Solved

Virus is trying to install immediately after logon and prompting for admin approval

Posted on 2015-02-17
10
158 Views
Last Modified: 2015-02-20
One of my users clicked on an attachment with a virus. She didn't have admin privileges, but the program tries to install constantly until I kill the process. It has set itself to the highest priority and stops all the other apps. I can get the task manager up just long enough to kill the process after closing the popup several times.

What should I do? The command that it tries to run (via SysWow64\cmd.exe) is a file called msbom,exe in the users Roaming profile.

I don't think the virus was actually installed, but the install package was and it is making the PC unusable (until I kill the install process).
0
Comment
Question by:rpriebe2600
10 Comments
 
LVL 23

Accepted Solution

by:
NVIT earned 500 total points
ID: 40615844
- Disconnect infected station from web.
- From a different station, download one of the antivirus cleanup tools. There are many to choose from. Here are some:
-- http://support.kaspersky.com/viruses/avptool2011
-- http://support.kaspersky.com/viruses/utility
- Follow cleanup tool instructions.
- If that doesn't work and since it looks like you know what to look for, you can try removing it manually. See my post here: http://www.experts-exchange.com/Software/Microsoft_Applications/Q_28591137.html#a40532588
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40615857
You can also boot to safe mode and run rkill and conbofix from bleepingcomputer.com
0
 
LVL 9

Expert Comment

by:nattygreg
ID: 40615882
shut down computer, remove the hard drive, attached hard drive to a working computer and use it to scan the affected drive, without affecting other systems
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40615909
1. disconnect the network.

2. log off the infected user and restart the PC.

3. log on using administrator accout.

4. go to the infected user's profile folder, back up all DATA (not any executable) if necessary.

5. completely delete the user's profile folder and all sub-folders.

6. log off administrator

7. log on using the user's account.

8. check if everything is okay now.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40616244
Try the following:

Download, install and run Process Explorer from Microsoft. Look down the left side tree under Explorer. Look for strange (alphanumeric) processes. Kill those processes, close out of Process Explorer but do NOT restart.

Now run Malwarebytes and remove any malware that it picks up. Follow by a scan of your own antivirus or one of the suggestions above.

Now restart and test.
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 27

Expert Comment

by:serialband
ID: 40618270
Since it's not yet installed:
Check the registry keys of the user for startup entries.  These are where automatic starting programs are generally place in the User's registry.  If you're logged in as the administrator or another use, you'll have to load the users profile into a temporary hive to manipulate them.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

It also doesn't hurt to check the local machine's keys, but most likely it's under the user's profile and not here.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
   
Those keys are ignored in Safe Mode by default.

You can also check the startup menu, in case any programs put it there.  This is somewhat obsolete, but kept for older Windows Programs.
%userprofile%\Start Menu\Programs\Startup
0
 
LVL 23

Expert Comment

by:NVIT
ID: 40622474
Hi rpriebe2600,

Would you mind sharing what solution worked for you?
0
 

Author Comment

by:rpriebe2600
ID: 40622480
I used malwarebytes,  then autoruns,  and then malwarebytes again.
0
 

Author Comment

by:rpriebe2600
ID: 40622481
Thanks.
0
 
LVL 23

Expert Comment

by:NVIT
ID: 40622484
I'm glad it worked for you.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
how to copy from computer to usb drive 7 68
Files in temp directory 16 37
ost file to pst 10 59
cannot unmapped a network drive 10 51
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now