SP3, unable to install

Discussion in 'Software' started by peteschulte, Apr 12, 2011.

  1. peteschulte

    peteschulte Private E-2

    Hello,
    Just went through the virus removal process with sign-off by your Tim W.

    My SP3 problem pre-dates that. Tried again just now with results attached.

    After install failed, I got a dialog "Access is denied." The Start button would not work and the desktop was in chaos.

    While trying to shut down, got "The instruction at 0x01073ad7"
    "The instruction at 0x004192af".

    These may match the two screen caps attached. Even if so, I don't know what to do.

    I'll check Add / Remove programs to see whether anything there might be blocking the install.

    Thanks for considering my problem! I would like to be able to install -- for employment skill testing -- MS Office 10, but I can't without SP3.

    --Peter
     

    Attached Files:

  2. satrow

    satrow Major Geek Extraordinaire

    You could try working through the procedure here or here. As always, read it thoroughly before attempting it.
     
  3. peteschulte

    peteschulte Private E-2

    Thank you satrow,

    I tried the 2nd option, then tried SP3 again. It seems like the same results -- those two messages that SP3 could not back up the registry keys. Here's one of them.

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}

    Googling GPExtensions got this thread


    which associates a similar message with installation of IE8, which has always failed on this machine. Not a big deal since I prefer Chrome or FF. This thread seems to indicate I might safely backup the registry and remove the key -- instructions in post #13.

    What are your thoughts, please?

    Thank you,
    Peter
     
  4. satrow

    satrow Major Geek Extraordinaire

    Hmm, interesting, I just fired up an XP SP3 IE8 laptop and drilled down to the Registry entry listed in that Thread and found it; the (Default) REG_SZ entry here is Internet Explorer User Accelerators (I also have a (CF76 ... ) in which the default REG_SZ is the same).

    BUT, your key/folder I don't see - is there a description for the (Default)?

    Maybe you can take screenshots of the contents of each of the GPExtensions subfolders and attach them in a zip? Anything listed under Winlogon has potential to be, or to trigger, malware I think.
     
  5. peteschulte

    peteschulte Private E-2

    Thanks satrow,

    Here are 3 screen caps of the registry Winlogon\GPExtensions.

    the default with a description
    one that won't open and matches one of my two error messages from SP3
    and another that won't open and matches the other error description from SP3

    I'll get the other descriptions and attach them in a zip.
     

    Attached Files:

  6. peteschulte

    peteschulte Private E-2

    Maybe you can take screenshots of the contents of each of the GPExtensions subfolders and attach them in a zip? Anything listed under Winlogon has potential to be, or to trigger, malware I think.

    attached

    Thanks!
     

    Attached Files:

  7. satrow

    satrow Major Geek Extraordinaire

    That's a strange one, Peter. I just created a new limited User account and I can open all folders under GPExtensions. I can't think of any legit software that would completely lock them, but that may be the answer.

    Do you know the full history of the PC as in older software that was installed previously?

    Have you tried creating a new User with Administrative rights and tried to access them from the newly created account?
     
  8. peteschulte

    peteschulte Private E-2

    Just now created a new user and SP3 failed in the same way.

    The machine was made by an acquaintance and given to me some years ago, so I know most but not all of the history.

    How about if I back up the registry and delete those two keys? My post of 9:36 this morning has a link that describes how.


    It's not something I've done before.

    Thanks for any advice, and thanks for your time!
     
  9. satrow

    satrow Major Geek Extraordinaire

    You can try it - back it up as a *.reg file on your Desktop first.
     
  10. peteschulte

    peteschulte Private E-2

    Okay thanks for the go-ahead.

    Understand that I want to be cautious about this. For example, exporting the registry to "*.reg" just hung up, so I exported to "star.reg" which is now on my desktop. I'm trusting that I can click on it in Safe Mode to restore the registry. Is it that simple? I ask because the instruction set which I'm following is condensed and condescending. Make sure I am reading it right.
    From http://forums.techarena.in/windows-xp-support/1036331.htm

    You are going to be editing the registry, so in case anything goes wrong you should back up the registry:

    1. Click Start, and then click Run.
    2. In the Open box, type regedit, and then click OK.
    3. Make sure the tree on the left is closed: five (5) folders with + in front of them.
    4. On the File menu, click Export.
    5. In the Save in box, select a location where you want to save the .reg file, desktop is a good location. In the File name box, type a file name, and then click Save.

    If the wrong thing was deleted go in safe mode and click that file on your desktop. When all is good you can delete that file.

    With the folders in the tree on the left all closed up, highlight My Computer.
    Click on Edit, choose Find, fill in your class error:
    7B849a69-220F-451E-B3FE-2CB811AF94AE

    Hit the Find Next button. When you find that entry and nothing is on the right pane, hit the Delete key, yes to confirm. Hit the F3 key until you see the "finished searching the registry" window. If you have any other class errors, close the tree again (left arrow does a fast job): click on the + in front of My Computer and close any others that might be open. Click on Edit, choose Find, fill in your class error. When done, exit out of regedit. Go back in Event Viewer, right click on Application, choose "clear all events."

    I wrote this so my 90 year old grandmother can understand this, that way everyone can.

    Terry

    I think that's what I posted in other words ... I said that already..

    Terry

    Where Terry says, "highlight My Computer" instead of "Click on Edit, choose Find", I propose to navigate via Start\Run\regedit to each of the two keys -- as shared this morning -- and press the Delete key.

    How's that as a plan? Will the Delete key work in this context?

    When I'm done do I need to 'Go back in event viewer right click on application choose "clear all events." '?

    Thanks again!
     
  11. peteschulte

    peteschulte Private E-2

    For additional security, I created a restore point as described here so that I can follow up as described below:
    Manual steps to restore the registry in Windows XP
    Use System Restore to undo registry changes in Windows XP
    Click Start, click Run, type %SystemRoot%\System32\Restore\Rstrui.exe, and then click OK.
    On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next .
    On the Select a Restore Point page, click the system checkpoint. In the On this list select the restore point area, click an entry that is named "Guided Help (Registry Backup)," and then click Next. If a System Restore message appears that lists configuration changes that System Restore will make, click OK.
    On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration and then restarts the computer.
    Log on to the computer. When the System Restore confirmation page appears, click OK.

    So, here goes! TY!
     
  12. peteschulte

    peteschulte Private E-2

    Aargh -- after all of that, cannot delete.
    Attached.

    What do you recommend? Recall the recent antivirus process where Malwarebytes and others did not even see these.

    Thanks a lot for your expertise, which I know takes years and dedication to acquire.

    --Peter
     

    Attached Files:

  13. theefool

    theefool Geekified

    I wonder what your permissions are on that key. Right click the troublesome issue, and select permissions.

    Post here the screen shot. I won't be around after this post, just wanted to give my input. :)
     
  14. peteschulte

    peteschulte Private E-2

    Okay, now we need some "down and dirty" AKA literal, bitwise registry editing.

    Look at these results.

    Hey, theefool -- your question was right on point.
     

    Attached Files:

  15. peteschulte

    peteschulte Private E-2

    Do you guys/gals see any anomalies here?

    I'm not familiar with the norms for this list. For example, "ANONYMOUS LOGON" or BATCH.

    If so, how to delete them?

    Thanks again!!
     

    Attached Files:

  16. satrow

    satrow Major Geek Extraordinaire

    So the "Right-click the key, click security, click advanced, click owner, click other users or groups, click advanced, click find now, select your account, click ok, click ok, select your account, click ok" scenario doesn't fix it.

    Did you try this from the earlier link?:
    And then check the entries?

    Can you list the security software that you have installed?
     
  17. peteschulte

    peteschulte Private E-2

    Thanks for reminding me of subinacl and the reset command. This morning downloaded both. While on the page at WinHelpOnline blog I saw a link to RegASSASSIN from Malwarebytes.

    Turned off Windows Firewall and Avast.

    Subinacl was unable to install, alert attached.

    Reset.cmd caused a DOS window to flash.

    Navigated regedit and found the two keys still locked.

    RegASSASSIN? Other thought?

    Thanks!
     

    Attached Files:

  18. satrow

    satrow Major Geek Extraordinaire

    Sure, run with it; ideally, we need access to see what those keys currently contain rather than just deleting them.
     
  19. peteschulte

    peteschulte Private E-2

    Running RegASSASSIN

    stop Windows Firewall and Avast
    first, tried to reset permissions so we might see what's in those keys

    when that failed, ran again to delete them

    received message that RegASSASSIN could not see them, proceed anyway? yes.

    alerts said each was deleted -- attached

    restarted computer


    regedit shows both GPExt keys still there and locked.

    Thanks for any ideas and for advising on this frustrating challenge!
     

    Attached Files:

  20. satrow

    satrow Major Geek Extraordinaire

    Sorry Peter, I can't think where to go next except to ask one of the Malware team to take a look > I'm not being helped my end by the bloody zombie botnet controller who keeps scanning my IP address and blocking my access to the 'net :hammer
     
  21. theefool

    theefool Geekified

    Unless I missed it, did you try to take ownership of that key? (not permissions)

    Another thing to try is to reset permissions to default in the registry:
    http://support.microsoft.com/kb/313222

    From the command prompt (click START, then RUN, then type in cmd (press enter))

    type in:
    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

     
  22. theefool

    theefool Geekified

    Lastly, though, not recommended, but I'll post it anyway, you can install service pack 3 without backing up. Though, you won't be able to uninstall it... :(

    You can use the /nobackup option to well, not backup the files before install....
     
  23. peteschulte

    peteschulte Private E-2

    What is the best way to do this? Is it the case that you know some major geeks here, whom you could ask to view this thread? Or should I take the initiative?

    That sounds awful. Good luck with it!

    For my 2 stubborn keys, I imagine opening the registry in NP++ and doing some bitwise editing. I've seen it done with database files. Not sure I remember how we did it exactly. Surely don't know how one would proceed to open the registry in NP++.

    Hey satrow, thanks very much for your help along the way!
     
  24. peteschulte

    peteschulte Private E-2

    Hi theefool,

    "Ownership" is new to me. How to do this? I went deep into permissions in the registry as in previous screen caps.

    Also, I did this or something very similar. Will verify
    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose


    Thanks for your replies!
    Peter
     
  25. satrow

    satrow Major Geek Extraordinaire

    I'll be picking up a new router and switching ISP's soon, that should get me a little respite :)

    I've tracked down the contents of your mystery Registry entries:
    Code:
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
    @DACL=(02 0000)
    @="Wireless"
    "DllName"=expand:"gptext.dll"
    "NoGPOListChanges"=dword:00000001
    "NoUserPolicy"=dword:00000001
    "ProcessGroupPolicy"="ProcessWIRELESSPolicy"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
    @DACL=(02 0000)
    @="Internet Explorer Zonemapping"
    "DllName"=expand:"iedkcs32.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
    "NoGPOListChanges"=dword:00000001
    "RequiresSucessfulRegistry"=dword:00000001
    "DisplayName"=expand:"@iedkcs32.dll,-3051"
    from your combofix logs in the Malware forum, under the LOCKED REGISTRY KEYS section. I'm assuming these will be useful to rebuild the locked ones after deletion - provided these are still safe. The other locked Reg. keys are all there, too.

    I've spent some time scanning through a Google search ("locked registry keys" 0ACDD40C SP3); nothing definitive on cause or resolution yet, though. I've a feeling it's either a malware change, perhaps to stop you changing the IE Zone security settings, or an old security program that was badly installed/uninstalled.

    Bed time now, good luck :)
     
  26. peteschulte

    peteschulte Private E-2

    Very interesting

    combofix logs in the Malware forum, under the LOCKED REGISTRY KEYS section

    but what to do with it?

    Good luck with the new router and ISP!
     
  27. satrow

    satrow Major Geek Extraordinaire

    Thanks Peter.

    The only thing to do until we find the cause and/or resolution, is to umm, save it <shrug>
     
  28. peteschulte

    peteschulte Private E-2

    Hi theefool,
    Some follow-up.

    Result: Unable to change owner on {KEY}. Access is denied.

    "Reset permissions to default" was the first thing I tried.
    ______________________________________________
    Some new inquiries:

    Is there a way to create a super user with pre-emptive privileges?

    Looking at these contents of the keys provided by satrow, is there something "upstream" that I could change or delete, such as "Internet Explorer zonemapping"? Maybe replace one of the DLLs listed below?

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
    @DACL=(02 0000)
    @="Wireless"
    "DllName"=expand:"gptext.dll"
    "NoGPOListChanges"=dword:00000001
    "NoUserPolicy"=dword:00000001
    "ProcessGroupPolicy"="ProcessWIRELESSPolicy"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
    @DACL=(02 0000)
    @="Internet Explorer Zonemapping"
    "DllName"=expand:"iedkcs32.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
    "NoGPOListChanges"=dword:00000001
    "RequiresSucessfulRegistry"=dword:00000001
    "DisplayName"=expand:"@iedkcs32.dll,-3051"


    What about Group Policy Object Editor? Where to access? What to do?

    Thanks for consideration and advice!
    Peter
     
  29. satrow

    satrow Major Geek Extraordinaire

    Zone remapping should be part of the standard IE Internet options, is my guess. Open it from the Control Panel > Internet options > Security tab > reset all zones to default level.

    As far as I know, the highest level user is the built-in Administrator account that should be available from Safe Mode. It does have higher privileges than any created user with Admin.

    GP is only available in XP Pro, iirc, is it under Administrative Tools?
     
  30. peteschulte

    peteschulte Private E-2

    Okay thanks! will try re-setting defaults in IE.
    In XP Pro, Start/Run gpedit.msc.

    Whew, then what?!

    Hey satrow, do you think I should create a new thread in the Malware Forum and ask to move this one over? I recall you suggested something like this and I wasn't sure how.
     
  31. peteschulte

    peteschulte Private E-2


    SUCCESS!

    After re-setting to IE zone defaults, I was able to manage the first key. I added myself with full permissions.

    The 2nd locked key, actually 6th in the list is still locked. I copied it to clipboard, pasted into Google and got a link to a malware discussion.

    I need to prepare for a jQuery test this afternoon, so don't have time to follow-up til later.

    That's very interesting about Safe Mode user.

    I want to return to the descriptions you provided of those keys and identify the second, finding another access to control of it like we did with IE.

    Thanks, satrow!
     
  32. satrow

    satrow Major Geek Extraordinaire

    Maybe you could just add a question in the malware thread relating to this machine, along the lines of 'take a look at my current thread, do you know of any cause, malware or security app, perhaps, that would cause this, if so, do you know of a fix'?

    Umm, I don't do GP, maybe that's a good candidate for a new thread? GP expert needed ...

    If the IE reset zones works, it won't clear all of the locked Reg. entries, maybe a full IE reset would clear more. Did you see how many there were in your ComboFix logs?!

    EDIT: That's great news - a little progress works wonders for confidence :)
     
  33. peteschulte

    peteschulte Private E-2

    Thanks for the how-to. I added a question to the existing thread in Malware.

    No I didn't see how many locked keys there were. During SP3 install, I would get access error messages and after I selected ignore for the 1st and 2nd, SP3 would fail.

    Well, it's encouraging to have one unlocked! Thanks!
     
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you still have Combo on your desktop ( redownload it if not ):
    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
    @DACL=(02 0000)
    @="Wireless"
    "DllName"=expand:"gptext.dll"
    "NoGPOListChanges"=dword:00000001
    "NoUserPolicy"=dword:00000001
    "ProcessGroupPolicy"="ProcessWIRELESSPolicy"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
    @DACL=(02 0000)
    @="Folder Redirection"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "DllName"=expand:"fdeploy.dll"
    "NoMachinePolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "EventSources"=multi:"(Folder Redirection,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
    @DACL=(02 0000)
    @="Microsoft Disk Quota"
    "NoMachinePolicy"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "RequiresSuccessfulRegistry"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000000
    "DllName"=expand:"dskquota.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
    @DACL=(02 0000)
    @="QoS Packet Scheduler"
    "ProcessGroupPolicy"="ProcessPSCHEDPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
    @DACL=(02 0000)
    @="Scripts"
    "ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
    "ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
    "DllName"=expand:"gptext.dll"
    "NoSlowLink"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "NotifyLinkTransition"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
    @DACL=(02 0000)
    @="Internet Explorer Zonemapping"
    "DllName"=expand:"iedkcs32.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
    "NoGPOListChanges"=dword:00000001
    "RequiresSucessfulRegistry"=dword:00000001
    "DisplayName"=expand:"@iedkcs32.dll,-3051"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
    "GenerateGroupPolicy"="SceGenerateGroupPolicy"
    "ExtensionRsopPlanningDebugLevel"=dword:00000001
    "ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
    "ExtensionDebugLevel"=dword:00000001
    "DllName"=expand:"scecli.dll"
    @="Security"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000001
    "MaxNoGPOListChangesInterval"=dword:000003c0
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
    @DACL=(02 0000)
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "DllName"="iedkcs32.dll"
    @="Internet Explorer Branding"
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000001
    "NoMachinePolicy"=dword:00000001
    "DisplayName"=expand:"@iedkcs32.dll,-3014"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
    "DllName"=expand:"scecli.dll"
    @="EFS recovery"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
    @DACL=(02 0000)
    @="Software Installation"
    "DllName"=expand:"appmgmts.dll"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "NoBackgroundPolicy"=dword:00000000
    "RequiresSucessfulRegistry"=dword:00000000
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
    @DACL=(02 0000)
    @="IP Security"
    "ProcessGroupPolicy"="ProcessIPSECPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    @DACL=(02 0000)
    "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
    "Logon"="SABWINLOLogon"
    "Logoff"="SABWINLOLogoff"
    "Startup"="SABWINLOStartup"
    "Shutdown"="SABWINLOShutdown"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"crypt32.dll"
    "Logoff"="ChainWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"cryptnet.dll"
    "Logoff"="CryptnetWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    @DACL=(02 0000)
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    @DACL=(02 0000)
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=expand:"sclgntfy.dll"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    @DACL=(02 0000)
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    @DACL=(02 0000)
    "HelpAssistant"=dword:00000000
    "TsInternetUser"=dword:00000000
    "SQLAgentCmdExec"=dword:00000000
    "NetShowServices"=dword:00000000
    "IWAM_"=dword:00010000
    "IUSR_"=dword:00010000
    "VUSR_"=dword:00010000
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Then attach the below logs:

    * C:\ComboFix.txt
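The key listing satrow recovered in post #25 and the RegLock:: block in TimW's script above are both in the .reg-like format ComboFix prints under "LOCKED REGISTRY KEYS". The following is an added example, not part of this thread or of ComboFix, of how a defender can parse that format offline and triage the Winlogon entries in it: every GPExtensions and Notify subkey names a DLL that Winlogon loads, so the first question is whether each DllName is the expected bare system file name (gptext.dll, iedkcs32.dll) or a full path outside the system root that deserves a closer look. The SYSTEM_ROOT constant and the three-key SAMPLE are assumptions constructed here; a flag means "review this", not "this is malware".

```python
"""Parse a ComboFix-style locked-key listing and triage Winlogon DLL entries.

Added example for the thread above; not ComboFix's own code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Assumption: the system root of the machine the listing came from.
SYSTEM_ROOT = r"c:\windows"

# Constructed sample in the format ComboFix prints under "LOCKED REGISTRY KEYS"
# (three keys copied from the thread's listing, not a live export).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"=expand:"iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Asynchronous"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')
STR_RE = re.compile(r'^"([^"]+)"=(expand:|multi:)?"(.*)"$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


@dataclass
class RegKey:
    path: str
    dacl_locked: bool = False            # "@DACL=(02 0000)" marker was present
    default: Optional[str] = None        # the @="..." (Default) value
    values: Dict[str, Union[str, int]] = field(default_factory=dict)

    def get(self, name: str):
        """Case-insensitive value lookup: the dump mixes "DllName" and "DLLName"."""
        for k, v in self.values.items():
            if k.lower() == name.lower():
                return v
        return None


def _unescape(s: str) -> str:
    """.reg string escaping: \\" is a quote, \\\\ is one backslash."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg_listing(text: str) -> List[RegKey]:
    """Turn the listing into RegKey records; '.' lines separate keys."""
    keys: List[RegKey] = []
    cur: Optional[RegKey] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = KEY_RE.match(line)
        if m:
            cur = RegKey(path=m.group(1))
            keys.append(cur)
            continue
        if cur is None:
            continue                      # value line before any key header
        if line.startswith('@DACL='):
            cur.dacl_locked = True
            continue
        m = DEFAULT_RE.match(line)
        if m:
            cur.default = _unescape(m.group(1))
            continue
        m = DWORD_RE.match(line)
        if m:
            cur.values[m.group(1)] = int(m.group(2), 16)
            continue
        m = STR_RE.match(line)
        if m:
            name, kind, val = m.groups()
            # multi: strings keep their raw \00 separators; others are unescaped
            cur.values[name] = val if kind == 'multi:' else _unescape(val)
    return keys


def winlogon_keys(keys: List[RegKey]) -> List[RegKey]:
    return [k for k in keys if '\\winlogon\\' in k.path.lower()]


def dll_path_is_expected(dll: str) -> bool:
    """Bare file names and paths under SYSTEM_ROOT are the expected form."""
    if '\\' not in dll and '/' not in dll:
        return True
    p = dll.lower().replace('%systemroot%', SYSTEM_ROOT.lower())
    return p.startswith(SYSTEM_ROOT.lower() + '\\')


def flag_for_review(keys: List[RegKey]) -> List[Tuple[str, str]]:
    """Winlogon keys whose DllName points outside the system root."""
    flagged = []
    for k in winlogon_keys(keys):
        dll = k.get('DllName')
        if isinstance(dll, str) and not dll_path_is_expected(dll):
            flagged.append((k.path, dll))
    return flagged


if __name__ == "__main__":
    parsed = parse_reg_listing(SAMPLE)
    for k in parsed:
        print(k.path.rsplit('\\', 1)[-1], '->', k.get('DllName'))
    for path, dll in flag_for_review(parsed):
        print('REVIEW:', path, dll)
```

Running the block on the constructed sample reports the two system DLLs as expected and flags the Notify entry that points into Program Files; with the full listing from the thread pasted in place of SAMPLE it does the same triage over all of the locked keys, which is more reliable than eyeballing a forty-key dump.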
     
  35. peteschulte

    peteschulte Private E-2

    Hey TimW -- thank you for this!

    On the first try, with Avast and Windows Firewall turned off, it seemed all was going well.
    Then came the re-boot with Avast turned on. It wanted to control things like my netgear, then combofix. I used the X in the upper right to close each window.
    The ComboFix DOS window reported twice, Access is denied. After the machine sat for 3 minutes, I looked for the log file on C:\ not finding it.
    So I un-installed Avast to try again.

    -- Peter
     
  36. peteschulte

    peteschulte Private E-2

    Hey TimW,

    new CF log attached. Thanks!
     

    Attached Files:

  37. peteschulte

    peteschulte Private E-2

    After posting the CF log and re-installing Avast, SP3 installed.

    Joy and Gratitude

    Now MS Office 10 Trial is installing, which I need for job application tests.

    Thanks TimW!
     
  38. motc7

    motc7 Vice Admiral (Starfleet)

    Are you just needing a Word processor to write up resumes? Try openoffice.org. It's free, fully compatible with Office 2010 formats.
     
  39. peteschulte

    peteschulte Private E-2

    motc7,
    Testing for jobs requiring MS Office skills.
    I, too recommend Open Office and have used it for a few years.
    TY
     
  40. theefool

    theefool Geekified

    Wow, took awhile. Awesome that you finally got it working.
     
  41. peteschulte

    peteschulte Private E-2

    theefool,
    You had good suggestions. Thanks for getting involved!
    I learned some stuff. Enjoyed it except for that one day/night when it seemed hopeless.
    It's very satisfying!
     
  42. oneeyejack

    oneeyejack Guest

    Hi!! I'm always trying to learn new things. I've been following this thread. I would like to ask Tim if the solution to this problem was all related to malware. I would also like to say well done. I'm glad the results were positive. There are a lot of people that have problems installing SP3 and this is a very interesting and informative thread.
     
  43. theefool

    theefool Geekified

    No problem. I've been on a WoW kick for quite some time. Got bored with it, after a few years. Now, I'm back to what I love. Attempting to help others that need help. Though, now I'm also playing Rift. :banghead
     
  44. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Since you ran Combo, let's run it again.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\drivers\_004420_.tmp.dll
    c:\windows\system32\SET11EF.tmp
    c:\windows\system32\SET11CC.tmp
    c:\windows\system32\SET11AA.tmp
    c:\windows\system32\SET117D.tmp
    c:\windows\system32\SET1183.tmp
    c:\windows\system32\SET1174.tmp
    c:\windows\system32\SET1172.tmp
    c:\windows\system32\SET1179.tmp
    c:\windows\system32\SET1171.tmp
    c:\windows\system32\SET116E.tmp
    c:\windows\system32\SET77F.tmp
    c:\windows\system32\SET4EE.tmp
    c:\windows\system32\SET2F5.tmp
    c:\windows\system32\SET2F4.tmp
    c:\windows\system32\SET2F7.tmp
    c:\windows\006019_.tmp
    c:\windows\system32\drivers\_004412_.tmp.dll
    
    DirLook::
    C:\b400b18b3c6e76a86647d32e93    
    C:\2fcb6486a085b3200591ccdb25f8b379
    C:\cc3366f6265e79ed608ea02684
    C:\1fbccca447b16abd02b7db52649609f9
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Then attach the below logs:

    * C:\ComboFix.txt
     
