Malware Suspected

[calintexas]

I upgraded from win 8.0 to 8.1 last week. Everything seems to be running fine except only the Office updates were offered by Windows Update on patch Tuesday this week. I discovered that the Installed Updates file is only listing Office, 1 Silverlight, and 2 Visual C++2010 updates. The Microsoft Windows updates section is missing from the list. There is limited information on the web about this, but most of what I found points to malware activity. Norton, MBAM home premium, mbar all scan clean. The FARBAR results are attached (due to "topic too long" messages).

FRST.txt

Addition.txt

[AdvancedSetup]

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.

If there is anything that you do not understand kindly ask before proceeding.

If needed please print out these instructions.

• Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
• If the log is too large then you can use attachments by clicking on the More Reply Options button.
• Please enable your system to show hidden files: How to see hidden files in Windows
• Make sure you're subscribed to this topic:
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
• Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
• Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
• The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
• You can check here if you're not sure if your computer is 32-bit or 64-bit
• Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
• When we are done, I'll give you instructions on how to cleanup all the tools and logs
• Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
• Your topic will be closed if you haven't replied within 3 days
• (If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 0

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes

so that your normal security software can then run and clean your computer of infections.

When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies

that stop us from using certain tools. When finished it will display a log file that shows the processes that were

terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot

your computer as any malware processes that are configured to start automatically will just be started again.

Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1

Link 2

• On Windows XP double-click on the Rkill desktop icon to run the tool.
• On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• If the tool does not run from any of the links provided, please let me know.
• Do not reboot the computer, you will need to run the application again.

STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download ERUNT from one of the following links: Link1 | Link2 | Link3
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
• NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup.
  • Note: the default location is C:\Windows\ERDNT which is acceptable.
• Make sure that at least the first two check boxes are selected.
• Click on OK
• Then click on YES to create the folder.
• Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02

Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below please see the following: MBAM Clean Removal Process 2x

When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link

Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

[calintexas]

Thanks for taking this topic Ron. Rkill ran without issues. To my untrained eye it didn't make any changes. I've attached the run log (Rkill.txt). The requested MBAM Threat Scan ran without issues (cleaning and re-installing MBAM was not required).

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/14/2016
Scan Time: 11:08 AM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.14.05
Rootkit Database: v2016.02.08.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Cal CA

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 433396
Time Elapsed: 16 min, 54 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Rkill.txt

[AdvancedSetup]

Okay let me have you run the following please.

Please go ahead and run through the following steps and post back the logs when ready.

STEP 04

Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus

STEP 05

Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.

  Vista/Windows 7/8 users right-click and select Run As Administrator

• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Please uncheck elements you don't want removed.
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program you want to save.
• If there's a program you may want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
• If you're ready to clean it all up.....click the Clean button.
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted:
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

STEP 06

Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link

Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

STEP 07

Please go here to run the online antivirus scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• If any threats were found, click the 'List of found threats' , then click Export to text file....
• Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 08

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

[calintexas]

Did you leave out Step 03 on purpose?

 

It's too late here for me to start Step 04. I'm going to shut the computer off and start Step 04 in the (for me) morning. Should I run Rkill after the startup before I begin Step 04?

 

I assume that re-running Rkill isn't required after the specified reboot in Step 05?

 

Thank you for your help.

[AdvancedSetup]

Step 3 was merged with another process. Please proceed starting with 4 and no you won't need to run rkilll again.

I'll check back on you again sometime tomorrow.

Thanks

[calintexas]

STEP 04:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 8.1 x64
Ran by Cal CA (Administrator) on Mon 02/15/2016 at  7:57:42.10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 1

Successfully deleted: C:\Users\Cal CA\AppData\Roaming\Mozilla\Firefox\Profiles\zs7x4kug.default\searchplugins\safesearch.xml (File)



Registry: 2

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E3C9BFF1-AEA7-4EB0-84E4-4BBF094FFE68} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 02/15/2016 at  8:00:32.99
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

STEP 05: No confidence in what to eliminate here. I'll take your advice. There wasn't much found.

