Solved

Virus is trying to install immediately after logon and prompting for admin approval

Posted on 2015-02-17
10
162 Views
Last Modified: 2015-02-20
One of my users clicked on an attachment with a virus. She didn't have admin privileges, but the program tries to install constantly until I kill the process. It has set itself to the highest priority and stops all the other apps. I can get the task manager up just long enough to kill the process after closing the popup several times.

What should I do? The command that it tries to run (via SysWow64\cmd.exe) is a file called msbom,exe in the users Roaming profile.

I don't think the virus was actually installed, but the install package was and it is making the PC unusable (until I kill the install process).
0
Comment
Question by:rpriebe2600
10 Comments
 
LVL 24

Accepted Solution

by:
NVIT earned 500 total points
ID: 40615844
- Disconnect infected station from web.
- From a different station, download one of the antivirus cleanup tools. There are many to choose from. Here are some:
-- http://support.kaspersky.com/viruses/avptool2011
-- http://support.kaspersky.com/viruses/utility
- Follow cleanup tool instructions.
- If that doesn't work and since it looks like you know what to look for, you can try removing it manually. See my post here: http://www.experts-exchange.com/Software/Microsoft_Applications/Q_28591137.html#a40532588
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40615857
You can also boot to safe mode and run rkill and conbofix from bleepingcomputer.com
0
 
LVL 11

Expert Comment

by:Natty Greg
ID: 40615882
shut down computer, remove the hard drive, attached hard drive to a working computer and use it to scan the affected drive, without affecting other systems
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 37

Expert Comment

by:bbao
ID: 40615909
1. disconnect the network.

2. log off the infected user and restart the PC.

3. log on using administrator accout.

4. go to the infected user's profile folder, back up all DATA (not any executable) if necessary.

5. completely delete the user's profile folder and all sub-folders.

6. log off administrator

7. log on using the user's account.

8. check if everything is okay now.
0
 
LVL 94

Expert Comment

by:John Hurst
ID: 40616244
Try the following:

Download, install and run Process Explorer from Microsoft. Look down the left side tree under Explorer. Look for strange (alphanumeric) processes. Kill those processes, close out of Process Explorer but do NOT restart.

Now run Malwarebytes and remove any malware that it picks up. Follow by a scan of your own antivirus or one of the suggestions above.

Now restart and test.
0
 
LVL 29

Expert Comment

by:serialband
ID: 40618270
Since it's not yet installed:
Check the registry keys of the user for startup entries.  These are where automatic starting programs are generally place in the User's registry.  If you're logged in as the administrator or another use, you'll have to load the users profile into a temporary hive to manipulate them.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

It also doesn't hurt to check the local machine's keys, but most likely it's under the user's profile and not here.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
   
Those keys are ignored in Safe Mode by default.

You can also check the startup menu, in case any programs put it there.  This is somewhat obsolete, but kept for older Windows Programs.
%userprofile%\Start Menu\Programs\Startup
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40622474
Hi rpriebe2600,

Would you mind sharing what solution worked for you?
0
 

Author Comment

by:rpriebe2600
ID: 40622480
I used malwarebytes,  then autoruns,  and then malwarebytes again.
0
 

Author Comment

by:rpriebe2600
ID: 40622481
Thanks.
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40622484
I'm glad it worked for you.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question