Missing Windows update reported as a vulnerability by TMH and Bela

 
 
Hugo_Pt
Guest
Posts: n/a

 
      10-18-2007
Hello.
Trend Micro Housecall reported as a vulnerability in my system the missing
update 'Vulnerability in Microsoft JScript Could Allow Remote Code Execution
(917344)'. See this screenshot:
http://forum.avast.com/index.php?act...0;attach=18579
The link on the Housecall report directs to the Microsoft Security Bulletin
MS06-023, published on June 13, 2006. In the same Bulletin, under 'Affected
components', the one that corresponds to my OS is 'Microsoft JScript 5.6 on
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2'.
In Windows Control Panel>Add and Remove programs.
I also downloaded and installed the utility 'Belarc Advisor', available at
http://www.belarc.com/. It also detected the same vulnerability in my system:

«Installed Microsoft Hotfixes
....
X KB917344 on 06-08-2007 (details...) Reinstall!»

I searched through all of my Windows updates installed and didn't find
KB917344. I also went to the Microsoft Update website and it doesn't detect any
priority update missing in my system.

I don't know if I should install this update manually, alone or with
'Cumulative Security Update for Internet Explorer (916281)' - see Caveats in
Microsoft Security Bulletin MS06-023. Question is, since these updates were
published in June 2006, how do I know if I have installed a more recent
Windows update or Windows component which replaces the missing updates, and
are they really necessary? Is there the risk that they may deactivate or
conflict with an already installed update? Why aren't they detected as
priority updates to download in the Microsoft Update website?
 
 
 
 
 
MowGreen [MVP]
Guest
Posts: n/a

 
      10-19-2007
> Question is, since these updates were
>> published on June 2006, how do i know if i have installed a more recent
>> Windows update or Windows component which replace the missing updates, and
>> are they really necessary? Is there the risk that they may deactivate or
>> conflict with an already installed update? Why aren't they detected as
>> priority updates to download in the Microsoft Update website?


Check the version of jscript.dll located in WINDOWS\system32
If it is at V.5.6.0.8831, then KB917344 is installed.
You can also check in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB917344\Filelist
There should be 3 subfolders under Filelist, 0,1, and 2

If the version of jscript.dll is not 5.6.0.8831, then suggest you
reinstall KB917344:
http://www.microsoft.com/downloads/d...3-939FD5D3CDE6

As to the Cumulative Update for IE, it is just that, cumulative. If
KB939653 is installed [the latest Cumulative update for IE] then there
is no need to install KB916281.

Did you delete folders from/or have you deleted WINDOWS\$hf_mig$ ?
That *may* be why the updates are detected as not being applied by TMH
and Belarc.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============



 
Hugo_Pt
Guest
Posts: n/a

 
      10-20-2007
CORRECTED in post #1: In Windows Control Panel>Add and remove programs, I
searched through all of my Windows updates installed and didn't find
KB917344. I also went to the Microsoft Update website and it doesn't detect any
priority update missing in my system.
ADDED to post #1: Don't know if it's relevant to this thread, but my OS is
Windows XP Home, Service Pack 2 (Build 2600), and I have Internet Explorer 7.
_______________________________________________
Thank you, MowGreen. I was glad to see your reply. I believe it will be
meaningful for the resolution of this problem.
I searched and found the file jscript.dll in WINDOWS\system32. I
right-clicked it, selected properties, and checked its version: it’s V.
5.6.0.8825, not V. 5.6.0.8831.
However, I think that the Windows registry does not match my jscript.dll
version. I checked HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows
XP\SP3\KB917344\Filelist. Under Filelist, I have 3 subfolders: 0, 1, and 2.
If I click each of these subfolders, I see in the last line of the right pane:
Version REG_SZ 5.6.0.8831
I exported the registry branch, opened it with Notepad, and copied it. I’m
pasting it here:

«Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB917344\Filelist]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB917344\Filelist\0]
"FileName"="jscript.dll"
"Version"="5.6.0.8831"
"BuildDate"="Thu May 18 06:31:27 2006"
"BuildCheckSum"="74cd3"
"Location"="C:\\WINDOWS\\system32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB917344\Filelist\1]
"FileName"="jscript.dll"
"Version"="5.6.0.8831"
"BuildDate"="Thu May 18 06:31:27 2006"
"BuildCheckSum"="74cd3"
"Location"="C:\\WINDOWS\\system32\\DllCache"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB917344\Filelist\2]
"FileName"="jscript.dll"
"Version"="5.6.0.8831"
"BuildDate"="Thu May 18 06:46:54 2006"
"BuildCheckSum"="73b06"
"Location"="c:\\windows\\$hf_mig$\\KB917344\\SP2QFE"»

I believe that my Windows registry keys correspond to version 5.6.0.8831,
and not to the version I have, and perhaps that’s the reason why the
Microsoft Update website doesn’t prompt me to install KB917344. Is this right
? Should I download and reinstall manually KB917344 ?

There’s another thing I haven’t told in post#1: Belarc Advisor but not TM
Housecall failed also the verification of the last IE7 cumulative update
KB939653. However, I searched in Control Panel>Add/Remove Programs and I
found it under ‘Windows Internet Explorer 7 – Software Updates’. I think it’s
probably a false detection of security vulnerability by Belarc. But how can I
confirm if KB939653-IE7 is correctly installed in my system ?

Finally, and answering to your last question, I didn’t delete any folders
from nor have deleted WINDOWS\$hf_mig$.
Any help is appreciated.

Hugo_Pt


 
 
MowGreen [MVP]
Guest
Posts: n/a

 
      10-20-2007
Check system32\dllcache for the Version of jscript.dll, please. It
appears that 'something' did not allow the file to be updated but did
allow the change in the registry.
If the copy of jscript.dll is V. 5.6.0.8831 then see if you can copy it
over to WINDOWS\system32 and replace the older V.

If the V. in system32/dllcache is the older one, then yes, reinstall the
update. Make sure that THM is temporarily disabled prior to installing
it, including any service that monitors the system.
Remember to reenable THM after installing the update.

As for the IE Cumulative Update, you can compare file versions of the
system with the file versions of the update here:
http://www.microsoft.com/technet/sec.../MS07-057.mspx

Under 'Update Information', click the plus sign next to 'Security Update
Deployment'
Then click on 'Windows XP (all editions)' and, finally, 'File Information'
It's a rather long list and the page is loading slowly here.

There is a Known Issue with some AVs in regards to the update that
states that IE 7 can not display web pages:
http://support.microsoft.com/kb/942818

It is possible that the update did not install properly. So, suggest you
uninstall it, reboot, redownload it from here, and do the temp disabling
of THM prior to installing it, too:
http://www.microsoft.com/downloads/d...A-CB3E0A36D8B5

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============


 
Hugo_Pt
Guest
Posts: n/a

 
      10-20-2007
I can't find system32\dllcache! Is it a subfolder of C:\Windows\system32? I
searched the entire hard drive for it.
Can you please specify what you mean by 'THM' and 'AVs'? Sorry about my
lack of knowledge. I'm just a regular user ;-)
 
MowGreen [MVP]
Guest
Posts: n/a

 
      10-22-2007
No problemo. I 'meant' TMH ... Trend Micro Housecall, not THM.
AVs means antivirus software ...
In order to view the dllcache folder you will have to show hidden files,
folders, and system files:
http://www.bleepingcomputer.com/tuto...l62.html#winxp

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============


 
Hugo_Pt
Guest
Posts: n/a

 
      10-22-2007
OK, while I was waiting for your last reply, I did a Google search on
"dllcache" and found that to access the dllcache folder, I only had to click
on the 'Start' button, then 'Run' and type C:\Windows\system32\dllcache. That
worked. In there, I found a jscript.dll file. It is v. 5.6.0.8825, so I'm
gonna download and install manually the KB917344 update.

About TMH, I've used the Java-based Housecall kernel (not the "Browser
plug-in" Housecall kernel), so that Housecall could run on my system and scan
it. I don't know how to disable or uninstall it. But since Housecall is just
an online scanner, it is used only "on-demand", it doesn't permanently
monitor my system. Do I really have to disable it?
I only used TMH once, to complement my installed antivirus application, and
scan a suspicious file in my system.

About KB939653-IE7, before starting this thread, I already uninstalled and
reinstalled it (through Microsoft Update site), but even after that, Belarc
Advisor still failed verification of that update, it couldn't find it
installed (although I could find it in "Add/Remove" programs). However, I
believe I didn't disable my avast AV before reinstalling the update.
I tried also to compare file versions in my system with the file versions of
the files contained in the update for only 2 or 3 files, using the 'File
Information' in
http://www.microsoft.com/technet/sec.../MS07-057.mspx (I'm not
willing to check the version for ALL the files listed under 'File Information' as
they're too many!). But it's difficult, because when I search in my system
for, say, advpack.dll, 11 files with the same filename appear in the search
results. Among them, advpack.dll located in C:\WINDOWS\ie7 is v.
6.0.2900.2180, but advpack.dll located in C:\WINDOWS\system32 is v.
7.0.6000.16544 (the latter matches the version of the one listed in MS07-057
bulletin). Isn't there a simpler way to do this, and verify if KB939653 is
correctly applied in my system?

Thanks in advance...
 
mae
Guest
Posts: n/a

 
      10-23-2007
For your information, with my IE7:
KB917344 does not show in the add/remove under Windows Updates.
That is because installation of IE7 hides it, as it updates the jscript.dll to
5.7.
Belarc does show for me as installed properly.


Check it here:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB917344]
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP3\\KB917344"
"HiddenByIE7Setup"=dword:00000001

Also examine the ie7.log and see if you have something like this:
IECUSTOM: Hiding update 'KB917344' MS06-023: Vulnerability in Microsoft JScript
Copied file: C:\WINDOWS\system32\jscript.dll
Copied file (delayed): C:\WINDOWS\system32\SET73.tmp
Source:C:\WINDOWS\system32\SET73.tmp (5.7.0.5730)
Destination:C:\WINDOWS\system32\jscript.dll (5.6.0.8831)

The "C:\WINDOWS\ie7" folder is the uninstall IE7 information.
They represent your files they would restore.
They also show the jscript.dll that they would restore (should be v.5.6.08831)
The "C:\WINDOWS\ie7updates" folder shows current ie7updates.

I don't know what caused your problem but maybe this will help explain.
--
mae
 
MowGreen [MVP]
Guest
Posts: n/a

 
      10-23-2007
> But since Housecall is just
> an online scanner, it is used only "on-demand", it doesn't permanently
> monitors my system. Do i really have to disable it ?
> I only used TMH once, to complement my installed antivirus application, and
> scan a suspicious file in my system.


You do not have to disable TMH. You *should* disable the installed
antivirus software as apparently it has prevented jscript.dll from being
updated properly. Which AV is installed ?

Trend offers no guidance for uninstalling TMH, isn't that special <w>?
I played with the ActiveX and java based versions of it, but do not
recall specifically how I uninstalled both.
If it's not listed in Add/Remove Programs then look in the Documents and
Settings\All Users\Application Data subfolder or, in
Docs&Settings\<YourUserAccount>\Application Data,
Local Settings\Application Data, and Temp subfolders for a Trend folder.
Deleting the Trend folder will remove the download definition files.

As to the IE update ... once again, *strongly* advise you to disable the
installed antivirus software prior to installing it. Consult the Help
file or the manufacturer's web site to learn how this is accomplished.
ALL services of the installed AV should be temp disabled, too.

You can download a 'fresh' KB939653 from here:

Cumulative Security Update for Internet Explorer 7 for Windows XP
Service Pack 2 (KB939653)
http://www.microsoft.com/downloads/i...splayLang%3den

The files that are updated are located in system32. Don't worry about
the other ones, it's hard enough going over the Versions listed in system32.
Disabling the AV *should* allow the files to be updated to the proper
Version and allow the updating of jscript.dll.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============


 
Hugo_Pt
Guest
Posts: n/a

 
      10-23-2007
To mae:

I followed the instructions on
http://www.bleepingcomputer.com/tuto...l62.html#winxp , then
searched for ie7.log using the Windows search tool. The only file found in C:
containing 'ie7.log' in the filename was KB939653-IE7.log, located in
C:\WINDOWS. I opened it and searched for 'IECUSTOM' and 'jscript.dll' using
'CTRL+F', but found none of those words.

In "C:\WINDOWS\ie7updates", there is a subfolder "KB939653-IE7". In there, I
looked at the version number of 'Iexplore.exe', 'Advpack.dll', and 'Dxtrans.dll',
and none of them is v. 7.0.6000.16544, which is the right version number of
'Iexplore.exe', 'Advpack.dll', and 'Dxtrans.dll' contained in the
KB939653-IE7 update ("for Internet Explorer 7 for all supported 32-bit
editions of Windows XP"), according to Microsoft MS07-057 Bulletin. So, I
suppose that the files in "C:\WINDOWS\ie7updates\KB939653-IE7" are the ones
to be restored, replacing my present files in the case I uninstall KB939653.
Is that right?

Likewise: In "C:\WINDOWS\ie7", I have a jscript.dll file and it is
v.5.6.0.8831. So, if I uninstalled IE7, my jscript.dll file in
"C:\WINDOWS\system32" would be replaced by this version, right? But if you
say that the installation of IE7 updates jscript.dll to 5.7, then how would
you explain that presently, and having IE7 installed, my version of
jscript.dll in "C:\WINDOWS\system32" is only v.5.6.0.8825? Your jscript.dll
is version 5.7, right?

I believe my situation is different from yours...

And your post raises yet another problem: If I reinstall manually KB917344
as I intended, then my jscript.dll would become v.5.6.0.8831, but since I
have IE7 installed, it should be v.5.7. Isn't that so?

 
Reply With Quote
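
The check the thread works through by hand (registry Filelist entry versus the file actually on disk, with a newer file counting as superseding the patch), written out as an added example; it is not code from any poster. The registry text is the export posted above, the "observed" versions are the ones the posters reported and are typed in by hand, and all function and variable names are made up for illustration.

```python
import re

# Filelist branch as exported in the thread (wrapped key paths rejoined).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB917344\Filelist]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB917344\Filelist\0]
"FileName"="jscript.dll"
"Version"="5.6.0.8831"
"BuildDate"="Thu May 18 06:31:27 2006"
"BuildCheckSum"="74cd3"
"Location"="C:\\WINDOWS\\system32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB917344\Filelist\1]
"FileName"="jscript.dll"
"Version"="5.6.0.8831"
"BuildDate"="Thu May 18 06:31:27 2006"
"BuildCheckSum"="74cd3"
"Location"="C:\\WINDOWS\\system32\\DllCache"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB917344\Filelist\2]
"FileName"="jscript.dll"
"Version"="5.6.0.8831"
"BuildDate"="Thu May 18 06:46:54 2006"
"BuildCheckSum"="73b06"
"Location"="c:\\windows\\$hf_mig$\\KB917344\\SP2QFE"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
# The copy that is actually loaded; dllcache and $hf_mig$ are only backups.
LIVE_FILE = r'C:\WINDOWS\system32\jscript.dll'


def parse_filelist(reg_text):
    """Return one dict per numbered Filelist subkey of a .reg export."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = {}
            # Only Filelist\0, Filelist\1, ... describe files.
            if re.search(r'\\Filelist\\\d+$', m.group(1)):
                entries.append(current)
            continue
        m = VALUE.match(line)
        if m and current is not None:
            # .reg files escape backslashes inside string values.
            current[m.group(1)] = m.group(2).replace('\\\\', '\\')
    return entries


def version_tuple(text):
    """'5.6.0.8831' -> (5, 6, 0, 8831), so versions compare numerically."""
    return tuple(int(part) for part in text.split('.'))


def audit(entries, observed):
    """Compare what the registry records with versions seen on disk.

    observed maps a full path (any letter case) to the version string read
    from the file's properties. Result maps lower-cased path to a status.
    """
    seen = {path.lower(): ver for path, ver in observed.items()}
    report = {}
    for entry in entries:
        path = (entry['Location'] + '\\' + entry['FileName']).lower()
        want = version_tuple(entry['Version'])
        have = seen.get(path)
        if have is None:
            status = 'not-checked'
        elif version_tuple(have) == want:
            status = 'match'
        elif version_tuple(have) > want:
            status = 'newer'   # superseded by a later update (e.g. IE7)
        else:
            status = 'older'   # registry says patched, file is not
        report[path] = status
    return report


def live_file_patched(entries, observed):
    """The registry entry alone proves nothing; the live file decides."""
    return audit(entries, observed)[LIVE_FILE.lower()] in ('match', 'newer')


# Versions reported by Hugo_Pt (system32 and dllcache both at .8825).
HUGO = {LIVE_FILE: '5.6.0.8825',
        r'C:\WINDOWS\system32\dllcache\jscript.dll': '5.6.0.8825'}
# Version from mae's ie7.log excerpt (IE7 setup copied 5.7.0.5730).
MAE = {LIVE_FILE: '5.7.0.5730'}

if __name__ == '__main__':
    entries = parse_filelist(REG_EXPORT)
    for name, data in (('Hugo_Pt', HUGO), ('mae', MAE)):
        print(name, live_file_patched(entries, data), audit(entries, data))
```
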
 
 
 