Sunday 30 October 2011

Java Error: "Failed to validate certificate. The application will not be executed."

Someone got this issue while trying to run a scottrade.com applet.

To fix this
1: open java webstart by typing javaws -viewer,in a command prompt close the cache page and open up the security page. Click certificates and remove the one belonging to the application. If this doesn’t fix it …
2: Check the time and date on the PC.
3: Go to "C:\Users\YOUR USERNAME HERE\AppData\LocalLow\Sun\Java\Deployment\security" and delete trusted.certs.
4: Open control panel Open the Java control panel and go to the "Advanced" tab. Open Security and then General (if available), turn the option "Allow user to grant permissions to content from an untrusted authority" to on.

Google redirect - Removing Zeroaccess manually and without any tools.(except to scan)

Due to popular demand to comply with official policy on the non usage of tools such as hitman pro and tdss killer, I am releasing the guide for manual removal of the sirefef Trojan. Please note that this has been tested by me only on 32 bit systems and not on 64 bit systems.
The entries created by a zeroaccess infection are given below .The zeroccess configures a service as an autostart (Highlighted)which can be used to target it like a regular virus, instead of the kernel mode rootkit it is. The next step is determining the infected driver and finding a replacement. This can be sone by using a scanning tool such as GMER and TDSSKILLER (Please do not use these tools to remove the virus as it is against policy). Once the infected driver is determined we can replace it using a clean copy from either another location within the PC or elsewhere.
1: Delete the service from the list at HKLM\SYSTEM\ControlSet001\Services\
2: Delete the process file located at the %systemroot%( its usually numbered and the process can be viewed easily.)
3: Delete the file and it autstart from HKU\SID\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Where SID can be \S-1-5-21-2025429265-839522115-682003330-1003 or similar.
Delete the file listed in the autostart given above : its usually in the %appdata% folder and will need to be deleted forcefully.
Restart the computer and perform a full scan, you should be clean of zeroacces
Regshot 1.8.2
Comments:
Datetime:2011/10/30 17:57:17 , 2011/10/30 17:59:49
Computer:TAU-863929E6041 , TAU-863929E6041
Username:test , test
---------------------------------Keys added:5----------------------------------
HKLM\SYSTEM\ControlSet001\Services\c697803
HKLM\SYSTEM\CurrentControlSet\Services\c697803
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\0\1\2
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37\Shell
----------------------------------Values added:14----------------------------------
HKLM\SYSTEM\ControlSet001\Services\c697803\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\c697803\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\c697803\ImagePath: "\systemroot\58222860:4086728700.exe"
HKLM\SYSTEM\CurrentControlSet\Services\c697803\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\c697803\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\c697803\ImagePath: "\systemroot\58222860:4086728700.exe"
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\0\1\2: 4E 00 31 00 00 00 00 00 5E 3F A2 56 13 00 52 65 63 65 6E 74 00 00 38 00 03 00 04 00 EF BE 5E 3F 0B 52 5E 3F 39 87 14 00 22 00 52 00 65 00 63 00 65 00 6E 00 74 00 00 00 40 73 68 65 6C 6C 33 32 2E 64 6C 6C 2C 2D 31 32 36 39 31 00 16 00 00 00
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "C:\Documents and Settings\test\Local Settings\Application Data\0c697803\X"

Tuesday 25 October 2011

Google Redirect removal Consrv.dll Zeroaccess on 64 bit systems

Some people are getting issues with system stuck on launch startup repair and loss of connectivity after using Hitman pro to remove a file called consrv.dll detected as malware. I included instructions which worked for me. Good luck using these. Needless to say you have to remove all other malware before proceeding with these instructions
Google redirect: consrv.dll Nobelsearchsystem.com, get-fast-answers.com, surveyprizecenter Consrv.dll deletion causing loss of internet connectivity and No boot on 64 bit windows.
Consrv.dll is an infected dropper for zeroaccess MAXSS to corrupt DNS settings and redirect searches. Deleting the file using hitman pro will remove the file but alerts the Zaccess tripwire and hence does not let the computer go beyond the boot screen without launching startup repair in windows vista and 7. If the tripwire fails internet connectivity is lost. Using the Kaspersky Virus removal tool in full scan has proved effective. To fix it manually however, we will need to first disable the tripwire by resetting its autostart.
The driver runs off the registry key
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows”
Heres a screeshot taken off an infected machine.

