
Windows update keeps failing

Solved 
12K views 91 replies 5 participants last post by  DR.M 
#1 ·
I have been running into this problem for about a week, but the computer seems to be running fine otherwise. The Net Framework 3.5 & 4.8 21H1 x64 #KB5004331 keeps ending up as a failure with the error 0x80073712. I have retried this over and over and it does the same thing. It gave me an alternative to use KB5004296, but that also ended up as a failure. I attached screen shots of the notices.


Tech Support Guy System Info Utility version 1.0.0.9
OS Version: Microsoft Windows 10 Home, 64 bit, Build 19043, Installed 20200807213151.000000-480
Processor: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz, Intel64 Family 6 Model 58 Stepping 9, CPU Count: 8
Total Physical RAM: 16 GB
Graphics Card: NVIDIA GeForce GTX 1660
Hard Drives: C: 465 GB (76 GB Free); D: 931 GB (363 GB Free); F: 230 GB (226 GB Free);
Motherboard: Gigabyte Technology Co., Ltd. Z68A-D3H-B3
System: Award Software International, Inc., ver GBT - 42302e31
Antivirus: Norton Security Online, Enabled and Updated
 

#2 ·
According to your log, you're using a third-party antivirus app (Norton) with Windows 10.
Windows 10 can have various issues when a third-party antivirus app is used.
Windows updates failing to install is one of them.
That's why it's recommended to stick with Windows 10's built-in antivirus app (Windows Security).

-------------------------------------------------
 
#6 ·
Guys, I uninstalled all traces of Norton 360 at the beginning of the year when Comcast Xfinity informed me that they will no longer be giving it away for free and are switching over to their server-based protection, so I don't have it installed on my PC at all. It was uninstalled and all files related to it were deleted. Locally I am using Windows 10 security/virus and firewall; it shows in my tray, and see the screenshot I took of the window that it opens to.
When I run the techguy system info it shows Norton, I don't know why it does that???
 


#10 ·
Hi, All.

Let me add my recommendation on this.

1. Run Deployment Image Servicing and Management (DISM)
  • Click on the Start button and in the search box, type Command Prompt
  • When you see Command Prompt on the list, right-click on it and select Run as administrator
  • Enter the command below and press on Enter;
Code:
DISM /Online /Cleanup-Image /RestoreHealth
  • Let the scan run until the end (100%). Depending on your system, it can take some time.

2. When DISM finishes, you can then run SFC from the same command prompt window, but full instructions as if starting fresh:
  • Click on the Start button and in the search box, type Command Prompt
  • When you see Command Prompt on the list, right-click on it and select Run as administrator
  • Enter the command below and press on Enter
Code:
sfc /scannow
  • Let the scan finish.
  • You will normally get one of the following results:
    Code:
    Windows Resource Protection did not find any integrity violations
    Windows Resource Protection found corrupt files and successfully repaired them
    Windows Resource Protection found corrupt files but was unable to fix some of them
    Windows Resource Protection could not perform the requested operation
  • Please post the result you got.

3. Reset Windows Update Components

Try Method 2 here

After the above, try to update again and let us know the result.
 
#13 ·
Unfortunately, I went through 8 of the 9 methods listed on this excellent Appuals site, but none of them fixed the problem. https://appuals.com/error-code-800f0922-on-windows-7-8-1/ I didn't run his Method 9 because it looked too risky.

I kept getting the pop up about using Restoro, so I DL'd it from their website and ran the app... it's very impressive and listed multiple problems that could be fixed if you buy it, so I forked out the $41.95 that is guaranteed and supposedly includes tech support and I ran the app. When it finished I suddenly got a warning in the tray Windows Security and when I opened it I found that an adware program, PUA: Win32/Presenoker was caught. I ran Restoro again and I ended up with a second Win Security system catch, PUA: WIN32/Reimage a malware program. I called Restoro twice at 11am and was told someone would call me back in 5 minutes, it's almost 3pm now and I've had no callbacks. I ended up deleting the two caught programs and uninstalled Restoro. I went on their site and filled out the forms for a refund with the reason why. I also noticed that none of the many entries for "Norton" in the registry were fixed by Restoro, so I'm pretty disappointed in that product.
I guess I'm just going to quit worrying about the Netframework 3.5 & 4.8 update, it doesn't seem to be affecting anything that I've noticed so far.
Unless someone has some other ideas, thanks all for the attempts to help.
 
#14 · (Edited)
BUT WHY DID YOU DO ALL THAT!

1. I told you to try Method 2, to reset Windows Update components, not everything suggested in the article, which is dealing with a completely different error than yours!

2. Restoro indeed is a potentially unwanted program! You could ask before downloading and paying for that! Although you uninstalled it, there are still remnants in your computer and it needs to be cleaned.

I really don't have anything to suggest to you right now, other than posting at the Malware Removal Forum to check your computer...
 
#15 ·
BUT WHY DID YOU DO ALL THAT!

1. I told you to try Method 2, to reset Windows Update components, not everything suggested in the article, which is dealing with a completely different error than yours!
You said to run the DISM and SFC which is Method 4 on the Appuals site and I did it and I said in post 11 above that the SFC then didn't find any problems. I then told you I would move on to your step 3 which is Appuals Method 2, Resetting the Win Update component. You referred me to the Appuals site method 2 so I tried method 2 and the rest of his methods and none worked, which I told you in post 13. I take screen shots of most of what I do, I attached the Appuals method 2 and 4 that I ran below.

2. Restoro indeed is a potentially unwanted program! You could ask before downloading and paying for that! Although you uninstalled it, there are still remnants in your computer and it needs to be cleaned.
I figured the site was safe with your recommendation and the Restoro kept popping up on their site. I did a search online and all I could find were positive reviews, including Microsoft, so I gave it a try.

I really don't have anything to suggest to you right now, other than posting at the Malware Removal Forum to check your computer...
Thank you, I'll take a look at that, I think the MS security caught it and I deleted it, but I'll check further.
I really do appreciate all your help
 


#16 ·
BTW, Dr.M.. I should have just done a search on this forum for Restoro and I would have found your excellent suggestion to avoid it. Hopefully no damage was done. I may have to contact my credit card company and have them block the payment if Restoro doesn't get back to me today.
 
#19 ·
That would be fine, and again, thanks for all your help.
I called my credit card company this morning and they are disputing the charge. The only response from Restoro was an automated email saying they are busy, they got my refund request and the reason for it and they will get back to me.
 
#23 ·
Hi, rhoag.

Thank you for the logs.

For better assistance, please move the FRST tool to your Desktop. Now it is here:
D:\Documents\Computer Related\Problems\Update problem\Faber Recovery log
Just go to the above location, drag the FRST tool and place it on your Desktop.

My first comments/instructions regarding your logs:

1. Operating system question

Is the operating system (Windows) on Drive D?

2. Programs related question

You have several programs in their Pro/Premium/Paid version. Are they all legally activated? Here we say that having installed not legally activated programs is the easiest way to infect your computer.

For example, are those legally activated? If yes, that's perfect. If not, I will ask you to remove them (and any other program not legally activated), along with the program in Step 3.

ABBYY FineReader 6.0 Sprint
ACDSee Photo Studio Ultimate 2019
Adobe Photoshop CS5
Creative WaveStudio 7

3. Uninstall a program

We do not recommend registry cleaners, system optimizers, driver boosters and the like. With these programs the potential is ever present to cause more problems than they claim to fix. So please uninstall Driver Booster 8.
  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program on the list:
Code:
Driver Booster 8
  • Select the above program and click Uninstall.
  • Restart the computer.

4. Uninstall an Edge extension

Click on the Start button, find Norton Safe Web, right click and Uninstall.

5. Search for Norton remnants
  • Double-click FRST.exe/FRST64.exe to run it.
  • Copy and paste the following into the Search box:
Code:
 Norton
  • Press the Search Files button.
  • When complete, FRST will generate a log, named Search.txt, in the same location it was run from.
  • Please copy and paste its contents into your reply.

In your next reply please post:
  1. Your reply to the questions 1 and 2 above
  2. If uninstalling IOBit and the Edge extension went fine
  3. The Search.txt
 
#25 ·
Hi, rhoag.

Thank you for the logs.

For better assistance, please move the FRST tool to your Desktop. Now it is here:
D:\Documents\Computer Related\Problems\Update problem\Faber Recovery log
Just go to the above location, drag the FRST tool and place it on your Desktop.
Okay, done

My first comments/instructions regarding your logs:

1. Operating system question
Is the operating system (Windows) on Drive D?

2. Programs related question
You have several programs in their Pro/Premium/Paid version. Are they all legally activated? Here we say that having installed not legally activated programs is the easiest way to infect your computer.

For example, are those legally activated? If yes, that's perfect. If not, I will ask you to remove them (and any other program not legally activated), along with the program in Step 3.

ABBYY FineReader 6.0 Sprint
ACDSee Photo Studio Ultimate 2019
Adobe Photoshop CS5
Creative WaveStudio 7
All programs are legally obtained and the operating system is on C: drive. The D: drive is for documents and some other programs. F: drive is mainly just used for Photoshop caching at this point.

3. Uninstall a program
We do not recommend registry cleaners, system optimizers, driver boosters and the like. With these programs the potential is ever present to cause more problems than they claim to fix. So please uninstall Driver Booster 8.
  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program on the list:
Code:
Driver Booster 8
  • Select the above program and click Uninstall.
  • Restart the computer.
Okay, done

4. Uninstall an Edge extension
Click on the Start button, find Norton Safe Web, right click and Uninstall.
Not finding this installed

5. Search for Norton remnants
  • Double-click FRST.exe/FRST64.exe to run it.
  • Copy and paste the following into the Search box:
Code:
 Norton
  • Press the Search Files button.
  • When complete, FRST will generate a log, named Search.txt, in the same location it was run from.
  • Please copy and paste its contents into your reply.
This is the result:
Farbar Recovery Scan Tool (x64) Version: 03-08-2021
Ran by doane (03-08-2021 16:30:29)
Running from C:\Users\doane\Desktop
Boot Mode: Normal

================== Search Files: "
Code:
 Norton
" =============

====== End of Search ======

In your next reply please post:
  1. Your reply to the questions 1 and 2 above
  2. If uninstalling IOBit and the Edge extension went fine
  3. The Search.txt
 
#26 ·
Looking in the FRST64 Addition.txt file this is rather disturbing under Windows Defender:

Name: BrowserModifier:Win32/Xeelyak
Severity: High
Category: Browser Modifier

Name: Trojan:Script/Phonzy.A!ml
Severity: Severe
Category: Trojan

and a couple of "Severity: low" ones
 
#27 ·
Hi, rhoag.

Thank you for all the info provided.

The items detected by Windows Defender are potentially unwanted programs. They don't appear in your installed programs list, but you have their executable files in Drive D. It's up to you to keep them or not, but first read here for further information about this kind of programs.

Code:
D:\Documents\Computer Related\Media\Video Converters\Cnet free Any-Viceo-Converet\avc-free.exe
D:\Documents\Computer Related\Media\Video Converters\Cnet free Format Factory\FFSetup280.exe
D:\Documents\Computer Related\Media\Video Downloaders\Freemake\FreemakeVideoDownloaderSetup.exe
D:\Documents\Games\Forenza Horizon 4\Forza Horizon 4 Manager.rar
Let's continue:

1. Uninstall an Edge extension

Of course you didn't find Norton Safe Web. My mistake! It's an extension, not an application.

Open Edge, click on the three horizontal dots at the browser's top right and choose Extensions. Find Norton Safe Web and select Remove.

2. Search for Norton remnants (again)

  • Download the Revo Uninstaller (Free Download) and save it on your Desktop.
  • Double click on the exe file created on your Desktop to run the installer, and follow the instructions to install the program.
  • Double click the program's icon to open it.
  • Write in the search area, on the top left, the following program:
Code:
Norton Security Online
  • Choose the Uninstall tab from the menu and let the program create a Restore point.
  • Choose Scan, and then the Advanced mode scan.
  • Select all the Norton items found, Delete and Next.
  • Let the procedure be completed and click on Finish.
  • Restart the computer.

3. Run AdwCleaner (Scan mode)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

4. Run Malwarebytes (Scan mode)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and Windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

In your next reply, please post:
  1. How the procedure went at steps 1 and 2
  2. The AdwCleaner[S0*].txt
  3. The Malwarebytes report
 
#28 ·
Hi, rhoag.

Thank you for all the info provided.

The items detected by Windows Defender are potentially unwanted programs. They don't appear in your installed programs list, but you have their executable files in Drive D. It's up to you to keep them or not, but first read here for further information about this kind of programs.

Code:
D:\Documents\Computer Related\Media\Video Converters\Cnet free Any-Viceo-Converet\avc-free.exe
D:\Documents\Computer Related\Media\Video Converters\Cnet free Format Factory\FFSetup280.exe
D:\Documents\Computer Related\Media\Video Downloaders\Freemake\FreemakeVideoDownloaderSetup.exe
D:\Documents\Games\Forenza Horizon 4\Forza Horizon 4 Manager.rar
I will delete the video converters, but I use video downloader, so will keep it unless there is a problem.
The Forenza Horizon 4 is a Windows game and is in the Windows uninstall list. I checked on the Manager on the D: drive as I wasn't familiar with it. I did a MS scan on it and it reported a "Severity Trojan:Win32/wacatac.B!ml so I quarantined it.

Let's continue:

1. Uninstall an Edge extension

Of course you didn't find Norton Safe Web. My mistake! It's an extension, not an application.

Open Edge, click on the three horizontal dots at the browser's top right and choose Extensions. Find Norton Safe Web and select Remove.
Thank you, done. I don't use Edge for browsing, I use Firefox.. wish I could just disable MS Edge, I can't find it in the Win Task manager startup.

2. Search for Norton remnants (again)
  • Download the Revo Uninstaller (Free Download) and save it on your Desktop.
  • Double click on the exe file created on your Desktop to run the installer, and follow the instructions to install the program.
  • Double click the program's icon to open it.
  • Write in the search area, on the top left, the following program:
Code:
Norton Security Online
  • Choose the Uninstall tab from the menu and let the program create a Restore point.
  • Choose Scan, and then the Advanced mode scan.
  • Select all the Norton items found, Delete and Next.
  • Let the procedure be completed and click on Finish.
  • Restart the computer.
Ran the Revo as instructed and the search for
Code:
Norton Security Online
and there were zero results, also scanned for "Norton" with no results

3. Run AdwCleaner (Scan mode)
Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.
# -------------------------------
# Malwarebytes AdwCleaner 8.3.0.0
# -------------------------------
# Build: 06-29-2021
# Database: 2021-06-29.1 (Local)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 08-04-2021
# Duration: 00:00:06
# OS: Windows 10 Home
# Scanned: 31972
# Detected: 18

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.AdvancedSystemCare C:\Users\doane\AppData\Roaming\IObit\Advanced SystemCare

***** [ Files ] *****

PUP.Optional.Restoro C:\Windows\restoro.ini

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dotomi.com
PUP.Optional.Legacy HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dotomi.com
PUP.Optional.Legacy HKLM\Software\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
PUP.Optional.Legacy HKLM\Software\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
PUP.Optional.Legacy HKLM\Software\Wow6432Node\\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
PUP.Optional.Legacy HKLM\Software\Wow6432Node\\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
PUP.Optional.Restoro HKCU\Software\Local AppWizard-Generated Applications\Restoro
PUP.Optional.Restoro HKCU\Software\Restoro
PUP.Optional.Restoro HKLM\Software\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}
PUP.Optional.Restoro HKLM\Software\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}
PUP.Optional.Restoro HKLM\Software\Classes\Restoro.Engine
PUP.Optional.Restoro HKLM\Software\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}
PUP.Optional.Restoro HKLM\Software\Restoro
PUP.Optional.Restoro HKLM\Software\Wow6432Node\\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}
PUP.Optional.TheBrightTag HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\thebrighttag.com
PUP.Optional.TheBrightTag HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\thebrighttag.com

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

4. Run Malwarebytes (Scan mode)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and Windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
During the install it reported unable to load AntiRootKit DDA driver and suggested a reboot to install it. I did that and started the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
Set the options above. The scan froze with no indication of action. I tried several times. I uninstalled the program and reinstalled it, set the options and it now works.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

In your next reply, please post:
  1. How the procedure went at steps 1 and 2
  2. The AdwCleaner[S0*].txt
  3. The Malwarebytes report
Okay, I think I got this all right above, really appreciate all the help, Professor ;-)
Malwarebytes summary:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/4/21
Scan Time: 9:36 AM
Log File: 10cb5914-f542-11eb-ab5a-50e549c0216d.json

-Software Information-
Version: 4.4.4.126
Components Version: 1.0.1413
Update Package Version: 1.0.43862
License: Trial

-System Information-
OS: Windows 10 (Build 19043.1151)
CPU: x64
File System: NTFS
User: Doane-PC\doane

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 331083
Threats Detected: 8
Threats Quarantined: 0
Time Elapsed: 2 min, 52 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)

Registry Key: 6
PUP.Optional.Restoro, HKLM\SOFTWARE\CLASSES\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}, No Action By User, 842, 551619, , , , , ,
PUP.Optional.Restoro, HKLM\SOFTWARE\CLASSES\Restoro.Engine.1, No Action By User, 842, 551619, , , , , ,
PUP.Optional.Restoro, HKLM\SOFTWARE\CLASSES\Restoro.Engine, No Action By User, 842, 551619, 1.0.43862, , ame, , ,
PUP.Optional.Restoro, HKLM\SOFTWARE\Restoro, No Action By User, 842, 551614, 1.0.43862, , ame, , ,
PUP.Optional.Restoro, HKU\S-1-5-21-2159283933-1585630817-402555402-1001\SOFTWARE\Restoro, No Action By User, 842, 551610, 1.0.43862, , ame, , ,
PUP.Optional.Restoro, HKU\S-1-5-21-2159283933-1585630817-402555402-1001\SOFTWARE\Local AppWizard-Generated Applications\Restoro, No Action By User, 842, 551612, 1.0.43862, , ame, , ,

Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)

File: 2
PUP.Optional.Restoro, C:\WINDOWS\RESTORO.INI, No Action By User, 842, 551609, 1.0.43862, , ame, , 598FAEEB808113E58C7D89A03ECCED39, 1D39D9534C2B88081582CE350BA75072FD492E718B3621BE9BBB68B95C7DAECC
PUP.Optional.Restoro, C:\WINDOWS\SYSTEM32\NATIVE.EXE, No Action By User, 842, 551621, 1.0.43862, , ame, , A1E5E09208F19DE7AD33554E9627D5E4, E4F2EBA8E47DA66A0794A9FF41D2764C05B089C5706586345BA417F4DAAA7430

Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
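
As an added example (not part of the thread or of either vendor's tooling), the Python below parses an AdwCleaner scan log and a Malwarebytes report in the formats posted above and reconciles them by normalized target path, showing which remnants only one scanner reported. The function names are hypothetical, the embedded logs are abridged from the ones above, and folding `HKU\<SID>` into `HKCU` assumes the SID belongs to the user who ran the scan.

```python
import re
from typing import NamedTuple

# Abridged excerpts of the two scan-mode logs posted in this thread, embedded
# so the example runs offline. Section counts are adjusted to the excerpt and
# the hash fields are replaced with placeholders.
ADWCLEANER_LOG = r"""
***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.AdvancedSystemCare C:\Users\doane\AppData\Roaming\IObit\Advanced SystemCare

***** [ Files ] *****

PUP.Optional.Restoro C:\Windows\restoro.ini

***** [ Registry ] *****

PUP.Optional.Restoro HKCU\Software\Restoro
PUP.Optional.Restoro HKLM\Software\Classes\Restoro.Engine
PUP.Optional.Restoro HKLM\Software\Restoro
PUP.Optional.Restoro HKLM\Software\Wow6432Node\\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}
"""

MALWAREBYTES_REPORT = r"""
Registry Key: 4
PUP.Optional.Restoro, HKLM\SOFTWARE\CLASSES\Restoro.Engine.1, No Action By User, 842, 551619, , , , , ,
PUP.Optional.Restoro, HKLM\SOFTWARE\CLASSES\Restoro.Engine, No Action By User, 842, 551619, 1.0.43862, , ame, , ,
PUP.Optional.Restoro, HKLM\SOFTWARE\Restoro, No Action By User, 842, 551614, 1.0.43862, , ame, , ,
PUP.Optional.Restoro, HKU\S-1-5-21-2159283933-1585630817-402555402-1001\SOFTWARE\Restoro, No Action By User, 842, 551610, 1.0.43862, , ame, , ,

File: 2
PUP.Optional.Restoro, C:\WINDOWS\RESTORO.INI, No Action By User, 842, 551609, 1.0.43862, , ame, , <md5>, <sha256>
PUP.Optional.Restoro, C:\WINDOWS\SYSTEM32\NATIVE.EXE, No Action By User, 842, 551621, 1.0.43862, , ame, , <md5>, <sha256>
"""


class Detection(NamedTuple):
    tool: str
    section: str
    threat: str
    target: str


# Detection names in both logs look like "PUP.Optional.Restoro".
THREAT = re.compile(r"^[A-Za-z]+\.\S+$")


def parse_adwcleaner(text):
    """Collect 'Threat.Name <path>' lines under each '***** [ X ] *****' header."""
    found, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\*+ \[ (.+?) \] \*+$", line)
        if header:
            section = header.group(1)
            continue
        parts = line.split(None, 1)
        if section and len(parts) == 2 and THREAT.match(parts[0]):
            found.append(Detection("AdwCleaner", section, parts[0], parts[1]))
    return found


def parse_malwarebytes(text):
    """Collect 'Threat.Name, <path>, <action>, ...' lines under 'Category: N'."""
    found, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^([A-Za-z ]+): \d+$", line)
        if header:
            section = header.group(1)
            continue
        parts = line.split(", ", 3)
        if section and len(parts) >= 3 and THREAT.match(parts[0]):
            found.append(Detection("Malwarebytes", section, parts[0], parts[1]))
    return found


def normalize(target):
    """Lower-case, collapse doubled backslashes, fold HKU\\<SID> into HKCU."""
    key = "\\".join(p for p in target.lower().split("\\") if p)
    # Assumption: the SID is the profile of the user who ran both scans.
    return re.sub(r"^hku\\s-1-5-21-[0-9-]+\\", lambda m: "hkcu\\", key)


def reconcile(adw, mb):
    """Split normalized targets into seen-by-both and seen-by-one-tool sets."""
    a = {normalize(d.target) for d in adw}
    m = {normalize(d.target) for d in mb}
    return {"both": a & m, "adwcleaner_only": a - m, "malwarebytes_only": m - a}


if __name__ == "__main__":
    result = reconcile(parse_adwcleaner(ADWCLEANER_LOG),
                       parse_malwarebytes(MALWAREBYTES_REPORT))
    for bucket in ("both", "adwcleaner_only", "malwarebytes_only"):
        print(f"{bucket} ({len(result[bucket])}):")
        for key in sorted(result[bucket]):
            print("   ", key)
```

On these excerpts the Malwarebytes-only set holds `NATIVE.EXE` in System32 and the `Restoro.Engine.1` class key, so a cleanup with AdwCleaner alone would have left them behind.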
 
#30 ·
Hi, rhoag.

Good job! Bravo! (y)

Windows Security caught it as I mentioned and I quarantined it, but is that enough?
Since Defender detected it, no other action is needed. I saw the Forenza Horizon 4 in your installed Windows applications and was also surprised about the specific detection. Then I noticed the path of the detected item in D and it seems that you may also have downloaded it from somewhere else. Have you paid for it?

Now let's clean what AdwCleaner and Malwarebytes found, mostly Restoro remnants.

1. AdwCleaner (Clean mode)

To proceed, please do the following:
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all the boxes and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

2. Run Malwarebytes (Clean mode)
  • Double click the program's icon on your Desktop, as you did before.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is unchecked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

3. Fresh FRST logs
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.

In your next reply, please post:
  1. The AdwCleaner[C0*].txt
  2. The Malwarebytes report
  3. The fresh FRST logs, Addition and FRST.
P.S. Please do not press the Reply button to quote parts of my posts into your reply. Just put points/numbers. It's easier for me to read what you write.
 
#31 ·
Hi, rhoag.

Good job! Bravo! (y)
Since Defender detected it, no other action is needed. I saw the Forenza Horizon 4 in your installed Windows applications and was also surprised about the specific detection. Then I noticed the path of the detected item in D and it seems that you may also have downloaded it from somewhere else. Have you paid for it?
Oh Boy.. I checked on the Forza Horizon 4 folder in D: and it listed a link to the DL at Reworkedgames.eu back in 2018. I vaguely remember now that at the time the game was just coming out with the PC version having been only Xbox before that and they offered a free intro dl of it... so I went for it. I always buy games on Steam, or Uplay or directly from the game company, but not that time. After Notre Dame in Paris burned I was given a free DL of Assassin's Creed Unity for donating to the restoration. The game is staged in Paris and was actually used to help in the restoration of the church. I don't believe in free hacked software or games, I made a mistake.

Now let's clean what AdwCleaner and Malwarebytes found, mostly Restoro remnants.

1. AdwCleaner (Clean mode)

To proceed, please do the following:
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all the boxes and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log. (Clean logs have a [C0*] suffix, where * is replaced by a number; the latest scan will have the largest number.)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.
# -------------------------------
# Malwarebytes AdwCleaner 8.3.0.0
# -------------------------------
# Build: 06-29-2021
# Database: 2021-06-29.1 (Local)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 08-04-2021
# Duration: 00:00:01
# OS: Windows 10 Home
# Cleaned: 18
# Failed: 0

***** [ Services ] *****
No malicious services cleaned.

***** [ Folders ] *****
Deleted C:\Users\doane\AppData\Roaming\IObit\Advanced SystemCare

***** [ Files ] *****
Deleted C:\Windows\restoro.ini

***** [ DLL ] *****
No malicious DLLs cleaned.
***** [ WMI ] *****
No malicious WMI cleaned.
***** [ Shortcuts ] *****
No malicious shortcuts cleaned.
***** [ Tasks ] *****
No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dotomi.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\thebrighttag.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dotomi.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\thebrighttag.com
Deleted HKCU\Software\Local AppWizard-Generated Applications\Restoro
Deleted HKCU\Software\Restoro
Deleted HKLM\Software\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}
Deleted HKLM\Software\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}
Deleted HKLM\Software\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
Deleted HKLM\Software\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
Deleted HKLM\Software\Classes\Restoro.Engine
Deleted HKLM\Software\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}
Deleted HKLM\Software\Restoro
Deleted HKLM\Software\Wow6432Node\\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
Deleted HKLM\Software\Wow6432Node\\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
Deleted HKLM\Software\Wow6432Node\\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}

***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries cleaned.
***** [ Chromium URLs ] *****
No malicious Chromium URLs cleaned.
***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries cleaned.
***** [ Firefox URLs ] *****
No malicious Firefox URLs cleaned.
***** [ Hosts File Entries ] *****
No malicious hosts file entries cleaned.
***** [ Preinstalled Software ] *****
No Preinstalled Software cleaned.
*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************
AdwCleaner[S00].txt - [3506 octets] - [04/08/2021 08:22:04]
AdwCleaner[S01].txt - [3567 octets] - [04/08/2021 14:15:01]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########

2. Run Malwarebytes (Clean mode)
  • Double click the program's icon on your Desktop, as you did before.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is unchecked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.
Will do your step 3 after the computer restarts

3. Fresh FRST logs
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.

In your next reply, please post:
  1. The AdwCleaner[C0*].txt
  2. The Malwarebytes report
  3. The fresh FRST logs, Addition and FRST.
P.S. Please do not press the Reply button to quote parts of my posts into your reply. Just put points/numbers. It's easier for me to read what you write.
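A quick way to sanity-check a clean log like the one posted above, as an added example that is not part of the original thread or of AdwCleaner: it compares the `# Cleaned:` counter with the number of itemised `Deleted` lines and flags a non-zero `# Failed:`. The sample log is constructed and abridged, and reading `Failed` as the number of items that could not be removed is an assumption.

```python
import re

# Constructed sample: abridged lines in the layout of the clean log posted above.
SAMPLE_LOG = r"""# Mode: Clean
# Cleaned: 4
# Failed: 0

***** [ Services ] *****
No malicious services cleaned.
***** [ Folders ] *****
Deleted C:\Users\doane\AppData\Roaming\IObit\Advanced SystemCare
***** [ Files ] *****
Deleted C:\Windows\restoro.ini
***** [ Registry ] *****
Deleted HKCU\Software\Restoro
Deleted HKLM\Software\Restoro
"""

HEADER = re.compile(r"^# (Cleaned|Failed):\s*(\d+)$")
SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")

def parse_clean_log(text):
    """Return (header counters, {section name: [deleted items]})."""
    header, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            header[m.group(1)] = int(m.group(2))
        elif m := SECTION.match(line):
            current = sections.setdefault(m.group(1), [])
        elif line.startswith("Deleted ") and current is not None:
            current.append(line[len("Deleted "):])
    return header, sections

def verify(text):
    """Cross-check the header counters against the itemised entries."""
    header, sections = parse_clean_log(text)
    itemised = sum(len(items) for items in sections.values())
    problems = []
    if header.get("Cleaned") != itemised:
        problems.append(f"header says {header.get('Cleaned')} cleaned, log lists {itemised}")
    if header.get("Failed") != 0:
        problems.append(f"Failed counter is {header.get('Failed')}, expected 0")
    return problems
```

Run against the full log in the post, the same check counts 1 folder, 1 file and 16 registry entries, which agrees with `# Cleaned: 18`.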
 
#34 ·
Hi, rhoag.

I asked this before but I'm sure you didn't notice:

P.S. Please do not press the Reply button to quote parts of my posts into your reply. Just put points/numbers. It's easier for me to read what you write.

You didn't attach the Malwarebytes report and I would like to see it please. I hope you ran it before the new FRST scan, as I want fresh FRST logs after the Malwarebytes scan.

As for the updates issue, please wait. First we clean and then we deal with everything else.

1. Search for Norton
  • Copy and paste the following into the Search box: SearchAll: Norton
  • Click on the Search Files button.
  • When complete, FRST will generate a log, named Search.txt, in the same location it was run from.
  • Please copy and paste its contents into your reply.

2. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
AV: Norton Security Online (Enabled - Up to date) {1122B19A-E671-38EC-8EAC-87048FD4528D}
AV: Norton Security Online (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
FW: Norton Security Online (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
FW: Norton Security Online (Enabled) {291930BF-AC1E-39B4-A5F3-2E31710715F6}
CustomCLSID: HKU\S-1-5-21-2159283933-1585630817-402555402-1001_Classes\CLSID\{e1a7f602-67b7-44f7-ad19-439e41f06cd8}\localserver32 -> "C:\Program Files\Global Delight\Boom 3D\Boom3D.exe" -ToastActivated => No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
SearchScopes: HKU\S-1-5-21-2159283933-1585630817-402555402-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://searchsafe.norton.com/search?q={searchTerms}&l=dis&prt=NGC&chn=1122&geo=US&ver=22.20.5.39&locale=US_en&guid=766617C2-8CAC-440B-88DA-B1049616EE6B&doi=2016-09-01&o=ds&hspart=symantec&hsimp=yhs-ext_onb&doa=2020-08-18&gct=kwd&qsrc=2869
Toolbar: HKU\S-1-5-21-2159283933-1585630817-402555402-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FirewallRules: [{C8954E9B-6679-41F6-81F4-D22081EBF299}] => (Allow) C:\Users\doane\AppData\Local\Temp\7zS896E.tmp\SymNRT.exe => No File
FirewallRules: [{3FAB3107-82D9-49BF-8F71-93F80C850127}] => (Allow) C:\Users\doane\AppData\Local\Temp\7zS896E.tmp\SymNRT.exe => No File
FirewallRules: [{832B25A8-367B-4E02-9C39-8AAD7DC64209}] => (Allow) C:\Users\doane\AppData\Local\Temp\7zS5899.tmp\SymNRT.exe => No File
FirewallRules: [{6B00653A-C1D0-41E3-86A5-30E8653EECEF}] => (Allow) C:\Users\doane\AppData\Local\Temp\7zS5899.tmp\SymNRT.exe => No File
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
2021-08-02 14:09 - 2021-08-02 14:09 - 000000743 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows 10 Update Assistant.lnk
2021-08-02 10:07 - 2021-08-02 10:29 - 000000098 _____ C:\WINDOWS\system32\Restoro.rep
2021-08-01 21:22 - 2021-08-01 21:22 - 000000000 ____D C:\ProgramData\Norton
2021-08-04 14:18 - 2021-02-02 13:05 - 000000000 ____D C:\Users\doane\AppData\Roaming\IObit
D:\Documents\Computer Related\Media\Video Converters\Cnet free Any-Viceo-Converet\avc-free.exe
D:\Documents\Computer Related\Media\Video Converters\Cnet free Format Factory\FFSetup280.exe
D:\Documents\Computer Related\Media\Video Downloaders\Freemake\FreemakeVideoDownloaderSetup.exe
D:\Documents\Games\Forenza Horizon 4\Forza Horizon 4 Manager.rar
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

In your next reply please post:
  1. The Malwarebytes report
  2. The Search.txt
  3. The fixlog.txt
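The notice in the post above says the script is specific to one machine, and the copy step requires both the "Start::" and "End::" lines. The following added example (not part of the original thread and not FRST's own code) checks copied text for both markers and lists any account SIDs or `C:\Users\<name>` profile folders that do not belong to the local machine. The sample clipboard text is constructed from a few lines of the fixlist, and the function names and parameters are hypothetical.

```python
import re

# Constructed sample: a few lines from the fixlist above, with stray text around
# the markers to mimic an imprecise copy from the forum page.
SAMPLE_CLIPBOARD = r"""Code:
Start::
CreateRestorePoint:
Toolbar: HKU\S-1-5-21-2159283933-1585630817-402555402-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
2021-08-04 14:18 - 2021-02-02 13:05 - 000000000 ____D C:\Users\doane\AppData\Roaming\IObit
CMD: SFC /scannow
End::
Please right-click on FRST64
"""

SID = re.compile(r"S-1-5-21(?:-\d+){4}")               # per-user account SIDs
PROFILE = re.compile(r"[A-Za-z]:\\Users\\([^\\\r\n]+)\\")  # profile folder names

def extract_fixlist(text):
    """Return the lines from Start:: to End:: inclusive; raise if a marker is missing."""
    lines = [line.rstrip() for line in text.splitlines()]
    try:
        start = lines.index("Start::")
        end = lines.index("End::", start)
    except ValueError:
        raise ValueError("Start:: and End:: markers are not both present") from None
    return lines[start:end + 1]

def scope_mismatches(text, local_sid, local_profile):
    """List SIDs and profile folders named in the fixlist that are not this machine's."""
    body = "\n".join(extract_fixlist(text))
    foreign = sorted({s for s in SID.findall(body) if s != local_sid})
    foreign += sorted({p for p in PROFILE.findall(body)
                       if p.lower() != local_profile.lower()})
    return foreign
```

On Windows, `whoami /user` prints the SID of the logged-in account to pass as `local_sid`; an empty result means every SID and profile path in the script refers to that account.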
 