Windows 7 Virus or not a virus?

MikeHawthorne

Hi

My friend Paul has a message that keeps popping up in the lower right hand corner of his monitor saying that it is Windows Security Essentials and that it has found a virus that needs to be removed.

The thing is it doesn't look quite right to me, the window is yellow and doesn't look like Microsoft.
So I didn't click on go ahead.

I ran Malwarebytes and it found some stuff so I rebooted and then I checked Windows Defender to run a scan from there and it was turned off, so was the Windows Firewall.

I couldn't restart the service for Defender but the Firewall restarted.
I finally removed Windows Security Essentials and then downloaded and re-installed them.
This got defender going and I had it run a scan, it came up clean.

I then ran Malwarebytes again and it came up clean as well, so did SuperAntiSpyware.

We think the computer was infected with something called Win32/bettersurf.
It also says that Malwarebytes will remove it.

I checked manually for indications of it after running several scans, and didn't find anything in the registry etc.

He called me today and told me he was getting the popup in the corner that says the Microsoft Security Essentials wants to remove something and I really don't know if it's legit or not.

He is getting random blue screens and when he boots his computer it blue screens the first time and then boots the second time.

Anyone have any suggestions? This is about everything I know about what's happening.

Mike
 
I don't have an answer to the described issue.
I just want to tell you that Microsoft Security Essentials is supposed to SHUT OFF Windows Defender.
Reason being, MSE has its own defender. Having 2 defenders running will create conflicts, not to mention redundancy.
 
What I did was to remove and reinstall Windows Security Essentials on his computer.

When I checked after doing so Windows Defender and the Firewall were both shown as running, before Windows Defender was shown as not running and I couldn't start the Windows Defender Service.

Or more correctly it would start and immediately shut off giving a message something like, "Something forced the Windows Defender Service to shut down".

I don't think that there are two different Windows Defenders running.

I'm beginning to think I'm going to have to reinstall Windows 7 on his computer, I just don't know what is going on.

I can't decide if the notification he gets that "Windows Security Essentials has found a virus that needs to be removed" is real or not.
I've never seen a notification like that on any computer that I have used.

I don't see a distinction between Windows Defender and Windows Security Essentials, on his computer or my Windows 8 computer.
I'm running MSE as my antivirus and both show that the Windows Defender Service is running, along with the Windows Firewall.

If Windows Defender should not be running, then what should I see as running when I look at Security Settings?
On my Windows 8 computer, which is running the standard Security Essentials setup, it shows Windows Defender and the Windows Firewall as the running applications.

And the Windows Defender Service shown as running in Services.

Services_zpse4aed36a.jpg


Mike
 
What AV did he have on it before he installed MSE? Did he run the manufacturer's cleanup too after uninstalling? AVs often leave troublesome stuff behind after a simple uninstall. Also check MS; they have an AV program you burn to disk and boot from, and it does a scan.
Joe
 
Hi

He was running MSE before the problems started, but when I checked it was turned off and could not be restarted.
I assumed that some kind of malware turned it off.

I ran Malwarebytes several times but MSE still wouldn't turn on, that's when I removed it and reinstalled it.
After that I ran a scan and it came up clean, but he is still getting the popup that I think is not legit saying that he has a virus that needs to be removed.

He still got the problem with the computer blue screening the first time he booted it this morning.
After telling it to just start normally from the repair screen it started OK.

Mike
 
1. Go back to your 2nd reply. You said....
I don't think that there are two different Windows Defenders running.
Let me rephrase it...... MSE has its own defender in its program, and having 2 defenders running will create conflicts as well as redundancy. Therefore, MSE is supposed to turn off Windows Defender. If you had uninstalled and reinstalled MSE, you will find Windows Defender being turned off. Maybe not right away, but it will.

2. You said....He was running MSE before the problems started, but when I checked it was turned off and could not be restarted.
What is "it"? Windows Defender or MSE?
If you meant "it" as in Windows Defender, then please reread my 2 replies. I have links provided with my 1st reply.
If you meant MSE being turned off, then I apologize. You did not say so in your original post which only mentioned Windows Defender being turned off, hence my reply.
Thank you.
 
Hi again

What was turned off originally was Windows Defender and it couldn't be restarted.

But it didn't show that anything else was protecting his computer in its place.
Just the yellow bar saying that Windows Defender is not running.

After removing Windows Defender in add remove programs, and downloading and installing Windows Security Essentials what it showed running was Windows Defender, I assume the new version that is part of MSE.

Does Windows 7 run a different security setup than Windows 8?

It's been so long since I ran Windows 7 I don't remember what I was running anymore.
But what I see on his computer is essentially the same as what I see in W8, Windows Defender and Windows Firewall.

