Unsuccessful application reconfiguration?

Qibbler · January 6, 2012, 4:15pm

Hi. Routine peek in Action Center > Maintenance revealed a warning never seen before (for any app):

COMODO Firewall
[i]Problem
Unsuccessful application reconfiguration

Description
Windows Installer reconfigured the product. Product Name: COMODO Firewall. Product Version: 5.9.23255.2196. Product Language: 1033. Manufacturer: COMODO Security Solutions Inc… Reconfiguration success or error status: 1602.[/i]

I wasn’t doing anything to CIS and got no update alerts yesterday. CIS Diagnostics report no issues so no idea what this warning expects me to do. (see pics)

Was this a quiet Comodo-initiated “reconfiguration” that somehow went wrong or what? I’m paranoid enough. This ain’t fair. (All usual scans say my system is clean as usual - not that this ever reassures me).

Also, when I logged into forums.comodo.com just now, IE opened to the attached info (pic 3). Nothing to do with me, far as I can see (I don’t have explorer.exe ‘Trusted’ for one thing and a lot more than 6 policies). Not my year… ???

[attachment deleted by admin]

Radaghast · January 6, 2012, 9:36pm

Curious, the 1602 exit code is usually associated with a cancelled installation, does this ring any bells? Other than that, does this message coincide, time wise, with the recent .NET updates from MS?

Edit: Just a thought. Are there any related entries in the Windows log files?

Also, when I logged into forums.comodo.com just now, IE opened to the attached info (pic 3). Nothing to do with me, far as I can see (I don't have explorer.exe 'Trusted' for one thing and a lot more than 6 policies). Not my year... ???

There’s certainly something odd happening, what with this and the rssfafa.jpg. Is there any additional information you can provide about either of these events? I’m curious about how/when the image(s) appeared?

Edit: Another thought. Have you ever used Comodo Firewall Pro/CIS Configuration Reporting Script (image)

[attachment deleted by admin]

Citizen_K · January 7, 2012, 1:38am

I did not know Windows Installer could repair apparently broken installations. It is known that a broken installation of program A can block the installation of other programs that are using Windows/MSI installer.

Other than that for now I am curious to your finding to Radaghast’s questions.

Qibbler · January 7, 2012, 1:51pm

Hi, sorry for delay, been offline urgently getting to know Sandboxie… >:(

No, never used Comodo Firewall Pro/CIS Configuration Reporting Script. Was that what I was presented with?

For what it helps…

Two times in as many weeks I’ve been invited to save/open jpgs immediately after entering my ID and clicking to log into the forum. From your answers it ought not to be happening, eh? I usually get to the forum from a favorites link and after log in get bounced to the forum home page.

The latest screen of ‘stuff’ appeared the same way. I ‘High’ block pop-ups and get asked to allow any - no notification. No download manager Open/Save either (unlike with the two jpgs).

Sadly I was too slow-witted to look at the address bar, only took a snipping tool image, then hit IE’s go-back arrow and got the usual page — so it wasn’t a tab and I can’t see IE would offer me a local html (even if it existed on my drive) in the same tab as a live webpage? The info doesn’t match my CIS setup anyway. Does the diagnostic widgit generate a html report?

Re. Windows Installer’s failed ‘reconfig’ of CIS:-

This happened on 5 Jan at 09:56, well after Msoft’s .NET updates. Event Viewer shows two related logs for MSInstaller and matching Service Control Manager logs. Shamed to admit I’ve wasted months in the past trying to read sense from these type of logs and failed. The PIDs etc don’t help because I’ve usually rebooted since the logs were generated, as this time.

I downloaded Comodo Dragon’s installer (but didn’t install CD) around that time but can’t remember exactly. I moved CD’s installer soon after and that file shows a ‘modified’ time of 10:06, so I probably downloaded just before the problem at 09:56.

I’ve copy/pasted the Event Viewer logs into txt files for what use they are. Just once I’d like to understand!

BTW, should Rundll32 being using CIS’s notification tray icon? See pic.

[attachment deleted by admin]

Citizen_K · January 7, 2012, 5:20pm

Can you scan your computer with several antimlaware scanners just to be sure it is not an infection bugging you. Try scanning with Hitman Pro, Malwarebytes Anti Malware, Super Antispyware and Comodo Cleaning Essentials.

Radaghast · January 8, 2012, 4:02am

Unfortunately, the 1035 and related 7035/7036 events are quite common and are generally caused by a bit of sloppy programming, in an application you have installed. I have exactly the same events on one of my PC’s. I keep meaning to find out which application is causing the issue, but I haven’t got around to it yet.

Basically, when the ‘rogue’ application queries a WMI object called Win32_Product class, it causes Windows Installer to run a consistency check on all installed applications, hence the events. The only way to stop this, is to find the application responsible and either get the developer to update it, or use something else. Incidentally, it’s doesn’t appear to be CIS causing this.

As far as tracking down the culprit, there is a Powershell script you could use, or you could probably use something like Process Monitor to see which applications are calling Win32_Product class.

With regard to the phantom images, it seems you’re not alone, as Boris has replied with a similar issue in your RSSfafa thread. On the face of it, it would seem you’re both getting some ‘bleed through’ of images posted on the forums. Quite why, is anybodies guess at the moment.

The tray icon thing is interesting, what did you use to determine the rundll32 association?

Qibbler · January 8, 2012, 3:25pm

Hi. Thanks both for advice. Hadn’t used Comodo Cleaning Essentials before. Got me all excited when it found a threat:-

Uninst_ZA_cpes_clean.exe
Heur.Corrupt.PE@4294967295 VIRUS UnKnown

Had that old ZoneAlarm cleaner for a year. Carried over from a previous OS installation. Never bothered MBAM or Hitman Pro etc. No loss to zap it, though.

(CCE is a bit quirky. I run as SUA. On first launch it asked to reboot to rootkit scan then failed to reappear. Opened it again and it ran a full scan and wanted to reboot again to look for ‘hidden services’. Never reappeared. Plays its cards close to its malware chest, eh? ‘No news is good news’, I suppose).

Anway, per advice also ran MBAM, Hitman Pro, SAS and Windows Defender and Avast (which I think uses GMER and certainly does rootkit boot scans). Nothing else wrong — not that’s ready to own up anyway.

As for the icon… see pic for update. Seems Rundll32 has now decided to hang out with the email icon? Fickle little beggars these notification icons. Just happened to open Control Panel\All Control Panel Items\Notification Area Icons. Beats me why they change partners, but if it makes them happy… :-\

I’ll have a root around with ProcMon as suggested. :-TU

[attachment deleted by admin]

Qibbler · January 9, 2012, 11:52am

Just to update on the tray icon. Used CCleaner to clear the tray cache and all’s back in order. Who knew? :-[