission from you. Hide it! It will come back again when a new version is released, but simply hide it every time it rears its ugly head.
0

#20 jatrader

  • Member
  • Group: Members
  • Posts: 10
  • Joined: 28-September 08

Posted 03 October 2008 - 07:09 PM

snodger, on Oct 3 2008, 11:45 AM, said:

The Notification tool provides no benefits for the user and now comes with a EULA designed to allow Microsoft to install what it likes, when it likes, on your computer without seeking further permission from you. Hide it! It will come back again when a new version is released, but simply hide it every time it rears its ugly head.


cool, thanks
0