The window he gets looks like this except it is yellow in the message panel instead of white...

http://i1238.photobucket.com/albums/ff491/nohjekim/MSE_Threat_Alert_zps9d1f7baf.png

I've never seen one that isn't just like this one?
The thing is that when I was there, I had Defender run a scan and it said it didn't find anything.

Then this message window appears again.
If it's Defender that's giving the message and I run a scan shouldn't it say there is a virus there?

As I said I've run Malwarebytes, SuperAntiSpyware, and a Windows Defender Scan and they all come up clean, but this message keeps popping up.

Mike
 
When MSE does find something, a message will pop up asking you what you want to do with it....just select remove....and you're done. Yes..the popup does come up in the bottom right corner...this is normal.

MSE...is built into Windows 8, called Windows Defender. If you try to download and install MSE for Windows 8 you'll get an error message saying it's not compatible or something real close to that, that I can remember.
 
1. quote from your last reply................What was turned off originally was Windows Defender and it couldn't be restarted.
But it didn't show that anything else was protecting his computer in its place.
Just the yellow bar saying that Windows Defender is not running.

2. quote from your original post.....I finally removed Windows Security Essentials and then downloaded and re-installed them.

The 2 above means this.....
MSE has already been installed, and Paul saw a warning from MSE.
You tried to open Windows Defender and found the service was stopped. It is because MSE has stopped WD service.
WD did not show which program had taken its place because it is not programmed to tell you that. Users are supposed to know MSE replaces WD.

3. quote from your last reply.....After removing Windows Defender in add remove programs....
Impossible. You can NOT uninstall WD from your Win 7 operating system. WD is not even listed in Features and Programs.
(Please update your terminology. Add and Remove is XP jargon.)
This is Win 7 forum you are posting to.

4. The screenshot you posted is genuine MSE warning. Please do what it says.

5. To repeat......
In Windows 8/8.1 Windows Defender is MSE, 2 of the same, and it is part of the operating system. You cannot install another copy of MSE. The system will not allow you to do that.
In Windows Vista and Windows 7, Windows Defender is part of the OS. MSE is an independent program which users have to install. Once installed MSE will eventually disable Windows Defender.
 
Hi

My problem is that because I didn't know if this was a legit message I ran other scans. Malwarebytes did find some issues and removed them, most notably "Win32/bettersurf". After that I ran SuperAntiSpyware, Windows Defender and Malwarebytes scans again.

They all said that nothing was there.

But the popup like this one, only Yellow is still popping up, so I'm still not sure that the message is real, or some kind of malware mimicking Windows.

MSE_Threat_Alert_zps9d1f7baf.png


All the MSE pop ups I've seen look like this one, the one he is getting is bright yellow?

Mike

It was Windows Security Essentials that I removed in the Add Remove Programs list.

This article describes how to uninstall Microsoft Security Essentials if you cannot uninstall it in Control Panel by using the Add or Remove Programs item or the Programs and Features item in Windows Vista and Windows 7. We recommend that you verify that you cannot uninstall by using Add or Remove Programs first.

Windows Security Essentials was listed in his add remove programs list and when I asked for it to be uninstalled it gave every indication that it was doing so.

Prior to doing this it told me that Security Essentials could not be installed because it was already installed.

After removing it and reinstalling it Windows Defender was shown as working, and it ran a scan.
It hasn't turned off since and everything is shown as green.

Before I did this it told me that the computer was unprotected, and that Windows Defender was not turned on.

And as I said the pop up he is getting does not look like the one I posted, that's why I was suspicious to start with, his is bright yellow.

If it's real why won't a scan of his computer by Defender show that something is there?

Anyway I'm about to give up and tell him to go ahead and click on it, we'll see if he gets another virus or not, and go from there.

I've found dozens of posts about fake MSI alerts but nothing that really tells me how to tell one way or the other if they are real, or not.
 
Have him take a screen shot of the popup so we can have a look....but my guess about the color is the threat level of the infection it found.
 
I'll see if he can do that but he's not all that apt at stuff like that.

I did see the popup when I was there and it looked like this...
My simulation...

MSE_Threat_Alert_zpsd7e415a7.png


The message in the window was different but this is generally how it looked.

When I clicked on details it listed the Win32/betterbrows virus or something like that.

Personally I've seen these from time to time but never yellow like this.
It's what made him suspicious and I thought it didn't look right either.

I'll have him click on it and if he gets one of those download this to clean your computer things I'll have him ctrl, alt, delete out and shut down.

But as I've said I've run every scan that I use normally and they all come up clean.

Mike
 
Thanks Mike, but without the exact copy of what it is....it's hard to guess as to if it's legit or not. What happens when he does click on "clean computer"?
 
Hi

He finally gave in and clicked on Clean Computer.
He said that the popup just went away and hasn't come back since.

Now I'm trying to get him to write down the error code he gets on the Blue Screens when his computer won't boot.

I'll tackle that next.

Mike
 