On opening the windows entry the infected machine had the data.
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=consrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Whereas a clean machine has the data %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Therefore should you happen to notice a consrv.dll showing up in Hitman Pro.
First change the ServerDll entry to winsrv if it is Windows vista
And sxssrv if it is windows 7.
Then use Kaspersky virus removal tool to do a full scan and remove it.
The infected modules have been found by researchers to be stored in the windir\system32\config folder and
The windir\assembly folder.
Use an effective antivirus to scan all modules thoroughly and double check before falling for false positives.
Update Java and Flash player to avoid further exploits.
For more info and detailed analysis: http://www.dataprotectioncenter.com/antivirus/kaspersky/max-sets-its-sights-on-x64-platforms/
http://weirdwindowsfixes.blogspot.com
Tausif

Sunday 23 October 2011

Unable to open hyperlinks from Windows Mail/Outlook/Office in Windows Vista

Unable to open hyperlinks from Windows Mail/Outlook/Office in Windows Vista

Error-” This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator.”
Error-“Windows cannot find”URL”

Resolution:

Open Control Panel
Open Default Programs
Click “Custom” and then Default Browser
Set Internet Explorer as the default browser
Click “OK”

Other options you can try:

Change the Default key value in Registry.
Open HKLM\Software\Classes\.html
The Default value of this registry should be “htmlfile” .
We can manually change this value. There is another way to change this value.
Click on Start >Programs >Default Programs.
Click on “Set program access and computer defaults”.
Under Choose a configuration , Click on “Custom” option.
In “Choose a default web browser” click on “Internet explorer” and click on OK.
Now close your IE and Outlook if they are open. Then open Outlook again to test.
1. Open Explorer
2. Select Tools and then Folder Options
3. Select the File Types tab
4. Select Extension: (NONE), File Type: HyperText Transfer Protocol
5. Click Advanced toward the bottom of the window
6. In the Edit File Type window, select open and click Edit
7. Clear the DDE message box (which should contain “%1″)
8. Click OK, Click OK
9. Repeat for File Type: HyperText Transfer Protocol with Privacy
OR This if the above steps don’t work.
1. Open Windows Explorer (or My Computer).
2. Go to Tools -> Folder Options -> File Types
3. Select Extension: “(NONE)” File Type: “URL:HyperText Transfer Protocol”
4. Click “Advanced”. In the “Edit File Type” window, select “open” and click “Edit”
5. Uncheck “Use DDE” (the dialog should then hide the lower part).
6. Click OK for that dialog and the next one (afterwards, the “Use DDE” box is still checked but the “DDE Message” box will be cleared, as shown here)
7. Repeat for Extension: “(NONE)” File Type: “URL:HyperText Transfer Protocol with Privacy” (and any other protocols you want to fix)
8. Repeat for Extension: “(NONE)” File Type: “Firefox URL”
9. Repeat for Extension: “HTM” (or “HTML”) File Type: “Firefox Document”

Reset Internet Explorer Settings in IE7.0
In Internet Explorer, click Tools menu > Internet Options.
Click Programs tab, click “Make Default” and check “Tell me if Internet Explorer is not the default web browser.”
Switch to Advanced tab, click Reset button and then click Reset to confirm.
Uncheck the “Enable third-party browser extensions” option in the Settings box
To fix this problem in Windows XP and Vista, you need to edit the registry.
Go to Start > Run > type regedit and click OK. Navigate to HKEY_CLASSES_ROOT\FirefoxURL\shell\open\ddeexec.
At the right pane, double click the (Default) name to bring up the Edit String window. You should see the data value “%1″,,0,0,,,,.

If this doesn’t work try this:

Go to "Start -> Run" (or press the windows key+R) then type regedit and click OK
Use the directory tree hierarchy to navigate to "HKEY_CLASSES_ROOT\HTTP\shell\open\ddeexec"
Delete the "ddeexec" registry key
Repeat for "HKEY_CLASSES_ROOT\HTTPS\shell\open\ddeexec" (and any other protocols you want to fix)
Repeat for "HKEY_CLASSES_ROOT\FirefoxURL\shell\open\ddeexec"
Repeat for "HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\ddeexec"

OR
Create a *.reg with the following contents

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\ddeexec]

@=""

[HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\ddeexec\Application]

@="Firefox"

[HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\ddeexec\Topic]

