Author Topic: PC Question  (Read 5736 times)

Offline LowRyter

  • Gaggle Hero
  • *****
  • *
  • *
  • Posts: 16692
  • Location: Edmond OK
PC Question
« on: March 30, 2015, 04:24:32 PM »
I have a pop up box on the bottom right on my desktop screen:

Software download complete.

Install Now __         Install Later __


I have no idea what it refers to.  I have no idea how to see what's pending in the queue.  I've checked on Task Manager and Control Panel.  I've looked in the download file.  Nothing there.

I don't know what to do or how to get rid of it.
John L 
When life gets you down remember it's one down and the rest are up.  (1-N-23456)

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21219
  • Not my real name
Re: PC Question
« Reply #1 on: March 30, 2015, 04:40:48 PM »
If you don't know what did the download you are right in being suspicious.

It's a windows system, but you don't say which one, so I'll go generic:

Do the Ctrl-Alt-Del.  A menu will come up.  Choose Task Manager and go to PROCESSES.  There might be a short list and the option to see processes from all users.  Enable the 'all processes' choice and look for processes suggesting they are iexplore, install, setup, installshield, or odd, random characters (odd random characters are most easily identified if you look at processes all the time -- feel free to list any suspicious-looking processes here and we'll go through them).  At some point of stopping process trees (not just the process -- its entire tree) the message should go away. 

IF the message does not go away, the safest thing to do is close out the open programs you might have running and pull the power plug while the machine is running (desktop) or eject the battery and then pull the power plug (laptop).  This is not a recommended shutdown procedure for situations where you can kill the process.  We only do this when nothing else is stopping the process and we're worried that a proper shutdown will trigger the rogue install.

Once shut down, restart in safe mode and examine the msconfig (startup config) for the process source, unchecking the box beside anything that looks suspicious.  There are also some registry edits that might have to be made if the process got embedded.  Once you think it's clean, attempt to do an antivirus sweep in safe mode.


Even if you can make the message go away, all you're doing is silencing it -- the process remains on the computer.  You are going to have to find it and kill it somehow or it will continue to harass you.  Sometimes this cannot be done with the opsys hard drive in the infected computer.  I earn my keep eradicating the stubborn and hidden/invisible malware.  It can be a challenge.

Good luck.
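The process hunt described in the reply above, as an added PowerShell example (this is not code from the thread or from any poster). It lists running processes whose name matches the patterns named above (iexplore, install, setup, installshield) or that look like random characters, shows each one's parent, path and Authenticode signature status, and provides a helper that stops a whole process tree rather than a single process. The random-name heuristic and the Temp-folder check are assumptions added here; run it from an elevated PowerShell prompt on Windows 8 or later.

```powershell
# Added example, not from the original thread: triage running processes the
# way the reply describes, then kill an entire tree instead of one process.
# Assumptions: Windows 8+ with PowerShell 3+, run as Administrator.

$suspectPatterns = 'iexplore', 'install', 'setup', 'installshield'

function Test-RandomName {
    param([string]$Name)
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)
    # Heuristic (assumption): 8+ characters, digits mixed into letters, no vowel pairs
    return ($base.Length -ge 8 -and $base -match '\d' -and $base -notmatch '[aeiou]{2}')
}

function Get-SuspectProcess {
    Get-CimInstance Win32_Process | ForEach-Object {
        $p = $_
        $reason = @()
        foreach ($pat in $suspectPatterns) {
            if ($p.Name -match $pat) { $reason += "name matches '$pat'" }
        }
        if (Test-RandomName $p.Name) { $reason += 'random-looking name' }
        if ($p.ExecutablePath -and $p.ExecutablePath -match '\\Temp\\') {
            $reason += 'runs from a Temp folder'
        }
        if ($reason) {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
            [pscustomobject]@{
                PID    = $p.ProcessId
                Name   = $p.Name
                Parent = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "(exited) $($p.ParentProcessId)" }
                Path   = $p.ExecutablePath
                Signer = if ($p.ExecutablePath) { (Get-AuthenticodeSignature $p.ExecutablePath).Status } else { 'n/a' }
                Reason = $reason -join '; '
            }
        }
    }
}

function Stop-ProcessTree {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Kill children first so a child cannot relaunch the parent (or vice versa)
    Get-CimInstance Win32_Process -Filter "ParentProcessId = $ProcessId" |
        ForEach-Object { Stop-ProcessTree -ProcessId $_.ProcessId }
    Stop-Process -Id $ProcessId -Force -ErrorAction SilentlyContinue
}

Get-SuspectProcess | Format-Table -AutoSize
# After reviewing the list above:  Stop-ProcessTree -ProcessId <pid>
```

An unsigned binary running from a Temp folder with a parent that has already exited is the classic dropper shape; a signed Microsoft binary that merely matches "setup" is usually noise, which is why the table shows the signer rather than only the name.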

Offline LowRyter

  • Gaggle Hero
  • *****
  • *
  • *
  • Posts: 16692
  • Location: Edmond OK
Re: PC Question
« Reply #2 on: March 30, 2015, 05:41:51 PM »
I've got Win 8.  I've been through the task mgr list.  I can't find anything that seems odd.
John L 
When life gets you down remember it's one down and the rest are up.  (1-N-23456)

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21219
  • Not my real name
Re: PC Question
« Reply #3 on: March 30, 2015, 05:50:02 PM »
Then a safe mode boot and examination of the msconfig and registry entries is going to be the best bet on finding the lines.  Also, if you go to your hard drive, drill down to users/[your login]/appdata/local/temp and remove everything that can be removed you might get the source files.  appdata/local/Microsoft/windows/temporary internet files will have some cookies in it that can go away.  Then go to the address bar and ADD to the address: \content.ie5 you will see your folders of temp internet files.  Select and delete all the directories.  They will be rebuilt when you next start your browser.

Still in safe mode, try launching your antivirus.  Let me know what happens.

Offline LowRyter

  • Gaggle Hero
  • *****
  • *
  • *
  • Posts: 16692
  • Location: Edmond OK
Re: PC Question
« Reply #4 on: March 30, 2015, 05:59:09 PM »
I can't find appdata.   I might try safe mode but it's tricky. 
John L 
When life gets you down remember it's one down and the rest are up.  (1-N-23456)

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21219
  • Not my real name
Re: PC Question
« Reply #5 on: March 30, 2015, 06:34:50 PM »
You need to go to the control panel/folder options/ and tell it to show all files, show hidden and system files, unhide empty drives, unhide extensions, and unhide protected files.  Suddenly the number of files in the users section grows exponentially.

What we're trying to do here is get the system stable enough to launch your antivirus.  If we can't do it at this level, we need a lab rat computer to chase it with.  I generally cut to this chase as my first or second line of attack -- remove the hdd from the infected computer and install it in my lab rat.  On the lab rat are a crapload of software tools for just this situation.  Once I have as much of the operational viral bits removed or disabled I chase with antivirus/antimalware until it comes up clean.  Then I return the drive to the host computer and sweep with that computer's antivirus until it comes up clean.

A lot of your success comes from recognizing bad files or processes when you see them in a list.  I've been doing this long enough that I can scan a list and they pop right out at me.  If you have a second computer, googling the process names you don't recognize will often give you clues.  Be careful though -- some search results try to direct you to infected websites or websites that insist anything you search for is viral and their expensive fix is your only hope. 

It's a jungle out there I tells ya, a JUNGLE!!!!
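Reply #3 points at msconfig and the registry for the startup entry and at the user's Temp folder for the dropped files, and Reply #5 explains that those folders stay invisible until hidden and system files are shown. The following added PowerShell example (not from the thread or any poster) does both in one read-only pass: it enumerates the Run/RunOnce keys, the Startup folders, non-Microsoft scheduled tasks, and recently written executables under the user's Temp folder, using `-Force` so hidden files appear regardless of the Folder Options setting. The one-day window and the file extension list are assumptions; run it from an elevated prompt on Windows 8 or later.

```powershell
# Added example, not from the original thread: enumerate the autostart
# locations msconfig shows plus the registry Run keys it does not, and list
# fresh executables in the user's Temp folder. Read-only; nothing is removed.
# Assumptions: Windows 8+ (Get-ScheduledTask), PowerShell 3+, run as Administrator.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* bookkeeping properties the registry provider adds
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = $props.$name }
        }
    }
}

function Get-StartupFolderEntry {
    $folders = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($f in $folders) {
        if (Test-Path $f) {
            # -Force lists hidden and system files, the ones Folder Options hides by default
            Get-ChildItem -Path $f -Force | Select-Object @{n='Source';e={$f}}, Name, LastWriteTime
        }
    }
}

function Get-SuspectScheduledTask {
    # Everything outside the \Microsoft\ task tree, with what each action executes
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Execute = $a.Execute; Arguments = $a.Arguments }
        }
    }
}

function Get-RecentTempExecutable {
    # Executable content written to the per-user Temp folder in the last day (assumed window)
    $temp = "$env:LOCALAPPDATA\Temp"
    Get-ChildItem -Path $temp -Recurse -Force -ErrorAction SilentlyContinue `
        -Include *.exe, *.msi, *.dll, *.scr, *.bat, *.vbs, *.js |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
        Select-Object FullName, Length, LastWriteTime,
            @{n='Signature';e={(Get-AuthenticodeSignature $_.FullName).Status}}
}

'--- Run keys ---';                Get-RunKeyEntry          | Format-Table -AutoSize
'--- Startup folders ---';         Get-StartupFolderEntry   | Format-Table -AutoSize
'--- Scheduled tasks ---';         Get-SuspectScheduledTask | Format-Table -AutoSize
'--- Recent Temp executables ---'; Get-RecentTempExecutable | Format-Table -AutoSize
```

Compare the Command and Execute columns against the process list from Task Manager: a Run-key value or task action that points into AppData\Local\Temp, or into a folder with a random-looking name, is the line to uncheck in msconfig or to delete from the registry once the drive is offline.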

Offline LowRyter

  • Gaggle Hero
  • *****
  • *
  • *
  • Posts: 16692
  • Location: Edmond OK
Re: PC Question
« Reply #6 on: March 30, 2015, 09:06:14 PM »
I've been running CCleaner. 

This one won't go away:

C:\Users\Jml100aol.com\AppData\Local\Microsoft\Windows\INetCache\Low

Suggested DAT Files  5152KB  (date is 30 March) 

when I clicked on it, it went to Norton Studio (I make a point of never loading any Norton or McAfee products)

I manually deleted it. 

Also two more empty folders (antiphishing and flash)
John L 
When life gets you down remember it's one down and the rest are up.  (1-N-23456)

Offline LowRyter

  • Gaggle Hero
  • *****
  • *
  • *
  • Posts: 16692
  • Location: Edmond OK
Re: PC Question
« Reply #7 on: March 30, 2015, 09:14:18 PM »
doing restore

restore didn't take, likely due to anti virus s/w

CCleaner won't do away with Internet Explorer Temp file 5121KB (1 file).  I don't use IE.  Going to the files shows Norton Studio.  It won't go away.  I delete it and kill it in the recycle bin, it comes back.
« Last Edit: March 30, 2015, 10:03:39 PM by LowRyter »
John L 
When life gets you down remember it's one down and the rest are up.  (1-N-23456)

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21219
  • Not my real name
Re: PC Question
« Reply #8 on: March 30, 2015, 10:32:37 PM »
You could send me the drive and let me try cleaning it up.  The recurring files will keep doing that if a viral process is in memory.  The only way to ensure no processes active is to not boot from that drive.  Then nothing on the drive is active and it can all be deleted.  That's almost SOP anymore.

Also, if your system restore is working, it's also probably infected.  That way the virus restores itself every time you fix it.

Offline charlie b

  • Gaggle Hero
  • *****
  • Posts: 6941
Re: PC Question
« Reply #9 on: March 31, 2015, 05:34:57 PM »
RK,

If I don't have access to an external bootable HD could I boot Linux from a USB stick drive and do the search and delete from there?
« Last Edit: March 31, 2015, 05:35:09 PM by charlie b »
1984 850 T5 (sold)
2009 Dodge Cummins 2500

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21219
  • Not my real name
Re: PC Question
« Reply #10 on: March 31, 2015, 06:42:37 PM »
No.  It needs to be an NTFS filesystem.  Windows XP or better when working on a windows 8 hard drive.  If you can remove your hard drive and mount it as an external drive (needs usb/SATA adapter) on another windows machine then you can get full access to the filesystem.
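Reply #8 makes the point that the only way to be sure nothing on the drive is running is not to boot from it, and Reply #10 describes attaching the drive to another Windows machine through a USB/SATA adapter. The following added PowerShell example (not from the thread or any poster) shows what that offline inspection looks like in practice: it loads the suspect drive's SOFTWARE hive and each profile's NTUSER.DAT as temporary hives on the clean machine and reads their Run/RunOnce values, so the persistence entries can be found and edited without executing anything from the infected disk. The drive letter `D:` and the temporary hive name `OfflineHive` are assumptions; run it from an elevated prompt on the clean machine.

```powershell
# Added example, not from the original thread: read the startup entries of a
# drive that is NOT booted, attached to a clean Windows machine.
# Assumptions: the suspect drive is mounted as D: (change $OfflineRoot),
# run as Administrator, reg.exe available (any Windows since XP).

$OfflineRoot = 'D:'            # assumed letter of the attached infected drive
$MountName   = 'HKLM\OfflineHive'

function Get-OfflineRunEntry {
    param([string]$HiveFile, [string]$SubKey, [string]$Label)
    if (-not (Test-Path $HiveFile)) { Write-Warning "missing hive $HiveFile"; return }
    & reg.exe load $MountName $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $HiveFile"; return }
    try {
        foreach ($suffix in 'Run', 'RunOnce') {
            $key = "HKLM:\OfflineHive\$SubKey\$suffix"
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                foreach ($n in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
                    [pscustomobject]@{ Hive = $Label; Key = $suffix; Name = $n; Command = $props.$n }
                }
            }
        }
    } finally {
        # Drop any handles PowerShell's registry provider still holds, or unload fails
        [gc]::Collect()
        & reg.exe unload $MountName | Out-Null
    }
}

# Machine-wide Run keys live in the SOFTWARE hive ...
Get-OfflineRunEntry -HiveFile "$OfflineRoot\Windows\System32\config\SOFTWARE" `
    -SubKey 'Microsoft\Windows\CurrentVersion' -Label 'SOFTWARE'

# ... per-user ones in each profile's NTUSER.DAT
Get-ChildItem "$OfflineRoot\Users" -Directory | ForEach-Object {
    $ntuser = Join-Path $_.FullName 'NTUSER.DAT'
    if (Test-Path $ntuser) {
        Get-OfflineRunEntry -HiveFile $ntuser `
            -SubKey 'Software\Microsoft\Windows\CurrentVersion' -Label "NTUSER($($_.Name))"
    }
}
```

Because the hive is loaded rather than booted, a value found here can be removed with `Remove-ItemProperty` on the same `HKLM:\OfflineHive\...` path before the `reg.exe unload`, and the file it points to can be deleted from `D:\` like any other file; nothing is in memory to put it back.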

Offline charlie b

  • Gaggle Hero
  • *****
  • Posts: 6941
Re: PC Question
« Reply #11 on: March 31, 2015, 07:22:14 PM »
Thanks.  Think I am going to get another drive to use as a recovery disk.  They are cheap enough these days.
« Last Edit: March 31, 2015, 07:23:02 PM by charlie b »
1984 850 T5 (sold)
2009 Dodge Cummins 2500

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21219
  • Not my real name
Re: PC Question
« Reply #12 on: March 31, 2015, 07:38:06 PM »
What brand of computer?

If you got disks with the computer you can do that -- simply load the opsys to the new drive, attach the old one externally and do the cleanup.  If the opsys recovery is on a hidden partition on the old drive, it may not be possible to direct the load to the new drive -- it might insist on loading over your existing opsys.

Offline charlie b

  • Gaggle Hero
  • *****
  • Posts: 6941
Re: PC Question
« Reply #13 on: March 31, 2015, 08:44:20 PM »
win7 pc and win8 pc

I'd have to make a boot drive with both.  So will have to get the disks.
« Last Edit: March 31, 2015, 08:45:58 PM by charlie b »
1984 850 T5 (sold)
2009 Dodge Cummins 2500

Offline rodekyll

  • Gaggle Hero
  • *****
  • Posts: 21219
  • Not my real name
Re: PC Question
« Reply #14 on: March 31, 2015, 08:59:52 PM »
I'm confused.  Have we been discussing more than one computer?  You have two computers both infected, or does one of them work?  If so, which one?

Offline charlie b

  • Gaggle Hero
  • *****
  • Posts: 6941
Re: PC Question
« Reply #15 on: April 01, 2015, 07:25:10 AM »
They both work.  The wife's picks up malware every now and then when she surfs different places (hers is the win8).  So far Malwarebytes has been good for us.

I am just preparing for any issues in the future.
1984 850 T5 (sold)
2009 Dodge Cummins 2500

Offline rbond

  • Hatchling
  • **
  • Posts: 172
  • Location: Alexandria, La.
Re: PC Question
« Reply #16 on: April 01, 2015, 03:17:52 PM »
I am a hardware tech for the City of Alexandria, La. I have PLENTY of PC's to work on; with our users, I HAVE job security. Anyway, back up all your docs, pics, music, etc., then use the restore function (usually F11 during bootup) or restore disks to put it back in fresh-from-the-box state. What you describe IS an infection you will not get rid of any other way. Do a virus and malware scan of your backed up stuff before you copy it back. We have had the gamut of infections to deal with despite firewalls, content filters, etc.; bad users seem to circumvent all our protections anyway. It is simply quicker and greatly improves your odds of getting rid of most viruses and very bad malware.
2012 MG V7C
1976 Suzuki GT500A
1978 Suzuki GS400C (long gone)
1973 Suzuki TS 100K (first new bike)
1969 Honda S90 (very first bike)
