glnz (Author), posted May 28, 2017, edited May 28, 2017 by glnz

den - I have an idea! If you were to compare our last XP-valid mrt.exe (from August 2016) to this new one, would the comparison show other changes/differences you could undo in the new one to get it to work? I don't have the savvy, but you do.

glnz (Author), posted May 28, 2017, edited May 28, 2017 by glnz

PKCano just wrote:
> Other than it’s running in a Parallels VM, as far as I know it’s a standard install.

glnz (Author), posted May 28, 2017, edited May 28, 2017 by glnz

PKCano sent me a PM:
> @glnz Just to let you know what I’ve done since last post: I pulled out my laptop that has the other XP VM to see if I had the same results with MSRT. Thought it might be something that Parallels was doing in the VM. Same procedure to download and save to the desktop. It DID NOT run, with the same “it’s not a valid Win32 program” that you all have been getting. Then I went back in the desktop VM and tried to run it again – with the same failure. I don’t know what the quirk was the first time, because it DID run. I can’t reproduce it now. Letting you know that you aren’t mistaken and I’m evidently not some miracle worker. It had to be some fluke.
> PKCano

So it was just another FALSE ALARM.

dencorso, posted May 29, 2017

8 hours ago, glnz said:
> den - I have an idea! If you were to compare our last XP-valid mrt.exe (from August 2016) to this new one, would the comparison show other changes/differences you could undo in the new one to get it to work? I don't have the savvy, but you do.

Maybe. Then again, it's a signed file: if it checks for a valid signature before running, it's no go. So, before anything, we'd have to find out whether it can run on one of the OSes it likes (say, 7 x86, for instance) after being stripped of the signature. In case it does, then it's possible to do. But is it worth it? IMO, no. MSE works. Malwarebytes anti-malware works. Clam antivirus works. Other similar software does work, too. Ain't that enough?

submix8c, posted May 29, 2017

@Winfried - additionally...
https://web.archive.org/web/20160103165653/http://www.pcdisktools.com/download/PCRegedit.iso
It's a (in essence) LiveLinux.

erpdude8, posted May 30, 2017

On 5/14/2017 at 4:23 AM, Dave-H said:
> Interesting that bulletin still lists Vista as a supported OS. I thought support for that ended a month ago! Vista users should still have had the patch back in March though. Are there any instances of machines on current fully patched operating systems being affected by the exploit? I'd be surprised if Windows 10 was affected, because as we all know, you can't avoid getting patched on that, unless you make a deliberate decision to prevent it! Let's hope that the next evolution of the malware is blocked before it has a chance to strike.

the WannaCry ransomware only infects Win7 based computers and NOT XP machines (whether KB4012598 for XP is installed or not):
https://www.askwoody.com/2017/the-original-wannacry-does-not-infect-windows-xp-boxes/

erpdude8, posted May 30, 2017, edited May 30, 2017 by erpdude8

On 5/16/2017 at 0:56 AM, Winfried said:
> After reading more about this hack, I'm having second thoughts, and would rather remove it.

it's not a good idea to remove the posready registry entries after installing any posready specific updates - that will prevent installation of posready specific updates on your XP computer after removing the posready keys. best to leave the posready reg key alone

patclash, posted June 2, 2017

On 21/05/2017 at 2:22 AM, heinoganda said:
> POSReady 2009 KB4018556 no longer available via WSUS catalog! KB4018556 seems occasionally to cause problems, appears to have been withdrawn for now. In the context of KB4018556 there seems to be problems with Server 2003 (Technet Forum).

Hi, I got it this morning as automatic update

heinoganda, posted June 2, 2017, edited June 2, 2017 by heinoganda

1 hour ago, patclash said:
> Hi, I got it this morning as automatic update

KB4018556 has been revised and is now available as KB4018556-v2! (POSReady 2009 KB4018556-v2 via WSUS catalog)

Info: In the WSUS catalog, all possible language variants are now offered at the download, with the web browser Firefox or Google Chrome. Miracles still happen!

Mathwiz, posted June 2, 2017

Good! Downloaded & installed. Now if M$ would just fix the EsteemAudit vulnerability (since it affects XP and Server 2003, it's a good bet it affects POSReady '09 too)....

heinoganda, posted June 3, 2017

Reading about EsteemAudit: https://researchcenter.paloaltonetworks.com/2017/05/unit42-dissection-esteemaudit-windows-remote-desktop-exploit/

Possible Countermeasure:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
    "fEnableSmartCard"=dword:00000000

To test: https://github.com/BlackMathIT/Esteemaudit-Metasploit

glnz (Author), posted June 3, 2017

So is all good with this new KB4018556? Mathwiz - you OK?

glnz (Author), posted June 3, 2017, edited June 3, 2017 by glnz

Mathwiz and heinoganda - For those of us with typical XP machines at home or small offices - workgroup, not domain - do we need to worry about EsteemAudit?

Heinoganda - your researchcenter article has a comment at bottom that non-domain PCs need not worry.

My system32 folder has these files: scardsvr.exe, scarddlg.dll, scardssp.dll and winscard.dll.

In services.msc, my Smart Card service is set to "Manual".

In regedit, the key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] has nothing in it - no entries at all.

In Accessories, Control Panel and Open Network Connections, I have not found anything related to Smart Cards.

Thanks.

PS - you both OK after installing the new KB4018556?

heinoganda, posted June 3, 2017, edited June 3, 2017 by heinoganda

1 hour ago, glnz said:
> In regedit, the key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] has nothing in it - no entries at all.

The entry does not exist, but if this key is entered, the smart card authentication is disabled in RDP and thus the authentication at EsteemAudit is stopped. Specifically, it is about a vulnerability in the file gpkrsrc.dll (resources for Gemplus cryptographic service providers). This makes EsteemAudit ineffective. Even I use RDP to access some computers in the internal network.

KB4018556 (KB4018556-v2) works perfectly for me, no problems.

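Added example, not part of any post in this thread: a check that reads the text of a .reg export and reports whether the fEnableSmartCard value from heinoganda's post is present and set to 0, distinguishing glnz's case (key present, no entries) from the applied countermeasure. The function names, state labels and sample exports are constructed for illustration.

```python
import re

# Key and value named in heinoganda's post.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
VALUE_NAME = "fEnableSmartCard"

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

# Constructed sample exports (not taken from any real machine).
HEADER = "Windows Registry Editor Version 5.00\n\n"
EMPTY_KEY_EXPORT = HEADER + "[" + POLICY_KEY + "]\n"  # key exists, no entries
APPLIED_EXPORT = EMPTY_KEY_EXPORT + '"fEnableSmartCard"=dword:00000000\n'


def parse_reg(text):
    """Parse .reg text into {key: {value_name: int}}, dword values only.

    Key and value names are lower-cased because the registry treats
    them case-insensitively.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        section = SECTION_RE.match(line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        dword = DWORD_RE.match(line)
        if dword and current is not None:
            current[dword.group(1).lower()] = int(dword.group(2), 16)
    return keys


def smartcard_policy_state(text):
    """Return 'key-missing', 'value-missing', 'set-to-0' or 'set-nonzero'."""
    values = parse_reg(text).get(POLICY_KEY.lower())
    if values is None:
        return "key-missing"
    if VALUE_NAME.lower() not in values:
        return "value-missing"
    return "set-to-0" if values[VALUE_NAME.lower()] == 0 else "set-nonzero"


if __name__ == "__main__":
    for label, export in (("empty key", EMPTY_KEY_EXPORT), ("applied", APPLIED_EXPORT)):
        print(label, "->", smartcard_policy_state(export))
```

Only the state "set-to-0" corresponds to the countermeasure as posted; an empty key, as glnz describes, reports "value-missing".
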
glnz (Author), posted June 3, 2017

heinoganda - I just installed KB4018556, and it also solved a problem I was having. This morning, my CD-DVD unit had an error! in Device Manager, it was not showing in Explorer, I couldn't fix it, but after installing KB4018556, that is fixed. Same for a virtual CD function in my Western Digital external drive - exact same symptoms and fix. Very nice !!!! Thanks, as always.