Virus is trying to install immediately after logon and prompting for admin approval
One of my users clicked on an attachment with a virus. She didn't have admin privileges, but the program tries to install constantly until I kill the process. It has set itself to the highest priority and stops all the other apps. I can get the task manager up just long enough to kill the process after closing the popup several times.
What should I do? The command that it tries to run (via SysWow64\cmd.exe) is a file called msbom,exe in the users Roaming profile.
I don't think the virus was actually installed, but the install package was and it is making the PC unusable (until I kill the install process).
What should I do? The command that it tries to run (via SysWow64\cmd.exe) is a file called msbom,exe in the users Roaming profile.
I don't think the virus was actually installed, but the install package was and it is making the PC unusable (until I kill the install process).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Gabriel Clifton
You can also boot to safe mode and run rkill and conbofix from bleepingcomputer.com
shut down computer, remove the hard drive, attached hard drive to a working computer and use it to scan the affected drive, without affecting other systems
1. disconnect the network.
2. log off the infected user and restart the PC.
3. log on using administrator accout.
4. go to the infected user's profile folder, back up all DATA (not any executable) if necessary.
5. completely delete the user's profile folder and all sub-folders.
6. log off administrator
7. log on using the user's account.
8. check if everything is okay now.
2. log off the infected user and restart the PC.
3. log on using administrator accout.
4. go to the infected user's profile folder, back up all DATA (not any executable) if necessary.
5. completely delete the user's profile folder and all sub-folders.
6. log off administrator
7. log on using the user's account.
8. check if everything is okay now.
Try the following:
Download, install and run Process Explorer from Microsoft. Look down the left side tree under Explorer. Look for strange (alphanumeric) processes. Kill those processes, close out of Process Explorer but do NOT restart.
Now run Malwarebytes and remove any malware that it picks up. Follow by a scan of your own antivirus or one of the suggestions above.
Now restart and test.
Download, install and run Process Explorer from Microsoft. Look down the left side tree under Explorer. Look for strange (alphanumeric) processes. Kill those processes, close out of Process Explorer but do NOT restart.
Now run Malwarebytes and remove any malware that it picks up. Follow by a scan of your own antivirus or one of the suggestions above.
Now restart and test.
Since it's not yet installed:
Check the registry keys of the user for startup entries. These are where automatic starting programs are generally place in the User's registry. If you're logged in as the administrator or another use, you'll have to load the users profile into a temporary hive to manipulate them.
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software
It also doesn't hurt to check the local machine's keys, but most likely it's under the user's profile and not here.
HKEY_LOCAL_MACHINE\Softwar
HKEY_LOCAL_MACHINE\Softwar
HKEY_LOCAL_MACHINE\Softwar
Those keys are ignored in Safe Mode by default.
You can also check the startup menu, in case any programs put it there. This is somewhat obsolete, but kept for older Windows Programs.
%userprofile%\Start Menu\Programs\Startup
Check the registry keys of the user for startup entries. These are where automatic starting programs are generally place in the User's registry. If you're logged in as the administrator or another use, you'll have to load the users profile into a temporary hive to manipulate them.
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software
It also doesn't hurt to check the local machine's keys, but most likely it's under the user's profile and not here.
HKEY_LOCAL_MACHINE\Softwar
HKEY_LOCAL_MACHINE\Softwar
HKEY_LOCAL_MACHINE\Softwar
Those keys are ignored in Safe Mode by default.
You can also check the startup menu, in case any programs put it there. This is somewhat obsolete, but kept for older Windows Programs.
%userprofile%\Start Menu\Programs\Startup
Hi rpriebe2600,
Would you mind sharing what solution worked for you?
Would you mind sharing what solution worked for you?
ASKER
I used malwarebytes, then autoruns, and then malwarebytes again.
ASKER
Thanks.
I'm glad it worked for you.