One of the administrators in our company recently had a trojan (Upatre.A). They managed to detect this with Microsoft Security Essentials, and it told us it was removed. She continued to report that her PC was working slowly, so last night I had a look at the PC. I noticed some updates were waiting, so I went ahead and installed them, including an update for MSE. At the end of the install process it told me it had failed. This left MSE uninstalled from the machine, and attempting to reinstall the program fails with error code 0x80070643. I also tried installing Microsoft Forefront Protection, which gave me the same error code or 0x8004FF01.
I have done some research and have found some suggestions online, which I have been looking into. This post advises that you should run the command in an elevated Command Prompt while running Procmon; while doing this, if you see any ACCESS DENIED results you should look into them further. When doing this I saw no ACCESS DENIED returns; I see some "FILE LOCKED WITH ONLY READERS", "NAME NOT FOUND", "NAME COLLISION", "BUFFER OVERFLOW", "END OF FILE" and "REPARSE". Since this is the first time I have had to use Procmon, I am not sure what I should be looking for here. A lot of those responses worry me, but none are ACCESS DENIED, and the post doesn't explain what to do if you see no ACCESS DENIED responses. Plus, there are thousands of entries; I could spend all week looking into these and I doubt it would help.
I have also tried rebooting the machine (a number of times, normally without then being able to install MSE or FEP), using msconfig to disable all startup items except the Microsoft ones, with selective startup selected and startup items disabled. This hasn't helped either.
I have in the past used the Windows Installer Cleanup Utility to fix similar issues, but according to this post it has been withdrawn and replaced with a FixIt. I tried the FixIt a number of times, and tried selecting the "having trouble installing software" path (at the end I find the software is not listed); after this it can't find any issues and attempts no fixes.
I have since run a Trend Micro Housecall quick scan, which found no threats, and I am about to run a full scan just to try to rule out that there is still something on the machine causing the issue.
I believe the issue is most likely down to registry keys being corrupt in some way, but I am not sure, and I don't really want to start ripping out keys without knowing they are the cause. Any suggestions on where to go from here would be appreciated. Since I cannot restore the machine to a previous system state, the only option left to me at this point would be to reinstall Windows on the machine, which is pretty much my last option.
I'm asking here before going to TechNet, as I find the responses on TechNet so unhelpful it hurts, while most of the time I find what I'm looking for on Stack Exchange sites. But this post only advises a reboot, and this one is more about XP than Windows 7.
EDIT
Probably also worth noting that I have run Malwarebytes on the machine, which found some cookies but no malware.
Sounds like a valid reason to wipe from orbit. – Ramhound – 2014-11-04T11:55:53.613
Hehe, thanks, that is currently my next step, I was just wondering if someone here had a better idea before I went beyond the point of no return, if I can't figure something out before lunch I will go and get some Windows discs :) – Rumbles – 2014-11-04T11:58:13.693
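The Procmon step in the question produces thousands of rows, and the question is what to look at when none of them is ACCESS DENIED. The following is an added example (not from the original post or from any Microsoft tool) showing how a practitioner would triage a Procmon CSV export (File > Save, CSV format) from the command line instead of reading it by hand. Of the results listed in the question, NAME NOT FOUND (software probing for optional files and keys), BUFFER OVERFLOW (a query made with a too-small buffer, which the caller then retries), END OF FILE, REPARSE (a junction or symlink was traversed), NAME COLLISION (creating a file or key that already exists) and FILE LOCKED WITH ONLY READERS (a memory-mapped file lock status) are all routine and are filtered out as noise; anything else is shown. 0x80070643 is the HRESULT wrapping of Windows Installer error 1603 (ERROR_INSTALL_FAILURE), which is a generic "fatal error during installation", so the last registry and file operations before the installer gives up are the most useful rows. The CSV path C:\Temp\Logfile.CSV and the process names mseinstall.exe and msiexec.exe are assumptions; substitute whatever your capture shows.

```powershell
# Added example, not the original poster's code: triage a Process Monitor
# CSV export for a failing installer instead of scrolling through every row.
# Assumptions: the capture was saved to C:\Temp\Logfile.CSV and the installer
# ran as mseinstall.exe and/or msiexec.exe (placeholders; adjust as needed).
param(
    [string]   $CsvPath   = 'C:\Temp\Logfile.CSV',
    [string[]] $Processes = @('mseinstall.exe', 'msiexec.exe'),
    [int]      $Tail      = 40
)

# Result codes Procmon reports constantly during normal operation. They are
# almost never the cause of an install failure, so they are treated as noise.
$Benign = @(
    'SUCCESS', 'NAME NOT FOUND', 'BUFFER OVERFLOW', 'END OF FILE', 'REPARSE',
    'NAME COLLISION', 'FILE LOCKED WITH ONLY READERS', 'NO MORE ENTRIES',
    'FAST IO DISALLOWED', 'NO SUCH FILE', 'PATH NOT FOUND'
)

# Column names below are the ones Procmon writes in its CSV export.
$events = @(Import-Csv -Path $CsvPath |
    Where-Object { $Processes -contains $_.'Process Name' })

"Events for $($Processes -join ', '): $($events.Count)"

# 1. How often each result appears. A result you see once or twice among
#    thousands of rows is worth a look; the top few are usually noise.
"`n== Result frequency =="
$events | Group-Object Result | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Everything that is neither a success nor a known-benign probe.
"`n== Non-benign results =="
$events | Where-Object { $Benign -notcontains $_.Result } |
    Select-Object 'Time of Day', Operation, Path, Result, Detail |
    Format-Table -AutoSize -Wrap

# 3. The last operations the installer performed before it stopped. With a
#    generic 1603 / 0x80070643 failure these are the rows that point at the
#    file or registry key it could not handle.
"`n== Last $Tail operations =="
$events | Select-Object -Last $Tail |
    Select-Object 'Time of Day', 'Process Name', Operation, Path, Result |
    Format-Table -AutoSize

# 4. Registry keys and files under the antimalware product paths, since a
#    half-removed earlier install commonly leaves entries there. The match
#    pattern is an assumption; extend it with whatever paths your capture shows.
"`n== Antimalware product paths touched =="
$events | Where-Object { $_.Path -match 'Microsoft Antimalware|Microsoft Security Client|Forefront' } |
    Select-Object Operation, Path, Result -Unique |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt after reproducing the failure with Procmon capturing; if section 2 is empty, section 3 is where to look, because a 1603 failure is reported after the installer has already rolled back, so the offending operation is near the end of the installer's own events rather than flagged as a distinct error.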