Virus is trying to install immediately after logon and prompting for admin approval

One of my users clicked on an attachment with a virus. She didn't have admin privileges, but the program tries to install constantly until I kill the process. It has set itself to the highest priority and stops all the other apps. I can get the task manager up just long enough to kill the process after closing the popup several times.

What should I do? The command that it tries to run (via SysWow64\cmd.exe) is a file called msbom,exe in the user's Roaming profile.

I don't think the virus was actually installed, but the install package was and it is making the PC unusable (until I kill the install process).
rpriebe2600Asked:
NVIT commented:
- Disconnect infected station from web.
- From a different station, download one of the antivirus cleanup tools. There are many to choose from. Here are some:
-- http://support.kaspersky.com/viruses/avptool2011
-- http://support.kaspersky.com/viruses/utility
- Follow cleanup tool instructions.
- If that doesn't work and since it looks like you know what to look for, you can try removing it manually. See my post here: http://www.experts-exchange.com/Software/Microsoft_Applications/Q_28591137.html#a40532588
0
 
Gabriel Clifton (Net Admin) commented:
You can also boot to safe mode and run rkill and ComboFix from bleepingcomputer.com
0
 
Natty Greg (In Theory (IT)) commented:
Shut down the computer, remove the hard drive, attach the hard drive to a working computer and use it to scan the affected drive, without affecting other systems.
0
 
bbao (IT Consultant) commented:
1. disconnect the network.

2. log off the infected user and restart the PC.

3. log on using administrator account.

4. go to the infected user's profile folder, back up all DATA (not any executable) if necessary.

5. completely delete the user's profile folder and all sub-folders.

6. log off administrator

7. log on using the user's account.

8. check if everything is okay now.
0
 
John (Business Consultant (Owner)) commented:
Try the following:

Download, install and run Process Explorer from Microsoft. Look down the left side tree under Explorer. Look for strange (alphanumeric) processes. Kill those processes, close out of Process Explorer but do NOT restart.

Now run Malwarebytes and remove any malware that it picks up. Follow by a scan of your own antivirus or one of the suggestions above.

Now restart and test.
0
 
serialband commented:
Since it's not yet installed:
Check the registry keys of the user for startup entries. These are where automatically starting programs are generally placed in the user's registry. If you're logged in as the administrator or another user, you'll have to load the user's profile into a temporary hive to manipulate them.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

It also doesn't hurt to check the local machine's keys, but most likely it's under the user's profile and not here.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
   
Those keys are ignored in Safe Mode by default.

You can also check the startup menu, in case any programs put it there. This is somewhat obsolete, but kept for older Windows programs.
%userprofile%\Start Menu\Programs\Startup
0
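To put serialband's list into practice, an added PowerShell example (not from any poster in this thread) that enumerates the Run, RunOnce and RunOnceEx keys and the Startup folders for the machine and for a logged-off user's profile loaded as a temporary hive. It assumes an elevated session; the profile path and hive name are placeholders, and the per-user Startup path shown is the Vista-and-later location rather than the older one quoted above.

```powershell
# Added example, not from the original thread.
# Assumptions: run from an elevated session; the infected user is logged off so
# NTUSER.DAT is not locked; $ProfilePath is a placeholder to adjust.
param(
    [string]$ProfilePath = 'C:\Users\INFECTED_USER'   # placeholder
)

$runKeys = 'Run', 'RunOnce', 'RunOnceEx'

# Returns one object per value found under the Run* keys of the given hive root.
function Get-RunEntries {
    param([string]$Root)   # e.g. 'Registry::HKEY_LOCAL_MACHINE'
    foreach ($k in $runKeys) {
        $path = "$Root\Software\Microsoft\Windows\CurrentVersion\$k"
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            [pscustomobject]@{
                Key      = $path
                Name     = $p.Name
                Command  = $p.Value
                # Flag commands that point into the Roaming profile, as in the question
                Suspect  = ($p.Value -match 'AppData\\Roaming')
            }
        }
    }
}

# 1. Machine-wide keys (less likely per the thread, but cheap to check)
Get-RunEntries -Root 'Registry::HKEY_LOCAL_MACHINE' | Format-Table -AutoSize

# 2. The infected user's hive, loaded temporarily since we are logged on as someone else
$hive = 'HKU\TempHive'   # placeholder hive name
& reg.exe load $hive (Join-Path $ProfilePath 'NTUSER.DAT') | Out-Null
try {
    Get-RunEntries -Root 'Registry::HKEY_USERS\TempHive' | Format-Table -AutoSize
} finally {
    [gc]::Collect()                      # drop handles so the hive can be unloaded
    & reg.exe unload $hive | Out-Null
}

# 3. Startup folders: per-user (Vista+ location) and all-users
$startupDirs = @(
    (Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'),
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($d in $startupDirs) {
    if (Test-Path $d) { Get-ChildItem -Path $d -Force | Select-Object FullName, LastWriteTime }
}
```

Review the Suspect rows before deleting anything; legitimate software also launches from the Roaming profile, so the flag is a prompt to inspect, not a verdict.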
 
NVIT commented:
Hi rpriebe2600,

Would you mind sharing what solution worked for you?
0
 
rpriebe2600 (Author) commented:
I used Malwarebytes, then Autoruns, and then Malwarebytes again.
0
 
rpriebe2600 (Author) commented:
Thanks.
0
 
NVIT commented:
I'm glad it worked for you.
0