chriss

  • Country

    Germany

  1. Sorry for my late answer, I was out of town for a few days. Meanwhile I did some comparison between the different Windows versions and the patch results:

     On our original corporate CD the folder I386\ASMS\60 is completely missing; in fact, there are a few folders less:

         16.07.2007 14:09 <DIR> 7000
         16.07.2007 14:09 <DIR> 6000
         16.07.2007 14:09 <DIR> 5100
         16.07.2007 14:09 <DIR> 1000

     After applying service pack 2 it looks like:

         23.08.2007 10:20 <DIR> 1
         23.08.2007 10:20 <DIR> 10
         23.08.2007 10:20 <DIR> 1000
         23.08.2007 10:20 <DIR> 2
         23.08.2007 10:20 <DIR> 5100
         23.08.2007 10:20 <DIR> 52
         23.08.2007 10:20 <DIR> 60
         23.08.2007 10:20 <DIR> 6000
         23.08.2007 10:20 <DIR> 70
         23.08.2007 10:20 <DIR> 7000

     Content of I386\ASMS\60\MSFT\WINDOWS\COMMON\CONTROLS:

         04.08.2004 00:54 1.050.624 comctl32.dll
         04.08.2004 01:47     7.433 controls.cat
         04.08.2004 01:20     1.862 controls.man

     On our normal Windows XP Pro CD (some OEM CD from IBM) all the folders in ASMS exist before applying SP2. The content of I386\ASMS\60\MSFT\WINDOWS\COMMON\CONTROLS is:

         04.08.2004 06:00   423.749 COMCTL32.DL_
         04.08.2004 06:00     4.831 CONTROLS.CA_
         04.08.2004 06:00     1.862 CONTROLS.MAN

     After applying SP2 it looks like this:

         04.08.2004 00:54 1.050.624 comctl32.dll
         04.08.2004 06:00   423.749 COMCTL32.DL_
         04.08.2004 01:47     7.433 controls.cat
         04.08.2004 06:00     4.831 CONTROLS.CA_
         04.08.2004 01:20     1.862 CONTROLS.MAN

     I think there is my first problem, since those files don't actually belong there on an unpatched clean Windows XP CD. After hfslip 1.5.0 is done, I386\ASMS\60\MSFT\WINDOWS\COMMON\CONTROLS looks like this:

         25.08.2006 08:46 1.054.208 comctl32.dll
         04.08.2004 06:00   423.749 COMCTL32.DL_
         25.08.2006 18:44     8.339 controls.cat
         04.08.2004 06:00     4.831 CONTROLS.CA_
         25.08.2006 17:56     1.862 CONTROLS.MAN

     The compressed files have not changed. Hfslip 1.6.2 in contrast cares only about the compressed files:

         04.08.2004 00:54 1.050.624 comctl32.dll
         28.08.2007 14:19   424.633 COMCTL32.DL_
         04.08.2004 01:47     7.433 controls.cat
         28.08.2007 14:19     5.773 CONTROLS.CA_
         25.08.2006 17:56     1.862 CONTROLS.MAN

     I think first of all I have to clean up my sources or find another (really clean) Windows XP CD. But I think it would be wise to check if both compressed and uncompressed files exist, in case someone else works with a somehow modified OEM CD. I haven't checked, but I imagine that the other folders in \I386\ASMS might look the same.

     Cheers, Christian
  2. Hello, I switched from version 1.5.0 to 1.6.2 and now the installation fails with a "fatal error" in catalog manifest in the file: "I386\ASMS\60\MSFT\WINDOWS\COMMON\CONTROLS\CONTROLS.MAN". I double-checked the situation; the only thing I changed was the version of hfslip (when I changed it back, it worked again). The funny thing is: I tried it with two different sources (XP-Pro-SP2 and XP-Pro-SP2-corp.); with 1.5.0 both versions result in a working installation CD, with 1.6.2 only the XP-Pro-SP2-corp. CD works. The output in hfslip.log is essentially the same.

         HFSLIP Version    - 1.5.0 build 70607
         HFSLIP Path       - D:\xp-cd-bau\HFSlip.tmp\
         OS in SOURCESS    - XP SP2 German
         Drivers           - DRIVER.CAB Updated
         CD Install Path   - Default
         CDTAG             - WIN51
         ===============================================================================
         Files in your FIX folder:
         WINNT.SIF

         Files in your HF folder:
         IE7-WindowsXP-KB937143-x86-DEU.exe
         IE7-WindowsXP-KB938127-x86-DEU.exe
         IE7-WindowsXP-x86-deu.exe
         msxml2sp6-kb887606-x86-deu.exe
         msxml4-KB936181-deu.exe
         msxml6-KB933579-deu-x86.exe
         rootsupd_b3d86436bbab3dc3158abfac8e87611ef0c53d07.exe
         WindowsInstaller-KB893803-v2-x86.exe
         Windows-KB890830-V1.32.exe
         Windows-KB909520-v1.000-x86-DEU.exe
         WindowsMedia11-KB929399-v2-x86-intl.exe
         WindowsMedia11-KB936782-x86-DEU.exe
         WindowsMedia6-KB925398-x86-DEU.exe
         WindowsMedia-KB911564-x86-DEU.exe
         WindowsUpdateAgent30-x86.exe
         WindowsXP-KB873339-x86-DEU.exe
         WindowsXP-KB885835-x86-DEU.exe
         WindowsXP-KB885836-x86-DEU.exe
         WindowsXP-KB886185-x86-deu.exe
         WindowsXP-KB887472-x86-deu.exe
         WindowsXP-KB888302-x86-DEU.exe
         WindowsXP-KB890046-x86-DEU.exe
         WindowsXP-KB890859-x86-DEU.exe
         WindowsXP-KB891781-x86-DEU.exe
         WindowsXP-KB893756-x86-DEU.exe
         WindowsXP-KB894391-x86-DEU.exe
         WindowsXP-KB896358-x86-DEU.exe
         WindowsXP-KB896423-x86-DEU.exe
         WindowsXP-KB896428-x86-DEU.exe
         WindowsXP-KB898461-x86-DEU.exe
         WindowsXP-KB899587-x86-DEU.exe
         WindowsXP-KB899591-x86-DEU.exe
         WindowsXP-KB900485-v2-x86-DEU.exe
         WindowsXP-KB900725-x86-DEU.exe
         WindowsXP-KB901017-x86-DEU.exe
         WindowsXP-KB901214-x86-DEU.exe
         WindowsXP-KB902400-x86-DEU.exe
         WindowsXP-KB904706-v2-x86-DEU.exe
         WindowsXP-KB904942-v2-x86-DEU.exe
         WindowsXP-KB905414-x86-DEU.exe
         WindowsXP-KB905474-ENU-x86-Standalone.exe
         WindowsXP-KB905749-x86-DEU.exe
         WindowsXP-KB908519-x86-DEU.exe
         WindowsXP-KB908531-v2-x86-DEU.exe
         WindowsXP-KB910437-x86-DEU.exe
         WindowsXP-KB911280-v2-x86-DEU.exe
         WindowsXP-KB911562-x86-DEU.exe
         WindowsXP-KB911927-x86-DEU.exe
         WindowsXP-KB913580-x86-DEU.exe
         WindowsXP-KB914388-x86-DEU.exe
         WindowsXP-KB914389-x86-DEU.exe
         WindowsXP-KB914440-v12-x86-DEU.exe
         WindowsXP-KB916595-x86-DEU.exe
         WindowsXP-KB917953-x86-DEU.exe
         WindowsXP-KB918118-x86-DEU.exe
         WindowsXP-KB918439-x86-DEU.exe
         WindowsXP-KB919007-x86-DEU.exe
         WindowsXP-KB920213-x86-DEU.exe
         WindowsXP-KB920342-x86-DEU.exe
         WindowsXP-KB920670-x86-DEU.exe
         WindowsXP-KB920683-x86-DEU.exe
         WindowsXP-KB920685-x86-DEU.exe
         WindowsXP-KB920872-x86-DEU.exe
         WindowsXP-KB921503-x86-DEU.exe
         WindowsXP-KB922582-x86-DEU.exe
         WindowsXP-KB922819-x86-DEU.exe
         WindowsXP-KB923191-x86-DEU.exe
         WindowsXP-KB923414-x86-DEU.exe
         WindowsXP-KB923980-x86-DEU.exe
         WindowsXP-KB924270-x86-DEU.exe
         WindowsXP-KB924667-x86-DEU.exe
         WindowsXP-KB925720-x86-DEU.exe
         WindowsXP-KB925876-X86-DEU.EXE
         WindowsXP-KB925902-x86-DEU.exe
         WindowsXP-KB926255-x86-DEU.exe
         WindowsXP-KB926436-x86-DEU.exe
         WindowsXP-KB927779-x86-DEU.exe
         WindowsXP-KB927802-x86-DEU.exe
         WindowsXP-KB927891-v3-x86-DEU.exe
         WindowsXP-KB928255-x86-DEU.exe
         WindowsXP-KB928843-x86-DEU.exe
         WindowsXP-KB929123-x86-DEU.exe
         WindowsXP-KB930178-x86-DEU.exe
         WindowsXP-KB930916-x86-DEU.exe
         WindowsXP-KB931261-x86-DEU.exe
         WindowsXP-KB931784-x86-DEU.exe
         WindowsXP-KB931836-x86-DEU.exe
         WindowsXP-KB932168-x86-DEU.exe
         WindowsXP-KB935839-x86-DEU.exe
         WindowsXP-KB935840-x86-DEU.exe
         WindowsXP-KB936021-x86-DEU.exe
         WindowsXP-KB936357-x86-DEU.exe
         WindowsXP-KB938828-x86-DEU.exe
         WindowsXP-KB938829-x86-DEU.exe
         wmp11-windowsxp-x86-DE-DE.exe

         Files in your HFCABS folder:
         Apr2005_d3dx9_25_x86.cab
         Apr2006_d3dx9_30_x86.cab
         APR2007_d3dx10_33_x86.cab
         APR2007_d3dx9_33_x86.cab
         Aug2005_d3dx9_27_x86.cab
         Dec2005_d3dx9_28_x86.cab
         DEC2006_d3dx10_00_x86.cab
         DEC2006_d3dx9_32_x86.cab
         Feb2005_d3dx9_24_x86.cab
         Feb2006_d3dx9_29_x86.cab
         IEAWSDC.CAB
         IUCTL.CAB
         Jun2005_d3dx9_26_x86.cab
         JUN2007_d3dx10_34_x86.cab
         JUN2007_d3dx9_34_x86.cab
         LegitCheckControl.cab
         MuCatalogWebControl.cab
         MUWEB_SITE.CAB
         OCT2006_d3dx9_31_x86.cab
         OGAControl.cab
         OPUC4.CAB
         swflash.cab

         Files in your HFSVCPACK folder:
         DNF11.exe
         DNF20.exe

         Files in your HFSVCPACK_SW1 folder:
         MBSASetup-2.0.1-DE.msi
         Messenger_5.1.0.706_de.msi
         UPHClean-Setup.msi

         Files in your HFSVCPACK_SW2 folder:

         Files in your HFGUIRUNONCE folder:
         DNF30.exe

         Files in your HFTOOLS folder:
         bbie.exe
         bbie.lic
         BOOT.BIN
         CDIMAGE.EXE
         cmdow.exe
         cygwin1.dll
         HFANSWER.INI
         mkisofs.exe
         modifyPE.exe

         Files in your HFCLEANUP folder:
         ===============================================================================
         HFSLIP run time: 21m42s

     Cheers, Christian
  3. OK, I snipped off the first MB and sent it to virus-total since clamav just scanned 0.13MB and found that trojan. Here are the results - what do you think?

         AhnLab-V3          2007.8.2.0    2007.08.01  -
         AntiVir            7.4.0.54      2007.08.01  -
         Authentium         4.93.8        2007.08.01  -
         Avast              4.7.1029.0    2007.08.01  -
         AVG                7.5.0.476     2007.08.01  -
         BitDefender        7.2           2007.08.01  -
         CAT-QuickHeal      9.00          2007.08.01  -
         ClamAV             0.91          2007.08.01  Trojan.Downloader.Zlob-545
         DrWeb              4.33          2007.08.01  -
         eSafe              7.0.15.0      2007.07.31  suspicious Trojan/Worm
         eTrust-Vet         31.1.5024     2007.08.01  -
         Ewido              4.0           2007.08.01  -
         FileAdvisor        1             2007.08.01  -
         Fortinet           2.91.0.0      2007.08.01  -
         F-Prot             4.3.2.48      2007.08.01  -
         F-Secure           6.70.13030.0  2007.08.01  -
         Ikarus             T3.1.1.8      2007.08.01  Trojan-Downloader.Win32.Zlob.ni
         Kaspersky          4.0.2.24      2007.08.01  -
         McAfee             5087          2007.07.31  -
         Microsoft          1.2704        2007.08.01  -
         NOD32v2            2430          2007.07.31  error occurred while reading archive
         Norman             5.80.02       2007.08.01  -
         Panda              9.0.0.4       2007.08.01  Suspicious file
         Prevx1             V2            2007.08.01  -
         Rising             19.34.22.00   2007.08.01  -
         Sophos             4.19.0        2007.08.01  -
         Sunbelt            2.2.907.0     2007.08.01  -
         Symantec           10            2007.08.01  -
         TheHacker          6.1.7.160     2007.08.01  -
         VBA32              3.12.2.2      2007.07.31  -
         VirusBuster        4.3.26:9      2007.08.01  -
         Webwasher-Gateway  6.0.1         2007.08.01  Win32.ModifiedUPX.gen!84 (suspicious)

     If this is really a trojan-downloader, it's either a good one, or most of the scanners are really crap, since Zlob-545 is from 2006 and less than 20 percent found it.

     Chris
  4. Does not work, virus-total rejects the file because it is too big (about 20MB). But thank you for the suggestion. Chris
  5. There are several things you can do: Don't use the disk at school ;-) Disable autostart for all drives on your PC at home, change your explorer view to show you ALL files, even hidden and system files, and watch out for those autostart files and remove them from your disk. Scan your disk with a very good and updated antivirus software every time you get home (don't use sophos - it's the worst scanner I know). As long as no code is executed, a virus can reside on your hdd without harming your PC, just be careful with the files you exchange. Some disks can be write-protected, but Windoofs does not like this, and you won't be able to write data to it at school. Use Linux/BSD/MacOS at home and don't bother with Viruses/Trojans/Spyware etc. Greetings, Chris
  6. Hi there, I found this trojan loader in the recent Codec-Pack from Cole2k (done with clamav):

         Scan Started Mon Jul 30 23:13:27 2007
         -------------------------------------------------------------------------------
         D:\Users\cs\Desktop\Cole2k.Media.-.Codec.Pack.V6.0.9.-Advanced-.32Bit.Setup.exe: Trojan.Downloader.Zlob-545 FOUND

         ----------- SCAN SUMMARY -----------
         Known viruses: 141644
         Engine version: 0.91.1
         Scanned directories: 0
         Scanned files: 1
         Skipped non-executable files: 0
         Infected files: 1
         Data scanned: 0.13 MB
         Time: 2.719 sec (0 m 2 s)
         --------------------------------------
         Completed
         --------------------------------------

     The download is from www.cole2k.net directly. Since the guys from cole2k do not seem to be interested in such warnings (no valid email address on the page, the forum registration does not work), I am trying some more serious forums to post this. Please post this warning in other forums you know.

     Best regards, Chris
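
Added example, not part of the posts above: a small parser for the clamscan report in post 6 that extracts the detections and relates the engine's "Data scanned" figure to the file size, the gap the follow-up posts point out (0.13 MB scanned of an installer of about 20 MB). The function names are hypothetical and the 20 MB size is an assumption taken from the "about 20MB" remark.

```python
import re

# Scan log quoted in post 6, re-broken into lines and trimmed.
SAMPLE_LOG = r"""Scan Started Mon Jul 30 23:13:27 2007
D:\Users\cs\Desktop\Cole2k.Media.-.Codec.Pack.V6.0.9.-Advanced-.32Bit.Setup.exe: Trojan.Downloader.Zlob-545 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 141644
Engine version: 0.91.1
Scanned files: 1
Infected files: 1
Data scanned: 0.13 MB
Time: 2.719 sec (0 m 2 s)
"""

FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z -]+): (?P<value>.+)$")
MB = 1024 * 1024

def parse_clamscan_report(text):
    """Split a clamscan report into per-file detections and summary fields."""
    detections, summary, in_summary = [], {}, False
    for line in map(str.strip, text.splitlines()):
        if "SCAN SUMMARY" in line:
            in_summary = True
        elif in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m["key"]] = m["value"]
        else:
            m = FOUND_RE.match(line)
            if m:
                detections.append((m["path"], m["sig"]))
    return {"detections": detections, "summary": summary}

def triage(report, file_size_bytes):
    """Relate the verdict to how much data the engine reported scanning."""
    summary = report["summary"]
    scanned_bytes = float(summary["Data scanned"].split()[0]) * MB
    flagged_paths = {path for path, _ in report["detections"]}
    return {
        "signatures": sorted({sig for _, sig in report["detections"]}),
        "scanned_fraction": scanned_bytes / file_size_bytes,
        # The summary counter should agree with the FOUND lines; a mismatch
        # means the log was truncated or edited.
        "counts_consistent": int(summary["Infected files"]) == len(flagged_paths),
    }

if __name__ == "__main__":
    # Assumption: 20 MB stands in for the "about 20MB" installer size.
    print(triage(parse_clamscan_report(SAMPLE_LOG), 20 * MB))
```

A scanned fraction this small means the verdict rests on the first part of the file only, which is worth recording next to the signature name when the sample is passed to other scanners for a second opinion.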