Can't Open Virus Software After Browser Redirect Malware

Discussion in 'Windows 7 Help and Support' started by extion, Apr 15, 2013.

  1. extion

    extion New Member

    Joined:
    Apr 15, 2013
    Messages:
    20
    Likes Received:
    1
    I've been trying to repair the computer at work, so any requests for system information and such will have to wait until I get back there, which is why I want to post this now. Basically, it's running a 32bit Windows 7.

    We were having a problem with browser redirects in IE and Firefox, so I ended up uninstalling and then reinstalling Firefox. I then deleted all the keys for any Internet Explorer addons using RegEdit. This seemed to fix the problem with redirects.

    However, I notice that some programs won't run. Particularly, Windows Security Essentials. When I click on it, it opens for a micro-second (trust me, I timed it - ok, not really) and then closes. I feel as if there's some code somewhere instantly shutting it down.

    I'm wondering if something like Process Monitor would help if I were to start MSE and see what processes start to cause it to close immediately after. Would this be the proper way of going about troubleshooting this?

    Prior to all of this, I had run Housecall, MalwareBytes, and CCleaner. CCleaner found a bunch of issues, but all my virus scans came up clean.

    Any suggestions would be great as I will be able to put them to use as soon as I get back in to work. I'll also be able to find out if the browser redirect issue has been resolved or has come back since my absence.

    Thanks!
     
  2. Adamsappleone

    Adamsappleone U.S.Navy D.A.V.

    Joined:
    Aug 2, 2009
    Messages:
    1,662
    Likes Received:
    122
    Hello extion, welcome to Windows 7 Forums;

    Have you done a System Restore to a point before your issue started?
    You may also want to run SFC /scannow, if you haven't already.

    Hope this helps and keep us posted
    Don
     
  3. extion

    extion New Member

    Joined:
    Apr 15, 2013
    Messages:
    20
    Likes Received:
    1
    No, I haven't done either of those. I can try as soon as I get to work, but I was hoping I could fix it without system restore. lol

    Any other things I can try before I get there? I'm not going to have long to work on it, and would like a few ideas before I get there.

    Thanks for the quick reply!
     
  4. Joe S

    Joe S Excellent Member

    Joined:
    Jan 12, 2009
    Messages:
    3,785
    Likes Received:
    113
  5. Mitchell_A

    Mitchell_A Excellent Member

    Joined:
    Feb 7, 2009
    Messages:
    5,068
    Likes Received:
    240
    Just an idea, but try renaming the MSE executable (not the shortcut) to something different. I had a virus once that blocked AV programs from running by identifying their file name. As mentioned, MSE did lose its certification rating from AV labs; a great free alternative that isn't too heavy in system resources is avast. If you're looking to spend some money I would definitely recommend ESET SmartSecurity.
     
  6. Joe S

    Joe S Excellent Member

    Joined:
    Jan 12, 2009
    Messages:
    3,785
    Likes Received:
    113
    Check at MS I think they make a Stand Alone Sweeper AV that you burn to CD and boot from that.
    Joe
     
  7. extion

    extion New Member

    Joined:
    Apr 15, 2013
    Messages:
    20
    Likes Received:
    1
    I actually did try that last night. I forget what it was called. "Microsoft Safety Scan" perhaps? I loaded it to a USB and had it run from start-up. Again, it found nothing. I also ran MalwareBytes in normal and safe mode. Nothing.

    Is my Process Monitor a bad idea?
     
  8. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    If MSE is the only thing you are having problems with, I would just reinstall it.

    Process Monitor might be able to help if you were able to dig through the log... But I am betting some component of MSE was corrupted/removed during your checks and modifications.

    Hijack This might be a good way to catch the browser redirects.. I think it checks the hosts file, but you might if it doesn't.
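    A hosts-file audit of the kind Saltgrass mentions, added here as an example (not code from the thread, from HijackThis or from any vendor tool): it parses a hosts file and flags entries that sinkhole or redirect domains a workstation should never override locally. The watch-list, the sample hosts content and the addresses in it are assumptions; the default path in `audit_file` is the standard Windows location.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not from the thread): vendor and
# search domains pointed at loopback/0.0.0.0 (blocked) or elsewhere (redirected).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.microsoft.com
198.51.100.23   www.google.com
127.0.0.1       update.symantec.com   # vendor updates silently blocked
127.0.0.1       mydevbox.local
"""

# Assumed watch-list: domains a workstation should never override locally.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "google.com",
                    "symantec.com", "malwarebytes.org")

def parse_hosts(text):
    """Return (line_no, ip, hostname) tuples, ignoring comments and junk."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip, don't crash
        for host in fields[1:]:
            entries.append((line_no, str(ip), host.lower()))
    return entries

def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def suspicious_entries(text):
    """Flag watched domains that the hosts file sinkholes or redirects."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if host == "localhost" or not is_watched(host):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "sinkholed" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((line_no, host, f"{kind} to {ip}"))
    return findings

def audit_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())
```

On the affected machine, `audit_file()` reads the live file; any finding is worth checking against the hosts entries you actually put there.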
     
  9. Joe S

    Joe S Excellent Member

    Joined:
    Jan 12, 2009
    Messages:
    3,785
    Likes Received:
    113
  10. extion

    extion New Member

    Joined:
    Apr 15, 2013
    Messages:
    20
    Likes Received:
    1
    Alright, so I'm at work now. When I got in, I was notified that the browser redirect issues have returned. Great! So, I've been trying to work with this all night. I ran a few scans again:

    TDSSKiller
    FixTDSS
    MalwareBytes
    Symantec Endpoint Protection

    I also flushed the DNS and double-checked my Internet options on both IE and Firefox to be sure there weren't any tricky homepages or proxy servers set.

    Everything came back clean except for Symantec pointing to "Suspicious.AD", as if that's not vague.

    I also took Mitchell's advice and renamed the Microsoft Security Essentials' executable from "msseces.exe" to "msseces1.exe". lol And, it worked. I'm currently running a scan with it now. But, it looks like it's going to take a REALLY long time to finish.

    However, it looks like it found something! "Exploit:Java/CVE-2013-1493"

    I've just started searching this and watched some dude on YouTube run it through 32 virus programs and the only one that seemed to have stopped it was Kaspersky Antivirus 2013.

    My plan for right now is to let this scan finish, see if it fixes the problem. Then, try to download the new Kaspersky to see if that finds any additional threats.

    Do any of you have experience with this exploit? Any additional steps I should take here?
     
    1 person likes this.
  11. extion

    extion New Member

    Joined:
    Apr 15, 2013
    Messages:
    20
    Likes Received:
    1
    Well, I'm going to be leaving work in a bit. I'll have to work on this some more tomorrow night. But, before I go, I'm wondering now how I can be sure that "Exploit:Java/CVE-2013-1493" is the cause of the browser redirecting I've been experiencing and/or the issues with closing Microsoft Essential Security? Is there some kind of report on what this exploit will do to your machine?

    Does this exploit mean that anyone is able to access your machine so that the results will vary depending on what you've been affected with through this exploit? I just don't understand the implications of this. From what I imagine, this exploit gives access to your machine. So, where is the virus? Because, I'm not having a problem with the virus, right? I'm having a problem with what has been done using the exploit. Is that right?
     
  12. Joe S

    Joe S Excellent Member

    Joined:
    Jan 12, 2009
    Messages:
    3,785
    Likes Received:
    113
    Before the MSE did you have other AV software installed? Most makers make a cleanup tool because junk frequently gets left behind. When you uninstall an AV program it's always a good idea to run the cleanup tool, usually in safe mode.
    Joe
     
  13. extion

    extion New Member

    Joined:
    Apr 15, 2013
    Messages:
    20
    Likes Received:
    1
    Yeah, we were using Symantec Endpoint Protection.
     
  14. extion

    extion New Member

    Joined:
    Apr 15, 2013
    Messages:
    20
    Likes Received:
    1
    ARGHHH!! It's back! I'm starting to get frustrated! More browser redirects! What's going on here?! Any help!?
     
  15. Joe S

    Joe S Excellent Member

    Joined:
    Jan 12, 2009
    Messages:
    3,785
    Likes Received:
    113
    Got any browser toolbars? They are in a lot of software and easy to install without realizing it. Is it redirecting to one specific site?
    Joe
     
  16. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    I just started looking, but see if this link helps any...

    Security Alert CVE-2013-1493

    There is also some stuff on the Symantec site, but it seems I can't read it since I do not have their software and I wasn't sure which version you had.
     
  17. extion

    extion New Member

    Joined:
    Apr 15, 2013
    Messages:
    20
    Likes Received:
    1
    No toolbars or anything like that. It's sending me to a bunch of different sites. Sometimes it will direct me to [possible malware site - removed] and then quickly direct me to another site. I'm assuming the author of this site is generating money from each "visit" to the sites it's directing me to.

    And, Saltgrass, that's about all you're going to get on this Java issue right now. I'm not getting any more information from Symantec for having their software.

    I think this issue is a little more complex than I first thought because I believe we were infected THROUGH Java, which is what our virus protection is picking up. But the virus that we were infected WITH is still going under-the-radar. I'm assuming it's the virus that's giving us the redirection in the browsers.

    Searching for resolutions to the "Google Redirect Virus" isn't helping because I think this is employed in a different way. People have been suggesting to change your home page settings or to clear your browser addons and such, but I just don't see any problems when checking these.

    Does anyone know if I can delete my entire Java folder without consequence? Like I mentioned before, I had uninstalled Java, but I was left with a bunch of folders. I'd like to just delete them all. But, I'm sure that's not going to help anything. Java was being used to infect us, ...but, I've got to figure out what we've been infected with.
     
    #17 extion, Apr 17, 2013
    Last edited by a moderator: Apr 17, 2013
  18. Joe S

    Joe S Excellent Member

    Joined:
    Jan 12, 2009
    Messages:
    3,785
    Likes Received:
    113
    It's beginning to sound like you may need to reformat and reinstall Windows to get rid of the problem.
    Joe
     
  19. Saltgrass

    Saltgrass Excellent Member
    Microsoft Community Contributor

    Joined:
    Oct 16, 2009
    Messages:
    15,157
    Likes Received:
    393
    What I read about the virus indicated that if it is successful in invading your system, it plants a Trojan. Maybe this one is new and the definitions have not dealt with it yet. I seem to remember Symantec was calling it Nrand or something like that. Oracle was supposed to be putting out an update to stop the infection, but if the Trojan has already been planted, that part won't help.

    If you want to try Process Monitor, it is up to you. There is a demonstration about how one very nasty virus was dealt with, which might help you. Maybe when the redirect occurred you could spot something, but a virus will normally have ways to reproduce itself if part of it is found and removed.

    Did you ever try Hijack This?

    But Joe might be right in that it could be time to cut your losses and get rid of it for sure.
     