@="System"

[HKEY_CLASSES_ROOT\FirefoxURL\shell\open\ddeexec]

@=""

[HKEY_CLASSES_ROOT\FirefoxURL\shell\open\ddeexec\Application]

@="Firefox"

[HKEY_CLASSES_ROOT\FirefoxURL\shell\open\ddeexec\Topic]

@="System"

[HKEY_CLASSES_ROOT\HTTP\shell\open\ddeexec]

@=""

"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\HTTP\shell\open\ddeexec\Application]

@="Firefox"

[HKEY_CLASSES_ROOT\HTTP\shell\open\ddeexec\Topic]

@="System"

[HKEY_CLASSES_ROOT\https\shell\open\ddeexec]

@=""

"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\https\shell\open\ddeexec\Application]

@="Firefox"

[HKEY_CLASSES_ROOT\https\shell\open\ddeexec\Topic]

@="System"

[HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec]

@=""

"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\Application]

@="Firefox"

[HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\ifExec]

@="*"

[HKEY_CLASSES_ROOT\ftp\shell\open\ddeexec\Topic]

@="System"

[HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec]

@=""

"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec\Application]

@="Firefox"

[HKEY_CLASSES_ROOT\gopher\shell\open\ddeexec\Topic]

@="System"

----cut----

Or Just install the latest version of firefox and uninstall it using revo uninstaller. Installation of a newer version of firefox will create the following subkeys which should fix the problem.

[HKEY_CLASSES_ROOT\HTTP\shell\open\ddeexec]

@="\"%1\",,0,0,,,,"

"NoActivateHandler"=""

and

[HKEY_CLASSES_ROOT\https\shell\open\ddeexec]

@="\"%1\",,0,0,,,,"

"NoActivateHandler"=""

I tested very small changes and found that resetting (AGAIN)

these two entries to:

[HKEY_CLASSES_ROOT\HTTP\shell\open\ddeexec]

@=""

"NoActivateHandler"=""

and

[HKEY_CLASSES_ROOT\https\shell\open\ddeexec]

@=""

"NoActivateHandler"=""

If nothing else works follow the following steps to perform a repair of Windows Mail in Vista

Saturday 15 October 2011

Google redirect-Quick and dirty guide to zeroaccess removal.

How to determine if the infection is by the Zeroaccess/sirefef rootkit.
1: The continuous resetting of ACLs for any most regularly used malware scanners.

2: The Presence of this process in the infected computer which runs off this autostart service.

- Once the computer is known to be infected by zeroaccess assume that it has been compromised, and more infections are present as the Trojan opens a backdoor on the infected machine. The most common FAKE AVs found so far on computers infected with zeroaccess are open cloud and guard AVguard, Wolfram etc.
Here are the activation code for most of the associated FAKEAVs which might make disinfection
Less distracting
Code for AV Guard online, guard online, cloud protection(NEW), try any of these:
9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197
1835437232
1837663686
1961232582
Open Cloud antivirus Code:
DB038748-B4659586-4A1071AF-32E768CD-36005B1B-F4520642-3000BF2A-04FC910B
-The presence of a FAKE AV can complicate removal, as none of the approved removal tools except combofix can defy the ACL modifications of the rootkit and therefore be protected from any regular scanners.
-Removal of zeroaccess then has to be quick and dirty, and of necessity involve a broad spectrum of scanners.
The ideal method of remediation would be as follows.
*Unless specified otherwise run all of these tools simultaneously.*
Start the computer in safe mode with networking and remove the FAKEAV autostarts manually and if possible infected files manually. We need to do this so that we can concentrate completely on removing the main infection. RESTART THE COMPUTER IN NORMAL MODE, **very important**
FYI
Using GMER to determine the infected files is possible however requires a practiced hand and can often lead to errorneous conclusions, but it is still useful to identify the driver that zaccess infects, unless the options circled in red are unchecked however the malware soon shuts down GMER and disables it.

As of now the only unpatched tool which is able to defend itself against the sort of techniques zeroaccess employs is TDSS Killer. However do not use TDSS Killer to try and cure the zaccess infected driver. Use it to target the service which runs as the numbered process, and to identify the infected driver.

Hitman pro can resist the ACL modification only once and does not survive a reboot, therefore it has to be run simultaneously. Running hitman pro gives us the chance to identify and remove autostarts and other infections which might possibly prove dangerous, it also gives us the option to try and replace the infected driver, use this but make sure that it is not set to delete the infected file.

