Solved

Virus is trying to install immediately after logon and prompting for admin approval

Posted on 2015-02-17
165 Views
Last Modified: 2015-02-20
One of my users clicked on an attachment with a virus. She didn't have admin privileges, but the program tries to install constantly until I kill the process. It has set itself to the highest priority and stops all the other apps. I can get the task manager up just long enough to kill the process after closing the popup several times.

What should I do? The command that it tries to run (via SysWow64\cmd.exe) is a file called msbom,exe in the user's Roaming profile.

I don't think the virus was actually installed, but the install package was and it is making the PC unusable (until I kill the install process).
0
Question by:rpriebe2600
10 Comments
 
LVL 25

Accepted Solution

by:
NVIT earned 500 total points
ID: 40615844
- Disconnect infected station from web.
- From a different station, download one of the antivirus cleanup tools. There are many to choose from. Here are some:
-- http://support.kaspersky.com/viruses/avptool2011
-- http://support.kaspersky.com/viruses/utility
- Follow cleanup tool instructions.
- If that doesn't work and since it looks like you know what to look for, you can try removing it manually. See my post here: http://www.experts-exchange.com/Software/Microsoft_Applications/Q_28591137.html#a40532588
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40615857
You can also boot to safe mode and run RKill and ComboFix from bleepingcomputer.com
0
 
LVL 14

Expert Comment

by:Natty Greg
ID: 40615882
Shut down the computer, remove the hard drive, attach the hard drive to a working computer and use it to scan the affected drive, without affecting other systems.
0
 
LVL 37

Expert Comment

by:bbao
ID: 40615909
1. disconnect the network.

2. log off the infected user and restart the PC.

3. log on using administrator account.

4. go to the infected user's profile folder, back up all DATA (not any executable) if necessary.

5. completely delete the user's profile folder and all sub-folders.

6. log off administrator

7. log on using the user's account.

8. check if everything is okay now.
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40616244
Try the following:

Download, install and run Process Explorer from Microsoft. Look down the left side tree under Explorer. Look for strange (alphanumeric) processes. Kill those processes, close out of Process Explorer but do NOT restart.

Now run Malwarebytes and remove any malware that it picks up. Follow by a scan of your own antivirus or one of the suggestions above.

Now restart and test.
0
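As an added illustration of the "look for strange processes" step above (this is not code from the thread or from Process Explorer), the following PowerShell snippet lists every running process whose executable sits under a user's AppData tree, which is where the questioner's msbom,exe lives, together with each one's priority class, since the question says the installer raised its own priority. It assumes Windows PowerShell 3.0 or later and an elevated prompt so that the image path of other users' processes is readable.

```powershell
# Added example, not part of the thread. Lists processes whose image path is
# inside any user's AppData folder (Roaming, Local, Local\Temp). Run elevated
# so that Path is readable for processes belonging to other logged-on users.

$appDataPattern = '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\'

$suspects = Get-Process |
    Where-Object { $_.Path -and $_.Path -match $appDataPattern } |
    ForEach-Object {
        $p = $_
        # PriorityClass can throw for processes we cannot open fully;
        # record 'n/a' instead of aborting the listing.
        $prio = 'n/a'
        try { $prio = $p.PriorityClass.ToString() } catch { }
        [PSCustomObject]@{
            Id       = $p.Id
            Name     = $p.ProcessName
            Priority = $prio          # 'High' or 'RealTime' on a normal user app is a red flag
            Path     = $p.Path
        }
    }

if ($suspects) {
    $suspects | Sort-Object Path | Format-Table -AutoSize
} else {
    'No running process is executing from a user AppData folder.'
}
```

The Id column feeds straight into Stop-Process -Id, but as the question shows, a process that relaunches itself will keep coming back until whatever starts it (a Run key, a Startup folder entry or a scheduled task) is removed as well, so run the listing again after the reboot to confirm it stays gone.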
 
LVL 30

Expert Comment

by:serialband
ID: 40618270
Since it's not yet installed:
Check the registry keys of the user for startup entries. These are where automatically starting programs are generally placed in the user's registry. If you're logged in as the administrator or another user, you'll have to load the user's profile into a temporary hive to manipulate them.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

It also doesn't hurt to check the local machine's keys, but most likely it's under the user's profile and not here.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
   
Those keys are ignored in Safe Mode by default.

You can also check the startup menu, in case any programs put it there.  This is somewhat obsolete, but kept for older Windows Programs.
%userprofile%\Start Menu\Programs\Startup
0
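To make the check described above concrete, here is an added PowerShell example (not from the thread) that dumps the Run, RunOnce and RunOnceEx keys for HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER and, for the case where you are logged on as the administrator rather than the affected user, loads that user's NTUSER.DAT as a temporary hive so the same keys can be read there. It also lists the Startup folders; on Windows Vista and later the per-user folder is under AppData\Roaming rather than directly under the profile as in the XP-era path quoted above, so both are checked. The profile name INFECTEDUSER and the hive name TempHive are placeholders; run it from an elevated PowerShell 3.0+ prompt.

```powershell
# Added example, not part of the thread. Enumerates the autostart locations
# named in the comment above. Run from an elevated PowerShell 3.0+ prompt.

function Get-RunKeyEntries {
    # $HiveRoot is a provider path such as 'HKLM:', 'HKCU:' or 'Registry::HKEY_USERS\TempHive'.
    param([Parameter(Mandatory)][string]$HiveRoot)
    foreach ($sub in 'Run', 'RunOnce', 'RunOnceEx') {
        $key = $HiveRoot.TrimEnd('\') + "\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        # RunOnceEx commands live in numbered subkeys, so walk one level down as well.
        foreach ($item in @(Get-Item $key) + @(Get-ChildItem $key)) {
            foreach ($name in $item.GetValueNames()) {
                $label = if ($name) { $name } else { '(Default)' }
                [PSCustomObject]@{
                    Key     = $item.Name
                    Value   = $label
                    Command = $item.GetValue($name)
                }
            }
        }
    }
}

function Get-StartupFolderEntries {
    param([Parameter(Mandatory)][string]$ProfileRoot)
    $folders = @(
        (Join-Path $ProfileRoot 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'),  # Vista and later
        (Join-Path $ProfileRoot 'Start Menu\Programs\Startup'),                                    # XP-style path from the comment
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')              # all users
    )
    foreach ($f in $folders) {
        if (Test-Path $f) {
            Get-ChildItem -Path $f -Force |
                Select-Object @{ n = 'Folder'; e = { $f } }, Name, Length, LastWriteTime
        }
    }
}

# Machine-wide keys, then the keys and Startup folder of the account running this script.
Get-RunKeyEntries 'HKLM:' | Format-Table -AutoSize
Get-RunKeyEntries 'HKCU:' | Format-Table -AutoSize
Get-StartupFolderEntries $env:USERPROFILE | Format-Table -AutoSize

# Optional: inspect a user who is NOT logged on by loading their hive.
# INFECTEDUSER is a placeholder; the account must be fully logged off or NTUSER.DAT is locked.
$offlineProfile = Join-Path $env:SystemDrive 'Users\INFECTEDUSER'
$ntuser = Join-Path $offlineProfile 'NTUSER.DAT'
if (Test-Path $ntuser) {
    & reg.exe load 'HKU\TempHive' $ntuser | Out-Null
    try {
        Get-RunKeyEntries 'Registry::HKEY_USERS\TempHive' | Format-Table -AutoSize
        Get-StartupFolderEntries $offlineProfile | Format-Table -AutoSize
    } finally {
        # Release registry handles first, otherwise reg.exe unload reports "Access is denied".
        [GC]::Collect()
        & reg.exe unload 'HKU\TempHive' | Out-Null
    }
}
```

Any Command value that points into a user's AppData\Roaming folder, as the questioner's does, is worth removing with Remove-ItemProperty on the key shown; the hive is unloaded in the finally block so the user can log on normally afterwards.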
 
LVL 25

Expert Comment

by:NVIT
ID: 40622474
Hi rpriebe2600,

Would you mind sharing what solution worked for you?
0
 

Author Comment

by:rpriebe2600
ID: 40622480
I used Malwarebytes, then Autoruns, and then Malwarebytes again.
0
 

Author Comment

by:rpriebe2600
ID: 40622481
Thanks.
0
 
LVL 25

Expert Comment

by:NVIT
ID: 40622484
I'm glad it worked for you.
0
