The Case of Messed-up Microsoft Security Essentials Install
I set out to respond to Mark Russinovich’s blog post about his frustration installing Microsoft Security Essentials, but my response got out of hand, so I decided to blog it here instead:
Yes, a very recognizable situation, Mark. I have faced this foe multiple times, and I can tell you there is nothing more frustrating to troubleshoot and nothing more satisfying once you have traced it and fixed it.
But first, my comment on Microsoft OEMs and crapware: it is time Microsoft took the bull by the horns and stopped these despicable activities on the part of the OEMs. They are destroying the platform with the load of crapware they dump on new systems. One has to wonder if they do this out of malice. I don’t have any other explanation for their actions. They intentionally bog down a perfectly working system with loads of things a user will never use. I don’t think it’s only a result of financial remuneration. We need to wrest the platform from them and restore sanity.
Now back to MSSE: I have had to remove temporary AVs from family and friends’ systems so as to install MSSE, and I can confirm your frustration with broken uninstalls.
But where I face the most challenge is when they download trojans onto their systems, and I eventually get the call that the system is slow as a snail, or downright BSoDs on them. Which begs the question: how are they able to download viruses and trojans onto a system if MSSE is doing its job well? The answer is simple: social engineering.
I have made sure that on every computer I manage for friends and family, everyone runs as a Standard User! I always create a single administrator account called “Admin” in which I do installs and maintenance. But my problem is that I always have to give them the Admin account password. I still can’t convince them that they should let me keep the account for them for their own good. Then you get the response: the PC is mine, why do I have to call you every time I have to install something?
So that is my dilemma: I secure the OS, but have to give the key to the owner, and most of them are so susceptible to social engineering. The virus downloader always gets them to enter the Admin account password. So they install the Trojan as Admin, which promptly disables and messes up the AV install.
So, I have adopted a modus operandi, after cleaning out the virus/rootkit/trojan etc, the first thing I do is de-install MSSE with the option to remove all references to MSSE registry keys. Mark, all your efforts in this blog could have been saved if you ran the MSSE install with the /U key. Yup, just:
The /U option puts MSSE in uninstall mode, which removes the keys of the previous installs. After that you can run the Install file normally without the option. I have had success this way time and time again.
But just before the holidays, I got a call from my brother, and you guessed right: infected again. The kids had installed some stupid game via a P2P site. After I chided him for giving the kids the admin password, I got to work. I removed the virus by running MS Standalone System Sweeper, which removed the virus and rootkits with the offline scanning mode.
Then I proceeded to remove the old MSSE Reg keys and perform its cleanup. But no matter what I did, I couldn’t uninstall the old install, nor could I install MSSE anew. I noticed that whatever I tried to install failed. I suspected that MSIExec was damaged and searched the net till I dropped, but I couldn’t find any solution.
I dove into the MSSE install log and got some cryptic information about the failure, something about AppData. So I went online and perused the MS KB sites. I found the gem! The AppData entry was intentionally corrupted by the virus/Trojan!
Normally your AppData key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData is set to the value: %USERPROFILE%\AppData\Roaming.
But in my brother’s case the virus set the value to “%AppData%”. So in a CMD prompt, if you try to verify your Shell Folders by typing: ECHO %APPData% you will get “%AppData%” back instead of the normal: C:\Users\MyName\AppData\Roaming as shown in that cmd prompt screenshot above.
Clever little bastards! Just by changing that string, they made sure you can’t install anything, you can’t install Updates, you can’t install AVs that will remove the virus. It was a learning exercise for me, but it cost me 3 precious days of my life. I hope with this you guys don’t have to pull out your hair trying to fix MSSE or MSIExec or any Install issues!
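An added example (not from the original post or from Microsoft): a PowerShell check for the tampering described above. It reads the raw `AppData` value under `User Shell Folders` without expanding it, flags the self-referencing `%AppData%` case, and can restore the default quoted in the post; the function name and the `-Repair` switch are assumptions of this example.

```powershell
# Added example: audit (and optionally repair) the per-user AppData shell folder.
# Function name and -Repair switch are hypothetical; the key path and the
# expected default value are the ones quoted in the post.
function Test-AppDataShellFolder {
    [CmdletBinding()]
    param([switch]$Repair)

    $subKey   = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $expected = '%USERPROFILE%\AppData\Roaming'

    # Open the key writable only when a repair was requested.
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($subKey, $Repair.IsPresent)
    if (-not $key) { throw "Key not found: HKCU\$subKey" }

    try {
        # Read the stored string as-is. A normal read expands %VARS%, which
        # would hide exactly the kind of tampering we are looking for.
        $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
        $raw = $key.GetValue('AppData', $null, $noExpand)

        if ($null -eq $raw)                   { $status = 'Missing' }
        elseif ($raw -ieq $expected)          { $status = 'OK' }
        elseif ($raw -match '(?i)%AppData%')  { $status = 'SelfReferencing' }
        else                                  { $status = 'NonDefault' }

        # NonDefault can be legitimate folder redirection, so only the two
        # clearly broken states are overwritten.
        $repaired = $false
        if ($Repair -and $status -in 'Missing', 'SelfReferencing') {
            $kind = [Microsoft.Win32.RegistryValueKind]::ExpandString
            $key.SetValue('AppData', $expected, $kind)
            $repaired = $true
        }

        [pscustomobject]@{
            User       = $env:USERNAME
            RawValue   = $raw
            Status     = $status
            Repaired   = $repaired
            EnvAppData = $env:APPDATA   # what this session inherited at logon
        }
    }
    finally { $key.Close() }
}

Test-AppDataShellFolder            # report only
# Test-AppDataShellFolder -Repair  # restore the default if the value is broken
```

Run it as the affected user, since the key lives under HKEY_CURRENT_USER. After a repair, sign out and back in before re-checking with ECHO %APPDATA%, because running processes keep the environment they inherited.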