The infected driver now needs to be replaced we can use these tools by McAfee or ESET who have made standalone removal utilities for the Zeroaccess rootkit only. Manually replacing these is possible but is not advised as it may result in loss of functionality. Both utilities are excellent however the ESET utility has been observed to have a better detection and disinfection rate. Download links for these are at end.

McAfee sirefef removal tool: http://vil.nai.com/images/562354_2.zip
Eset Sirefef removal tool: http://download.eset.com/special/encyclopaedia/ESETSirefefRemover.exe
Tausif

Sunday 9 October 2011

Open Cloud AV- removal guide

Getting Rid of Open cloud FakeAV:
Open Cloud antivirus is from the same family of as wolfram and PC security shield and therefore may be just the symptom of a much more Malignant infection, Lately, the infection comes bundled with a SpinCAV or ZeroAccess dropper. Therefore the steps given here assume to deal only with neutralizing only the open cloud AV infection. Please be sure to use a broad spectrum of tools to remove any further infections that are present.
Now on with the kill.
Let’s drop the infected file into my computer

Open Cloud starts up

And soon locks down the computer.

Click on leave to get here

Enter this code into the activation box and click on activate
DB038748-B4659586-4A1071AF-32E768CD-36005B1B-F4520642-3000BF2A-04FC910B
After this it should give you this screen.

The major part is done now run any major tool to remove the infection completely after suspending it using process explorer.

Associated OpenCloud Security files and registry values:
Windows XP:

C:\Documents and Settings\[UserName]\Application Data\OpenCloud Security\OpenCloud Security.exe
C:\Documents and Settings\[UserName]\Application Data\OpenCloud Security\csrss.exe
C:\Documents and Settings\[UserName]\Application Data\OpenCloud Security\wf.conf
C:\Documents and Settings\[UserName]\Application Data\OpenCloud Security\sysl32.dll
Windows Vista/7:

C:\Users\[UserName]\AppData\Roaming\OpenCloud Security\OpenCloud Security.exe
C:\Users\[UserName]\AppData\Roaming\OpenCloud Security\csrss.exe
C:\Users\[UserName]\AppData\Roaming\OpenCloud Security\wf.conf
C:\Users\[UserName]\AppData\Roaming\OpenCloud Security\sysl32.dll

Registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load"="%Temp%\csrss.exe"

Oh and one more thing if it does not allow exe files to run reset shell keys using the following fixes one after another into a reg file.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
Then Paste this into notepad safe as inf and install it.
[Version]
Signature="$Chicago$"
Provider=tausif
[DefaultInstall]
AddReg=UnhookRegKey
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
The shell Keys should be reset now and allow you to run any exe files. If you’re still unable to run any AV applications then hunt for a different infection on the PC.

Weird Outlook Issues.

Outlook 2007 -Removing an add-in that no longer exists

When you get an addin error like this

and you are not able to remove it from the trust center addins manager use this method.

Make sure Outlook is not running

Click OK

Delete the Extend.dat addins cache. Restart outlook.

Delete a Message Stuck in Outlook’s Outbox

Method 1:

Find the Message using Instant Search

Messages deleted using this method are permanently deleted and bypass the Deleted Items folder.

Close Outlook and wait a few minutes for it to close completely.
Type outbox in the Start menu’s search field.
Wait for Search to finish then find the message, select it and press Delete

Method 2:

Set Outlook to work offline using the File, Offline menu. Wait about 5 minutes or so before trying to delete the stuck message.

Save password setting not retained in Outlook or Outlook Express

When you connect to your Internet service provider (ISP) to retrieve messages from a Post Office Protocol 3 (POP3) server, your password is not retained even though you chose to save the password. Entering the correct password again does not resolve the issue.

The Safest workaround for this is to manually recreate a new profile and identity, but this article describes a shorter path to flush the password cache which is corrupted and might be the original cause of the issue.

Navigate to HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

Take ownership of the key and subkeys.

Double-click the Protected Storage System Provider key to expand the key. Click the user subkey folder that is directly underneath the Protected Storage System Providerkey, click Delete on the Edit menu, and then click Yes in the warning message dialog box.
The user subkey folder resembles the following example:
S-1-5-21-124525095-708259637-1543119021-16701
Note For every identity that you have, there may be a subkey under theProtected Storage System Providerkey. To resolve this issue in all identities, you must delete all the user subkeys folders that are under theProtected Storage System Providerkey.  On the Registry menu, click Exit. Then, restart the computer.

