
Windows installer V3


haloterry

Aug 17, 2008, 8:27:02 PM
There are some programs I couldn't load due to error messages from Windows
installer. I attempted to update my installer to v3 but I keep getting a
message "unable to load", any ideas?
--
Terry in Help

TaurArian

Aug 17, 2008, 8:34:06 PM
Operating system?

What have you actually tried?

Any information at all would be nice.
--
--------------------------------
TaurArian [MVP] 2005-2009
Update Services
http://taurarian.mvps.org

haloterry

Aug 17, 2008, 11:14:15 PM
I have XP Media but the trouble started after Norton remoted into my
computer to fix viruses. Now I can't install anything because I get error
messages on anything I try to install referring to the windows installer. I
went to Microsoft to get a new version and it won't install, just stops and
says it failed.
--
Terry in Help

haloterry

Aug 17, 2008, 11:46:00 PM
More info, I followed instructions to remove the old version of installer
and when I attempt to load the new version, it goes up to the point where it
can't back up registry and stops loading.
--
Terry in Help

TaurArian

Aug 18, 2008, 12:01:02 AM
Okay, so you had a virus and someone from Symantec/Norton's remotely removed
the virus. Now Windows Installer will not work.

What is the error message on the failed installation of the Windows
Installer, for example, click on the failed update and advise what the error
code is?

haloterry

Aug 18, 2008, 1:27:01 AM
That's it, pretty much, here is what I got:
KB942288-v3 setup could not backup registry key
HKCR\{000C101D-0000-0000-C000-000000000046}\DllVersion to file
C:\windows\$NtUninstallKB942288-v3$\reg00046. 5:Access is denied.
That's it.

TaurArian

Aug 18, 2008, 2:08:01 AM
First, make sure that your anti virus software isn't locking the registry and
preventing the installer from modifying the same.

http://support.microsoft.com/kb/910337/en-us
Scroll to: Error 5: Access is Denied

MowGreen [MVP]

Aug 18, 2008, 2:20:59 PM
haloterry wrote:

> That's it, pretty much, here is what I got:
> KB942288-v3 setup could not backup registry key
> HKCR\{000C101D-0000-0000-C000-000000000046}\DllVersion to file
> C:\windows\$NtUninstallKB942288-v3$\reg00046. 5:Access is denied.
> That's it.

The above registry needs to have its Permissions changed.
KB942288-v3 refers to the files being installed by Windows Installer 4.5.
This location is where Windows Installer writes to the registry
regardless of Version:

HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046}

So, open the Registry editor. [ Start > Run > type in
regedit
Click OK or press Enter ]

Click the plus sign next to HKEY_CLASSES_ROOT
Scroll all the way down to CLSID
Click the plus sign next to that.
Scroll down to 000C101D-0000-0000-C000-000000000046
Right click 000C101D-0000-0000-C000-000000000046 and choose Permissions
Under Group or user names click on Administrators to highlight it and
then check to see if Permissions for Administrators shows
Full Control and Read.
Same for System.
Now click the Advanced button under Permissions for Administrators and
System.
Both Admin and Sys have 2 entries, one is inherited from
CLSID and one applies to the subkeys under
000C101D-0000-0000-C000-000000000046.
Is that what you're seeing, Terry ?

Please use the Export function before changing any Permissions here.
*Right* click 000C101D-0000-0000-C000-000000000046, click Export.
Name it Installer.reg and Save it to the Desktop for now.

Now scroll all the way up back to CLSID, right click it and choose
Permissions. SYSTEM and Administrators should show these Permissions:

Full Control
Read

For Advanced, under Applies to, it should show This key and subkeys and
NOT be inherited.

Close the registry editor.
We'll go over what you find prior to recommending any editing of
Permissions.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

haloterry

Aug 18, 2008, 4:27:01 PM
Oh, I had such high hopes on this answer! But I went into the regedit and
root, but there is no CLSID in there, it goes from ".CLR" to ".CMD". I am
really going nuts here! But please don't lose patience with me, keep helping!
--
Terry in Help

haloterry

Aug 18, 2008, 4:33:13 PM
Strike that, found it, I'll write back in a bit.
--
Terry in Help

haloterry

Aug 18, 2008, 4:47:02 PM
All that you asked me to check, was as you wrote. Only difference in entries
was under Permissions for Administrators and system, there were two entries
but labeled "classes_root\clsid" and the other was "parentobject". Other than
that, everything else was normal.
--
Terry in Help

MowGreen [MVP]

Aug 18, 2008, 5:38:58 PM
haloterry wrote:

> All that you asked me to check, was as you wrote. Only difference in entries
> was under Permissions for Administrators and system, there were two entries
> but labeled "classes_root\clsid" and the other was "parentobject". Other than
> that, everything else was normal.

To be totally clear on this, for
HKEY_CLASSES_ROOT\CLSID

the Permissions are inherited from here and are both Full and Read for
Administrators and System
For Advanced Perms, Administrators and System AND your User account
name, show Full Control and Read.

HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046}

Groups or user names: Administrators and System
Clicking Advanced perms shows:
2 listings of Administrators with the 2 entries you cited
2 listings of System with the 2 entries you cited, both with Full Control

We need to check the Security setting of the location for the backup
files of the update. See if this folder is present:

C:\windows\$NtUninstallKB942288-v3$ < ---- this folder
If it is, right click it and click Properties
Click the Security tab
Administrators and System should show all the boxes checked except for
Special Permissions
Then right click

C:\windows\$NtUninstallKB942288-v3$\reg00004 <-- this *file*

Check the settings by following the above steps, too.

If the settings are different, please change them.

blarney1234a...@donotspam.com

Aug 18, 2008, 8:56:54 PM

I have several computers that have recently been infected with XP
Antivirus 2008. I've been able to remove the virus, however, it
appears that it modifies the permissions on the registry key you
reference:
HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046}\DllVersion
If I right-click the key and try to display the permissions, I get
access denied. I believe this is what's preventing installer from
installing. I've tried renaming the key, deleting/creating a new one,
importing, exporting to no avail. Any suggestions would be greatly
appreciated. All machines are XP Pro - service pack 2 or 3.


--
blarn...@aim.com

bert_agt

Aug 19, 2008, 5:48:39 AM

blarn...@aim.com;3928875 Wrote:
> I have several computers that have recently been infected with XP
> Antivirus 2008. I've been able to remove the virus, however, it
> appears that it modifies the permissions on the registry key you
> reference:
> HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046}\DllVersion
> If I right-click the key and try to display the permissions, I get
> access denied. I believe this is what's preventing installer from
> installing. I've tried renaming the key, deleting/creating a new one,
> importing, exporting to no avail. Any suggestions would be greatly
> appreciated. All machines are XP Pro - service pack 2 or 3.

I too am having this exact issue. Likewise, any suggestions greatly
appreciated.


--
bert_agt

MowGreen [MVP]

Aug 19, 2008, 2:20:20 PM
HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046} has two
Permissions for both Administrator and SYSTEM.
Both have Inherited perms for CLASSES_ROOT\CLSID with Full Control and
all of the Permissions boxes checked.
They also have Full Control for Parent Object, with Full Control and all
of the Permissions boxes checked.

Does that clear up any confusion ?

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

haloterry

Aug 19, 2008, 3:06:04 PM
I did both a visual and computer search, there is no file under that name, I
did look in hidden files also.
--
Terry in Help

MowGreen [MVP]

Aug 19, 2008, 3:24:52 PM
haloterry wrote:

> I did both a visual and computer search, there is no file under that name, I
> did look in hidden files also.

What about the folder, does it exist ?

C:\windows\$NtUninstallKB942288-v3$ <---- this one

How to show hidden files, folders, and *system files*
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

The file is a *system* file, Terry.

bert_agt

Aug 19, 2008, 11:26:38 PM

MowGreen [MVP];3930324 Wrote:
> HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046} has two
> Permissions for both Administrator and SYSTEM.
> Both have Inherited perms for CLASSES_ROOT\CLSID with Full Control and
> all of the Permissions boxes checked.
> They also have Full Control for Parent Object, with Full Control and all
> of the Permissions boxes checked.
>
> Does that clear up any confusion ?
>
> MowGreen [MVP 2003-2008]

Hi MowGreen,

Permissions are set correctly on the
HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046} registry
entry. I am unable to access the permissions of the DllVersion subkey.
Clicking on it just results in a message "Access is denied....." and
likewise trying to change/view permissions is as futile... nothing is
displayed in the permissions list yet it is set to inherit permissions
from parent, and I cannot explicitly add any permissions. When clicking
'Apply' again same "Access is denied" error message.

I have tried exporting the entire key into a registry file and
re-importing it. I can export it successfully but importing it results
in access denied - only on the DllVersion sub key.

I have also deleted the {000C101D-0000-0000-C000-000000000046} from the
registry and then re-imported using the reg file mentioned above. Same
result. {000C101D-0000-0000-C000-000000000046} is restored,
{000C101D-0000-0000-C000-000000000046}\DllVersion is not. Access is
denied.

I have upgraded to Windows Installer v4.5 for XP SP3, still no joy.

I have checked that RPC and the Windows Installer services are set to
run as LocalSystem. They both are.

Have used regmon and see the access denied message when the Windows
Installer service is called when a setup program is called (either
installing or uninstalling windows installer based programs).

Have disabled all non-MSFT services and startup entries, rebooted,
still no joy.

It would appear the "XP Antispyware 2008" malware has left its mark on
Windows and the only solution is to reformat and reload all software
on.

Sorry for the rant, a tad frustrated :)

Any assistance appreciated.
Bert

Sunny

Aug 20, 2008, 3:05:59 AM

"blarn...@aim.com" <blarney1234a...@DoNotSpam.com> wrote in
message news:blarney1234a...@DoNotSpam.com...

>
> I have several computers that have recently been infected with XP
> Antivirus 2008. I've been able to remove the virus, however, it
> appears that it modifies the permissions on the registry key you
> reference:
> HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046}\DllVersion
> If I right-click the key and try to display the permissions, I get
> access denied. I believe this is what's preventing installer from
> installing. I've tried renaming the key, deleting/creating a new one,
> importing, exporting to no avail. Any suggestions would be greatly
> appreciated. All machines are XP Pro - service pack 2 or 3.

After repeated failure to install V3 step one here fixed it for me :
http://support.microsoft.com/kb/943144


haloterry

Aug 20, 2008, 1:36:20 PM
First let me say, thanks for all the help you are giving me. I can see a few
people are having this problem....
Now, even after showing all hidden files, per the instructions you sent me
to, there is no "C:\windows\$NtUninstallKB942288-v3$" in my Windows
directory. I conducted a search, looking in hidden and system files.
Anything else to try?

--
Terry in Help

MowGreen [MVP]

Aug 20, 2008, 1:58:52 PM
You could try repairing Perms by running SubInACL:

Solving setup errors by using the SubInACL tool to repair file and
registry permissions
http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

MowGreen [MVP]

Aug 20, 2008, 5:49:40 PM
haloterry wrote:

> First let me say, thanks for all the help you are giving me. I can see a few
> people are having this problem....
> Now, even after showing all hidden files, per the instructions you sent me
> to, there is no "C:\windows\$NtUninstallKB942288-v3$" in my Windows
> directory. I conducted a search, looking in hidden and system files.
> Anything else to try?
>

haloterry *previously* wrote:

> I have XP Media but the trouble started after Norton remoted into my
> computer to fix viruses. Now I can't install anything because I get error
> messages on anything I try to install referring to the windows installer. I
> went to Microsoft to get a new version and it won't install, just stops and
> says it failed.
> -- Terry in Help

You could try repairing registry and file permissions using SubInACL:

Solving setup errors by using the SubInACL tool to repair file and
registry permissions
http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx

Sorry to tell you this but the best avenue now would be to format the HD
and reinstall MCE at this point. That's the only way to trust the system
after an infestation by malware and the attempted removal of same by the
Norton 'tech'. Who knows what the tech did or if they even got the
system totally cleaned up.

MowGreen [MVP]

Aug 21, 2008, 2:30:55 PM
Bert,

Check to see if the Windows Installer service is in a running state in
the services console. If it is, Stop it and see if you can access the
DllVersion subkey to check the Perms.
There's also the possibility that there's an issue with DCOM.
Will wait on that as the steps are a tad involved.

MowGreen [MVP]

Aug 21, 2008, 2:35:50 PM
Hello, Terry ? If you see this suggest you read this and then post to
the HijackThis Logs forum:
http://aumha.net/viewtopic.php?f=30&t=4075

HijackThis Logs
http://aumha.net/viewforum.php?f=30

At the very least, we'll determine if the system has been cleaned up and
what damage was done.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

ron123

Aug 21, 2008, 10:31:01 PM
I have a similar problem, strange thing is that you can delete the key in
safe mode but you still get the error message when installing the installer.
Perhaps the access is being trapped before the register.

Martin

Aug 22, 2008, 5:28:57 AM
Hi,

the solution for this problem is to remove a hidden PNP driver.
Open XP Device Manager.
Select "Show Hidden Devices" from Menu.
Open PNP Tree and look for a driver named like "swuurqlm.sys".
Disable or delete this driver and Reboot.
Voila.

Regards
Martin

jacksonej1972

Aug 22, 2008, 10:30:49 AM

THANK YOU MARTIN! The device manager entry you listed didn't apply to
the computer I had a problem with, but you pointed me in the right
direction. In my case the entry was named "ogpyovrz". I think it's
safe to assume that people should look for a gibberish-looking entry
which would be typical for malware. When I Google'd the name and no
search results were returned, I was certain I had the problem entry. I
disabled it and Windows Installer worked again.

Regarding uninstalling it from device manager, I had the problem return
again on the next reboot. For some reason it didn't remove the
corresponding file from %windir%\system32\drivers. To get the uninstall
to stick, I booted Safe Mode, deleted the file first, and then
uninstalled the entry in Device Manager.

Cheers


--
jacksonej1972

MowGreen [MVP]

Aug 22, 2008, 2:02:48 PM
That's probably because the Windows Installer service is running and the
key can not be accessed in normal Windows mode.

Are you trying to install the latest Version of Windows Installer and
has the system been compromised by malware, specifically, Antivirus
2008/09 ?


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

MowGreen [MVP]

Aug 22, 2008, 2:07:57 PM
Martin,

>> Open PNP Tree and look for a driver named like "swuurqlm.sys".

You meant Non-Plug and Play Drivers, right ?

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

MowGreen [MVP]

Aug 22, 2008, 2:13:35 PM
This system should *not* be Trusted. If a hidden driver was found on the
system then the likelihood that there may be other hidden drivers,
basically a Rootkit or a rootkit-like component, present, too.
There's really no way to be 100% certain that all RKs have been removed.
Either *never* enter any personal information on this system, never do
any online banking, or better yet, *flatten it and reinstall the OS.*

Was it infected with the latest 'Antivirus 200x' malware ?

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

ron123

Aug 22, 2008, 6:16:05 PM
Just had the same problem. It's not permissions, there is a driver trapping the
registry access. It hides in sys32\drivers as a legacy driver, I used Root
Kit Analyzer(free) to find it. Find the name then delete it in safe mode and
tidy up the registry.
Ron

haloterry

Aug 25, 2008, 4:42:01 PM
Is there a particular file name I should be looking for?
--
Terry in Help

MowGreen [MVP]

Aug 26, 2008, 11:47:12 AM
Posted by Martin:

> the solution for this problem is to remove a hidden PNP driver.
> Open XP Device Manager.
> Select "Show Hidden Devices" from Menu.
> Open PNP Tree and look for a driver named like "swuurqlm.sys".
> Disable or delete this driver and Reboot.

He meant Non-Plug and Play driver
*Right* click My Computer either on the Desktop or Start Menu and choose
Manage [ this is the Computer Management module ]

In the left frame, click the plus sign next to System Tools
Click on Device Manager
On the menu bar at the top, click View, Show hidden devices
Click the plus sign next to Non-Plug and Play Drivers
Look for a randomly named driver, such as the one Martin listed above,
swuurqlm.sys. When you locate any of such, go to Google and see if there
are any hits for it. IF *none* appear or all the hits lead to
anti-malware forums then that's the culprit.
Boot to Safe Mode to delete the malware-related driver.
It should be located in WINDOWS\system32.

IF there is *no* hidden driver [s], then suggest you stop the Windows
Installer service prior to another attempt at installing Windows
Installer 4.5.
The Services and Applications module is in Computer Management, the same
place that Device Manager is, Terry.
Look for it in the left frame.

IF you're having difficulty removing this 'driver', then suggest you
read this, and then post to the HijackThis Logs forum for expert
assistance: http://aumha.net/viewtopic.php?f=30&t=4075
Forum: http://aumha.net/viewforum.php?f=30

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
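
A scripted form of the Device Manager check described in the post above, as an added example that is not part of any post in this thread: it reads the kernel-driver service entries from the registry and lists those whose file cannot be seen or carries no vendor name. Both criteria and the function name `Resolve-DriverPath` are assumptions of this example; the script is read-only.

```powershell
# Added example: read-only triage of kernel-mode driver services.
# The criteria below are assumptions of this example and give candidates, not verdicts.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath {
    param([string]$Name, [string]$ImagePath)
    # With no ImagePath value, Windows loads System32\drivers\<service name>.sys
    if ([string]::IsNullOrEmpty($ImagePath)) {
        return (Join-Path $env:SystemRoot "System32\drivers\$Name.sys")
    }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                            # \??\C:\x.sys -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\') # \SystemRoot\... form
    $p = [Environment]::ExpandEnvironmentVariables($p)          # %SystemRoot%\... form
    if (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p                       # system32\drivers\x.sys
    }
    return $p
}

$report = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Service Type 1 = kernel driver, 2 = file system driver; skip everything else
    if ($null -eq $svc -or (1, 2) -notcontains $svc.Type) { continue }

    $path    = Resolve-DriverPath -Name $key.PSChildName -ImagePath $svc.ImagePath
    $file    = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    $company = $null
    $created = $null
    if ($file) {
        $company = $file.VersionInfo.CompanyName   # empty when there is no version resource
        $created = $file.CreationTime
    }

    New-Object PSObject -Property @{
        Name        = $key.PSChildName
        Start       = $svc.Start     # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        Path        = $path
        FileVisible = [bool]$file
        Company     = $company
        Created     = $created
    }
}

# Show only entries whose file is not visible or has no vendor name, newest first
$report |
    Where-Object { -not $_.FileVisible -or [string]::IsNullOrEmpty($_.Company) } |
    Sort-Object Created -Descending |
    Format-Table Name, Start, FileVisible, Created, Path -AutoSize
```

Stale but legitimate service entries also have no visible file, so each listed name still needs the manual lookup the thread describes before anything is disabled.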

CBNY01

Aug 27, 2008, 6:38:20 PM
Hey - I have been struggling with this exact same issue. I have been through
all the articles. Here is what fixed it for me. In the hidden devices under
the 'Non PNP' tree, there was a driver named XQIXWOPP. Once I removed this
and rebooted, I could access the registry keys again.

MowGreen [MVP]

Aug 28, 2008, 4:10:30 PM
Great ! At this point in time you'd best ensure that there's no other
hidden malware on the system. If not, suggest this system
*** NOT be Trusted *** as you've already found one hidden driver.

If you need any recommendations as to what to do next, just ask CBNY01.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

GrahamD

Aug 30, 2008, 7:10:01 AM
I too have suffered with this problem and can summarise a few points which
may be of assistance to others;

First of all the Non PNP driver name is random - on my system it was ZJZRRRR
- which makes it easy to spot (fortunately!)

Secondly, for those that are confused by the existence, or otherwise, of the
"C:\windows\$NtUninstallKB942288-v3$" directory this is created when you run
the Windows Installer install program but gets removed afterwards.

On my system even after disabling the driver, removing the offending file
and re-booting, I still couldn't edit the DllVersion registry key but then,
suddenly, Norton popped up and re-discovered the offending file which seems
to have found its way back onto the system so beware. The filename was the
same in this case.

Once I was able to edit the registry key I thought I could then go ahead and
re-install the Windows Installer but it wasn't that simple. I tried this in
Safe mode and it appeared to work but still the installer was not working.
Starting the Installer server resulted in it stopping again straight away
which is not correct. Although this service is set to manual, it should
start, and stay running. The cure for this was to de-register and then
re-register the service. Please see; http://support.microsoft.com/kb/555175
for details of how to do this.

I now have this system working in all but one respect, the Win Installer
does not appear in the list of Add/Remove programs for some reason.

My final comment is that nowhere have I seen reference to what causes this
problem i.e. what virus or trojan can be accredited (if that's the right
word!) with this thorn in the side (polite version)? Any ideas?

MowGreen [MVP]

Aug 31, 2008, 3:52:36 PM
>> My final comment is that nowhere have I seen reference to what causes this
>> problem i.e. what virus or trojan can be accredited (if that's the right
>> word!) with this thorn in the side (polite version)? Any ideas?

Then you haven't looked very hard. It's mentioned in this thread and
numerous others that cite a disabled Automatic|Windows update service,
which apparently you can't see because you are using a "Web-based
newsreader". From the headers of your post:

> X-newsreader: Microsoft CDO for Windows 2000

The malware in question is Vundo/Virtumonde/Zlob.
The randomly named Non PnP 'driver' is a rootkit-like component.

> Secondly, for those that are confused by the existence, or otherwise, of the
> "C:\windows\$NtUninstallKB942288-v3$" directory this is created when you run
> the Windows Installer install program but gets removed afterwards.

No, that's incorrect. The subfolder you've cited is the UNinstall folder
for Windows Installer. There is no mention on either the Download page
nor the KB article that it can be uninstalled from Add/Remove Programs.
The previous version of Windows Installer could be uninstalled from ARP.


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

bpet...@gmail.com

Sep 3, 2008, 2:59:23 PM
damn... i lost 3 days on my friend's box... well, 1.5 days to remove
outdated norton security something

thanks to everyone, this saved me...

also thanks for the headsup on rootkit analyzer...

btw, yeah it was infected with antivirus 2008, I have found everything
and removed it with hijackthis, then lost a lot of time to kill
norton's s**t and then install new antivirus - can't? - wtf - registry
corrupted - search around the net

I should have realized it myself - when in safe mode registry works
ok, when in normal mode it does not

anyway thanks again

Boris

michiel.peeters

Sep 23, 2008, 6:10:32 PM

THANKS! I spent about 12 hours on this problem, tried everything,
couldn't reinstall XP because our customer had a lot of software installed
on his computer and didn't have all the original CDs.

I searched the hidden "non plug and play devices" for abnormal service
names, mine called "TMOXVJRV". I disabled it, restarted the computer,
everything was normal again!!!!

I LOVE YOU!


--
michiel.peeters
