System cache leak part II


  • This topic is locked
54 replies to this topic

#16 M332

M332
  • Topic Starter

  • Members
  • 211 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:07 PM

Posted 28 March 2010 - 06:41 PM

I will be downloading the 316mb SP3 package until tomorrow since I'm on 56k so I will have to wait to post the requested info until sometime tomorrow.

Edited by M332, 28 March 2010 - 06:44 PM.




#17 M332


Posted 29 March 2010 - 08:38 PM

Ok it took me 24hrs to download that 316mb program since I'm on 56k and it only used 25% of the network. Wish I knew how to change downloads to run at full speed. The xpsp3 folder was created.

Here is the pasted SWReg log:

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup
DriverCachePath REG_EXPAND_SZ %SystemRoot%\Driver Cache
BootDir REG_SZ C:\
PrivateHash REG_BINARY fc788dba8e8060929cc2db3163ba74bf
Installation Sources REG_SZ C:
SourcePath REG_SZ C:\WINDOWS
ServicePackSourcePath REG_SZ c:\windows\ServicePackFiles
CDInstall REG_DWORD 0 (0x0)
LogLevel REG_DWORD 0 (0x0)
ServicePackCachePath REG_SZ c:\windows\ServicePackFiles\ServicePackCache

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\BaseWinOptions

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents
ComponentList REG_MULTI_SZ {981FB688-E76B-4246-987B-92083185B90A}\0{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\0{60204BB3-7078-4F70-8F69-68297621941C}\0{077ACEC7-979C-40AB-9835-435BA1511E0D}\0{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\0{A47B3654-48EE-48A5-B629-97D70175E58F}\0{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\0{30C7234B-6482-4A55-A11D-ECD9030313F2}\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}
FriendlyName REG_SZ Windows Media Files
ComponentGUID REG_SZ {077ACEC7-979C-40AB-9835-435BA1511E0D}
Version REG_DWORD 655360 (0xa0000)
Sub-Version REG_DWORD 4332 (0x10ec)
ExceptionInfName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{077ACEC7-979C-40AB-9835-435BA1511E0D}\MPPRE10.inf
ExceptionCatalogName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{077ACEC7-979C-40AB-9835-435BA1511E0D}\mppre10.cat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}
FriendlyName REG_SZ Windows Media Files
ComponentGUID REG_SZ {30C7234B-6482-4A55-A11D-ECD9030313F2}
Version REG_DWORD 655360 (0xa0000)
Sub-Version REG_DWORD 4332 (0x10ec)
ExceptionInfName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDM10.inf
ExceptionCatalogName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\wmdm10.cat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}
FriendlyName REG_SZ Windows Media Files
ComponentGUID REG_SZ {A47B3654-48EE-48A5-B629-97D70175E58F}
Version REG_DWORD 655360 (0xa0000)
Sub-Version REG_DWORD 4332 (0x10ec)
ExceptionInfName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\codecs10.inf
ExceptionCatalogName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\codecs10.cat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}
FriendlyName REG_SZ Windows Media Files
ComponentGUID REG_SZ {AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}
Version REG_DWORD 655360 (0xa0000)
Sub-Version REG_DWORD 4332 (0x10ec)
ExceptionInfName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMFSDK10.inf
ExceptionCatalogName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmfsdk10.cat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}
FriendlyName REG_SZ Windows Media Files
ComponentGUID REG_SZ {C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}
Version REG_DWORD 655360 (0xa0000)
Sub-Version REG_DWORD 4332 (0x10ec)
ExceptionInfName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\DRM10.inf
ExceptionCatalogName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drm10.cat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\Migration DLLs
Microsoft Office Family REG_SZ C:\PROGRA~1\MICROS~2\OFFICE11\MIGRAT~1\MIGRATE.DLL

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\Oc Manager

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\Oc Manager\MasterInfs

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\Oc Manager\Subcomponents
beacon REG_DWORD 1 (0x1)
fax REG_DWORD 0 (0x0)
wmpocm REG_DWORD 1 (0x1)
plusgold REG_DWORD 0 (0x0)
plusspac REG_DWORD 0 (0x0)
plusdavn REG_DWORD 0 (0x0)
plusnatr REG_DWORD 0 (0x0)
plusmpix REG_DWORD 0 (0x0)
plusdancer REG_DWORD 0 (0x0)
plusparty REG_DWORD 0 (0x0)
plusaudio REG_DWORD 0 (0x0)
pluscdlm REG_DWORD 0 (0x0)
plustheme REG_DWORD 0 (0x0)
msmsgs REG_DWORD 1 (0x1)
rootautoupdate REG_DWORD 0 (0x0)
msnexplr REG_DWORD 1 (0x1)
msmq_core REG_DWORD 0 (0x0)
msmq_localstorage REG_DWORD 0 (0x0)
msmq_triggersservice REG_DWORD 0 (0x0)
iis_common REG_DWORD 0 (0x0)
iis_inetmgr REG_DWORD 0 (0x0)
dtc REG_DWORD 1 (0x1)
com REG_DWORD 1 (0x1)
iis_www REG_DWORD 0 (0x0)
msmq_httpsupport REG_DWORD 0 (0x0)
msmq_adintegrated REG_DWORD 0 (0x0)
ieaccess REG_DWORD 0 (0x0)
iis_www_vdir_scripts REG_DWORD 0 (0x0)
iis_www_vdir_printers REG_DWORD 0 (0x0)
tswebclient REG_DWORD 0 (0x0)
iis_doc REG_DWORD 0 (0x0)
iis_ftp REG_DWORD 0 (0x0)
iis_smtp REG_DWORD 0 (0x0)
fp_extensions REG_DWORD 0 (0x0)
oeaccess REG_DWORD 0 (0x0)
tpg REG_DWORD 1 (0x1)
system REG_DWORD 1 (0x1)
oobe REG_DWORD 1 (0x1)
notebook REG_DWORD 1 (0x1)
stickynotes REG_DWORD 1 (0x1)
freestyle REG_DWORD 1 (0x1)
mswordpad REG_DWORD 0 (0x0)
calc REG_DWORD 0 (0x0)
charmap REG_DWORD 0 (0x0)
clipbook REG_DWORD 0 (0x0)
deskpaper REG_DWORD 0 (0x0)
mousepoint REG_DWORD 0 (0x0)
paint REG_DWORD 0 (0x0)
templates REG_DWORD 0 (0x0)
chat REG_DWORD 0 (0x0)
dialer REG_DWORD 0 (0x0)
hypertrm REG_DWORD 0 (0x0)
mplay REG_DWORD 0 (0x0)
rec REG_DWORD 0 (0x0)
vol REG_DWORD 0 (0x0)
accessopt REG_DWORD 0 (0x0)
pinball REG_DWORD 0 (0x0)
freecell REG_DWORD 0 (0x0)
hearts REG_DWORD 0 (0x0)
minesweeper REG_DWORD 0 (0x0)
solitaire REG_DWORD 0 (0x0)
spider REG_DWORD 0 (0x0)
zonegames REG_DWORD 0 (0x0)
wmaccess REG_DWORD 1 (0x1)
wbem REG_DWORD 1 (0x1)
netfx REG_DWORD 0 (0x0)
indexsrv_system REG_DWORD 0 (0x0)
terminalserver REG_DWORD 0 (0x0)
snmp REG_DWORD 0 (0x0)
wbemsnmp REG_DWORD 0 (0x0)
simptcp REG_DWORD 0 (0x0)
upnp REG_DWORD 0 (0x0)
iprip REG_DWORD 0 (0x0)
p2p REG_DWORD 0 (0x0)
lpdsvc REG_DWORD 0 (0x0)
sonicdvdandcdburning REG_DWORD 0 (0x0)
display REG_DWORD 1 (0x1)
ntcomponents REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OOBE
UpdateKeys REG_DWORD 2 (0x2)
RunWelcomeProcess REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OOBE\CKPT
0 REG_DWORD 2 (0x2)
TOS REG_DWORD 2 (0x2)
1 REG_DWORD 3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OptionalComponents

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OptionalComponents\MAPI
Installed REG_SZ 1
NoChange REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OptionalComponents\Messenger
Installed REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OptionalComponents\Moviemk
Installed REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OptionalComponents\SwFlash
Installed REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\WindowsFeatures
Windows Media Player REG_DWORD 1 (0x1)


#18 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:07 AM

Posted 29 March 2010 - 11:19 PM

Well done.

Next do this....

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

==========

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"SourcePath"="C:\\xpsp3"


Name the file as sfcregedit.reg, making sure save as type is set to " All Files ".
Double click on sfcregedit.reg & allow it to run.

==========
  1. Click Start > Run and type sfc /scannow and then click OK.
  2. Note the space between the c and the /
  3. Allow the scan to run and when completed, reboot the system.

Success??

Do you want to keep it like this or revert it back?

Kind regards,
~ t









Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#19 M332


Posted 30 March 2010 - 02:44 PM

Ok I backed up the registry with ERUNT, created the sfcregedit entry and saved it, ran it successfully, then when I ran sfc it still asked for the XP cd.

Is this because of the double \\ in the command line "SourcePath"="C:\\xpsp3"? EDIT: I tried using one "\" instead of two but it made no difference.

So, do I need to tell sfc to cancel every time it stops on a file and asks for the XP cd then let it run to the end when it will supposedly ask me for the XP cd?

Edited by M332, 30 March 2010 - 02:50 PM.


#20 thcbytes


Posted 30 March 2010 - 10:34 PM

Hmmmm.

Few reasons for this...

Give me a look at that reg key and let's see if the reg fix worked. And yes..the \\ is correct in regedit.

Re-run the regfix again.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"SourcePath"="C:\\xpsp3"


Name the file as sfcregedit.reg, making sure save as type is set to " All Files ".
Double click on sfcregedit.reg & allow it to run.

==========

There is another key that might need to be manipulated.
  1. Copy the following into notepad (Start>Run>"notepad"). Do not copy the word "code".
    CODE
    regedit /e reglook1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath"
  2. Click File, then Save As... .
  3. Click Desktop on the left.
  4. Under the Save as type dropdown, select All Files.
  5. In the box File Name, input reglook1.bat
  6. Hit OK.
  7. Double click reglook1.bat. You will see a black command prompt window open then close. It might seem like nothing is happening, but the script is running.
Post the results of reglook1.txt.

==========

Re-boot. Then do this...
  1. Copy the following into notepad (Start>Run>"notepad"). Do not copy the word "code".
    CODE
    regedit /e reglook2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"
  2. Click File, then Save As... .
  3. Click Desktop on the left.
  4. Under the Save as type dropdown, select All Files.
  5. In the box File Name, input reglook2.bat
  6. Hit OK.
  7. Double click reglook2.bat. You will see a black command prompt window open then close. It might seem like nothing is happening, but the script is running.
Post the results of reglook2.bat.

==========

With your next post please provide:

* Reglook1.txt
* Reglook2.txt

Kind regards,
~t



#21 M332


Posted 31 March 2010 - 01:59 PM

I ran the regfix again then created reglook1.bat as instructed and double clicked it but there is no reglook1.txt file created after 10 minutes+ of idle time afterward.

Edited by M332, 31 March 2010 - 02:00 PM.


#22 thcbytes


Posted 31 March 2010 - 09:36 PM

Alright. Do this instead....

Right click and delete the log.txt and bat file in your SWReg folder then............
  • Launch Notepad, (Start > Run, type in: notepad)
  • Copy/paste all the text inside the code box below to Notepad:

CODE
@echo off
swreg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath" /s >>log.txt
swreg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup" /s >>log.txt
Notepad log.txt

  • In Notepad, go to File (upper menu bar), and select: Save as
  • Save in: SWReg folder
  • File Name: SWReg.bat
  • Save as Type: All files
  • Click: Save
  • Exit out of Notepad.
Note: Both SWReg.exe and SWReg.bat must be in the same folder for this to work.
  • Locate SWReg.bat in the SWReg folder and double-click on it.
  • When done, a log opens in Notepad.
  • Please post the contents of the log in your reply.


#23 M332


Posted 01 April 2010 - 10:56 AM

Ok I did what you said and here is the log:



SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 ©

Error: Key: software\microsoft\windows nt\currentversion\sourcepath does not exist!


SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup
DriverCachePath REG_EXPAND_SZ %SystemRoot%\Driver Cache
BootDir REG_SZ C:\
PrivateHash REG_BINARY fc788dba8e8060929cc2db3163ba74bf
Installation Sources REG_SZ C:
SourcePath REG_SZ C:\xpsp3
ServicePackSourcePath REG_SZ c:\windows\ServicePackFiles
CDInstall REG_DWORD 0 (0x0)
LogLevel REG_DWORD 0 (0x0)
ServicePackCachePath REG_SZ c:\windows\ServicePackFiles\ServicePackCache

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\BaseWinOptions

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents
ComponentList REG_MULTI_SZ {981FB688-E76B-4246-987B-92083185B90A}\0{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\0{60204BB3-7078-4F70-8F69-68297621941C}\0{077ACEC7-979C-40AB-9835-435BA1511E0D}\0{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\0{A47B3654-48EE-48A5-B629-97D70175E58F}\0{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\0{30C7234B-6482-4A55-A11D-ECD9030313F2}\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}
FriendlyName REG_SZ Windows Media Files
ComponentGUID REG_SZ {077ACEC7-979C-40AB-9835-435BA1511E0D}
Version REG_DWORD 655360 (0xa0000)
Sub-Version REG_DWORD 4332 (0x10ec)
ExceptionInfName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{077ACEC7-979C-40AB-9835-435BA1511E0D}\MPPRE10.inf
ExceptionCatalogName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{077ACEC7-979C-40AB-9835-435BA1511E0D}\mppre10.cat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}
FriendlyName REG_SZ Windows Media Files
ComponentGUID REG_SZ {30C7234B-6482-4A55-A11D-ECD9030313F2}
Version REG_DWORD 655360 (0xa0000)
Sub-Version REG_DWORD 4332 (0x10ec)
ExceptionInfName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDM10.inf
ExceptionCatalogName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\wmdm10.cat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}
FriendlyName REG_SZ Windows Media Files
ComponentGUID REG_SZ {A47B3654-48EE-48A5-B629-97D70175E58F}
Version REG_DWORD 655360 (0xa0000)
Sub-Version REG_DWORD 4332 (0x10ec)
ExceptionInfName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\codecs10.inf
ExceptionCatalogName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\codecs10.cat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}
FriendlyName REG_SZ Windows Media Files
ComponentGUID REG_SZ {AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}
Version REG_DWORD 655360 (0xa0000)
Sub-Version REG_DWORD 4332 (0x10ec)
ExceptionInfName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMFSDK10.inf
ExceptionCatalogName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmfsdk10.cat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}
FriendlyName REG_SZ Windows Media Files
ComponentGUID REG_SZ {C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}
Version REG_DWORD 655360 (0xa0000)
Sub-Version REG_DWORD 4332 (0x10ec)
ExceptionInfName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\DRM10.inf
ExceptionCatalogName REG_EXPAND_SZ C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drm10.cat

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\Migration DLLs
Microsoft Office Family REG_SZ C:\PROGRA~1\MICROS~2\OFFICE11\MIGRAT~1\MIGRATE.DLL

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\Oc Manager

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\Oc Manager\MasterInfs

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\Oc Manager\Subcomponents
beacon REG_DWORD 1 (0x1)
fax REG_DWORD 0 (0x0)
wmpocm REG_DWORD 1 (0x1)
plusgold REG_DWORD 0 (0x0)
plusspac REG_DWORD 0 (0x0)
plusdavn REG_DWORD 0 (0x0)
plusnatr REG_DWORD 0 (0x0)
plusmpix REG_DWORD 0 (0x0)
plusdancer REG_DWORD 0 (0x0)
plusparty REG_DWORD 0 (0x0)
plusaudio REG_DWORD 0 (0x0)
pluscdlm REG_DWORD 0 (0x0)
plustheme REG_DWORD 0 (0x0)
msmsgs REG_DWORD 1 (0x1)
rootautoupdate REG_DWORD 0 (0x0)
msnexplr REG_DWORD 1 (0x1)
msmq_core REG_DWORD 0 (0x0)
msmq_localstorage REG_DWORD 0 (0x0)
msmq_triggersservice REG_DWORD 0 (0x0)
iis_common REG_DWORD 0 (0x0)
iis_inetmgr REG_DWORD 0 (0x0)
dtc REG_DWORD 1 (0x1)
com REG_DWORD 1 (0x1)
iis_www REG_DWORD 0 (0x0)
msmq_httpsupport REG_DWORD 0 (0x0)
msmq_adintegrated REG_DWORD 0 (0x0)
ieaccess REG_DWORD 0 (0x0)
iis_www_vdir_scripts REG_DWORD 0 (0x0)
iis_www_vdir_printers REG_DWORD 0 (0x0)
tswebclient REG_DWORD 0 (0x0)
iis_doc REG_DWORD 0 (0x0)
iis_ftp REG_DWORD 0 (0x0)
iis_smtp REG_DWORD 0 (0x0)
fp_extensions REG_DWORD 0 (0x0)
oeaccess REG_DWORD 0 (0x0)
tpg REG_DWORD 1 (0x1)
system REG_DWORD 1 (0x1)
oobe REG_DWORD 1 (0x1)
notebook REG_DWORD 1 (0x1)
stickynotes REG_DWORD 1 (0x1)
freestyle REG_DWORD 1 (0x1)
mswordpad REG_DWORD 0 (0x0)
calc REG_DWORD 0 (0x0)
charmap REG_DWORD 0 (0x0)
clipbook REG_DWORD 0 (0x0)
deskpaper REG_DWORD 0 (0x0)
mousepoint REG_DWORD 0 (0x0)
paint REG_DWORD 0 (0x0)
templates REG_DWORD 0 (0x0)
chat REG_DWORD 0 (0x0)
dialer REG_DWORD 0 (0x0)
hypertrm REG_DWORD 0 (0x0)
mplay REG_DWORD 0 (0x0)
rec REG_DWORD 0 (0x0)
vol REG_DWORD 0 (0x0)
accessopt REG_DWORD 0 (0x0)
pinball REG_DWORD 0 (0x0)
freecell REG_DWORD 0 (0x0)
hearts REG_DWORD 0 (0x0)
minesweeper REG_DWORD 0 (0x0)
solitaire REG_DWORD 0 (0x0)
spider REG_DWORD 0 (0x0)
zonegames REG_DWORD 0 (0x0)
wmaccess REG_DWORD 1 (0x1)
wbem REG_DWORD 1 (0x1)
netfx REG_DWORD 0 (0x0)
indexsrv_system REG_DWORD 0 (0x0)
terminalserver REG_DWORD 0 (0x0)
snmp REG_DWORD 0 (0x0)
wbemsnmp REG_DWORD 0 (0x0)
simptcp REG_DWORD 0 (0x0)
upnp REG_DWORD 0 (0x0)
iprip REG_DWORD 0 (0x0)
p2p REG_DWORD 0 (0x0)
lpdsvc REG_DWORD 0 (0x0)
sonicdvdandcdburning REG_DWORD 0 (0x0)
display REG_DWORD 1 (0x1)
ntcomponents REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OOBE
UpdateKeys REG_DWORD 2 (0x2)
RunWelcomeProcess REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OOBE\CKPT
0 REG_DWORD 2 (0x2)
TOS REG_DWORD 2 (0x2)
1 REG_DWORD 3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OptionalComponents

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OptionalComponents\MAPI
Installed REG_SZ 1
NoChange REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OptionalComponents\Messenger
Installed REG_SZ 0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OptionalComponents\Moviemk
Installed REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OptionalComponents\SwFlash
Installed REG_SZ 1

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\WindowsFeatures
Windows Media Player REG_DWORD 1 (0x1)
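
Added example, not part of the thread: a Python sketch that parses `swreg query` output in the format pasted above, unescapes the `"C:\\xpsp3"` string from the .reg fix, and checks both that the import took effect and that SourcePath is the only value that differs between the two logs. The function names are hypothetical, the sample logs are abridged from the two logs posted in this thread, and only the `\\` and `\"` escapes of .reg string values are handled.

```python
import re

# "name TYPE data" line as SWReg prints it. The name is matched lazily up to the
# first REG_* token because value names may contain spaces ("Installation Sources").
_VALUE_RE = re.compile(r"^(?P<name>.+?) (?P<type>REG_[A-Z_]+)(?: (?P<data>.*))?$")
# "name"="data" line of a REGEDIT5 .reg file (string values only).
_REG_SZ_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

SETUP_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\setup"


def parse_swreg(text):
    """Parse `swreg query <key> /s` output into {key_lower: {name: (type, data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.lower(), {})
            continue
        m = _VALUE_RE.match(line)  # banner, "Error:" and blank lines do not match
        if m and current is not None:
            current[m["name"]] = (m["type"], m["data"] or "")
    return keys


def parse_reg_file(text):
    """Parse the string values of a .reg file into {key_lower: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _REG_SZ_RE.match(line)
        if m and current is not None:
            # In a .reg file a literal backslash is written "\\" and a quote "\"".
            name, data = (re.sub(r'\\([\\"])', r"\1", g) for g in m.groups())
            current[name] = data
    return keys


def verify_import(reg_text, swreg_text):
    """Return (key, name, expected, actual) for each .reg value missing from the dump."""
    dump = parse_swreg(swreg_text)
    problems = []
    for key, values in parse_reg_file(reg_text).items():
        # Registry value names are case-insensitive, so compare them lowercased.
        found = {n.lower(): d for n, (_t, d) in dump.get(key, {}).items()}
        for name, expected in values.items():
            actual = found.get(name.lower())
            if actual is None or actual.lower() != expected.lower():
                problems.append((key, name, expected, actual))
    return problems


def diff_dumps(before_text, after_text):
    """Return (key, name, before, after) for every value that differs between dumps."""
    before, after = parse_swreg(before_text), parse_swreg(after_text)
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changes.append((key, name, b.get(name), a.get(name)))
    return changes


# The .reg fix from the thread, as it is typed into Notepad.
REG_FIX = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"SourcePath"="C:\\xpsp3"
'''

# Abridged sample of the first log in the thread (before the fix).
BEFORE_LOG = r'''SteelWerX Registry Console Tool 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup
BootDir REG_SZ C:\
Installation Sources REG_SZ C:
SourcePath REG_SZ C:\WINDOWS
ServicePackSourcePath REG_SZ c:\windows\ServicePackFiles

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\OOBE\CKPT
0 REG_DWORD 2 (0x2)
'''
# Second log (after the fix): the same sample with the new SourcePath.
AFTER_LOG = BEFORE_LOG.replace(r"C:\WINDOWS", r"C:\xpsp3")

if __name__ == "__main__":
    print("not applied before fix:", verify_import(REG_FIX, BEFORE_LOG))
    print("not applied after fix: ", verify_import(REG_FIX, AFTER_LOG))
    print("changed values:        ", diff_dumps(BEFORE_LOG, AFTER_LOG))
```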


#24 thcbytes


Posted 01 April 2010 - 01:08 PM

Everything looks in order.

Do you know anyone that would let you borrow their install disc for a few minutes??

Not sure why it is still prompting you for an install disc. I want to make sure that the i386 folder is inside c:\xpsp3. Can you confirm that for me? Also please make sure that the c:\xpsp3 folder is not in a zip or rar compressed format.

Re-run Sfc.

Same prompt?



#25 M332


Posted 01 April 2010 - 03:39 PM

I don't know anyone with a xp cd.

The i386 folder is there and is not a zip or rar. Would check marking the xpsp3 folder to be "ready for archiving" in its advanced properties section make any difference?

The sfc scan still asks for the cd. Question, if I skip all the files that request the cd where it states that it may ask me to insert the cd later at the end, would it give me the option at the end to browse to the xpsp3 folder to locate the files?



#26 thcbytes


Posted 01 April 2010 - 03:51 PM

QUOTE
Would check marking the xpsp3 folder to be "ready for archiving" in its advanced properties section make any difference?

Nah. That's for backing up files and folders.

QUOTE
The sfc scan still asks for the cd. Question, if I skip all the files that request the cd where it states that it may ask me to insert the cd later at the end, would it give me the option at the end to browse to the xpsp3 folder to locate the files?
You can try but I don't think it will work.

I have an idea. How about burning c:\xpsp3 or the i386 folder to a CD? Then insert it when prompted. Disclaimer: I made this up! Think it's worth a try though.

#27 M332


Posted 01 April 2010 - 04:24 PM

Ok I'll try making a cd and see what happens. I should have thought of that.

#28 M332


Posted 01 April 2010 - 04:38 PM

It will not accept the cd since it's a copy and not a valid microsoft win xp cd.

Could the c/xpsp3/i386 folder be copied and pasted into the c/windows/i386 folder and c/windows/system32 folder?

#29 thcbytes


Posted 01 April 2010 - 08:52 PM

QUOTE
It will not accept the cd since it's a copy and not a valid microsoft win xp cd.
Bummer

QUOTE
Could the c/xpsp3/i386 folder be copied and pasted into the c/windows/i386 folder and c/windows/system32 folder?

Do not alter your System32 or i386 folders. You could render Windows unbootable.

I am going to ask for some help from my colleagues. Please stay tuned.

Thanks,
~ t

#30 thcbytes


Posted 02 April 2010 - 08:54 AM

Don't miss my last post too.

While we are waiting for input from my colleagues I had a thought. Sfc should be searching for the i386 folder. If it is not at the root (c:\) then it prompts for the CD as I understand. We have the i386 folder but it is within the xpsp3 folder. Maybe we need to place the i386 folder directly in c:\.

Do this first...

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Then we need to change the registry again...

(And yes the "\\" is proper)

Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"SourcePath"="C:\\"


Name the file as sfcedit.reg, making sure save as type is set to " All Files ".
Double click on sfcedit.reg & allow it to run.

==========

Now let's copy c:\xpsp3\i386 to the root of the drive.

Before you run this make sure there is not already a c:\i386 folder. If there is then this won't work. Do not proceed.

Otherwise.......

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

CODE
@Echo off
md c:\i386
copy "c:\xpsp3\i386" "C:\i386" >> "%userprofile%\desktop\movefile.txt"
Notepad %userprofile%\desktop\movefile.txt


Name the file as movefile.bat, making sure save as type is set to " All Files ". It should look like
Double click on movefile.bat & allow it to run. Copy and paste the content in your next reply (If the file does not open please check here for the file C:\movefile.txt).

Make sense?

Now re-run sfc

Success??