Wednesday 5 October 2011

Can't right click anything in ie

open in new tab/window not working

Find on this page "empty"

tabs on Favorites pane missing

about screen and other dialogs "empty"

IE8 closes immediately (not if caused by an add-on!)

can't print (interface not registered)

Facebook/Hotmail page blank after Login.

Follow the following steps in the described order.

1: Open the run window by pressing the Windows key + R and type in inetcpl.cpl then click on OK. Be sure to close any open internet explorer windows and end any iexplore.exe processes in the task manager

.

2: The internet options box should open up. Navigate to the Advanced tab and click on reset, and check the box to delete any personal browser customizations and click on reset to reset the Internet Explorer to factory Defaults. You'll lose all saved history and clear out temporary files and folders after doing this so if you'd rather not lose your saved history and login passwords skip to step 3.

Restart the internet explorer if you are able to the right click on the page, if not go to the next step.

3: Download this zip file, extract it to the desktop and run the .cmd in it applicable to your PC. If your PC is a 32 - bit PC, use only the file named ie8-rereg.cmd, if you have a 64 bit PC run the other two .cmd files. Please note that you have to run them both using administrative priviliges if your OS is Windows Vista or 7.

This fix can also repair multiple internet explorer problems suck as being unable to print from internet explorer, secure sites browsing and unable to open new tabs in internet explorer and similar such issues. All credit goes to Kai Schätzl of IEfaq.info for this fix.

Restart internet explorer to check for any more issues. If you are still facing issues with Internet explorer perform a malware scan using

a) Malwarebytes antimalware

b) Hitman pro

c) ESET online scanner.

and remove threats if any are found.

4: If none of this fixes the problem. Downgrade internet explorer fom your current version to the previous one using the steps detailed here.

Please let me Know if any of this helps you out so that i can improve it accordingly.

Monday 3 October 2011

Windows Installer Running all the time

Why does Windows Installer run every time I restart my system/start my application?

This behavior is part of the resiliency or self-repair feature of Windows Installer. When MSI fails to find a resource it needs, it displays a configuration dialog box similar to the one given above.

To see details about the missing resource, open the Event Viewer (Control Panel > Administrative Tools); the details are in the Application section.

The details of the repair are the MsiInstaller entries in the Application section of the event viewer.Double-clicking the warning event reveals the event properties; the details of the event list the product code, feature name, and component code involved, as well as the missing resource.

How can I fix this?

The ProductCode is a unique identifier for the particular product release, represented as a string GUID, for example {12345678-1234-1234-1234-123456789012}. This ID usually varies for different versions or a product.

Finding the corresponding Application name, using the ProductCode

To tackle the problem, one must first find the matching application name, given the ProductCode. As the event log reveals only the ProductCode GUID of the application involved, the name of the program can be queried by editing the registry using Regedit.exe. To do this use the following code and pasting it into a text editor save it as a .vbs file and run as administrator.

'-----------------------------------------------------------------------

'Description : Determine Application name from MSI ProductCode

'File name : anything.vbs

'Author name :GPL

'-----------------------------------------------------------------------

Option Explicit

Const HKEY_CURRENT_USER = &H80000001

Const HKEY_LOCAL_MACHINE = &H80000002

Dim fso, b, WshShell, strUninstallString, strInstallSource, ret, LogFileName

Set WshShell = CreateObject("Wscript.Shell")

Set fso = Wscript.CreateObject("Scripting.FilesystemObject")

LogFileName= WshShell.SpecialFolders("Desktop") & "\ProdCode_AppName.txt"

set b = fso.CreateTextFile (LogFileName,true)

ret = Trim(InputBox("Enter the Product Code GUID, including the braces. Example: {90170409-6000-11D3-8CFE-0150048383C9}", " ProductCode to App Name by Tausif"))

