Virus or not a virus?

Discussion in 'Windows 7 Help and Support' started by MikeHawthorne, Feb 4, 2014.

  1. MikeHawthorne

    Hi

    My friend Paul has a message that keeps popping up in the lower right hand corner of his monitor saying that it is Windows Security Essentials and that it has found a virus that needs to be removed.

    The thing is it doesn't look quite right to me, the window is yellow and doesn't look like Microsoft.
    So I didn't click on go ahead.

    I ran Malwarebytes and it found some stuff so I rebooted and then I checked Windows Defender to run a scan from there and it was turned off, so was the Windows Firewall.

    I couldn't restart the service for Defender but the Firewall restarted.
    I finally removed Windows Security Essentials and then downloaded and re-installed them.
    This got Defender going and I had it run a scan; it came up clean.

    I then ran Malwarebytes again and it came up clean as well, so did SuperAntiSpyware.

    We think the computer was infected with something called Win32/bettersurf.
    It also says that Malwarebytes will remove it.

    I checked manually for indications of it after running several scans, and didn't find anything in the registry etc.

    He called me today and told me he was getting the popup in the corner that says the Microsoft Security Essentials wants to remove something and I really don't know if it's legit or not.

    He is getting random blue screens and when he boots his computer it blue screens the first time and then boots the second time.

    Anyone have any suggestions? This is about everything I know about what's happening.

    Mike
     
  2. davidhk129

    I don't have an answer to the described issue.
    I just want to tell you that Microsoft Security Essentials is supposed to SHUT OFF Windows Defender.
    Reason being, MSE has its own defender. Having 2 defenders running will create conflicts, not to mention redundancy.
     
  3. MikeHawthorne

    What I did was to remove and reinstall Windows Security Essentials on his computer.

    When I checked after doing so Windows Defender and the Firewall were both shown as running, before Windows Defender was shown as not running and I couldn't start the Windows Defender Service.

    Or more correctly it would start and immediately shut off giving a message something like, "Something forced the Windows Defender Service to shut down".

    I don't think that there are two different Windows Defenders running.

    I'm beginning to think I'm going to have to reinstall Windows 7 on his computer, I just don't know what is going on.

    I can't decide if the notification he gets that "Windows Security Essentials has found a virus that needs to be removed" is real or not.
    I've never seen a notification like that on any computer that I have used.

    I don't see a distinction between Windows Defender and Windows Security Essentials, on his computer or my Windows 8 computer.
    I'm running MSE as my antivirus and both show that the Windows Defender Service is running, along with the Windows Firewall.

    If Windows Defender should not be running, then what should I see as running when I look at Security Settings?
    On my Windows 8 computer which is running the standard Security Essentials setup, it shows Windows Defender and the Windows Firewall as the running applications.

    And the Windows Defender Service shown as running in Services.

    [IMG]

    Mike
     
    #3 MikeHawthorne, Feb 4, 2014
    Last edited: Feb 4, 2014
  4. Joe S

    What AV did he have on it before he installed MSE? Did he run the manufacturer's cleanup too after uninstalling? AV often leaves troublesome stuff behind after a simple uninstall. Also check MS, they have an AV program you burn to disk and boot from, and it does a scan.
    Joe
     
  5. davidhk129

    I am not talking about Windows 8. You are in Win 7 forum.

    In Win 8/8.1 Windows Defender IS MSE. In fact, you can NOT install MSE into the system because it is already included as part of the OS.
    Please read this: http://answers.microsoft.com/en-us/protect/forum/mse-protect_start/can-i-use-microsoft-security-essentials-with/34b26e6f-12a0-4bc7-b160-f3b2ff70b910

    In Win 7, Windows Defender is part of the OS. Users will have to install MSE if they want it.
    Please read this: http://blogs.msdn.com/b/securitytipstalk/archive/2010/08/26/microsoft-security-essentials-vs-windows-defender.aspx
     
  6. MikeHawthorne

    Hi

    He was running MSE before the problems started, but when I checked it was turned off and could not be restarted.
    I assumed that some kind of malware turned it off.

    I ran Malwarebytes several times but MSE still wouldn't turn on, that's when I removed it and reinstalled it.
    After that I ran a scan and it came up clean, but he is still getting the popup that I think is not legit saying that he has a virus that needs to be removed.

    He still got the problem with the computer blue screening the first time he booted it this morning.
    After telling it to just start normally from the repair screen it started OK.

    Mike
     
  7. davidhk129

    1. Go back to your 2nd reply. You said....
    I don't think that there are two different Windows Defenders running.
    Let me rephrase it... MSE has its own defender in its program, and having 2 defenders running will create conflicts as well as redundancy. Therefore, MSE is supposed to turn off Windows Defender. If you had uninstalled and reinstalled MSE, you will find Windows Defender being turned off. Maybe not right away, but it will.

    2. You said.... He was running MSE before the problems started, but when I checked it was turned off and could not be restarted.
    What is "it"? Windows Defender or MSE?
    If you meant "it" as in Windows Defender, then please reread my 2 replies. I have links provided with my 1st reply.
    If you meant MSE being turned off, then I apologize. You did not say so in your original post which only mentioned Windows Defender being turned off, hence my reply.
    Thank you.
     
    #7 davidhk129, Feb 4, 2014
    Last edited: Feb 4, 2014
  8. MikeHawthorne

    Hi again

    What was turned off originally was Windows Defender and it couldn't be restarted.

    But it didn't show that anything else was protecting his computer in its place.
    Just the yellow bar saying that Windows Defender is not running.

    After removing Windows Defender in add remove programs, and downloading and installing Windows Security Essentials what it showed running was Windows Defender, I assume the new version that is part of MSE.

    Does Windows 7 run a different security setup than Windows 8?

    It's been so long since I ran Windows 7 I don't remember what I was running anymore.
    But what I see on his computer is essentially the same as what I see in W8, Windows Defender and Windows Firewall.

    The window he gets looks like this except it is yellow in the message panel instead of white...

    http://i1238.photobucket.com/albums/ff491/nohjekim/MSE_Threat_Alert_zps9d1f7baf.png

    I've never seen one that isn't just like this one?
    The thing is that when I was there, I had Defender run a scan and it said it didn't find anything.

    Then this message window appears again.
    If it's Defender that's giving the message and I run a scan shouldn't it say there is a virus there?

    As I said I've run Malwarebytes, SuperAntiSpyware, and a Windows Defender Scan and they all come up clean, but this message keeps popping up.

    Mike
     
    #8 MikeHawthorne, Feb 4, 2014
    Last edited: Feb 4, 2014
  9. bassfisher6522

    When MSE does find something, a message will pop up asking you what you want to do with it... just select remove... and you're done. Yes, the popup does come up in the bottom right corner; this is normal.

    MSE is built into Windows 8, called Windows Defender. If you try to download and install MSE for Windows 8 you'll get an error message saying it's not compatible or something real close to that, that I can remember.
     
  10. davidhk129

    1. quote from your last reply................What was turned off originally was Windows Defender and it couldn't be restarted.
    But it didn't show that anything else was protecting his computer in its place.
    Just the yellow bar saying that Windows Defender is not running.

    2. quote from your original post.....I finally removed Windows Security Essentials and then downloaded and re-installed them.

    The 2 above means this.....
    MSE has already been installed, and Paul saw a warning from MSE.
    You tried to open Windows Defender and found the service was stopped. It is because MSE has stopped WD service.
    WD did not show which program had taken its place because it is not programmed to tell you that. Users are supposed to know MSE replaces WD.

    3. quote from your last reply.....After removing Windows Defender in add remove programs....
    Impossible. You can NOT uninstall WD from your Win 7 operating system. WD is not even listed in Features and Programs.
    (Please update your terminology. Add and Remove is XP jargon.)
    This is Win 7 forum you are posting to.

    4. The screenshot you posted is genuine MSE warning. Please do what it says.

    5. To repeat......
    In Windows 8/8.1 Windows Defender is MSE, 2 of the same, and it is part of the operating system. You cannot install another copy of MSE. The system will not allow you to do that.
    In Windows Vista and Windows 7, Windows Defender is part of the OS. MSE is an independent program which users have to install. Once installed MSE will eventually disable Windows Defender.
     
  11. MikeHawthorne

    Hi

    My problem is that because I didn't know if this was a legit message I ran other scans. Malwarebytes did find some issues and removed them, most notably "Win32/bettersurf"; after that I ran SuperAntiSpyware, Windows Defender and Malwarebytes scans again.

    They all said that nothing was there.

    But the popup like this one, only Yellow is still popping up, so I'm still not sure that the message is real, or some kind of malware mimicking Windows.

    [IMG]

    All the MSE pop ups I've seen look like this one, the one he is getting is bright yellow?

    Mike

    It was Windows Security Essentials that I removed in the Add Remove Programs list.

    This article describes how to uninstall Microsoft Security Essentials if you cannot uninstall it in Control Panel by using the Add or Remove Programs item or the Programs and Features item in Windows Vista and Windows 7. We recommend that you verify that you cannot uninstall by using Add or Remove Programs first.

    Windows Security Essentials was listed in his add remove programs list and when I asked for it to be uninstalled it gave every indication that it was doing so.

    Prior to doing this it told me that Security Essentials could not be installed because it was already installed.

    After removing it and reinstalling it Windows Defender was shown as Working, and it ran a scan.
    It hasn't turned off since and everything is shown as green.

    Before I did this it told me that the computer was unprotected, and that Windows Defender was not turned on.

    And as I said the pop up he is getting does not look like the one I posted, that's why I was suspicious to start with, his is bright yellow.

    If it's real why won't a scan of his computer by Defender show that something is there?

    Anyway I'm about to give up and tell him to go ahead and click on it, we'll see if he gets another virus or not, and go from there.

    I've found dozens of posts about fake MSI alerts but nothing that really tells me how to tell one way or the other if they are real, or not.
     
    #11 MikeHawthorne, Feb 4, 2014
    Last edited: Feb 4, 2014
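
One way to cross-check a "threat found" popup like the one discussed in this thread against what the installed Microsoft antimalware components report, as an added example that is not part of any poster's message. It assumes the stock service names `WinDefend` (Windows Defender) and `MsMpSvc` (MSE's Microsoft Antimalware Service), and that MSE writes detections to the System event log under the source `Microsoft Antimalware` with event IDs 1116 (detected) and 1117 (action taken); the function names are hypothetical.

```powershell
# Added example for Windows 7 / PowerShell 2.0. Service names and event
# source/IDs below are assumptions stated in the lead-in, not from the thread.

function Get-ServiceBinary([string]$Name) {
    # Resolve the executable behind a service and check its Authenticode signature.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }          # service not installed

    # PathName may be quoted and may carry arguments; keep only the executable.
    $path = $null
    if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(\S+)') {
        $path = $Matches[1]
    }

    $status = 'NoFile'; $signer = ''
    if ($path -and (Test-Path $path)) {
        $sig    = Get-AuthenticodeSignature $path
        $status = $sig.Status                 # 'Valid' for an intact signed binary
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    New-Object PSObject -Property @{
        Service = $Name; State = $svc.State; StartMode = $svc.StartMode
        Path = $path; SigStatus = $status; Signer = $signer
    }
}

function Get-AntimalwareDetections([int]$Newest = 200) {
    # A genuine MSE alert should have a matching detection event near the popup time.
    Get-EventLog -LogName System -Source 'Microsoft Antimalware' -Newest $Newest `
                 -ErrorAction SilentlyContinue |
        Where-Object { 1116, 1117 -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

# Which of the two services is installed, running, and backed by a signed binary?
'WinDefend', 'MsMpSvc' | ForEach-Object { Get-ServiceBinary $_ } |
    Format-Table Service, State, StartMode, SigStatus, Signer -AutoSize

# Detections the engine itself recorded; an empty result while popups keep
# appearing means the popup is not backed by a logged detection.
Get-AntimalwareDetections | Format-List
```
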
  12. bassfisher6522

    Have him take a screenshot of the popup so we can have a look... but my guess about the color is the threat level of the infection it found.
     
  13. MikeHawthorne

    I'll see if he can do that but he's not all that apt at stuff like that.

    I did see the popup when I was there and it looked like this...
    My simulation...

    [IMG]

    The message in the window was different but this is generally how it looked.

    When I clicked on details it listed the Win32/betterbrows virus or something like that.

    Personally I've seen these from time to time but never yellow like this.
    It's what made him suspicious and I thought it didn't look right either.

    I'll have him click on it and if he gets one of those download this to clean your computer things I'll have him ctrl, alt, delete out and shut down.

    But as I've said I've run every scan that I use normally and they all come up clean.

    Mike
     
  14. bassfisher6522

    Thanks Mike, but without the exact copy of what it is... it's hard to guess as to if it's legit or not. What happens when he does click on "clean computer"?
     
  15. MikeHawthorne

    Hi

    He finally gave in and clicked on Clean Computer.
    He said that the popup just went away and hasn't come back since.

    Now I'm trying to get him to write down the error code he gets on the Blue Screens when his computer won't boot.

    I'll tackle that next.

    Mike
     
