Windows 7 Can't Open Virus Software After Browser Redirect Malware

extion

New Member
I've been trying to repair the computer at work, so any requests for system information and such will have to wait until I get back there, which is why I want to post this now. Basically, it's running a 32bit Windows 7.

We were having a problem with browser redirects in IE and Firefox, so I ended up uninstalling and then reinstalling Firefox. I then deleted all the keys for any Internet Explorer addons using RegEdit. This seemed to fix the problem with redirects.

However, I notice that some programs won't run. Particularly, Windows Security Essentials. When I click on it, it opens for a micro-second (trust me, I timed it - ok, not really) and then closes. I feel as if there's some code somewhere instantly shutting it down.

I'm wondering if something like Process Monitor would help if I were to start MSE and see what processes start to cause it to close immediately after. Would this be the proper way of going about troubleshooting this?

Prior to all of this, I had run Housecall, MalwareBytes, and CCleaner. CCleaner found a bunch of issues, but all my virus scans came up clean.

Any suggestions would be great as I will be able to put them to use as soon as I get back in to work. I'll also be able to find out if the browser redirect issue has been resolved or has come back since my absence.

Thanks!
 
Hello extion, welcome to Windows 7 Forums;

Have you done a System Restore to a point before your issue started?
You may also want to run SFC /scannow, if you haven't already.

Hope this helps and keep us posted
Don
 
No, I haven't done either of those. I can try as soon as I get to work, but I was hoping I could fix it without system restore. lol

Any other things as I try before I get there? I'm not going to have long to work on it, and would like a few ideas before I get there.

Thanks for the quick reply!
 
Just an idea, but try renaming the MSE executable (not the shortcut) to something different. I had a virus once that blocked AV programs from running by identifying their file name. As mentioned, MSE did lose its certification rating from AV labs; a great free alternative that isn't too heavy on system resources is Avast. If you're looking to spend some money, I would definitely recommend ESET Smart Security.
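
One concrete Windows mechanism that produces exactly the "opens for a split second and closes" symptom, and that keys on the file name the way the post above describes, is an Image File Execution Options (IFEO) "Debugger" value: when one exists for an executable name, Windows launches the named debugger with the original program as its argument, and if that debugger is bogus the program simply never starts. Renaming the executable sidesteps it because the IFEO subkey is matched by file name. The script below is an added example, not code posted in this thread; it only lists entries, and the watch list of AV/tool names is an assumption you should extend to whatever you run. It targets the 32-bit Windows 7 in question (on 64-bit systems the Wow6432Node copy of the key would also need checking).

```powershell
# Added example (not from the thread): list every Image File Execution Options
# subkey that carries a "Debugger" value. Legitimate uses exist (e.g. Process
# Explorer's "replace Task Manager" sets one for taskmgr.exe), so read the
# value before deleting anything. Run from an elevated PowerShell prompt.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumed watch list: names whose presence here is almost never legitimate.
$watch = @('msseces.exe', 'MsMpEng.exe', 'mbam.exe', 'procmon.exe', 'HijackThis.exe')

$found = 0
Get-ChildItem -Path $ifeo | ForEach-Object {
    $name  = $_.PSChildName
    $props = Get-ItemProperty -Path $_.PSPath
    # Only subkeys that actually define a Debugger value redirect execution.
    if ($props.PSObject.Properties['Debugger']) {
        $found++
        if ($watch -contains $name) { $flag = 'SUSPICIOUS' } else { $flag = 'check' }
        "{0,-11} {1,-18} Debugger = {2}" -f $flag, $name, $props.Debugger
    }
}
if ($found -eq 0) { 'No IFEO Debugger values present.' }

# To undo a hijack once you have confirmed it, remove only the Debugger value
# (the subkey may hold other, harmless settings), e.g.:
#   Remove-ItemProperty -Path "$ifeo\msseces.exe" -Name Debugger
```

If this comes back clean, the blocking is happening somewhere else (a process watching for the window title or image name and terminating it, which is where Process Monitor or Process Explorer earn their keep), but it takes ten seconds to rule out and it is the first thing to look at when a rename fixes the launch.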
 
Check at MS I think they make a Stand Alone Sweeper AV that you burn to CD and boot from that.
Joe
 
Joe said: "Check at MS I think they make a Stand Alone Sweeper AV that you burn to CD and boot from that."

I actually did try that last night. I forget what it was called. "Microsoft Safety Scan" perhaps? I loaded it to a USB and had it run from start-up. Again, it found nothing. I also ran MalwareBytes in normal and safe mode. Nothing.

Is my Process Monitor a bad idea?
 
If MSE is the only thing you are having problems with, I would just reinstall it.

Process Monitor might be able to help if you were able to dig through the log... But I am betting some component of MSE was corrupted/removed during your checks and modifications.

Hijack This might be a good way to catch the browser redirects. I think it checks the hosts file, but you might want to if it doesn't.
 
Alright, so I'm at work now. When I got in, I was notified that the browser redirect issues have returned. Great! So, I've been trying to work with this all night. I ran a few scans again:

TDSSKiller
FixTDSS
MalwareBytes
Symantec Endpoint Protection

I also flushed the DNS and double-checked my Internet options on both IE and Firefox to be sure there weren't any tricky homepages or proxy servers set.

Everything came back clean except for Symantec pointing to "Suspicious.AD", as if that's not vague.

I also took Mitchell's advice and renamed the Microsoft Security Essentials' executable from "msseces.exe" to "msseces1.exe". lol And, it worked. I'm currently running a scan with it now. But, it looks like it's going to take a REALLY long time to finish.

However, it looks like it found something! "Exploit:Java/CVE-2013-1493"

I've just started searching this and watched some dude on YouTube run it through 32 virus programs and the only one that seemed to have stopped it was Kaspersky Antivirus 2013.

My plan for right now is to let this scan finish, see if it fixes the problem. Then, try to download the new Kaspersky to see if that finds any additional threats.

Do any of you have experience with this exploit? Any additional steps I should take here?
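
Since the post above reports flushing DNS and eyeballing the Internet Options dialogs, here is the same check done in one pass from the places redirects are actually planted outside the browser: the hosts file, the DNS resolvers each adapter really uses (rogue resolvers survive an ipconfig /flushdns), the per-user proxy settings including a PAC/AutoConfigURL (which the dialog hides behind "LAN settings" and which can redirect only selected sites), and the system-wide WinHTTP proxy that the dialog never shows. This is an added example, not something anyone in the thread posted; it is read-only, assumes Windows 7 with PowerShell 2.0 or later, and the only judgement it makes is the comparison you do against the resolvers and proxies your network is supposed to use.

```powershell
# Added example (not from the thread): one-shot, read-only triage of the
# non-browser places a redirect can be introduced. Run in an elevated
# PowerShell prompt on Windows 7 and compare each result against what your
# ISP/company actually provisions.

'--- hosts file: any line beyond the default localhost entries deserves a look ---'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }

'--- DNS servers per IP-enabled adapter (a resolver you do not recognise is the redirect) ---'
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    ForEach-Object {
        "{0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', ')
    }

'--- per-user proxy (what IE uses, and Firefox when set to "use system proxy") ---'
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
"ProxyEnable   = {0}" -f $p.ProxyEnable
"ProxyServer   = {0}" -f $p.ProxyServer
"AutoConfigURL = {0}" -f $p.AutoConfigURL   # a PAC script: empty is what you want

'--- system-wide WinHTTP proxy (used by services and updaters, not shown in IE options) ---'
netsh winhttp show proxy
```

Two notes on reading the output: the hosts file is often scrubbed by the scanners already run, so an empty result there means nothing on its own, and a redirect that only fires on the first visit to a site (as described later in the thread) is more typical of a PAC script or a rogue resolver than of a hosts entry, which redirects every time.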
 
Well, I'm going to be leaving work in a bit. I'll have to work on this some more tomorrow night. But, before I go, I'm wondering now how I can be sure that "Exploit:Java/CVE-2013-1493" is the cause of the browser redirecting I've been experiencing and/or the issues with closing Microsoft Security Essentials? Is there some kind of report on what this exploit will do to your machine?

Does this exploit mean that anyone is able to access your machine so that the results will vary depending on what you've been affected with through this exploit? I just don't understand the implications of this. From what I imagine, this exploit gives access to your machine. So, where is the virus? Because, I'm not having a problem with the virus, right? I'm having a problem with what has been done using the exploit. Is that right?
 
Before MSE, did you have other AV software installed? Most makers make a cleanup tool because junk frequently gets left behind. When you uninstall an AV program it's always a good idea to run the cleanup tool, usually in safe mode.
Joe
 
ARGHHH!! It's back! I'm starting to get frustrated! More browser redirects! What's going on here?! Any help!?
 
Got any browser toolbars? They are in a lot of software and easy to install without realizing it. Is it redirecting to one specific site?
Joe
 
I just started looking, but see if this link helps any...

Security Alert CVE-2013-1493

There is also some stuff on the Symantec site, but it seems I can't read it since I do not have their software and I wasn't sure which version you had.
 
No toolbars or anything like that. It's sending me to a bunch of different sites. Sometimes it will direct me to [possible malware site - removed] and then quickly direct me to another site. I'm assuming the author of this site is generating money from each "visit" to the sites it's directing me to.

And, Saltgrass, that's about all you're going to get on this Java issue right now. I'm not getting any more information from Symantec for having their software.

I think this issue is a little more complex than I first thought because I believe we were infected THROUGH Java, which is what our virus protection is picking up. But the virus that we were infected WITH is still going under-the-radar. I'm assuming it's the virus that's giving us the redirection in the browsers.

Searching for resolutions to the "Google Redirect Virus" isn't helping because I think this is employed in a different way. People have been suggesting to change your home page settings or to clear your browser addons and such, but I just don't see any problems when checking these.

Does anyone know if I can delete my entire Java folder without consequence? Like I mentioned before, I had uninstalled Java, but I was left with a bunch of folders. I'd like to just delete them all. But, I'm sure that's not going to help anything. Java was being used to infect us, ...but, I've got to figure out what we've been infected with.
 
It's beginning to sound like you may need to reformat and reinstall Windows to get rid of the problem.
Joe
 
What I read about the virus, indicated if it is successful in invading your system, it plants a Trojan. Maybe this one is new and the definitions have not dealt with it yet. I seem to remember Symantec was calling it Nrand or something like that. Oracle was supposed to be putting out an update to stop the infection, but if the Trojan has already been planted, that part won't help.

If you want to try Process Monitor, it is up to you. There is a demonstration about how one very nasty virus was dealt with, which might help you. Maybe when the redirect occurred you could spot something, but a virus will normally have ways to reproduce itself if part of it is found and removed.

Did you ever try Hijack This?

But Joe might be right in that it could be time to cut your losses and get rid of it for sure.
 