If ret = "" Then

WScript.Quit

Else

If Left(ret, 1) <> "{" Then ret = "{" & ret

If Right(ret, 1) <> "}" Then ret = ret & "}"

b.writeline String(71,"=")

b.Writeline "Description : Determine Application name from MSI ProductCode"

b.Writeline "File name : Getappname.vbs"

b.Writeline "Author name : Tausif [Windows XP Shell\User]"

b.writeline String(71,"=")

b.writeblanklines 2

b.writeline "Application Details"

b.writeline String(19,"-")

b.writeblanklines 1

b.writeline "ProductCode : " & ret

b.writeline "Application Name : " & GetAppName(ret)

b.writeline "Uninstall String : " & strUninstallString

b.writeline "Install source : " & strInstallSource

b.writeblanklines 1

b.writeline "----- (End of log) -----"

End If

Function GetAppName(strProdCode)

On Error Resume Next

GetAppName = WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & strProdCode & "\DisplayName")

strUninstallString = WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & strProdCode & "\UninstallString")

strInstallSource = WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" & strProdCode & "\InstallSource")

If Trim(GetAppName) = "" Then

Dim strProdCode2

strProdCode2 = Left(strProdCode,Len(strProdCode)-1)

strProdCode2 = Right(strProdCode2,Len(strProdCode2)-1)

GetAppName = WshShell.RegRead("HKLM\SOFTWARE\Classes\Installer\Products\" & strProdCode2 & "\ProductName")

End If

On Error Goto 0

End Function

b.Close

WshShell.Run "notepad " & LogFileName, 1

Set fso = Nothing

set Wshshell = Nothing

Use the product Code from the event log to determine the product and uninstall it completely using Windows Installer cleanup utility. This should fix the issue.

Windows installer could not be accessed windows Vista

- Copy the following keys into a text editor and save it with a .reg extension

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver]

"DisplayName"="@%SystemRoot%\\system32\\msimsg.dll,-27"

"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,\

00,73,00,69,00,65,00,78,00,65,00,63,00,20,00,2f,00,56,00,00,00

"Description"="@%SystemRoot%\\system32\\msimsg.dll,-32"

"ObjectName"="LocalSystem"

"ErrorControl"=dword:00000001

"Start"=dword:00000003

"Type"=dword:00000010

"DependOnService"=hex(7):72,00,70,00,63,00,73,00,73,00,00,00,00,00

"ServiceSidType"=dword:00000001

"RequiredPrivileges"=hex(7):53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,\

00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,\

74,00,65,00,50,00,61,00,67,00,65,00,66,00,69,00,6c,00,65,00,50,00,72,00,69,\

00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,4c,00,6f,00,63,00,\

6b,00,4d,00,65,00,6d,00,6f,00,72,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,\

00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,63,00,72,00,65,00,61,00,\

73,00,65,00,42,00,61,00,73,00,65,00,50,00,72,00,69,00,6f,00,72,00,69,00,74,\

00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\

65,00,43,00,72,00,65,00,61,00,74,00,65,00,50,00,65,00,72,00,6d,00,61,00,6e,\

00,65,00,6e,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\

00,00,53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,00,69,00,76,00,69,\

00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,53,00,65,00,63,00,75,00,72,00,\

69,00,74,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,\

00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,00,\

66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,\

00,65,00,50,00,72,00,6f,00,66,00,69,00,6c,00,65,00,53,00,69,00,6e,00,67,00,\

6c,00,65,00,50,00,72,00,6f,00,63,00,65,00,73,00,73,00,50,00,72,00,69,00,76,\

00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,\

72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,\

00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,\

47,00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\

00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\

72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\

00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,52,00,65,00,\

73,00,74,00,6f,00,72,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,\

00,65,00,00,00,53,00,65,00,49,00,6e,00,63,00,72,00,65,00,61,00,73,00,65,00,\

51,00,75,00,6f,00,74,00,61,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,\

00,65,00,00,00,53,00,65,00,53,00,68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,\

50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,54,\

00,61,00,6b,00,65,00,4f,00,77,00,6e,00,65,00,72,00,73,00,68,00,69,00,70,00,\

50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,4c,\

00,6f,00,61,00,64,00,44,00,72,00,69,00,76,00,65,00,72,00,50,00,72,00,69,00,\

76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00

"FailureActions"=hex:84,03,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\

00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver\Enum]

"0"="Root\\LEGACY_MSISERVER\\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001

For the same issue in Windows 7 use – this code in a .reg file and run it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver]

"DisplayName"="@%SystemRoot%\\system32\\msimsg.dll,-27"

"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,\

00,73,00,69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,20,00,2f,00,\

56,00,00,00