 

# AdwCleaner v5.033 - Logfile created 15/02/2016 at 08:36:58
# Updated 07/02/2016 by Xplode
# Database : 2016-02-07.2 [server]
# Operating system : Windows 8.1  (x64)
# Username : Cal CA - 1_GENE
# Running from : C:\Users\Cal CA\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****

[x] File Not Deleted : C:\Users\Gene\AppData\Roaming\Mozilla\Firefox\Profiles\62hdlfqv.default\searchplugins\safesearch.xml
***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[x] Key Not Deleted : HKCU\Software\APN PIP
[x] Key Not Deleted : HKLM\SOFTWARE\PIP
[x] Key Not Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8DBC5A0A-31C4-46C7-B252-6B593EA11A87}

***** [ Web browsers ] *****

[x] [C:\Users\Gene\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Not Deleted : aol.com
[x] [C:\Users\Gene\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Not Deleted : ask.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1209 bytes] ##########
 

STEP 06:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/15/2016
Scan Time: 9:15 AM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.15.03
Rootkit Database: v2016.02.08.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Cal CA

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 433342
Time Elapsed: 14 min, 46 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

STEP 07:

C:\Users\Public\Documents\Downloads Shared\Google_Earth_Setup.exe    a variant of Win32/DownloadAssistant.C potentially unwanted application
C:\Users\Public\Documents\Downloads Shared\Installed\epson14552.exe    a variant of Win32/Bundled.Toolbar.Ask.C potentially unsafe application
C:\Users\Public\Documents\Hardware & Software Manuals & Information\Epson WF-3540 AIO Prntr\Epson WF-3540 Software\Silverlight_x64.exe    a variant of Win32/Bundled.Toolbar.Ask.C potentially unsafe application
F:\ABS & 1_gene & other Data from 06_13 and before\ABS 04_08_13\Shared\Documents\Internet Program Dnlds\ImgBurn 2550\SetupImgBurn_2.5.5.0.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
F:\ABS & 1_gene & other Data from 06_13 and before\Lenovo 1 05_06_13\Documents\Hardware & Software Manuals & Information\Epson WF-3540 AIO Prntr\Epson WF-3540 Software\Silverlight_x64.exe    a variant of Win32/Bundled.Toolbar.Ask.C potentially unsafe application
 

STEP 08: Files Attached - too long to paste due to recent update to Win 8.1

 

FRST.txt

Addition.txt

[AdvancedSetup]

The computer is not infected with anything that would prevent Windows updates.

There are some errors that may be due to some possible corruption. Please review the following article and try scanning and if needed repairing the OS

http://www.eightforums.com/tutorials/26512-dism-fixing-component-store-corruption-windows-8-a.html

Let me know how that goes

[calintexas]

Thanks Ron. I ran SFC /SCANNOW multiple times as suggested on the linked page you provided, but the only items it identified are related to an AMD 64 processor (my pc has an Intel i7 (run log attached). The DISM /Cleanup-Image tool failed as it gave an error (0x000f0906) with a "The source files could not be downloaded." message (image attached). I'm out of my depth here. I'm thinking I should see if Win 10 is different enough that the upgrade will solve the problem, and if not, start back clean with 8 that came with the PC (in a partition on the hard disc) then upgrade to 8.1 with minimal apps loaded and go from there.

 

It looks like the only items actually installed in our efforts to find an infection are ERUNT and Eset. Everything else should be just a matter of deleting the files on the desktop? Is there anything that was found that I really should get rid of?

sfcdetails.txt

[AdvancedSetup]

Unless you're in some immediate rush then please just hold off and I'm sure we can help you get through this. Let me check with a colleague that does this sort of repair work often on some of the Microsoft Support forums.

 

Thanks

[calintexas]

Ok, there is no immediate rush. Now that I know the box is basically clean, I can wait. I do really appreciate your help.

