What have you actually tried?
Any information at all would be nice.
--
--------------------------------
TaurArian [MVP] 2005-2009
Update Services
http://taurarian.mvps.org
What is the error message on the failed installation of the Windows
Installer, for example, click on the failed update and advise what the error
code is?
http://support.microsoft.com/kb/910337/en-us
Scroll to: Error 5: Access is Denied
> That's it, pretty much, here is what I got:
> KB942288-v3 setup could not backup registry key
> HKCR\{000C101D-0000-0000-C000-000000000046}\DllVersion to file
> C:\windows\$NtUninstallKB942288-v3$\reg00046. 5:Access is denied.
> That's it.
The above registry needs to have its Permissions changed.
KB942288-v3 refers to the files being installed by Windows Installer 4.5.
This location is where Windows Installer writes to the registry
regardless of Version:
HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046}
So, open the Registry editor. [ Start > Run > type in
regedit
Click OK or press Enter ]
Click the plus sign next to HKEY_CLASSES_ROOT
Scroll all the way down to CLSID
Click the plus sign next to that.
Scroll down to 000C101D-0000-0000-C000-000000000046
Right click 000C101D-0000-0000-C000-000000000046 and choose Permissions
Under Group or user names click on Administrators to highlight it and
then check to see if Permissions for Administrators shows
Full Control and Read.
Same for System.
Now click the Advanced button under Permissions for Administrators and
System.
Both Admin and Sys have 2 entries, one is inherited from
CLSID and one applies to the subkeys under
000C101D-0000-0000-C000-000000000046.
Is that what you're seeing, Terry ?
Please use the Export function before changing any Permissions here.
*Right* click 000C101D-0000-0000-C000-000000000046, click Export.
Name it Installer.reg and Save it to the Desktop for now.
Now scroll all the way up back to CLSID, right click it and choose
Permissions. SYSTEM and Administrators should show these Permissions:
Full Control
Read
For Advanced, under Applies to, it should show This key and subkeys and
NOT be inherited.
Close the registry editor.
We'll go over what you find prior to recommending any editing of
Permissions.
MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
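The permission check walked through in the post above can also be read out in one pass. This is an added example, not part of the original thread; it only reads the ACLs and changes nothing. It matches Administrators and SYSTEM by their well-known SIDs so it also works on non-English systems, and it includes the DllVersion subkey named in the error message.

```powershell
# Added example (read-only audit): report whether Administrators and SYSTEM hold
# Full Control on the keys discussed in this thread, and whether each entry is inherited.
$sids = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-18' = 'SYSTEM' }
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$keys = @(
    $clsid,
    "$clsid\{000C101D-0000-0000-C000-000000000046}",
    "$clsid\{000C101D-0000-0000-C000-000000000046}\DllVersion"
)
$full = [int][System.Security.AccessControl.RegistryRights]::FullControl
$inheritOnlyFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($key in $keys) {
    Write-Output $key
    try {
        $acl = Get-Acl -Path $key -ErrorAction Stop
    } catch {
        # Failing to read the ACL at all (for example "Access is denied") is a finding.
        Write-Output ("  cannot read ACL: {0}" -f $_.Exception.Message)
        continue
    }
    # Ask for explicit and inherited entries, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, $sidType)
    foreach ($sid in $sids.Keys) {
        $hasFull = $false
        foreach ($r in @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })) {
            # Inherit-only entries apply to subkeys, not to this key itself.
            $inheritOnly = [bool]($r.PropagationFlags -band $inheritOnlyFlag)
            $isFull = (([int]$r.RegistryRights -band $full) -eq $full)
            if ($r.AccessControlType -eq 'Allow' -and $isFull -and -not $inheritOnly) {
                $hasFull = $true
            }
            Write-Output ("  {0,-14} {1,-5} rights={2} inherited={3} inheritOnly={4}" -f `
                $sids[$sid], $r.AccessControlType, $r.RegistryRights, $r.IsInherited, $inheritOnly)
        }
        if (-not $hasFull) {
            Write-Output ("  WARNING: no Allow/FullControl entry on this key for {0}" -f $sids[$sid])
        }
    }
}
```

Run it from an elevated PowerShell prompt; entries that apply to subkeys only may print their rights as a raw number rather than as FullControl.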
> All that you asked me to check, was as you wrote. Only difference in entries
> was under Permissions for Administrators and system, there were two entries
> but labeled "classes_root\clsid" and the other was "parentobject". Other than
> that, everything else was normal.
To be totally clear on this, for
HKEY_CLASSES_ROOT\CLSID
the Permissions are inherited from here and are both Full and Read for
Administrators and System
For Advanced Perms, Administrators and System AND your User account
name, show Full Control and Read.
HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046}
Groups or user names: Administrators and System
Clicking Advanced perms shows:
2 listings of Administrators with the 2 entries you cited
2 listings of System with the 2 entries you cited, both with Full Control
We need to check the Security setting of the location for the backup
files of the update. See if this folder is present:
C:\windows\$NtUninstallKB942288-v3$ < ---- this folder
If it is, right click it and click Properties
Click the Security tab
Administrators and System should show all the boxes checked except for
Special Permissions
Then right click
C:\windows\$NtUninstallKB942288-v3$\reg00004 <-- this *file*
Check the settings by following the above steps, too.
If the settings are different, please change them.
--
blarn...@aim.com
I too am having this exact issue. Likewise, any suggestions greatly
appreciated.
--
bert_agt
Does that clear up any confusion ?
MowGreen [MVP 2003-2008]
> I did both a visual and computer search, there is no file under that name, I
> did look in hidden files also.
What about the folder, does it exist ?
C:\windows\$NtUninstallKB942288-v3$ <---- this one
How to show hidden files, folders, and *system files*
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
The file is a *system* file, Terry.
Hi MowGreen,
Permissions are set correctly on the
HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046} registry
entry. I am unable to access the permissions of the DllVersion subkey.
Clicking on it just results in a message "Access is denied....." and
likewise trying to change/view permissions is as futile... nothing is
displayed in the permissions list yet it is set to inherit permissions
from parent, and I cannot explicitly add any permissions. When clicking
'Apply' again same "Access is denied" error message.
I have tried exporting the entire key into a registry file and
re-importing it. I can export it successfully but importing it results
in access denied - only on the DllVersion sub key.
I have also deleted the {000C101D-0000-0000-C000-000000000046} from the
registry and then re-imported using the reg file mentioned above. Same
result. {000C101D-0000-0000-C000-000000000046} is restored,
{000C101D-0000-0000-C000-000000000046}\DllVersion is not. Access is
denied.
I have upgraded to Windows Installer v4.5 for XP SP3, still no joy.
I have checked that RPC and the Windows Installer services are set to
run as LocalSystem. They both are.
Have used regmon and see the access denied message when the Windows
Installer service is called when a setup program is called (either
installing or uninstalling windows installer based programs).
Have disabled all non-MSFT services and startup entries, rebooted,
still no joy.
It would appear the "XP Antispyware 2008" malware has left its mark on
Windows and the only solution is to reformat and reload all software
on.
Sorry for the rant, a tad frustrated :)
Any assistance appreciated.
Bert
After repeated failure to install V3 step one here fixed it for me :
http://support.microsoft.com/kb/943144
--
Terry in Help
Solving setup errors by using the SubInACL tool to repair file and
registry permissions
http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx
MowGreen [MVP 2003-2008]
> First let me say, thanks for all the help you are giving me. I can see a few
> people are having this problem....
> Now, even after showing all hidden files, per the instructions you sent me
> to, there is no "C:\windows\$NtUninstallKB942288-v3$" in my Windows
> directory. I conducted a search, looking in hidden and system files.
> Anything else to try?
>
haloterry *previously* wrote:
> I have XP Media but the trouble started after Norton remoted into my
> computer to fix viruses. Now I can't install anything because I get error
> messages on anything I try to install referring to the windows installer. I
> went to Microsoft to get a new version and it won't install, just stops and
> says it failed.
> -- Terry in Help
You could try repairing registry and file permissions using SubInACL:
Solving setup errors by using the SubInACL tool to repair file and
registry permissions
http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx
Sorry to tell you this but the best avenue now would be to format the HD
and reinstall MCE at this point. That's the only way to trust the system
after an infestation by malware and the attempted removal of same by the
Norton 'tech'. Who knows what the tech did or if they even got the
system totally cleaned up.
Check to see if the Windows Installer service is in a running state in
the services console. If it is, Stop it and see if you can access the
DllVersion subkey to check the Perms.
There's also the possibility that there's an issue with DCOM.
Will wait on that as the steps are a tad involved.
HijackThis Logs
http://aumha.net/viewforum.php?f=30
At the very least, we'll determine if the system has been cleaned up and
what damage was done.
MowGreen [MVP 2003-2008]
the solution for this problem is to remove a hidden PNP driver.
Open XP Device Manager.
Select "Show Hidden Devices" from Menu.
Open PNP Tree and look for a driver named like "swuurqlm.sys".
Disable or delete this driver and Reboot.
Voila.
Regards
Martin
Regarding uninstalling it from device manager, I had the problem return
again on the next reboot. For some reason it didn't remove the
corresponding file from %windir%\system32\drivers. To get the uninstall
to stick, I booted Safe Mode, deleted the file first, and then
uninstalled the entry in Device Manager.
Cheers
--
jacksonej1972
Are you trying to install the latest Version of Windows Installer and
has the system been compromised by malware, specifically, Antivirus
2008/09 ?
MowGreen [MVP 2003-2008]
>> Open PNP Tree and look for a driver named like "swuurqlm.sys".
You meant Non-Plug and Play Drivers, right ?
MowGreen [MVP 2003-2008]
Was it infected with the latest 'Antivirus 200x' malware ?
MowGreen [MVP 2003-2008]
> the solution for this problem is to remove a hidden PNP driver.
> Open XP Device Manager.
> Select "Show Hidden Devices" from Menu.
> Open PNP Tree and look for a driver named like "swuurqlm.sys".
> Disable or delete this driver and Reboot.
He meant Non-Plug and Play driver
*Right* click My Computer either on the Desktop or Start Menu and choose
Manage [ this is the Computer Management module ]
In the left frame, click the plus sign next to System Tools
Click on Device Manager
On the menu bar at the top, click View, Show hidden devices
Click the plus sign next to Non-Plug and Play Drivers
Look for a randomly named driver, such as the one Martin listed above,
swuurqlm.sys. When you locate any of such, go to Google and see if there
are any hits for it. IF *none* appear or all the hits lead to
anti-malware forums then that's the culprit.
Boot to Safe Mode to delete the malware-related driver.
It should be located in WINDOWS\system32.
IF there is *no* hidden driver [s], then suggest you stop the Windows
Installer service prior to another attempt at installing Windows
Installer 4.5.
The Services and Applications module is in Computer Management, the same
place that Device Manager is, Terry.
Look for it in the left frame.
IF you're having difficulty removing this 'driver', then suggest you
read this, and then post to the HijackThis Logs forum for expert
assistance: http://aumha.net/viewtopic.php?f=30&t=4075
Forum: http://aumha.net/viewforum.php?f=30
MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
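The manual hunt through Non-Plug and Play Drivers described in the post above can be narrowed down with a read-only listing. This is an added example, not part of the original thread; the function names and the "random-looking name" thresholds (6 to 10 letters, at most two vowels) are assumptions chosen to match names reported in this thread, and a hit is a lead to research, not proof.

```powershell
# Added example (read-only triage): list kernel and file-system driver services whose
# names look random AND whose file is missing or carries no vendor string.
function Resolve-DriverPath([string]$Name, [string]$ImagePath) {
    # With no ImagePath value, Windows defaults to System32\drivers\<name>.sys
    if (-not $ImagePath) { $ImagePath = "System32\drivers\$Name.sys" }
    # Strip the NT object-manager prefix \??\ if present.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath) -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-RandomLookingName([string]$Name) {
    # Assumed heuristic: letters only, 6-10 long, two vowels or fewer.
    if ($Name -notmatch '^[a-z]{6,10}$') { return $false }
    return ([regex]::Matches($Name, '[aeiou]', 'IgnoreCase').Count -le 2)
}

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, Type 2 = file-system driver; skip everything else.
        if (-not $svc -or @(1, 2) -notcontains $svc.Type) { return }
        $name = $_.PSChildName
        if (-not (Test-RandomLookingName $name)) { return }

        $path = Resolve-DriverPath $name $svc.ImagePath
        $exists = Test-Path -LiteralPath $path
        $company = $null
        if ($exists) {
            $company = (Get-Item -LiteralPath $path -Force).VersionInfo.CompanyName
        }
        # A file that exists and names its vendor is treated as a normal driver.
        if ($exists -and $company) { return }

        New-Object PSObject -Property @{
            Service = $name; Start = $svc.Start; FileFound = $exists; Path = $path
        }
    } | Format-Table Service, Start, FileFound, Path -AutoSize
```

An empty result only means nothing matched this heuristic; the hidden-devices view in Device Manager remains the reference check.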
If you need any recommendations as to what to do next, just ask CBNY01.
MowGreen [MVP 2003-2008]
First of all the Non PNP driver name is random - on my system it was ZJZRRRR
- which makes it easy to spot (fortunately!)
Secondly, for those that are confused by the existence, or otherwise, of the
"C:\windows\$NtUninstallKB942288-v3$" directory this is created when you run
the Windows Installer install program but gets removed afterwards.
On my system even after disabling the driver, removing the offending file
and re-booting, I still couldn't edit the DllVersion registry key but then,
suddenly, Norton popped up and re-discovered the offending file which seems
to have found its way back onto the system so beware. The filename was the
same in this case.
Once I was able to edit the registry key I thought I could then go ahead and
re-install the Windows Installer but it wasn't that simple. I tried this in
Safe mode and it appeared to work but still the installer was not working.
Starting the Installer server resulted in it stopping again straight away
which is not correct. Although this service is set to manual, it should
start, and stay running. The cure for this was to de-register and then
re-register the service. Please see; http://support.microsoft.com/kb/555175
for details of how to do this.
I now have this system working in all but one respect, the Win Installer
does not appear in the list of Add/Remove programs for some reason.
My final comment is that nowhere have I seen reference to what causes this
problem i.e. what virus or trojan can be accredited (if that's the right
word!) with this thorn in the side (polite version)? Any ideas?
Then you haven't looked very hard. It's mentioned in this thread and
numerous others that cite a disabled Automatic|Windows update service,
which apparently you can't see because you are using a "Web-based
newsreader". From the headers of your post:
> X-newsreader: Microsoft CDO for Windows 2000
The malware in question is Vundo/Virtumonde/Zlob.
The randomly named Non PnP 'driver' is a rootkit-like component.
> Secondly, for those that are confused by the existence, or otherwise, of the
> "C:\windows\$NtUninstallKB942288-v3$" directory this is created when you run
> the Windows Installer install program but gets removed afterwards.
No, that's incorrect. The subfolder you've cited is the UNinstall folder
for Windows Installer. There is no mention on either the Download page
nor the KB article that it can be uninstalled from Add/Remove Programs.
The previous version of Windows Installer could be uninstalled from ARP.
MowGreen [MVP 2003-2008]
thanks to everyone, this saved me...
also thanks for the headsup on rootkit analyzer...
btw, yeah it was infected with antivirus 2008, I have found everything
and removed it with hijackthis, then lost a lot of time to kill
nortons s**t and then install new antivirus - can't? - wtf - registry
corrupted - search around the net
I should have realized it myself - when in safe mode registry works
ok, when in normal mode it does not
anyway thanks again
Boris
THANKS! I spent about 12 hours on this problem, tried everything,
couldn't reinstall xp because our customer had a lot of software installed
on his computer and didn't have all the original CD's.
I searched the hidden "non plug and play devices" for abnormal service
names, mine was called "TMOXVJRV". I disabled it, restarted the computer,
everything was normal again!!!!
I LOVE YOU!
--
michiel.peeters