On a Windows 7 Home Premium PC, a customer had an infection with a fake antivirus program called "Internet Security Essentials". It seemed to mimic "Microsoft Security Essentials", which was on the same eMachines PC. ISE kept identifying fake results and then asking for money to fix them, and popped up constantly.
As part of the general preparation for cleanup, I tried to disable System Restore (to get rid of restore points), but the System Properties menu was MISSING the "System Protection" tab. I googled this issue (for Windows 7 Home Premium) and found many responses, including running "SystemPropertiesProtection.exe". This opened the System Properties window (again), but the System Protection tab was still missing. I gave up on this issue to save client time, assuming it was unrelated to the infection. (Otherwise I would have tried sfc /scannow.)
I ran HJT and then COMBOFIX, despite the warnings about Microsoft Security Essentials. Combofix found and removed a few items, but after rebooting, the virus kept appearing.
I ran MBAM and did a quick scan. But again, the virus was still appearing.
I deleted the virus window's process exe to get it out of the way. After doing this, the virus window didn't reappear for the rest of the period I was there.
Then I went into safe mode and ran COMBOFIX again. The MSE warnings were still there, to my annoyance, so I made sure the processes were gone, but the warnings were still there. I almost took the time to uninstall MSE before running Combofix, but decided this was probably a red herring, and again, I was trying to save client money. Combofix didn't find anything (I believe - but check the log). When I rebooted, I noticed the main ISE shortcut and old folder were still there. So I went back into safe mode and ran an MBAM full scan, which found nothing, but triggered two positives for MSE, which MSE removed.
The last MBAM and COMBOFIX scans I ran said they were clean. (But please look at the logs to be sure.) They were both fully up to date. After these scans I noticed some legitimate non-virus-related desktop icons were missing, and I tried to restore as many as I could remember.
When I left I told her to run a full updated MSE scan. I don't know yet what the outcome of that was.
Two days later the virus has reappeared.
FYI, the user uses IncrediMail, which I recommended against. Also, I googled this infection title "ISE" and found nothing.
I don't know whether removing the restore points or uninstalling MSE would have made any difference.
What do you guys recommend?