[Maurice Naggar]

Hello Cal,

I am pitching in with Ron to help you.  I am understanding that this pc was very recently upgraded to WIN 8.1.  It has been determined that no infection is aboard.

 

We can run a couple of report sets and get information about the status of recent Windows updates and the service status of Windows Update.

As I recall, DDS will list for us recent MS updates in its report.   This tool will run in Windows 8.1, even if you have to do it thru an elevated command prompt.

 

1: Please download & Save DDS from this link  and save it to your desktop:

Don't click any flashing ads  ( if any show up).   The download will begin on its own thru your browser.

2: Before running DDS, please disable any security software (excluding Malwarebytes Anti-Malware). If you are unsure of how to disable your security software, please skip this step and continue without doing so.

3: RIGHT-click dds.com and select Run as Administrator and reply YES and allow to run the tool. This scan will produce 2 logs, DDS.txt and Attach.txt, and save them to your desktop.

4: Please attach the two logs created to your next reply.

 

 

 

This next diagnostic will shed some lights about the Windows Update service state.

Download   Farbar's Service Scanner utility from this link

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.
Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services
 
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Attach FSS.txt into your reply.

[calintexas]

Maurice, thank you for your help.

 

I'll need more direction to run FSS.com. I did not have the "run as administrator" choice when I right clicked on the FSS.com Icon (see attached image). I clicked open and got a "DDS is not meant to run in compatibility mode" message (image attached). Please advise.

 

The requested FSS scan is attached. 

 

 

FSS.txt

[Maurice Naggar]

Where do you have dds.com ?   On the desktop, I hope?   Double click on dds.com and follow the onscreen prompts and reply YES to the Windows UAC prompt and allow it to proceed.

 

otherwise, we will need to first get into a elevated command prompt window.  Do a right click on the Windows-flag-logo on the taskbar and select Command prompt admin.  

that should be do-able.  Then give it these commands   ( press Enter-key after each)

 

cd \

cd %userprofile%\desktop

 

 

dds.com

 

[calintexas]

Thank you Maurice. Yes, dds.com is on my administrator account desk top. The technique using the Administrator Command Prompt worked. The dds output files are attached.

 

FFS.txt was attached to the previous response. 

dds.txt

attach.txt

[Maurice Naggar]

Thanks for the DDS reports.   Yes, it seems strange there is not a mention of Windows Security Updates.

Let us reset Windows Update components.  There is a automated FixIt for Windows 8.1   at the top of the page ( listed below) at Microsoft.

Close all open browsers at this point. You must restart IE in elevated mode with administrator-rights.

Start Internet Explorer (fresh) by pressing Start  >> type in Internet Explorer >> Right-Click and select Run As Administrator.
Using Internet Explorer browser only, go to this MS webpage and RUN the automated FIX-IT
http://support.microsoft.com/kb/971058

Then when done, Logoff and Restart the system.
Then retry Windows Update one more time.

 

Have lots of patience during all that.

[calintexas]

I'm pretty sure 8.1 doesn't have the Start feature you described. What I did was re-start the computer and login to an administrator account. I then right clicked on the IE icon on the desktop and selected "run as administrator". I then navigated to this thread and clicked on the link you provided. I then clicked on the button to start the 8.1 automated FIX-IT tool.

 

The FIX-IT tool's been running for 2.5+ hours now. Under the Header "Detecting Problems" is the message "Checking registry keys", and there is a green bar scrolling repeatedly below the message. I've checked the Task Manager, and there's 0% CPU activity being used by the Diagnostics Troubleshooting Wizard. Should I let it run, or try to run the FIX-IT tool again? 

 

[AdvancedSetup]

Please see the following on how to open an elevated Admin command prompt

 

http://www.howtogeek.com/194041/how-to-open-the-command-prompt-as-administrator-in-windows-8.1/

[Maurice Naggar]

Hello Cal,

If by now that Fix-it has not finished, then lets close that window.   We can try something else later.

