One of the administrators in our company recently had a trojan (Upatre.A). They managed to detect it with Microsoft Security Essentials, which told us it was removed. She continued to report that her PC was working slowly, so last night I had a look at the PC. I noticed some updates were waiting, so I went ahead and installed them, including an update for MSE. At the end of the install process it told me it had failed; this left MSE uninstalled from the machine, and attempting to reinstall the program fails with error code 0x80070643. I also tried installing Microsoft Forefront Protection, which gave me the same error code or 0x8004FF01.
I have done some research and have found some suggestions online, which I have been looking into. This post advises that you should run the command in an elevated Command Prompt while running Procmon; if you see any ACCESS DENIED results while doing this, you should look into them further. When doing this I saw no ACCESS DENIED returns; I see some "FILE LOCKED WITH ONLY READERS", "NAME NOT FOUND", "NAME COLLISION", "BUFFER OVERFLOW", "END OF FILE" and "REPARSE". Since this is the first time I have had to use Procmon, I am not sure what I should be looking for here. A lot of those responses worry me, but none are ACCESS DENIED, and the post doesn't explain what to do if you see no ACCESS DENIED responses. Plus there are thousands of entries; I could spend all week looking into these and I doubt it would help.
I have also tried rebooting the machine (a number of times, normally without then being able to install MSE or FEP) after using msconfig with Selective Startup selected to disable all startup items except the Microsoft ones. This hasn't helped either.
I have in the past used the Windows Installer Cleanup Utility to fix similar issues, but according to this post it has been withdrawn and replaced with a FixIt. I tried the FixIt a number of times, and tried selecting the "having trouble installing software" path (at the end I find the software is not listed); after this it can't find any issues and attempts no fixes.
I have since run a Trend Micro Housecall quick scan, which found no threats, and I am about to run a full scan just to try to rule out that there is still something on the machine causing the issue.
I believe the issue is most likely down to registry keys being corrupt in some way, but I am not sure, and I don't really want to start ripping out keys without knowing they are the cause. Any suggestions on where to go from here would be appreciated. Since I cannot restore the machine to a previous system state, the only option left to me at this point would be to reinstall Windows on the machine, which is pretty much my last option.
I'm asking here before going to TechNet, as I find the responses on TechNet to be so unhelpful it hurts, while most of the time I find what I'm looking for on Stack Exchange sites; but this post only advises to reboot, and this one is more about XP than Windows 7.
Probably also worth noting that I have run Malwarebytes on the machine, which found some cookies but no malware.
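The Procmon step above is the one point where the question asks what to look for. This added PowerShell example (not part of the original post or of Procmon) triages a Procmon CSV export (File > Save..., CSV format) into a per-result count plus a short list of rows whose result is not one of the routine statuses the poster listed; the installer process name `msiexec.exe` and the export path are assumptions, and the CSV rows embedded below are constructed so the script runs without a real capture.

```powershell
# Added example: summarise a Procmon CSV export so thousands of rows collapse
# into a per-Result count, then list only the rows worth a closer look.
# Assumptions: the export was saved as .\procmon-mse-install.csv and the
# installer ran as msiexec.exe (the post does not name the process).

# Constructed sample rows in Procmon's CSV column layout (not a real capture).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","msiexec.exe","1234","CreateFile","C:\Windows\Installer\abc.msi","SUCCESS","Desired Access: Read"
"10:01:02.2","msiexec.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer","NAME NOT FOUND",""
"10:01:02.3","msiexec.exe","1234","CreateFile","C:\Program Files\Microsoft Security Client\EppManifest.dll","FILE LOCKED WITH ONLY READERS",""
"10:01:02.4","msiexec.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Install","ACCESS DENIED",""
"10:01:02.5","explorer.exe","800","ReadFile","C:\Users\admin\notes.txt","END OF FILE",""
'@
$events = $sampleCsv | ConvertFrom-Csv
# For a real capture use:  $events = Import-Csv .\procmon-mse-install.csv

function Get-ProcmonTriage {
    param([object[]]$Events, [string]$ProcessName = 'msiexec.exe')

    # Keep only the installer's own events; other processes are noise here.
    $mine = $Events | Where-Object { $_.'Process Name' -eq $ProcessName }

    # Results that Windows returns routinely (probe reads, missing optional
    # keys, small query buffers, junction traversal, existing names, mapped
    # files) and that on their own do not indicate a permissions problem.
    $routine = 'SUCCESS', 'NAME NOT FOUND', 'END OF FILE', 'BUFFER OVERFLOW',
               'REPARSE', 'NAME COLLISION', 'FILE LOCKED WITH ONLY READERS'

    [pscustomobject]@{
        # How many events ended in each result, most common first.
        Summary = $mine | Group-Object -Property Result |
                  Sort-Object -Property Count -Descending |
                  Select-Object Name, Count
        # Everything else (ACCESS DENIED, SHARING VIOLATION, ...) with the
        # path it touched, which is the list worth walking through by hand.
        Suspect = $mine | Where-Object { $routine -notcontains $_.Result } |
                  Select-Object Operation, Path, Result
    }
}

$triage = Get-ProcmonTriage -Events $events
$triage.Summary | Format-Table -AutoSize
$triage.Suspect | Format-Table -AutoSize
```

On a real export, an empty Suspect list with the install still failing points away from NTFS or registry permissions and toward the kind of disk or file corruption the poster later found with chkdsk.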
I can't explain how this fixed anything, but I have just managed to get Forefront Endpoint Protection to install.
I started running the Trend Micro full scan and it caused a BSOD; the error I saw in the top left was "kernel data inpage error", but I didn't manage to get any more than that before the PC rebooted itself. At this point I thought I should do a chkdsk /R /F on the system drive. After this had finished I tried installing FEP again (just for jollies) and it completed; it's currently running a scan on the PC.
No idea how that solved the issue, unless there was a corrupt file on the drive which was fixed, or Trend Micro found something and fixed it before the BSOD (but I wouldn't have expected any actions to be taken until the end of the scan). Either way it seems to be okay now; I'm going to do some further scans on the machine before I let the user go back on it this afternoon.