Win32/DownWare.E and Win32/InstallCore.BN (Two Viruses)

[jphillips]

Just wanted to add something to my post.

 

I read on Webroot Threat Blog "Rogue Free Codec Pack ads lead to Win32/Install Core Potentially Unwanted Application (PUA)." I did download a Codec pack from Ultimate Codec; however, the program didn't work for what I wanted so I deleted it. However, after checking my back-up registry file, I found this listing: "C:\\DOCUMENTS AND SETTINGS\\admin\\APPLICATION DATA\\LAVFILTERS\\ULTIMATECODEC.EXE"="08/05/2013 8:26 PM" and found that the folder is still on my PC. Can I delete this folder?

[AdvancedSetup]

Yes you can delete the folder.

 

How is the computer running ?  Why are you in Safe Mode?

[jphillips]

I deleted the folder that contained the ultimatecodecs.exe file.

 

The reason I was in Safe Mode was because there was an issue with the Active Desktop Recovery function and the desktop changed to something I hadn't seen before. Once I figured out what happened and returned that function to normal, I went back to starting and rebooting the PC in Normal Mode.

 

As to how my computer is running, the pop-up window relating to Windows Explorer still comes up when the PC is started or rebooted and I'm having issue with using Windows Explorer. I can move or delete a file but I can't create a new folder. When I click on File, I get an hourglass and have to terminate the application in Task Manager. When that happens, I get another pop-up window and another listing of dwwin.exe in Task Manager. I currently have 4 pop-up windows on my desktop and 5 listings on dwwin.exe in Task Manager.

 

Should I run your processes again in Normal Mode and if so, which ones and in what order? Is there a possibility that I don't have malware at all and this is just an issue with Explorer/Windows XP? Thanks.

[AdvancedSetup]

Yes, its possible that at this point it's just Windows behaving badly from damage over time and infections.

 

Please review the following article and run the System File Checker on your system to ensure all the OS files are valid.

 

How To Use Sfc.exe To Repair System Files

[jphillips]

I've read the guide as to how to use SFC.EXE but before I do this, I do have some concerns. The instructions indicate that the program may (or may not) ask for the Windows XP Installation CD. I don't have the original Windows XP installation CD for this PC as it was given to me although I do have the Product Key. I do happen to have a Windows XP Installation CD for a much older PC and that CD is Windows XP Professional Version 2002 with Service Pack 2. My PC is running Windows XP Professional Version 2002 with Service Pack 3 so I believe there would be conflict.

 

If one doesn't have the CD, it is necessary to locate the i386 directory. I checked and there is no C:\I386 listing but I did find two directories (C:\WINDOWS\Driver Cache\i386 and C:\WINDOWS\inf\i386). I checked the registry (HKEY_LOCAL _MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup) and found the SourcePath identified as D:\I386. I checked Disk Management and can confirm that I only have a C drive listed (Disk 0) and the D drive is the CD or DVD drive. I did a diskpart but there doesn't appear to be a hidden partition.

 

I just want to be sure if I start the sfc.exe process and can't provide either the Windows XP Installation CD or the location of the i386 directory, that I will be able to safely exit and not get stuck being forced to do something drastic Iike a complete Windows XP reinstall or something that could make my PC inoperable. Per your post, it's only a possibility that the OS files in Windows might have been damaged and if this process will actually resolve the problem of my infamous "Windows Explorer has encountered a problem and needs to close" popup window. So, I'm a little hesitant to use SFC.EXE not knowing if it will run without asking for what I don't seem to have.

 

Your help is very much appreciated.

[AdvancedSetup]

No if it can't find what it's looking for then it simply won't run. Go ahead and try the other CD as it should work.

If not then we'll look at doing some manual file fixes using the CD

[jphillips]

Ran System File Checker with no problems using the CD. Upon reboot, same pop-up window (Windows Explorer has encountered a problem and needs to close) came up. Before taking your next step suggestion (doing manual file fixes using the CD), should I try using the System Configuration Utility (msconfig or autorun) to disable third party System Services that might be causing problems/conflicts? I found this suggestion specifically for the "Windows Explorer has encountered a problem and needs to close" pop-up window at many different tech-related forums. I just need to be sure I do it correctly.

 

I have been reading the logs in Event Viewer under Applications, System, and Security. Under Security, there is an abundance of Failure Audit events as well as a couple of Anonymous Log On entries. Needless to say, with the possibility of some type of malware infection on my PC, I'm concerned about entries that might not be normal. Is there any way to know if there has been any attempt to gain unauthorized access to my PC and are there some preventative measures that I can implement to make it difficult for this to happen?

[AdvancedSetup]

At this time I don't think you have any infection.  I think what you probably have is more related to Registry damage and conflicts with other software that may not be easy to fix.
 
Let's try a couple of other scans though and see what we can find.  Then at that point aside from reinstalling Windows you'll probably need to try running a couple of repair programs that I'll link you to.
 
For now please run the following.
 
Please download aswMBR ( 4.5MB ) to your desktop.

• Double click the aswMBR.exe icon, and click Run.
• When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
• Click the Scan button to start the scan.
• On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

[jphillips]

Just wanted to let you know that I started the PC in Safe Mode and logged in as Administrator instead of Admin (which is the User Account I always use). I did not get the "Windows Explorer has encountered a problem and needs to close" pop-up window until I swtiched over to the Admin User Account. As I mentioned in an earlier post, this PC was given to me and there have always been two User Accounts (Administrator and Admin). I actually would like to have just the one User Account but there are differences and not all programs are duplicated.

 

I also wanted to ask about something I noticed just recently. In the System Properites General Tab under Registered To there used to be ony two listings (with the same number) which correspond to the two User Accounts. Now there is a third listing with completely different numbers which I searched for and found in the Registry. Is this an additional User Account and if so, how did it get registered?

[AdvancedSetup]

Please create a new profile with Admin rights to use.  The review this article
Fix a corrupted user profile

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!