Have I been infected?

Short version: I ran a program I shouldn’t have and some strange things happened.

Long version: Someone recommended Notepad 2 to me. I did a Google search and the first result was for:

h**p://notepad2.com

The site looked legit, so I downloaded the 32-bit version of the program (I have an old system), which claimed no installation was necessary. I manually scanned it with Avast just to make sure, then ran it. My firewall immediately alerted me that an installer wanted to connect to the net. I blocked it and that seemed to be the end of it. Apparently I downloaded something with “InstallCore” adware in it. When I uploaded it to the VirusTotal website, their version of Avast said it was a malicious program, as did several other AV programs.

To be safe, I figured I’d do a system restore. When the system booted back up, my firewall informed me that “update.exe” located in directory "4395042020b1d3f74db18b90\update" on my external drive wanted access to the net. I blocked it. Avast says this file and the others with it are safe and VirusTotal claims that they’re from Microsoft. A Google search seems to indicate that there are leftover files from Windows XP SP1 or SP2, which get written to the drive with the most free space (which was my external). This system already has SP3 on it.

I can’t delete these files as the system claims they’re write protected. I even plugged the drive into another system, and tried safe mode, but I still can’t delete the files.

It seems awfully coincidental that this directory and files would show up after I ran a program that tries to install adware. My local copy of Avast doesn’t seem to think there’s anything wrong with my system, but the fact that it didn’t detect the original file as a threat and that these files showed up wanting access to the net right afterward has me worried.

I was able to delete the files in the base "4395042020b1d3f74db18b90" directory, but the following files in the “update” subdir can’t be deleted:

Size     Name                MD5 Checksum
------------------------------------------------------------- 
 47,104  kmdfcustom.dll    - c6a8082aaaf8fcbf2019e3bf191e9811
    177  update.ver        - a35cf266ea5462a5ede4df500be29745
755,744  update.exe        - da0e3d534e0ef9fdf86e9d2c61c84bd2
  8,607  update_srv2k3.inf - d90dc3e1930d7171a647db6ef3c4efaf
  4,936  update_win2k.inf  - 80e6d169eb7c900ad7f4141fa2549d4e
  4,926  update_winxp.inf  - 5510c2d9bc00ee848b9ffa3e1fa32f34
    464  updatebr.inf      - 9b52a6c4d6bed5f8901b05ef0772d20a
382,496  updspapi.dll      - db7fb3c54a52567ce958f4672c75c8b8
  8,481  wdf01009.cat      - 26ab136a5cb8b2a3f04b30027ea66cd5

Please, no comments about how I should be using Windows 7/8/10. That doesn’t help me. If I could afford a new system, I’d have a state-of-the-art system. Right now, I’m just concerned with whether the piece of crap that I ran has infected my system.

Also, any suggestions for getting rid of the above files would be appreciated. I tried SysInternals Process Explorer to search for the handles, but it didn’t find anything. I downloaded a copy of Unlocker from Softpedia, but after installation, it claimed it wasn’t a valid Win32 program. I was going to try the iObit unlocker, but that shows as a potentially malicious program in several of the AVs at VirusTotal. I backed up everything else on the drive and I’m going to try formatting it, but I have a feeling that’s not going to work either. :(

Can someone please look at the file from that site and tell me if I should be worried? I mean is it just typical annoying adware or something more dangerous?
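The post above lists the leftover files with their sizes and MD5 checksums. The script below is an added example, not part of the original post or of any Avast tool: it parses a table in exactly that format into a manifest and then checks a directory against it, reporting files that are missing, the wrong size, a different hash, or present but not listed. The posted table is embedded so the parser can be exercised; the files hashed in `demo()` are small constructed samples written to a temporary directory and do not reproduce the posted hashes.

```python
"""Check a directory of files against a size/MD5 manifest shaped like the
table posted above. Added example; not from the original thread."""
import hashlib
import os
import re
import tempfile

# The table exactly as posted above: size in bytes, file name, MD5.
POSTED_TABLE = """
 47,104  kmdfcustom.dll    - c6a8082aaaf8fcbf2019e3bf191e9811
    177  update.ver        - a35cf266ea5462a5ede4df500be29745
755,744  update.exe        - da0e3d534e0ef9fdf86e9d2c61c84bd2
  8,607  update_srv2k3.inf - d90dc3e1930d7171a647db6ef3c4efaf
  4,936  update_win2k.inf  - 80e6d169eb7c900ad7f4141fa2549d4e
  4,926  update_winxp.inf  - 5510c2d9bc00ee848b9ffa3e1fa32f34
    464  updatebr.inf      - 9b52a6c4d6bed5f8901b05ef0772d20a
382,496  updspapi.dll      - db7fb3c54a52567ce958f4672c75c8b8
  8,481  wdf01009.cat      - 26ab136a5cb8b2a3f04b30027ea66cd5
"""

# "<size with commas>  <name>  - <32 hex chars>"
LINE_RE = re.compile(r"^\s*([\d,]+)\s+(\S+)\s+-\s+([0-9a-fA-F]{32})\s*$")


def parse_manifest(text):
    """Return {name: (size_bytes, md5_lowercase)} from table-formatted lines."""
    manifest = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size, name, digest = m.groups()
            manifest[name] = (int(size.replace(",", "")), digest.lower())
    return manifest


def hash_file(path, algo="md5", chunk=1 << 16):
    """Stream the file through hashlib so large binaries are not read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(directory, manifest):
    """Return {name: status}, status being 'ok', 'missing', 'size mismatch',
    'hash mismatch' or 'not in manifest'. Size is checked before hashing
    because a size difference already rules the file out cheaply."""
    results = {}
    for name, (size, md5) in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size mismatch"
        elif hash_file(path) != md5:
            results[name] = "hash mismatch"
        else:
            results[name] = "ok"
    # Files on disk that the manifest does not mention deserve a look too.
    for extra in sorted(set(os.listdir(directory)) - set(manifest)):
        results[extra] = "not in manifest"
    return results


def demo():
    """Constructed sample (not real files from the thread): two good files,
    one with a deliberately wrong hash, one listed but absent, one unlisted."""
    with tempfile.TemporaryDirectory() as d:
        contents = {"a.inf": b"[Version]\r\n", "b.ver": b"1.0\r\n", "c.dll": b"MZ" * 100}
        for name, data in contents.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        lines = []
        for name, data in contents.items():
            digest = hashlib.md5(data).hexdigest()
            if name == "c.dll":
                digest = "0" * 32  # tampered entry -> hash mismatch
            lines.append(f"{len(data):>7,}  {name} - {digest}")
        lines.append(f"{10:>7,}  gone.cat - {'f' * 32}")  # listed, not on disk
        with open(os.path.join(d, "extra.tmp"), "wb") as f:
            f.write(b"x")  # on disk, not listed
        return verify_directory(d, parse_manifest("\n".join(lines)))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:15} {name}")
```

Point the same `verify_directory()` at the real "update" folder with `parse_manifest(POSTED_TABLE)` to confirm the copy you preserved still matches what was posted; `hash_file(path, "sha256")` gives the digest VirusTotal keys its reports on.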

Attach your basic diagnostic logs. (MBAM and FRST)
Instructions: https://forum.avast.com/index.php?topic=194892

OK, I will do that. In the mean time I wanted to report that formatting the drive got rid of those files and they didn’t re-appear after a reboot. I’ll run those programs and post the logs.

Probably a bit late for that as the evidence should be gone after formatting your drive, unless you have multiple drives.

I only formatted one external USB drive that had the update.exe files on it. I preserved a copy of those files just in case. I was more concerned with an infection on my boot drive. After all, if something has installed itself on my system, it will be on the boot drive.

I couldn’t install the latest version of MalwareBytes since it no longer supports XP. I know companies don’t want to support old versions of Windows forever, but is it really too much to ask that they list the OS requirements on the download page? I installed an older version that I had from 2016. It happily updated the definitions so I did a scan with that. It found a few issues, which I cleaned. I saved the pre-cleaning info as well as the scan and protection logs.

I tried to run a scan with FRST, but it only ran for a moment before saying that a variable was undeclared and exiting. It’s supposed to be compatible with XP. It generated a partial log, but I’m not sure how helpful it is. I’m attaching it anyway.

You won’t see the Notepad2 EXE file I downloaded listed in the MalwareBytes scan because I had already deleted it by the time I ran the scan. That file is the installer, so I saw no reason to keep it just so that the scan could find a file I already knew was bad. Besides, I’d already run it, so whatever damage it was going to do had already been done. I did re-download a copy of it just to see if MalwareBytes would detect it as a threat and it did, labeling it a PUP. Avast still says that the file is A-OK, even though the version of Avast used on the VirusTotal website says it’s a threat. Explain that one. Shouldn’t my local, up-to-date copy of Avast be better at detecting threats than an online copy?

In any case I scanned my boot drive with Avast again and it said there were no problems.

Avast still says that the file is A-OK, even though the version of Avast used on the VirusTotal website says it's a threat. Explain that one. Shouldn't my local, up-to-date copy of Avast be better at detecting threats than an online copy?
Have you turned ON avast PUP detection? (default OFF)

Is your VirusTotal scan fresh or a cached result? See the analysis date at the top in VT.
If cached, click the blue button at top right and rescan for a fresh result.

Apparently I downloaded something with "InstallCore" adware in it.
Means the installer comes bundled with something extra that you may not want

No, I didn’t know it needed to be turned on. I just dug through the settings, found that option and enabled it. Now when I right-click and manually scan the Notepad2 EXE file with Avast, absolutely nothing happens. No progress indicator, no post scan report, nothing.

This has been a bug in Avast for a while now. It always used to give me a progress window that would show the results either way. Now, about 75% of the time, I get absolutely nothing when I scan a file. And yes, Avast says my program is up to date. I have version 18.1.2326.

If I put that file in a directory and run a targeted scan on just that directory, Avast says that everything is great. Even when I enable the option to scan entire files, it says there’s nothing wrong with that file.

It’s a fresh scan:

https://www.virustotal.com/#/file/c7c780f3d22ca2443bb5385e62067adb0db1e2af55e9736a568def66eceb62dc/detection

Yes, that part is obvious. The question is, how bad is the extra crap that they added to the installer? Is it just run of the mill, annoying, but relatively harmless adware, or is it something more serious like a key logger or an actual virus?

PUP = Potentially Unwanted Program, usually crap: annoyware / ads / toolbars / search engines / bitcoin miners …

https://www.howtogeek.com/232791/pups-explained-what-is-a-potentially-unwanted-program/

The key word being “usually”. I want to be sure.

You can always install it and see what crap arrives.

Anyway the names given in your VT scan should give an idea

Application.AdInstall (A) / Win32/Virus.Adware.a71 / PUP/Multitoolbar

The only way to be 100% sure is to have someone analyse the file (I doubt anyone at Avast has time).

You formatted, it’s gone …

I formatted an EXTERNAL drive that had what appeared to be Windows update files on it that I couldn’t delete. There hasn’t been an update for Windows XP in a few years now. Looking at restore points in CCleaner shows one for Windows XP WDF01009, which a Google search seems to indicate is related to Avast. Which doesn’t surprise me since every time I update Avast it seems to want to install something new.

I never formatted my C drive, which is where any potential malware would have been installed to. Malware, viruses, etc, get installed to the boot drive, not external drives full of pictures and videos. They can infect executable files on external drives, but in order to ensure that the software is executed every time the system boots, it needs to be on the C drive.

Update to the latest version (18.6.2349): https://forum.avast.com/index.php?topic=221320.0

When Avast says your program is up to date, yet the version number displayed is different, this out of sync condition between what is displayed and what you have is often fixed by an Avast Repair.

I never formatted my C drive, which is where any potential malware would have been installed to. Malware, viruses, etc, get installed to the boot drive, not external drives full of pictures and videos. They can infect executable files on external drives, but in order to ensure that the software is executed every time the system boots, it needs to be on the C drive.
Disk-jumping malware will run from external drives and will reinfect the external drive when it is connected to an infected computer.

You are using Windows XP. Consider upgrade to newer versions of Windows.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
ProxyServer: [S-1-5-21-321803341-1280003371-2099921806-1003] => http=127.0.0.1:57758
AutoConfigURL: [S-1-5-21-321803341-1280003371-2099921806-1003] => http=127.0.0.1:57758
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
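The fixlist above removes a per-user `ProxyServer` and `AutoConfigURL` that both point at `127.0.0.1:57758`, i.e. every browser request for that user is handed to whatever is listening on a local port. The script below is an added example, not part of the thread or of FRST: it parses FRST-style proxy lines, flags any `ProxyServer` whose host is a loopback address and any `AutoConfigURL` (a PAC script decides the proxy for every URL), and emits the flagged lines in the form the fix above pastes into fixlist.txt. The two lines posted above are used as input together with two constructed lines for a second, hypothetical SID with an ordinary corporate proxy, which should not be flagged.

```python
"""Triage FRST-style proxy entries for loopback proxies and PAC URLs.
Added example; not from the original thread or from FRST."""
import ipaddress
import re

# "<Key>: [<SID>] => <value>" as FRST prints it.
LINE_RE = re.compile(
    r"^(ProxyServer|AutoConfigURL|ProxyOverride|ProxyEnable):\s*\[(S-1-5-[\d-]+)\]\s*=>\s*(.*)$"
)


def parse_proxy_value(value):
    """Split 'http=127.0.0.1:57758;https=host:443' or a bare 'host:port'
    into (scheme, host, port) tuples. Bare entries get scheme '*'."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given
            host, port = hostport, ""
        entries.append((scheme, host.strip("[]"), port))
    return entries


def is_loopback(host):
    """True for localhost, 127.x.x.x and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage(frst_text):
    """Return [(key, sid, value, reason)] for entries worth a second look."""
    findings = []
    for line in frst_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, sid, value = m.groups()
        if key == "ProxyServer":
            for scheme, host, port in parse_proxy_value(value):
                if is_loopback(host):
                    findings.append((key, sid, value,
                                     f"{scheme} traffic routed to local port {port}"))
                    break
        elif key == "AutoConfigURL":
            findings.append((key, sid, value,
                             "PAC script chooses the proxy for every URL"))
    return findings


def fixlist_lines(findings):
    """FRST removes an entry when its line is copied verbatim into fixlist.txt,
    which is what the fix in this thread does."""
    return [f"{key}: [{sid}] => {value}" for key, sid, value, _ in findings]


# First two lines are the ones posted above; the last two are constructed
# for a hypothetical second user with a normal, named corporate proxy.
SAMPLE = """\
ProxyServer: [S-1-5-21-321803341-1280003371-2099921806-1003] => http=127.0.0.1:57758
AutoConfigURL: [S-1-5-21-321803341-1280003371-2099921806-1003] => http=127.0.0.1:57758
ProxyServer: [S-1-5-21-111111111-222222222-333333333-1001] => proxy.corp.example:8080
ProxyEnable: [S-1-5-21-111111111-222222222-333333333-1001] => Internet Explorer proxy is enabled.
"""

if __name__ == "__main__":
    found = triage(SAMPLE)
    for key, sid, value, reason in found:
        print(f"{key} for {sid}: {value}  <- {reason}")
    print("\nfixlist.txt:")
    print("\n".join(fixlist_lines(found)))
```

A named proxy on a non-loopback host is not flagged by itself; whether it belongs there is a question for whoever manages that machine. A loopback proxy on a home PC that runs no proxy software of its own is the case the fixlist above is removing.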