Solved

Virus is trying to install immediately after logon and prompting for admin approval

Posted on 2015-02-17
Medium Priority
172 Views
Last Modified: 2015-02-20
One of my users clicked on an attachment with a virus. She didn't have admin privileges, but the program tries to install constantly until I kill the process. It has set itself to the highest priority and stops all the other apps. I can get the task manager up just long enough to kill the process after closing the popup several times.

What should I do? The command that it tries to run (via SysWow64\cmd.exe) is a file called msbom.exe in the user's Roaming profile.

I don't think the virus was actually installed, but the install package was and it is making the PC unusable (until I kill the install process).
0
Question by:rpriebe2600
10 Comments
 
LVL 26

Accepted Solution

by:
NVIT earned 2000 total points
ID: 40615844
- Disconnect infected station from web.
- From a different station, download one of the antivirus cleanup tools. There are many to choose from. Here are some:
-- http://support.kaspersky.com/viruses/avptool2011
-- http://support.kaspersky.com/viruses/utility
- Follow cleanup tool instructions.
- If that doesn't work and since it looks like you know what to look for, you can try removing it manually. See my post here: http://www.experts-exchange.com/Software/Microsoft_Applications/Q_28591137.html#a40532588
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40615857
You can also boot to Safe Mode and run RKill and ComboFix from bleepingcomputer.com.
0
 
LVL 14

Expert Comment

by:Natty Greg
ID: 40615882
Shut down the computer, remove the hard drive, attach the hard drive to a working computer and use it to scan the affected drive, without affecting other systems.
0
 
LVL 37

Expert Comment

by:bbao
ID: 40615909
1. disconnect the network.

2. log off the infected user and restart the PC.

3. log on using the administrator account.

4. go to the infected user's profile folder, back up all DATA (not any executable) if necessary.

5. completely delete the user's profile folder and all sub-folders.

6. log off administrator

7. log on using the user's account.

8. check if everything is okay now.
0
 
LVL 102

Expert Comment

by:John
ID: 40616244
Try the following:

Download, install and run Process Explorer from Microsoft. Look down the left side tree under Explorer. Look for strange (alphanumeric) processes. Kill those processes, close out of Process Explorer but do NOT restart.

Now run Malwarebytes and remove any malware that it picks up. Follow by a scan of your own antivirus or one of the suggestions above.

Now restart and test.
0
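The Process Explorer walk-through above can be repeated from an elevated PowerShell prompt. The script below is an added example and is not part of John's comment or anything the thread's participants posted: it lists running processes and flags the ones that run from a user-writable profile directory (the question's msbom.exe lives in the Roaming profile), have a raised base priority (the question mentions the installer setting itself to the highest priority), or carry a command line pointing at AppData\Roaming. It only reports; the PIDs it prints are meant to be reviewed before anything is stopped. The list of user-writable directories is an assumption about a typical profile layout.

```powershell
# Added example, not from the thread. Triage running processes for the three
# signs described in the question: running from the user profile, elevated
# priority, and a cmd.exe command line that references AppData\Roaming.
# Run from an elevated prompt; nothing is killed automatically.

function Get-SuspiciousProcess {
    [CmdletBinding()]
    param(
        # Directories from which a legitimate service or application rarely runs.
        # Assumed typical profile layout; adjust for your environment.
        [string[]]$UserWritableRoots = @(
            (Join-Path $env:USERPROFILE 'AppData\Roaming'),
            (Join-Path $env:USERPROFILE 'AppData\Local\Temp'),
            $env:TEMP
        )
    )

    foreach ($p in Get-CimInstance Win32_Process) {
        # Get-Process gives us the priority class; the process may already be gone.
        $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        $reasons = @()
        $exe = $p.ExecutablePath

        # (a) Executable lives under a user-writable directory.
        if ($exe) {
            foreach ($root in $UserWritableRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "runs from $root"
                    break
                }
            }
        }

        # (b) Base priority above Normal is unusual for an ordinary user application.
        # Reading PriorityClass on protected processes can throw; treat that as unknown.
        $priority = $null
        try { $priority = $proc.PriorityClass } catch { }
        if ($priority -in @('AboveNormal', 'High', 'RealTime')) {
            $reasons += "priority $priority"
        }

        # (c) Command line references the roaming profile, as in the question's cmd.exe launch.
        if ($p.CommandLine -and $p.CommandLine -match 'AppData\\Roaming') {
            $reasons += 'command line references AppData\Roaming'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                PID         = $p.ProcessId
                Name        = $p.Name
                ParentPID   = $p.ParentProcessId
                Path        = $exe
                CommandLine = $p.CommandLine
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Review the output, then stop only the PIDs you have confirmed (Stop-Process -Id <pid>).
Get-SuspiciousProcess | Format-List
```

The parent PID is included because the question describes the payload being launched through SysWow64\cmd.exe; seeing which process spawned the flagged cmd.exe tells you whether there is a second component still running that would simply relaunch it after it is stopped.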
 
LVL 32

Expert Comment

by:serialband
ID: 40618270
Since it's not yet installed:
Check the registry keys of the user for startup entries. These are where automatically starting programs are generally placed in the user's registry. If you're logged in as the administrator or another user, you'll have to load the user's profile into a temporary hive to manipulate them.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

It also doesn't hurt to check the local machine's keys, but most likely it's under the user's profile and not here.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
   
Those keys are ignored in Safe Mode by default.

You can also check the startup menu, in case any programs put it there.  This is somewhat obsolete, but kept for older Windows Programs.
%userprofile%\Start Menu\Programs\Startup
0
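The keys and folder listed in the comment above can be dumped in one pass. The script below is an added example written for this thread, not code from serialband or any of the other participants: it reads the Run, RunOnce and RunOnceEx keys under HKCU and HKLM (including the Wow6432Node view of HKLM on 64-bit Windows and the RunOnceEx subkeys, which hold their commands one level down), lists the per-user and all-users Startup folders, and, when you are logged on as an administrator rather than as the infected user, loads that user's NTUSER.DAT into a temporary hive the way the comment describes. The profile path in $OtherUserProfile is an assumed placeholder.

```powershell
# Added example, not from the thread. Enumerate the autostart locations named
# in the comment above so they can be reviewed before anything is removed.
# Run from an elevated prompt. The other user must be logged off before the
# hive-load step, or reg.exe will refuse to load NTUSER.DAT.

$runKeys = 'Run', 'RunOnce', 'RunOnceEx'

function Get-AutostartEntries {
    param(
        # Registry root under which ...\Software\Microsoft\Windows\CurrentVersion lives,
        # e.g. 'HKCU:', 'HKLM:' or 'Registry::HKEY_USERS\TempHive'.
        [Parameter(Mandatory)] [string]$Root,
        [string]$Label = $Root
    )
    $bases = @("$Root\Software\Microsoft\Windows\CurrentVersion")
    # 64-bit machines also keep a 32-bit view of the HKLM Run keys.
    if ($Root -eq 'HKLM:') {
        $bases += "$Root\Software\Wow6432Node\Microsoft\Windows\CurrentVersion"
    }
    foreach ($base in $bases) {
        foreach ($k in $runKeys) {
            $path = "$base\$k"
            if (-not (Test-Path $path)) { continue }
            # RunOnceEx stores its commands in numbered subkeys, so walk the subtree.
            $keys = @(Get-Item $path) + @(Get-ChildItem $path -Recurse)
            foreach ($item in $keys) {
                foreach ($name in $item.GetValueNames()) {
                    [pscustomobject]@{
                        Source  = $Label
                        Key     = $item.Name
                        Name    = $name
                        Command = $item.GetValue($name)
                    }
                }
            }
        }
    }
}

function Get-StartupFolderEntries {
    param([string[]]$Folders)
    foreach ($f in $Folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -LiteralPath $f -Force | ForEach-Object {
            [pscustomobject]@{ Source = 'StartupFolder'; Key = $f; Name = $_.Name; Command = $_.FullName }
        }
    }
}

$entries = @()

# 1. Current user and machine keys.
$entries += Get-AutostartEntries -Root 'HKCU:'
$entries += Get-AutostartEntries -Root 'HKLM:'

# 2. Startup folders: the per-user one now lives under %APPDATA% (the
#    %userprofile%\Start Menu path in the comment is the pre-Vista location),
#    plus the all-users folder under %ProgramData%.
$entries += Get-StartupFolderEntries -Folders @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)

# 3. Optional: another user's profile, loaded as a temporary hive.
$OtherUserProfile = 'C:\Users\infecteduser'   # assumed placeholder path; adjust
$ntuser = Join-Path $OtherUserProfile 'NTUSER.DAT'
if (Test-Path $ntuser) {
    & reg.exe load 'HKU\TempHive' $ntuser | Out-Null
    try {
        $entries += Get-AutostartEntries -Root 'Registry::HKEY_USERS\TempHive' -Label 'OtherUser'
    } finally {
        [gc]::Collect()   # drop PowerShell's handles on the hive so unload succeeds
        & reg.exe unload 'HKU\TempHive' | Out-Null
    }
}

# Entries whose command points into a profile directory deserve the closest look.
$entries | Sort-Object Source, Key | Format-Table -AutoSize -Wrap
```

If you need to edit the other user's entries rather than just read them, do it inside the same try block while the hive is loaded (Remove-ItemProperty on the Registry::HKEY_USERS\TempHive\... path), and keep the finally so the hive is always unloaded; a hive left loaded prevents that user from logging on cleanly.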
 
LVL 26

Expert Comment

by:NVIT
ID: 40622474
Hi rpriebe2600,

Would you mind sharing what solution worked for you?
0
 

Author Comment

by:rpriebe2600
ID: 40622480
I used Malwarebytes, then Autoruns, and then Malwarebytes again.
0
 

Author Comment

by:rpriebe2600
ID: 40622481
Thanks.
0
 
LVL 26

Expert Comment

by:NVIT
ID: 40622484
I'm glad it worked for you.
0
