A Windows XP help forum. PCbanter


Windows XP Professional installation security problem?



 
 
#1
August 1st 04, 04:35 AM
Star Fleet Admiral Q

I noticed the v3-19990518 in the path - v3 signifies this may be from
the old v3 of the Windows update site, which tells me you are
downloading a Win98/Win98SE version - somehow you are either selecting
or being redirected to the incorrect version of WMP - as a Win9x
version won't work on an NT OS?

--

Star Fleet Admiral Q @ your service
--------------------------------------------------------
"Giuseppe Vitillaro" wrote in message
om...
Last week I met a really "esoteric" problem that, maybe, can be
clarified on this newsgroup (otherwise, please, address me to the
right one).

It started with "Windows File Protection" claiming these files have a
wrong signature (under Windows XP Professional Italian Version, SP1
and SP1a):

qasf.dll
laprxy.dll
wmvdmod.dll
wmvcore.dll
wmsdmod.dll
wmnetmgr.dll
wmasf.dll
wmadmoe.dll
wmadmod.dll
mpg4dmod.dll
logagent.exe

It is "easy" to realize these DLL/EXE files belong (most of them) to
Windows Media Player 9.

I restarted a scratch installation (thinking I had a problem) just to
find that any installation path that contains WMP9 leads to the same
situation.

I checked on the news and on other machines without being able to
replicate the problem. So I started to investigate deeply.

Well I realized that my WMP9 was installed (from Windows Update) from
this URL:


http://download.windowsupdate.com/ms...C42F8CDF .EXE

extracted from the log file of an "empty" squid cache.

This is the actual log of the squid cache:

1091035479.420 144 XXX.XXX.XXX.XXX TCP_MISS/200 437 HEAD http://download.windowsupdate.com/ms...C42F8CDF .EXE - DIRECT/195.22.198.71 application/x-msdownload

with my address masked for security.

Now, if you try to download this file from this URL, you will obtain a
valid MPSetupXP.exe file that, if installed, generates the problem.

The same file, downloaded "now", from MS site is different and does not
generate any signature problem and keeps the WFP happy.

The wrong file has length "9289840" and MD5 signature
"fda94079455d1828fc4ebeeb17dc2aba", while the right file has length
"10135688" and md5 signature "876f2c0ac871f45d2c93a7dc28e3aa98".

Now ... what the hell is wrong here? I was installing from "original"
holographic MS CD ... on a scratch partition (reformatted) ... using
"Windows Update" and an "empty" squid cache ... even now I downloaded
many times the "wrong" file from different machines on different
networks ... it is still "wrong".

I have to suppose Microsoft servers have been hacked? What about the
security and integrity of our machines?

May I ask to this group to do some ancillary test on this?

It may be my own problem ... who knows ... but if someone would be
able to replicate the problem ... well "we" have a problem ...

Thanks, G. Vitillaro.

P.S. If you send reply via e-mail, please send them to this address
" after removing the "-nospam" mask.



#2
August 1st 04, 05:58 PM
Giuseppe Vitillaro

I'm installing Windows Media Player 9 on a Windows XP Professional
(installed from scratch at least 4 times) using "Windows Update"
integrated in Windows XP Professional. So ... how may Windows Update
choose a Windows 98 version?

Did you note the file is called MPSetupXP? In both cases? It really
seems the XP installer ... and it actually installs on Windows XP ... I
never installed the WMP9 on a Windows 98 ... but I cannot believe
MPSetup.exe installs itself on the wrong type of OS ...

Furthermore I just downloaded from MS the Windows 98/ME/2000 ... the
file is called MPSetup.exe, is 13951112 bytes long and has md5
signature "e919c4e0050b32aebe83a5d2eb613dd4" ... so ... as you can see
... your explanation doesn't work.

Again I'm "begging" for some deeper analysis ... it can be MS didn't
update some site ... it can be a server hacking ... it can be a root
DNS server hacking ... I haven't an explanation by now ... but I'm
pretty sure ... it is "not" a trivial explanation.

Thanks, G. Vitillaro.

#3
August 1st 04, 06:33 PM
Giuseppe Vitillaro

Just another clue to this topic.

This is my windows update "wrong" URL (I found it on two of my
machines inside the "Windows Update.log" file):

http://download.windowsupdate.com/ms...C42F8CDF .EXE

and this "seems" a good URL update, found inside some "Windows
Update.log" that was posted on the Net:

http://download.windowsupdate.com/ms...0E7A6936 .EXE

The first URL leads to the bad file, the second URL to the good one (as
noted in my first post).

As you can see the URL path is the same. It only changes the "hex" part
of the filename (is it a signature, a checksum, does someone know?).

This is really driving me crazy. How may I be sure in the future that
Windows Update is downloading the right files?

G. Vitillaro.
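
The check the posts above carry out by hand, as an added example that is not part of the thread or written by either poster: it pulls executable requests for download.windowsupdate.com out of a Squid native-format access log and compares a downloaded file's length and MD5 against reference values. The function names and the sample log lines (paths, client and peer addresses) are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Squid native access.log fields:
# time elapsed client result/status bytes method URL ident hierarchy/peer mime
LINE = re.compile(
    r"(?P<time>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<mime>\S+)"
)

def update_fetches(log_text, host="download.windowsupdate.com"):
    """Return (method, bytes, peer, url) for each .exe requested from host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in native log format
        parts = urlsplit(m["url"])
        if parts.hostname == host and parts.path.lower().endswith(".exe"):
            hits.append((m["method"], int(m["bytes"]), m["peer"], m["url"]))
    return hits

def fingerprint(stream, chunk=65536):
    """Length, MD5 and SHA-256 of a binary stream, read in chunks.
    MD5 mirrors the thread; SHA-256 is added since MD5 is not collision resistant."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    while block := stream.read(chunk):
        size += len(block)
        md5.update(block)
        sha256.update(block)
    return size, md5.hexdigest(), sha256.hexdigest()

def matches_reference(stream, ref_size, ref_md5):
    """True only if both the length and the MD5 equal the reference values."""
    size, md5, _ = fingerprint(stream)
    return size == ref_size and md5 == ref_md5.lower()

# Constructed sample log: paths and addresses are made up for this example.
SAMPLE_LOG = """\
1091035479.420 144 10.0.0.5 TCP_MISS/200 437 HEAD http://download.windowsupdate.com/example/MPSETUPXP_00000001.EXE - DIRECT/192.0.2.10 application/x-msdownload
1091035481.100 9021 10.0.0.5 TCP_MISS/200 9290277 GET http://download.windowsupdate.com/example/MPSETUPXP_00000001.EXE - DIRECT/192.0.2.10 application/x-msdownload
1091035490.000 30 10.0.0.5 TCP_MISS/200 512 GET http://www.example.org/index.html - DIRECT/192.0.2.20 text/html
"""

if __name__ == "__main__":
    for method, size, peer, url in update_fetches(SAMPLE_LOG):
        note = "headers only" if method == "HEAD" else "body transferred"
        print(f"{method:4} {size:>9} {peer:15} {url} ({note})")
```

In the sample, the HEAD entry logs 437 bytes because only response headers were returned; the GET entry is the one whose byte count reflects a transferred body.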

 




All times are GMT +1.