This KBA is targeted at AVG users (as of July 2017) who are seeing failures to install or update the Umbrella roaming client. AVG experienced a false positive detection that removed the critical Windows Installer file C:\Windows\SysWOW64\rundll32.exe (64-bit systems) or C:\Windows\System32\rundll32.exe, which permanently breaks MSI installation.
If the file is not caught and restored from the AVG quarantine within 30 days, the file is lost and will need to be restored manually.
Impacted workstations will fail to install the roaming client or its updates. Interactive installs will fail immediately and background installs will fail. To identify an impacted workstation, re-run the installation MSI and check the installation log for the "SFXCA: Failed to create new CA process via RUNDLL32" line shown in the excerpt below.
To generate an install log, use the following syntax: "msiexec /i Setup.msi /L*V C:\Logfile.txt"
Action start 15:34:10: CA.ReadOrgInfo.SetProperty.
Action ended 15:34:10: CA.ReadOrgInfo.SetProperty. Return value 1.
Action start 15:34:10: CA.ReadOrgInfo.
SFXCA: Failed to create new CA process via RUNDLL32. Error code: 2
CustomAction CA.ReadOrgInfo returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 15:34:10: CA.ReadOrgInfo. Return value 3.
Action start 15:34:10: CA.LogFailureOnError.
If running via the interactive installer (GUI), an error will appear immediately.
An AVG false positive flagged and removed C:\Windows\SysWOW64\rundll32.exe from Windows machines in July 2017. To confirm impact, verify if C:\Windows\SysWOW64\rundll32.exe is present on the affected system. If the file is not present, the workstation was impacted.
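The two checks described above (whether rundll32.exe is present, and whether the MSI log contains the SFXCA failure) can be combined into one triage script. This is an added example, not part of the original article or any Cisco or AVG tooling; the default log path follows the msiexec syntax shown earlier, and the output property names are assumptions.

```powershell
# Added example: triage one workstation for the missing-rundll32 condition.
# $LogPath is an assumed default; point it at the log written by msiexec /L*V.
param(
    [string]$LogPath = 'C:\Logfile.txt'
)

# File locations named in the article (rundll32.exe under SysWOW64 and System32).
# Run this from 64-bit PowerShell on 64-bit Windows: a 32-bit process is silently
# redirected from System32 to SysWOW64 and would test the same file twice.
$candidates = @(
    (Join-Path $env:SystemRoot 'SysWOW64\rundll32.exe'),
    (Join-Path $env:SystemRoot 'System32\rundll32.exe')
)

$missing = @()
foreach ($path in $candidates) {
    # SysWOW64 exists only on 64-bit Windows; skip it when the folder is absent.
    if (-not (Test-Path -LiteralPath (Split-Path $path -Parent))) { continue }
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $missing += $path }
}

# Search the install log for the custom-action failure quoted in the article.
# Get-Content honours a byte-order mark, which matters because verbose MSI
# logs are typically written as UTF-16.
$logChecked = Test-Path -LiteralPath $LogPath -PathType Leaf
$logHits = @()
if ($logChecked) {
    $logHits = @(Get-Content -LiteralPath $LogPath |
        Where-Object { $_ -match 'SFXCA: Failed to create new CA process via RUNDLL32' })
}

# One object per machine so results can be collected and exported centrally.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    MissingFiles   = $missing -join '; '
    LogChecked     = $logChecked
    LogFailureSeen = ($logHits.Count -gt 0)
    Impacted       = ($missing.Count -gt 0)
}
```

The file check alone decides `Impacted`, matching the article's confirmation step; the log match is corroborating evidence for machines where an install has already been attempted.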
AVG removed this false positive detection; however, files that had already been flagged and removed were not returned from quarantine unless an administrator restored them manually. Attempts to contact AVG about a missing file are answered with "The False Positive have been addressed"; however, AVG has not addressed the impact on systems where the file was removed before the false positive detection was withdrawn. For more information, see this AVG Community Thread.
An example alert is included below.