Giuseppe Vitillaro
Last week I met a really "esoteric" problem that, maybe, can be
clarified on this newsgroup (otherwise, please, address me to the
right one).
It started with "Windows File Protection" claiming these files have a
wrong signature (under Windows XP Professional Italian Version, SP1
and SP1a):
qasf.dll
laprxy.dll
wmvdmod.dll
wmvcore.dll
wmsdmod.dll
wmnetmgr.dll
wmasf.dll
wmadmoe.dll
wmadmod.dll
mpg4dmod.dll
logagent.exe
It is "easy" to realize these DLL/EXE files belong (most of them) to
Windows Media Player 9.
I restarted a scratch installation (thinking I had a problem) just to
find that any installation path that contains WMP9 leads to the same
situation.
I checked on the news and on other machines without being able to
replicate the problem. So I started to investigate deeply.
Well I realized that my WMP9 was installed (from Windows Update) from
this URL:
http://download.windowsupdate.com/m..._6DC8B5258261C746CC4421FA5DD336B8C42F8CDF.EXE
extracted from the log file of an "empty" squid cache.
This is the actual log of the squid cache:
1091035479.420 144 XXX.XXX.XXX.XXX TCP_MISS/200 437 HEAD
http://download.windowsupdate.com/m..._6DC8B5258261C746CC4421FA5DD336B8C42F8CDF.EXE
- DIRECT/195.22.198.71 application/x-msdownload
with my address masked for security.
Now, if you try to download this file from this URL, you will obtain a
valid MPSetupXP.exe file that, if installed, generates the problem.
The same file, downloaded "now" from the MS site, is different and does
not generate any signature problem and keeps the WFP happy.
The wrong file has length "9289840" and MD5 signature
"fda94079455d1828fc4ebeeb17dc2aba", while the right file has length
"10135688" and MD5 signature "876f2c0ac871f45d2c93a7dc28e3aa98".
Now ... what the hell is wrong here? I was installing from an "original"
holographic MS CD ... on a scratch partition (reformatted) ... using
"Windows Update" and an "empty" squid cache ... even now I have
downloaded the "wrong" file many times from different machines on
different networks ... it is still "wrong".
I have to suppose Microsoft servers have been hacked? What about the
security and integrity of our machines?
May I ask this group to do some ancillary tests on this?
It may be my own problem ... who knows ... but if someone would be
able to replicate the problem ... well "we" have a problem ...
Thanks, G. Vitillaro.
P.S. If you send replies via e-mail, please send them to this address
"(e-mail address removed)" after removing the "-nospam" mask.
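
As an added example (not part of the original post): a Python sketch of the two checks the post relies on, reading a Squid native-format access.log entry and fingerprinting a downloaded installer by length and MD5. The function names and labels are this example's own assumptions, and SHA-256 is computed in addition to the MD5 the post quotes.

```python
import hashlib
import re
from collections import namedtuple
from typing import BinaryIO, Optional

# (length in bytes, MD5) pairs quoted in the post; the labels are this example's own.
KNOWN = {
    (9289840, "fda94079455d1828fc4ebeeb17dc2aba"): "installer that upsets WFP",
    (10135688, "876f2c0ac871f45d2c93a7dc28e3aa98"): "installer that keeps WFP happy",
}

Entry = namedtuple("Entry", "time elapsed_ms client result status size method url peer mime")

# Squid native log: time elapsed client result/status bytes method URL ident hierarchy/peer type
LINE = re.compile(r"(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\w+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)$")

def parse_squid(line: str) -> Optional[Entry]:
    m = LINE.match(line.strip())
    if m is None:
        return None
    t, el, client, result, status, size, method, url, peer, mime = m.groups()
    return Entry(float(t), int(el), client, result, int(status), int(size), method, url, peer, mime)

def carried_body(e: Entry) -> bool:
    """A HEAD reply has no body: such an entry shows the URL was probed, not which bytes arrived."""
    return e.method == "GET" and e.status == 200

def fingerprint(stream: BinaryIO) -> tuple:
    """Length, MD5 (to compare with the post) and SHA-256 (a collision-resistant record)."""
    md5, sha256, length = hashlib.md5(), hashlib.sha256(), 0
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        md5.update(chunk)
        sha256.update(chunk)
        length += len(chunk)
    return length, md5.hexdigest(), sha256.hexdigest()

def classify(stream: BinaryIO) -> str:
    length, md5, _ = fingerprint(stream)
    return KNOWN.get((length, md5), "unknown build")

# The log entry from the post, rejoined onto one line (URL elided as in the post).
POST_LINE = ("1091035479.420 144 XXX.XXX.XXX.XXX TCP_MISS/200 437 HEAD "
             "http://download.windowsupdate.com/m..._6DC8B5258261C746CC4421FA5DD336B8C42F8CDF.EXE "
             "- DIRECT/195.22.198.71 application/x-msdownload")

if __name__ == "__main__":
    print(parse_squid(POST_LINE))
```

To check a saved installer, open it in binary mode and pass the file object to `classify`.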