Everything posted by cluberti

  1. Note that you can create a free security case with Microsoft support on this - if you're in the US or Canada, call (866) 727-2338. If you're elsewhere, try http://support.microsoft.com/common/international.aspx. As to the hotfixes, the first thing I would do is download them on another machine, put them on something like a USB key, and then remove the infected server(s) from the network COMPLETELY and install any missing hotfixes. Next, do a FULL scan of the machine with a virus scanner. If it doesn't find anything, then consider those machines compromised (I'd do this first, but some people like to save servers for some reason) and rebuild offline. Next thing to do is start actively monitoring any ingress and egress points from your network for suspicious activity (and make sure that your servers are fully patched, and enable the windows firewall and only open necessary ports if possible).
  2. Well, if it's not included in the XP SP3 package, then yes, you will need to integrate those as well. IE7, updated DX, Windows Media, .net, etc are all not a part of the SP3 package.
  3. OK, got the new dump, and was able to open and analyze it. It's indeed a 2nd chance access violation (meaning the process will crash). Here's the analysis:

    // Thread showing the 2nd chance Access Violation, causing the crash:
    0:036> kb
    ChildEBP RetAddr  Args to Child
    0fafef04 748a0a80 3a4f9e50 00000002 00000001 winmm!ValidateHandle+0x24
    0fafef18 0e2021fd 3a4f9e50 0f8e0020 00000000 winmm!waveInClose+0x16
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0fafef68 0e1f3854 ffffffff 00c2c770 00000000 c0!COM_ENTRY+0x4cac
    0fafefb0 0e1f9fee 00c2c770 0faff2e8 0e1f9fa6 c0+0x3854
    0fafefec 6b6412df 0f8e0020 a4feffe5 0faff2e8 c0!DllUnregisterServer+0x650
    0faff070 6b63df66 00000001 00000000 0e220bc8 mfc42!CWnd::OnWndMsg+0x273
    0faff098 6b6ca5b3 00000001 00000000 0faff2e8 mfc42!CWnd::WindowProc+0x2e
    0faff0c0 6b63fa9d 00000001 00000000 0faff2e8 mfc42!COleControl::WindowProc+0x12f
    0faff128 6b63fbd1 00c2c770 00000000 00000001 mfc42!AfxCallWndProc+0xb5
    0faff14c 0e21e0ea 00060334 00000001 00000000 mfc42!AfxWndProc+0x3e
    0faff178 7689f8d2 00060334 00000001 00000000 c0!COM_ENTRY+0x20b99
    0faff1a4 76891912 0e21e0bc 00060334 00000001 user32!InternalCallWinProc+0x23
    0faff21c 768a0817 00000000 0e21e0bc 00060334 user32!UserCallWinProcCheckWow+0xe0
    0faff278 768939f7 00e5df78 00000001 00000000 user32!DispatchClientMessage+0xda
    0faff2a8 778f99ce 0faff2c0 00000078 0faff78c user32!__fnINLPCREATESTRUCT+0x8b
    0faff334 76893cf7 76893b94 80000004 0faff660 ntdll!KiUserCallbackDispatcher+0x2e
    0faff338 76893b94 80000004 0faff660 0faff388 user32!NtUserCreateWindowEx+0xc
    0faff5dc 76893cc3 80000004 0faff660 0faff674 user32!VerNtUserCreateWindowEx+0x1ac
    0faff688 7688fd91 80000004 6b62449c 0faff674 user32!_CreateWindowEx+0x1f9
    0faff6c4 6b640d4a 00000004 6b62449c 6b70a690 user32!CreateWindowExA+0x33
    0faff734 6b6cb27d 00000004 00000000 6b70a690 mfc42!CWnd::CreateEx+0xb8
    0faff798 6b6cfb96 000402e8 00cee9c8 0faff7b8 mfc42!COleControl::CreateControlWindow+0x1d8
    0faff7e0 6b6d11f9 00000000 00000000 a4fef789 mfc42!COleControl::OnActivateInPlace+0x2e6
    0faff81c 6f0075b6 00c2c89c fffffffb 00000000 mfc42!COleControl::XOleObject::DoVerb+0x17d
    0faff894 6f00906a 00c2c89c 000402e8 00000000 mshtml!COleSite::InPlaceActivate+0xdd
    0faff938 6f00911c 00000003 00000000 0a634508 mshtml!COleSite::TransitionTo+0x535
    0faff958 6eeb6793 00000004 0a59d718 0a634508 mshtml!COleSite::TransitionToBaselineState+0x41
    0faff978 6ef1ed69 00000001 00000000 00000052 mshtml!CView::EndDeferTransition+0xae
    0faff994 6edc57bf 0a634508 00000000 00000000 mshtml!CView::EndDeferTransitionCallback+0x2b
    0faff9c8 6edd1f67 0faffa64 00008002 00000000 mshtml!GlobalWndOnMethodCall+0x101
    0faff9e8 7689f8d2 000302ea 00000086 00000000 mshtml!GlobalWndProc+0x181
    0faffa14 7689f794 6edd1eb6 000302ea 00008002 user32!InternalCallWinProc+0x23
    0faffa8c 768a0008 00000000 6edd1eb6 000302ea user32!UserCallWinProcCheckWow+0x14b
    0faffaf0 768a0060 6edd1eb6 00000000 0faffb68 user32!DispatchMessageWorker+0x322
    0faffb00 713143fd 0faffb18 00000000 00000000 user32!DispatchMessageW+0xf
    0faffb68 767e4911 044702a8 0faffbb4 778de4b6 ieframe!CTabWindow::_TabWindowThreadProc+0x280
    0faffb74 778de4b6 0a622870 782956d0 00000000 kernel32!BaseThreadInitThunk+0xe
    0faffbb4 778de489 71314117 0a622870 00000000 ntdll!__RtlUserThreadStart+0x23
    0faffbcc 00000000 71314117 0a622870 00000000 ntdll!_RtlUserThreadStart+0x1b

    // Looks like the ValidateHandle function did not validate the handle
    // passed to it by WaveInClose, which in turn would have gotten it as
    // the return of the call function in c0!COM_ENTRY+0x4cac).
    // EAX shows the result of the call function, 0x3a4f9e50:
    0:036> r
    eax=3a4f9e50 ebx=00000000 ecx=748a8290 edx=00000000 esi=3a4f9e50 edi=0fafefa0
    eip=7488490d esp=0fafef04 ebp=0fafef04 iopl=0         nv up ei ng nz ac po cy
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
    winmm!ValidateHandle+0x24:
    7488490d 8b40d4          mov     eax,dword ptr [eax-2Ch] ds:0023:3a4f9e24=????????

    // Since we have no symbols for c0, we disassemble the previous function
    // to determine if this is doing the call, which it is:
    0:036> ub 0e2021fd
    c0!COM_ENTRY+0x4c93:
    0e2021e4 50              push    eax
    0e2021e5 ff159808220e    call    dword ptr [c0!DllCanUnloadNow+0x2012 (0e220898)]
    0e2021eb 3bc3            cmp     eax,ebx
    0e2021ed 7405            je      c0!COM_ENTRY+0x4ca3 (0e2021f4)
    0e2021ef 83ce04          or      esi,4
    0e2021f2 eb09            jmp     c0!COM_ENTRY+0x4cac (0e2021fd)
    0e2021f4 ff75ec          push    dword ptr [ebp-14h]
    0e2021f7 ff158008220e    call    dword ptr [c0!DllCanUnloadNow+0x1ffa (0e220880)]

    // Looking at the actual memory address shows that it is indeed invalid:
    0:036> dc 3a4f9e50 L1
    3a4f9e50 ???????? ????
    0:036> dc 3a4f9e24 L1
    3a4f9e24 ???????? ????

    // Checking the exception record does show us this as the culprit:
    0:036> .exr ffffffffffffffff
    ExceptionAddress: 7488490d (winmm!ValidateHandle+0x00000024)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: 3a4f9e24
    Attempt to read from address 3a4f9e24

    // c0 is apparently a Video&Voice Communication Control:
    0:036> lmvm c0
    start    end        module name
    0e1f0000 0e28c000   c0         (export symbols)       c0.dll
        Loaded symbol image file: c0.dll
        Image path: C:\Program Files\LtUcx\1003\c0.dll
        Image name: c0.dll
        Timestamp:        Mon Jun 13 03:50:20 2005 (42AD3ABC)
        CheckSum:         00033668
        ImageSize:        0009C000
        File version:     1.1.22.333
        Product version:  1.1.22.333
        File flags:       0 (Mask 3F)
        File OS:          4 Unknown Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0000.04b0
        CompanyName:      Lotuspond Software Technology (Beijing) Co.,Ltd.
        ProductName:      Lotuspond IMC Video&Voice Communication Control
        InternalName:     IMCv1
        OriginalFilename: IMCv1.DLL
        ProductVersion:   1, 1, 22, 333
        FileVersion:      1, 1, 22, 333
        PrivateBuild:     1, 1, 22, 333
        SpecialBuild:     1, 1, 22, 333
        FileDescription:  Lotuspond IMC Video&Voice Communication Control
        LegalCopyright:   Lotuspond Software Technology (Beijing) Co.,Ltd. Copyright (C) 2002 All right reserved.
        LegalTrademarks:  Lotuspond
        Comments:         If you have any advice or question, please mail to sales@lotuspond.com.cn\nhttp://www.lotuspond.com.cn

    I couldn't find anything out about this module further, but it appears that this is the culprit.
  4. You shouldn't need to slipstream anything but post-service pack hotfixes. If you're asking if you slipstream SP3 over a CD with SP2+hotfixes, the answer is no, you should not have a problem. However, it is always advisable to slip a service pack into an RTM source, rather than a modified source.
  5. XP SP3

    This announcement has promulgated almost all forums here at this point, although not the member contributed forums for some reason. I have to stand by this, using a torrent to get an unreleased binary is technically not OK. If you have to go to a torrent site to get a binary from a company like Microsoft, rather than download.microsoft.com or windowsupdate.microsoft.com (for reasons other than the torrent is faster, which may be true), then we view this as not an OK thing to do. Regardless of how one feels about the vendor, the release cycle, etc., they have a right to distribution of their package (autopatcher, for example, got bit by this for released packages, let alone an unreleased one), and we will follow that lead. Links to torrents or other non-Microsoft download locations for XP SP3 prior to 4/29 will get one banned, both under the warning and against rule #1 in the forum rules. If Microsoft wanted you to have the package on 4/21, they would have made it available. From here until 4/29, members violating this will be banned. Since the warning had not propagated into this forum for some reason, I have lifted the ban. However, any future incursions will result in a ban.
  6. This KB article will include all of the changes/fixes in XP SP3 when it goes live, so you can look there. There was a similar article when XP SP2 released.
  7. You might want to ask that question somewhere else, but it won't get answered here.
  8. Slipstreaming SP3 does not negate the need for a key. However, pre-build SP3 CDs do work properly. I'm currently investigating why this is different, but this is currently the way it is. Edit: Make sure you're using XP to make the slipstream: http://www.msfn.org/board/Here-s-the-fix-f...ed-t116148.html
  9. This is a "retail" OEM license, not a "royalty" OEM license. The royalty OEM licenses are bought in (serious) bulk by the vendor to preload on a machine, and are REALLY cheap per copy (due to the fact that they're buying a huge amount up-front). These cannot be moved from the machine they are sold on to another, period. The "retail" OEM copies are in all actuality the same as retail copies that come with no support from Microsoft, and must be sold preloaded by an actual OEM (smaller OEMs, like Microsoft SystemBuilder OEMs for instance) - the old "sell with a power cord" trick is technically in violation of the EULA, but I don't see Microsoft actively discouraging sales of a product just to make a point (money is money). These cost FAR more than royalty OEM copies, and as such, yes, the cost difference IS a big deal (a few dollars per license for royalty vs perhaps a hundred or more dollars per license with retail OEM).
  10. XP SP3

    Right. A business is going to want a forced upgrade to IE7 and WMP 11 with a SERVICE PACK.
  11. You need SP1 or SP2, but that's it. It will slipstream properly into RTM media, but to install onto a running system you need SP1 or SP2 installed.
  12. OK, that's what I get for not checking carefully. x86*chk* == 331MB, x86*fre* == 316MB. /wow, I need coffee/
  13. I'm looking at the final XP SP3 .exe file, and the en-us version of the file is 331MB from Microsoft. There are other 5512 packages that may be smaller, but they aren't the actual RTM released package as far as I can tell. Not only that but other links I've found out there are actually 3311 packages too, at approximately 312 - 316MB... I suppose anything is possible, but the package on the ISO from Microsoft (and anyone with MSDN / Technet can check it too) is 331MB. The last RC was 316MB.
  14. Note that the final SP3 stand-alone en-us installation package is 331MB, not 316MB. The softpedia link does NOT have the final english package. That's the last I'm saying about this.
  15. Technet has an article on activation, and how the hash that determines your PC (and gets stored with your activation with MS when you do activate over the 'net) is determined.
  16. Correct. All non-English language versions of Windows XP are localized, meaning they cannot be changed. English versions can be changed via MUI packs (available to VL customers), but not Russian to English. You will need to buy an English copy of XP if you want English on that laptop.
  17. Heh - it's still not in the list of XP service packs in the new interface, but it's available from the "Top downloads" link.
  18. Well, your dump capture didn't actually include a .dmp file, but the log file shows us this:

     # ChildEBP RetAddr  Args to Child
    00 104deae8 7c359aed e06d7363 00000001 00000003 kernel32!RaiseException+0x58
    01 104deb28 10022ab0 104deb68 100f522c 104ded80 MSVCR71!CxxThrowException+0x34
    02 104deb58 10037c4d 104ded80 100cfc04 0eaff438 winamptb!DllUnregisterServer+0x157a0
    03 104deba4 100abd9d 0eaff400 04848cd8 04848cd8 winamptb!DllUnregisterServer+0x2a93d
    04 104debd4 100ab10a 104debec 04848ad0 04848cd8 winamptb!DllUnregisterServer+0x9ea8d
    05 104dede0 10097ab0 047f9428 00000000 047f9428 winamptb!DllUnregisterServer+0x9ddfa
    06 104dee14 1009d5f6 047f9428 06727154 00000000 winamptb!DllUnregisterServer+0x8a7a0
    07 104dee4c 77520afa 000cae48 01070fd0 00000000 winamptb!DllUnregisterServer+0x902e6
    08 104dee78 1009ec5b 104dee20 00000000 104def58 USER32!SendMessageW+0x49
    09 104deef8 100a0ee1 7750d80a 047f9428 104def58 winamptb!DllUnregisterServer+0x9194b
    0a 104def4c 100bf781 ffffffff 047f9eb8 100a1173 winamptb!DllUnregisterServer+0x93bd1
    0b 104defe4 6c6f2400 0f2e5260 0001062a 0f2e5234 winamptb!DllUnregisterServer+0xb2471
    0c 104df480 77520817 00000000 6c716ac1 0001061a IEFRAME!Ordinal218+0x190f
    0d 104df4dc 775139f7 0108b820 00000001 00000000 USER32!ReleaseDC+0x7a
    0e 104df5e0 77513cf7 77513b94 00000100 104df90c USER32!CharNextW+0xfe
    0f 104dfb74 7740e489 6c724117 0f507168 00000000 USER32!CharNextW+0x3fe
    10 104dfb78 6c724117 0f507168 00000000 00000000 ntdll!RtlInitializeExceptionChain+0x36
    11 104dfb7c 0f507168 00000000 00000000 00000000 IEFRAME!Ordinal224+0x10e27
    12 104dfb80 00000000 00000000 00000000 00000000 0xf507168

    It looks like we start the exception chain at frame 10, after we release a device context. I'd have to see an actual .dmp file to see (maybe) what is happening at f507168 to know more. It could still be the WinAmp toolbar, but it's hard to say here. Since this happens when using that web-based java app, I'd have to say it's possible that's it, but again, without an actual .dmp file I can only speculate.
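The two crash analyses above (posts 3 and 18) follow the same triage pattern: read the `kb` stack top-down, find the first frame that belongs to something other than a Microsoft module, then confirm with the `.exr` record and the faulting instruction. As an added example (not cluberti's code, nor anything from the posts), here is a small Python helper that does that mechanically. It parses both `kb` layouts shown (with and without the frame-number column), skips frames in a constructed allowlist of Microsoft modules, parses the `.exr` fields, and makes the arithmetic from post 3 explicit: the faulting address 0x3a4f9e24 is the handle 0x3a4f9e50 minus the 0x2c that `mov eax,dword ptr [eax-2Ch]` subtracts. The sample stacks are abbreviated copies of the ones in the posts; the allowlist and the 0x2c offset argument are assumptions supplied by the caller.

```python
"""Triage helper for pasted WinDbg `kb` stacks and `.exr` records.
Added example, not code from the post. Assumes 32-bit `kb` output pasted
verbatim (8-hex-digit columns, optional frame-number column)."""
import re
from dataclasses import dataclass

FRAME_RE = re.compile(
    r"^(?:(?P<num>[0-9a-f]{2})\s+)?(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+"
    r"(?P<a0>[0-9a-f]{8})\s+(?P<a1>[0-9a-f]{8})\s+(?P<a2>[0-9a-f]{8})\s+(?P<sym>\S+)\s*$",
    re.IGNORECASE)

# Constructed allowlist (assumption): frames in these modules are skipped
# when looking for the first third-party code on the stack.
SYSTEM_MODULES = {"ntdll", "kernel32", "user32", "winmm", "mfc42", "mshtml",
                  "ieframe", "msvcr71"}

# Sample inputs copied (abbreviated) from the two stacks in the posts above.
KB_C0 = """\
0:036> kb
ChildEBP RetAddr  Args to Child
0fafef04 748a0a80 3a4f9e50 00000002 00000001 winmm!ValidateHandle+0x24
0fafef18 0e2021fd 3a4f9e50 0f8e0020 00000000 winmm!waveInClose+0x16
WARNING: Stack unwind information not available. Following frames may be wrong.
0fafef68 0e1f3854 ffffffff 00c2c770 00000000 c0!COM_ENTRY+0x4cac
0fafefb0 0e1f9fee 00c2c770 0faff2e8 0e1f9fa6 c0+0x3854
0faff070 6b63df66 00000001 00000000 0e220bc8 mfc42!CWnd::OnWndMsg+0x273
"""
EXR_C0 = """\
ExceptionAddress: 7488490d (winmm!ValidateHandle+0x00000024)
   ExceptionCode: c0000005 (Access violation)
   Parameter[0]: 00000000
   Parameter[1]: 3a4f9e24
"""
KB_WINAMPTB = """\
 # ChildEBP RetAddr  Args to Child
00 104deae8 7c359aed e06d7363 00000001 00000003 kernel32!RaiseException+0x58
01 104deb28 10022ab0 104deb68 100f522c 104ded80 MSVCR71!CxxThrowException+0x34
02 104deb58 10037c4d 104ded80 100cfc04 0eaff438 winamptb!DllUnregisterServer+0x157a0
10 104dfb78 6c724117 0f507168 00000000 00000000 ntdll!RtlInitializeExceptionChain+0x36
12 104dfb80 00000000 00000000 00000000 00000000 0xf507168
"""


@dataclass
class Frame:
    index: int
    child_ebp: int
    ret_addr: int
    args: tuple
    symbol: str

    @property
    def module(self):
        """'c0!COM_ENTRY+0x4cac' -> 'c0'; 'c0+0x3854' -> 'c0'; bare '0x...' -> ''."""
        if self.symbol.lower().startswith("0x"):
            return ""
        return re.split(r"[!+]", self.symbol, maxsplit=1)[0]


def parse_kb(text):
    """Parse `kb` output; header, prompt and WARNING lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            idx = int(m["num"], 16) if m["num"] else len(frames)
            frames.append(Frame(idx, int(m["ebp"], 16), int(m["ret"], 16),
                                tuple(int(m[k], 16) for k in ("a0", "a1", "a2")),
                                m["sym"]))
    return frames


def first_third_party_frame(frames):
    """Top-down, the first frame outside SYSTEM_MODULES. Frames below a
    'Stack unwind information not available' warning may be wrong, so treat
    this as a lead to confirm with disassembly and .exr, as the post does."""
    for f in frames:
        if f.module and f.module.lower() not in SYSTEM_MODULES:
            return f
    return None


def parse_exr(text):
    """Pull address, symbol, code and parameters out of a `.exr` block."""
    out = {"params": []}
    m = re.search(r"ExceptionAddress:\s*([0-9a-f]+)\s*\(([^)]*)\)", text, re.I)
    if m:
        out["address"], out["symbol"] = int(m[1], 16), m[2]
    m = re.search(r"ExceptionCode:\s*([0-9a-f]+)", text, re.I)
    if m:
        out["code"] = int(m[1], 16)
    for _, val in sorted(re.findall(r"Parameter\[(\d)\]:\s*([0-9a-f]+)", text, re.I)):
        out["params"].append(int(val, 16))
    return out


def fault_matches_handle(frames, exr, deref_offset):
    """Post 3's check made explicit: for an access violation (0xC0000005),
    Parameter[1] is the faulting address, and it should equal the handle
    passed to the top frame minus the offset the faulting instruction
    subtracts (0x2c for `mov eax,dword ptr [eax-2Ch]`)."""
    if not frames or exr.get("code") != 0xC0000005 or len(exr["params"]) < 2:
        return False
    return frames[0].args[0] - deref_offset == exr["params"][1]
```

Run `first_third_party_frame(parse_kb(KB_C0))` and it returns the `c0!COM_ENTRY+0x4cac` frame; `fault_matches_handle(parse_kb(KB_C0), parse_exr(EXR_C0), 0x2c)` returns True, which is the same conclusion the post reached by hand. On the winamptb stack it points at frame 02, the first toolbar frame under the C++ throw, which is why the post could only say "it could still be the WinAmp toolbar" without a real .dmp to walk further.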
  19. Links / hashes deleted. Closing thread, await the final release on the 29th. Thread closed.
  20. Finally broke down and bought a laptop too - a 17" MBP. Installed BootCamp and Vista SP1, and it is just about the fastest piece of hardware I've ever seen run Vista...
  21. You do what you'd like, but you are incorrect in assuming "ownership" of the license. Also, I'm fairly certain you won't find further assistance with it here - you'll find that most of the people here tend to want to uphold the EULAs for products they use, or use alternative products. And the EULA says what you did was not legal.
  22. Even if it's free, the NDA says 'don't you dare'. So I do not.
  23. Honestly, I'd recommend a Tyan board with Opterons if you're gonna run Hyper-V, but that would still be a nice rig.
  24. Yes, and no, I cannot.
  25. Confirmed, 5512. ntoskrnl.exe == 5.1.2600.5512