[calintexas]

Please see the following on how to open an elevated Admin command prompt

 

http://www.howtogeek.com/194041/how-to-open-the-command-prompt-as-administrator-in-windows-8.1/

 

I learned how to do that yesterday. Today, Maurice lead me through how to run a .com file from the administrator cmd window. The current issue is that the Windows Update FIX-IT Tool seems to be stuck in process. It's possible that I've done something procedurally wrong. To clarify, pressing the "Run Now" button on the page that Maurice provided a link to results a window (image attached) offering to open WindowsUpdateDiagnostic.diagcab with the Diagnostics Troubleshooting Wizard (which I did).

 

It's been years since I've done anything with DOS, and I was far from an ace back in the day. If I was supposed to somehow use the Administrator Command Prompt to open IE or run the Windows Update FIX-IT tool, then I need to be lead step by step through that with reference to commands that are available in Windows 8.1.

[calintexas]

Hello Cal,

If by now that Fix-it has not finished, then lets close that window.   We can try something else later.

 

Ok Maurice. It was still running; so, I cancelled it.

[Maurice Naggar]

ok.  Let us try some manual tasks.    By the way, lets make sure you are logged in to Windows with an administrator-level account.

This is to flush your Automatic Updates download folder.
Housekeeping and cleanup steps:
Bring up Windows Explorer / Tools / Folder Options/ select VIEW Tab and  look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* )  Show hidden files and folders.
Next un-check  Hide protected operating system files.

Use Windows Explorer.  Go to C:\Windows\System32
Your machine has a sub-folder Catroot2

Rename that sub-folder to CR2OLD.  Or delete everything in that folder.   Just make sure you do the right one.

(to clean up downloaded files for Automatic updates / Windows Update)
From main Windows Start menu, select RUN, type in

CMD

  <Enter-key>

 type in

net stop wuauserv

  <Enter-key>

Go to Windows Explorer.
Look on your system drive (usually C ) and look at the Windows folder name. Like Windows or WINNT.
Modify following as appropriate.
If your  Windows folder is C:\Windows.  Look at this folder
C:\Windows\SoftwareDistribution\Download

If you find files in there, delete them.  That folder is where files are stored from Windows  Update downloads.

Go back to the command-prompt window and type in

net start wuauserv

<Enter-key>

When that finishes, close the window. Now try a new run at Windows Update.

[Maurice Naggar]

Do do the steps above.  B.T.W.   I noticed on the prior page, that whilst you went for the windows diagnostic page, you were using the FIREFOX browser.

 

alas, it should have been instead while using Microsoft Internet Explorer.  MS I.E.  would have handled that cab file.

[calintexas]

Do do the steps above.  B.T.W.   I noticed on the prior page, that whilst you went for the windows diagnostic page, you were using the FIREFOX browser.

 

alas, it should have been instead while using Microsoft Internet Explorer.  MS I.E.  would have handled that cab file.

 

I did use IE (with run as administrator) as you directed. I was in Firefox on another computer when I responded to Ron  and used the pop up window from Firefox to show the choice I had. I realised after I posted it that the windows were different. I've attached an image of the choice IE gave me. I've gotten the FIX-IT tool to run a couple of times after I stopped it (images attached). It say everything is all fixed, but nothing has changed in the way Windows Update has been working. I'll try your requested manual changes now.

[calintexas]

The Catroot2 folder contained several files that were in use by Cryptographic Services and could not be re-named. I turned off Cryptographic Services using the Administrative Tools, but I was still unable to change the name of the Catroot2 folder. Use by Cryptographic Services was still given as the reason. I wasn't willing to disable Cryptograhic Services and try a re-start without asking what now?

 

I was able to delete C:\Windows\SoftwareDistribution\Download without issue. It only had 3 files in it. Wuauserv wasn't running in the first place.