
Possible malware?

Discussion in 'Malware Removal Help' started by Tony D, Mar 19, 2019.

  1. Tony D

    Tony D (Administrator)

    Joined:
    Sep 25, 2009
    Messages:
    5,103
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    I've been unable to install KB 4054530 (.NET 4.7.2). Maybe it's malware related.
    Additionally, the MBAM log shows it's blocking outbound packets to
    Domain: www.demoptimize.com

    Thanks in advance.
     

    Attached Files:

    Last edited: Mar 20, 2019
  2. Tony D

    Update. An Emsisoft Antimalware scan found these, but did not quarantine them.

    C:\Program Files\Common Files\System\ado\msrtm.dll
    c:\program files\common files\system\ado\winsysbp.dll

    I uploaded them to VirusTotal and received a mixed response.

    (screenshot of the VirusTotal results attached)
     
    Last edited: Mar 20, 2019
  3. starbuck

    starbuck (Administrator; Rest In Peace Pete)

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi Tony,

    Sorry for the late reply..... it's been one of those weeks.

    It doesn't look like it.
    Net Framework updates can be a pain anyway.
    They're normally an 'Optional' update.
    Basically, If a piece of software needs a newer version of .NET Framework it will either ask you to install it or it'll install it itself.
    Have seen a few workarounds on the net but they're not always successful.

    This probably explains that....
    Legit files, but they're not signed .... but you would have thought that M$ files would be.

    Can't find out much about this site.
    My system can't connect to it.... just get a timeout error all the time.
    Whois doesn't have much on it either.
    (whois screenshot attached)

    This is adware related, it needs uninstalling.

    There are a few things we should address in the FRST report..... will write a fix after I've got cleaned up (only just in from work)

    Back soon.
     
  4. Tony D

    Yes, I did see that those two items were not signed. I don't know how things get signed, but you'd think they would be if they were legitimate.

    Looking forward to see your fix.
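An added example, not part of the thread, for the "is it signed?" question running through posts 2 to 4. FRST and Emsisoft report a file as not signed when it carries no embedded Authenticode signature; many genuine Windows components are instead signed through catalog files, which PowerShell 2 to 4 do not consult, so "unsigned" on its own is not evidence either way. The script below reports the signature state, the SHA-256 (for a VirusTotal search, so the same file can be looked up without re-uploading it) and the version metadata for the two paths from post 2; the sfc and sigcheck commands in the trailing comment are the follow-up checks for catalog-signed files. Get-FileHash needs PowerShell 4 or later, and the SignatureType field is only populated on PowerShell 5 or later.

```powershell
# Added example, not from the thread. Signature and hash report for files an
# AV or FRST scan flags as "not signed". Needs PowerShell 4+ (Get-FileHash);
# the SignatureType field is populated on PowerShell 5+ only.

# The two paths from post 2.
$flagged = @(
    'C:\Program Files\Common Files\System\ado\msrtm.dll',
    'C:\Program Files\Common Files\System\ado\winsysbp.dll'
)

function Get-FlaggedFileReport {
    param([string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false }
            continue
        }
        $item   = Get-Item -LiteralPath $p
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $hash   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Path        = $p
            Exists      = $true
            SHA256      = $hash                     # paste into VirusTotal's search box
            SigStatus   = $sig.Status               # Valid, NotSigned, HashMismatch, ...
            SigType     = $sig.SignatureType        # Authenticode, Catalog or None (PS 5+)
            Signer      = $signer
            CompanyName = $item.VersionInfo.CompanyName   # unverified metadata, trivially forged
            FileVersion = $item.VersionInfo.FileVersion
            Modified    = $item.LastWriteTime
        }
    }
}

Get-FlaggedFileReport -Path $flagged | Format-List

# NotSigned is only conclusive for a file that should carry an embedded
# signature. Windows components are usually signed via catalog files under
# C:\Windows\System32\CatRoot, which PowerShell 2-4 do not check. Two
# independent follow-ups for such files (sigcheck is Sysinternals, not built in):
#   sfc /verifyfile="C:\Program Files\Common Files\System\ado\msrtm.dll"
#   sigcheck64.exe -i -h "C:\Program Files\Common Files\System\ado\msrtm.dll"
# A file that sigcheck reports as Unsigned and that no catalog covers has no
# Microsoft attestation at all, whatever its CompanyName string says.
```

Run it from an elevated prompt so the version and hash reads are not blocked by ACLs. A HashMismatch status is the one result that is damning on its own: it means the file was signed once and has been altered since.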
     
  5. starbuck

    Hi Tony,

    The problem is.... what should happen and what does happen are 2 different things.
    Notice that even Dell has a lot of unsigned files.
    These probably got thrown up because they're system files.
    Looking around this evening I see a few log reports that have the same unsigned files .... but no 'helper' has ever commented on them or addressed them.
    But not all Win7 systems have these files.... even stranger.

    Step 1
    This entry....
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    means that the Windows 7 Action Center has been disabled.
    Quite a few users do disable this.
    If it's been disabled on purpose then that's ok.
    If not and you want it turned back on.... just add that line to the fix.

    Please download the attached fixlist.txt file (bottom of this post) and save it to the Desktop.
    NOTE.
    It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine.
    Running this on another machine may cause damage to your operating system


    Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait.

    (screenshot attached)

    The tool will make a log on the Desktop (Fixlog.txt).
    Please post this in your next reply.

    This fix will also clear the Hosts file redirect.

    Step 2
    These entries in the event log.....
    Error code 1603..........
    Make sure that the Windows Installer service has started:
    Press Win + R and enter services.msc
    Find and double click on Windows Installer
    Hit Start button under Service status and hit OK.
    (If its service status is running, you should click on Stop first and then hit Start.)

    Then re-register the Windows Installer service:
    Press Win + R, type in msiexec /unregister and click OK.

    Press Win + R again and enter msiexec /regserver and click OK.

    ---------------------

    A M$ fix for Error 997 was added to Windows update quite a while ago.
    Make sure that you have all available windows updates.

    Step 3
    Now for a double check.

    Please download RogueKiller Anti-malware (Free) onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on RogueKiller Anti-malware to install the tool.
      Vista/Windows 7/8/10 users right-click and select Run As Administrator.
    • Select Accept the User Agreement then continue to click Next then finally click Install
    • Click Finish
    • When the program opens..... click Scan
    • Click Start Scan
    • Double check anything found and tick to select items to be removed
    • Click Remove Selected
    • When the items have been removed.... Click Open Report >> Open TXT.
    • Copy and paste that report into your next reply.

    In your next reply, please submit:
    fixlog.txt
    and the report from RK



    Thanks.
     

    Attached Files:
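The Step 2 procedure above as a script, added here as an example and not part of starbuck's post. It restarts the Windows Installer service (service name msiserver), re-registers msiexec, then lists recent MsiInstaller events from the Application log so the 1603 entries can be read with the product name they belong to, and finally locates the HTML summary log the standalone .NET Framework installer writes to %TEMP%, which records the underlying MSI error behind a 1603 or 0x80070643. The service-name, msiexec switches and event provider are standard; the 14-day window and the log-name filter are choices made for this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: Step 2 as a script. Run elevated.

# 1. Windows Installer service (service name: msiserver).
$svc = Get-Service -Name msiserver
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='msiserver'"
if ($wmi.StartMode -eq 'Disabled') {
    # A disabled installer service is itself a cause of 1603; Manual is the default.
    Set-Service -Name msiserver -StartupType Manual
}
if ($svc.Status -eq 'Running') {
    Restart-Service -Name msiserver -Force   # the thread's "Stop first, then Start"
} else {
    Start-Service -Name msiserver
}
"Windows Installer service: $((Get-Service -Name msiserver).Status)"

# 2. Re-register msiexec. Both commands return immediately, so wait on each.
$msiexec = Join-Path $env:SystemRoot 'System32\msiexec.exe'
Start-Process -FilePath $msiexec -ArgumentList '/unregister' -Wait
Start-Process -FilePath $msiexec -ArgumentList '/regserver' -Wait

# 3. Recent MsiInstaller events. 1603 is the generic "fatal error during
# installation"; the event message names the product and the return status.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    StartTime    = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -eq 2 -or $_.Message -match '\b1603\b' } |   # Level 2 = Error
    Select-Object TimeCreated, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ') } } |
    Format-Table -AutoSize -Wrap

# 4. The standalone .NET Framework installer writes an HTML summary log to
# %TEMP% (file name starts with "Microsoft .NET Framework"); the MSI error
# behind a 1603 or 0x80070643 is recorded there.
Get-ChildItem -Path $env:TEMP -Filter 'Microsoft .NET Framework*' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 3 FullName, LastWriteTime
```

The event query is the part worth keeping: a 1603 in Windows Update's own error list says nothing about which component failed, whereas the MsiInstaller message names the product and, for the 1033/1034 events, the installer's return status.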

  6. Tony D

    Here are the log files.

    I checked the registry entry for the Action Center and it agrees with the FRST log. However, it looks as if the Action Center is enabled. See screen shot. Please advise.

    Next I'll work on the updates. I did run the Update Troubleshooter. It fixed some issues, but it couldn't fix everything. I'd get different error messages when I ran it. 8007002, 80070643 were two of the notices. I also deleted the Software Distribution directory. Still was not able to install that .NET Framework.

    (screenshot attached)
     

    Attached Files:

  7. starbuck

    Hi Tony,

    Did you take the screen shot after running RogueKiller?
    If so.... that will be why it appears to be enabled: RK enabled it.
    [PUM.Policies (Potentially Malicious)] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System|ConsentPromptBehaviorAdmin -- -> Replaced (2)

    RK would have assumed that an outside force might have disabled it and made the correction. [PUM... potentially unwanted modification]

    As curiosity got the better of me, I have checked 2 Win7 desktops and a Win7 laptop that I have.
    Desktops are running different versions of Net Framework ..... 4.5.5 and the other 4.7.0
    Curiously the laptop doesn't even have it installed at all .... although Windows is meant to have this installed by default.
    All systems working fine with no problems with any programs.
    So to be honest, it's not really a big problem that it won't update ..... more of an annoyance as to why.

    Have all the Win updates been downloaded and installed now?
    Sometimes a particular win update will need to be installed before a net framework update is installed.
    Also, Net Framework will need full Admin privileges for installation..... check that this is so for the target folder as well.
     
  8. Tony D

    Thanks Starbuck, I can't remember exactly when I took that screen shot. It may have been before or after the RogueKiller run.

    Current registry shows:
    HideSCAHealth is still set to 1.
    ConsentPromptBehaviorAdmin is set to 2.

    The .Net 4.7.2 (KB 4054530) is still failing. Other updates are still coming in and installing properly. Today it downloaded and installed KB4493132 and KB2310138.

    This machine has .NET 4.5.1 installed. I'm fine with not continuing to work on the .NET issue.

    Not sure what you mean by that. Please explain.
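An added read-only audit, not from the thread, of the two registry values discussed in posts 5 to 8, so the Control Panel view and the FRST and RogueKiller lines can be reconciled. HideSCAHealth is the "Remove the Action Center icon" policy: a value of 1 hides the tray icon but leaves Action Center and the Security Center service (wscsvc) running, which is consistent with Tony's screenshot showing Action Center enabled while the value is still 1. ConsentPromptBehaviorAdmin is the UAC prompt policy for administrators; 2 is "prompt for consent on the secure desktop", the value RogueKiller wrote. EnableLUA is read as well, because the prompt setting is moot if UAC is off. Key paths and value meanings are as documented by Microsoft; the script writes nothing.

```powershell
# Added example, not from the thread. Read-only audit of the policy values the
# thread discusses; nothing is written. Value meanings per Microsoft's policy docs.

$systemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# The Action Center icon policy can be set per machine or per user.
$explorerPolicies = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Returns the value, or $null when the value (or the key) is absent, i.e. the default applies.
function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

# HideSCAHealth: "Remove the Action Center icon". It hides the tray icon only;
# Action Center and the Security Center service keep running.
foreach ($key in $explorerPolicies) {
    $hide = Get-PolicyValue -Key $key -Name 'HideSCAHealth'
    $hive = $key.Split(':')[0]
    if ($null -eq $hide)  { "$hive HideSCAHealth: not set (tray icon shown, default)" }
    elseif ($hide -eq 0)  { "$hive HideSCAHealth: 0 (tray icon shown)" }
    else                  { "$hive HideSCAHealth: $hide (tray icon hidden; Action Center itself still active)" }
}

# ConsentPromptBehaviorAdmin: how UAC prompts members of Administrators.
$uacMeaning = @{
    0 = 'elevate without prompting (no UAC prompt for admins)'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (Windows 7 default)'
}
$lua  = Get-PolicyValue -Key $systemPolicy -Name 'EnableLUA'
$cpba = Get-PolicyValue -Key $systemPolicy -Name 'ConsentPromptBehaviorAdmin'
if ($lua -eq 0) {
    'EnableLUA: 0 (UAC is off; ConsentPromptBehaviorAdmin has no effect)'
}
if ($null -eq $cpba) {
    'ConsentPromptBehaviorAdmin: not set'
} elseif ($uacMeaning.ContainsKey([int]$cpba)) {
    "ConsentPromptBehaviorAdmin: $cpba ($($uacMeaning[[int]$cpba]))"
} else {
    "ConsentPromptBehaviorAdmin: $cpba (not a documented value)"
}

# Security Center service: the component Action Center's security section reports through.
Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc'" |
    Select-Object Name, State, StartMode
```

With the values Tony reports (HideSCAHealth 1, ConsentPromptBehaviorAdmin 2) the script prints "tray icon hidden; Action Center itself still active" and "prompt for consent on the secure desktop", which matches what he sees in Control Panel. The check that actually matters for tampering is EnableLUA: a 0 there, or a ConsentPromptBehaviorAdmin of 0, silently removes the UAC prompt and is the kind of change a PUM scan is right to flag.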
     
  9. starbuck

    Checkout method 4 in the following link.
    https://www.drivereasy.com/knowledge/error-1603-fatal-error-during-installation-fixed/

    Just checked the laptop that didn't have Net Framework installed, for updates.
    6 important and 65 optional (I don't normally bother with 'optional updates'). Decided to check the optional ones and Net Framework was there.
    Am running every update to see what happens and what version it gives.
    Should be interesting.
     
  10. Tony D

    Using method #4: I noted that the Administrators didn't have Full control or Modified boxes checked. So I went to enable those boxes.

    Initially I got errors stating c:\hiberfil.sys and pagefile.sys processes cannot access the file because it is being used by another process.

    Also received notice that Access was denied for: C:\Program files and Program files (x86) and Windows.

    However, maybe something took because now when I try, I only get a notice that c:\ has access denied.

    I tried again to install the .NET 4.7.2, this time using the installer I downloaded from MS. It's still not going in. Code 0x80070643.

    It's not worth beating any longer.

    You did fix other issues and I do appreciate your efforts.

    Thanks for all your help.
     
  11. starbuck

    2 1/2 hours and 71 updates later .... Net Framework 4.7.2 has been installed on the laptop that previously had no Net Framework installed.
     
  12. Tony D

    That's the way it goes sometimes. I checked my W7 machine. It has 4.7.2.
     
