Solved

"Internet Security Essentials" infection reappears after combofix and MBAM

Posted on 2011-02-22
29
1,279 Views
Last Modified: 2012-05-11
On a Windows 7 Home Premium PC, a customer had an infection with a fake antivirus program called "Internet Security Essentials". It seemed to mimic "Microsoft Security Essentials", which was on the same eMachine. ISE kept identifying fake results and then asking for money to fix them, and popped up constantly.

As part of the general preparation for cleanup, I tried to disable System Restore (to get rid of restore points), but the System Properties dialog was MISSING the "System Protection" tab. I googled this issue (for Windows 7 Home Premium) and found many responses, including running "SystemPropertiesProtection.exe". This opened the System Properties dialog (again), but the System Protection tab was still missing. I gave up on this issue to save client time, assuming it was unrelated to the infection. (Otherwise I would have tried sfc /scannow.)

I ran HJT and then COMBOFIX, despite the warnings about Microsoft Security Essentials. Combofix found and removed a few items, but after rebooting, the virus kept appearing.

I ran MBAM and did a quick scan.  But again, the virus was still appearing.

I deleted the virus window's process exe to get it out of the way:
C:\ProgramData\ce5711\ISce5_2164.exe
After doing this the virus window didn't reappear for the rest of the period I was there.
Then I went into safe mode and ran COMBOFIX again. The MSE warnings were still there, to my annoyance, so I made sure the processes were gone, but the warnings remained. I almost took the time to uninstall MSE before running Combofix, but decided this was probably a red herring, and again, I was trying to save client money. Combofix didn't find anything (I believe - but check the log). When I rebooted, I noticed the main ISE shortcut and old folder were still there. So I went back into safe mode and ran an MBAM full scan, which found nothing, but triggered two positives for MSE, which MSE removed.

The last MBAM and COMBOFIX scans I ran said they were clean. (But please look at the logs to be sure.) They were both fully up to date. After these scans I noticed some legitimate non-virus-related desktop icons were missing, and I tried to restore as many as I could remember.

When I left I told her to run a full updated MSE scan. I don't know yet what the outcome of that was.

Two days later the virus has reappeared.

FYI, the user uses IncrediMail, which I recommended against. Also, I googled this infection title "ISE" and found nothing.

I don't know whether removing the restore points or uninstalling MSE would have made any difference.

What do you guys recommend?
a---hijackthis-log.txt
b---combofix.txt
c---mbam-quick-scan.txt
d---combofix.txt
e---mbam-full-scan.txt
Question by:dgrrr
LVL 4

Expert Comment

by:racastillojr
ID: 34958006
Try using another free antivirus like AVG or Avast. Slave the hard drive to a different computer with autoplay disabled and scan it that way. When the hard drive shows up in the My Computer section, right-click it and select "Scan with whatever AV you have".

0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 20 total points
ID: 34958454
I use a Linux live disk and remove the last few temporary internet directories/files and the last few System Restore points. Linux doesn't care about Windows file and directory permissions, so it will willingly do that. Yes, it can be a little dangerous. Read twice or three times, delete once.
0
 

Author Comment

by:dgrrr
ID: 34958769
DaveBaldwin: Really? That's cool - would Knoppix do the same thing? (Just boot with Knoppix, then browse to the affected system drive X, then delete what's inside of
X:\System Volume Information
?)
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 45 total points
ID: 34958969
Mbam is normally enough to get rid of this.

"...I googled this infection title "ISE" and found nothing..."  
There is plenty for "Internet Security Essentials":

http://www.myantispyware.com/2011/02/21/how-to-remove-internet-security-essentials-virus/
http://www.precisesecurity.com/rogue/internet-security-essentials/

As you can see, Mbam will usually get rid of this. Did you fully update Mbam before running it?
The virus will often enable a proxy - have you checked this (IE - Tools - Options - Connections - LAN settings - uncheck "Use a proxy server")?

Your Hijackthis log appears to show the virus loading at startup.  Run it again and fix this entry:

O4 - HKCU\..\Run: [Internet Security Essentials] "C:\ProgramData\ce5711\ISce5_2164.exe" /s /d

Please double check that Mbam is fully updated, then run another scan and post the log.
0
 
LVL 6

Assisted Solution

by:RootsMan
RootsMan earned 45 total points
ID: 34961634
Try the Live BitDefender Rescue CD to boot and clean the system.

See Live AntiVirus and Recovery Discs.
0
 
LVL 1

Assisted Solution

by:hw45
hw45 earned 45 total points
ID: 34961724
Try TDSSKiller from here.
0
 
LVL 22

Accepted Solution

by:
optoma earned 45 total points
ID: 34961779
1> Get the user to run these quick scanners and save the logs:
TDSSKiller and HitmanPro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

2> Remove these afterwards if present (evident in the last CF log):
c:\windows\isRS-000.tmp
c:\programdata\ISCEZNQVTE
c:\programdata\ce5711

3> Re-run HijackThis to see if the proxy is removed:
127.0.0.1:25428

4> Personally, I leave System Restore alone until the machine is "clean", in working order, etc. Then remove all restore points and create one "clean" point.

5> If any scanners complain of an AV being active, etc., and it's a free AV, uninstall it first. If it's a paid AV, get the subscription info first (obviously :)!)
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 34962782
I use Knoppix to clean up things like "Internet Security 2011" or whatever today's rogue AV is. As always, you want to be careful when deleting things. I look at the dates and remove things that occur after the date the infection started.
0
 
LVL 22

Expert Comment

by:optoma
ID: 34963511
Sorry hw45. Didn't refresh the page :( ... Not a blatant repost.
0
 
LVL 1

Expert Comment

by:hw45
ID: 34964110
No problem optoma, that can happen.
0
 

Author Comment

by:dgrrr
ID: 34967463
I see you guys suggesting lots of good programs - and I assume you're recommending these despite the fact that I did run fully updated versions of combofix and also malwarebytes (full and quick scan)?

I ask because I'm trying to avoid wasting time - can you folks tell me if any of the boot discs recommended above (bitdefender, kaspersky, hitmanpro, tdsskiller) are specifically recommended where "updated malwarebytes" has failed?

(I also understand that sometimes you have to try different scanners, because the viruses are always evolving.. right?)
0
 

Author Comment

by:dgrrr
ID: 34967475
I also see that some of you specifically found files and folders to remove, which I will do as well - thank you!
0
 
LVL 1

Expert Comment

by:hw45
ID: 34967717
TDSSKiller is not a boot disk; it is a rootkit removal tool for certain infections (you can read about it on Kaspersky's page) and it takes just a couple of minutes to scan the computer. Combofix and Malwarebytes won't detect this kind of infection (yet?).
0
 
LVL 23

Expert Comment

by:phototropic
ID: 34968067
Hitman Pro is also not a boot disk - it is a cloud-based antimalware scanner which accesses five separate databases when it scans. It will find and remove TDL3/TDL4 rootkit variants and it has the added advantage of an option to run from removable media (i.e. you do not have to actually install it on your PC).
It routinely runs quickly (quicker than Mbam or SAS, but not as quick as TDSSKiller). It is a great all-purpose anti-malware scanner.
0
LVL 6

Expert Comment

by:RootsMan
ID: 34971103
Running a cleaner within the compromised OS may not find everything. A rootkit can hide itself very well. Using a live boot disc bypasses the compromised OS and any rootkit/malware, so the scan is not affected by any hidden malware on your hard disc drive.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34983576
Booting to CD and attempting a scan will only do a 'file search' and cannot address the processes that malware runs.
The same is true of 'slaving' the HDD off another computer.

Those kinds of fixes worked in years past, but will miss most current malware. The 'random naming standard' of much malware will defeat your attempts.
****************

I am finding the same thing that others have mentioned (Malwarebytes will work).

First, download, install, and run
CCleaner (www.ccleaner.com)

Then download Malwarebytes (MBAM) again  (http://www.malwarebytes.org/mbam.php)

NOTE: When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.

When finished with MBAM (Full Scan - not Quick Scan), post the new log that is generated and let us look at it for you.

IF NEEDED, we may ask you do download ComboFix again (using the same "Save As" process).

0
 
LVL 38

Expert Comment

by:younghv
ID: 34983643
It does occur to me that this would be (kind of) funny if your customer simply installed the legitimate program and that is what you're seeing.

I realize that you're an IT technician, but did you check in the actual Program listing to see if it is registered?

Also - good discussion here on not turning off System Restore until after the system has been repaired.
Any restore point (even if infected) is better than none at all.

Viruses in System Volume Information (System Restore)
http://www.experts-exchange.com/A_1934.html
0
 
LVL 1

Expert Comment

by:ForLoop5
ID: 34985077
I used an updated MBAM quick scan on a computer with the same problem. It did not detect the virus that time. So I installed our latest McAfee client 8.7 and it cleaned it up. Had I run the MBAM full scan it might have removed it. I always create a new admin user profile and run the scans from that profile.
0
 

Author Comment

by:dgrrr
ID: 34985883
OK, sorry to confuse the boot disc programs with the ones that run from within the affected OS.

Ironically, in the most recent posts above, if I understand correctly, some of you are saying that virus cleaner / AV / antimalware "boot discs" are better because they don't depend on the affected OS to operate, whereas others here are saying that running the virus cleaner / AV / antimalware program from within the affected OS allows the program to better identify the infection... I'm betting it's a good idea to do both?
0
 

Author Comment

by:dgrrr
ID: 34985886
BTW the customer is currently away but will have me return in a few days.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34986723
@dgrrr,
You will find that opinions will sometimes fly like fur in a cat fight about "best process/procedure" around here.

I find that almost all malware variants have a known (and published) procedure for effecting the repair. My procedure is to find and follow that procedure.

The over-arching rule is that "less is better" and I get a little nervous when a wide variety of applications get recommended. There have definitely been times when I have slaved a hard drive (or used an IDE/SATA adapter), used a boot CD, etc. - but that MAY BE a waste of time.

You're going to have to eventually boot the system in Normal Mode to run, so why not just fix it in Normal Mode - if you can?

I have noticed a really disturbing trend in the "Virus & Spyware" Zones over the past couple of years where people will drive by all of the open questions and post the same "Try www.xyz.com" comment in every question they see - and then move on.

Some of them have managed to grab a significant number of "Expert Points" by doing this, but their knowledge appears to be about a mile wide and an inch deep.

I will unsubscribe from this question and move on myself, but I know from years of personal observation that "phototropic" knows what he is talking about and you would do well to follow his recommendations.

Good luck with resolving this.

/unsubscribe
0
 
LVL 23

Expert Comment

by:phototropic
ID: 34986850
As stated above, Mbam should deal with this.

There are numerous generic removal procedures online.

The consensus seems to be:

1) Download and run rKill (or boot to Safe Mode with Networking):
http://www.bleepingcomputer.com/forums/topic308364.html

2) Reset Internet Explorer proxy settings (Tools  - Options - Connections - LAN settings - Untick “Use a proxy server");

3) Download Mbam from here:
http://www.malwarebytes.org/mbam.php
Use younghv's procedure at 34983576 to rename the file;
Fully update Mbam;

4) Reboot to normal mode if you were in safe mode before and run a full scan; Remove selected and save a log;

5) Reset hosts file (using Hostsxpert or MVPS Hosts):
http://www.funkytoad.com/index.php?option=com_content&id=13
http://www.mvps.org/winhelp2002/hosts.htm

Please follow these steps and post a log.

0
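A read-only triage script, added here as an example and not code from any poster or tool in this thread, covering the checks in optoma's steps 2 and 3 and phototropic's steps 2 and 5 above: Run-key autostarts pointing into user-writable folders (as in the HJT O4 entry), a loopback WinINET proxy, and non-default hosts entries. It assumes it is run in PowerShell as the affected user on Windows 7 or later; it only reports, leaving removal to the scanners the thread recommends.

```powershell
# Added example (not from the thread): report the three tampering spots discussed above.
# Assumption: run as the affected user; nothing is modified or deleted.

$findings = @()

# 1. Run-key autostarts. The HJT log in the question showed:
#    O4 - HKCU\..\Run: [Internet Security Essentials] "C:\ProgramData\ce5711\ISce5_2164.exe" /s /d
#    A legitimate product rarely autostarts from a random ProgramData or Temp folder.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSChildName metadata
            $val = [string]$p.Value
            if ($val -match '(?i)\\ProgramData\\|\\AppData\\Local\\Temp\\') {
                $findings += "Run key [$hive] '$($p.Name)' starts from a user-writable folder: $val"
            }
        }
    }
}

# 2. WinINET proxy. optoma's post notes the rogue leaves 127.0.0.1:25428 as the proxy,
#    so every IE request passes through the malware until the setting is cleared.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    $findings += "Proxy enabled: $($inet.ProxyServer)"
    if ($inet.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += 'Proxy points at loopback; typical of rogue AV intercepting traffic'
    }
}

# 3. Hosts file: list every IPv4 entry other than the stock "127.0.0.1 localhost".
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { $findings += "Hosts entry: $_" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Compare the output with the HijackThis O4 and proxy lines before and after the MBAM run to confirm the autostart and proxy are actually gone after a reboot.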
 
LVL 6

Expert Comment

by:RootsMan
ID: 34987490
I'd recommend you do both the Live disc scan and the in-OS cleaners.

Remember though, that once a system has been compromised, you can never be certain that it is 100% clean. There may still be a zero-day rootkit that the AV/malware cleaning companies don't know about yet.

If that was my compromised system, I'd backup the data, reformat the hard drive, and do a clean install of the OS from disc.  Then after doing a clean install, and installing all the current OS updates, create an image of the hard drive, just-in-case.
0
 
LVL 1

Expert Comment

by:hw45
ID: 34991743
I recommended TDSSKiller because I cleaned up a couple of computers lately with "Alureon" infections and Mbam didn't find them, even though it found a lot of other stuff like Trojans and adware. In the last ten years of cleaning up computers I could keep the system in about 97% of cases; the rest I had to reinstall because of corrupted system files or failing HDDs.
0
 
LVL 2

Expert Comment

by:Robert Snow
ID: 34994121
If you have an extra blank CD-R, CD-RW, flash drive, etc., you can go here http://www.freedrweb.com/livecd/how_it_works/ and it will show you how to boot from the CD/flash drive and allow you to scan the entire computer without booting Windows, allowing you to access files that would be protected/invisible if you let Windows load. AVG also has one that is similar.

I posted the help page instead of the download page because it will teach you how to create/use it, and it also has a download link.

If you do not have an extra flash drive or CD, you can still download this http://www.freedrweb.com/cureit/ and run it from within Windows.
0
 

Author Comment

by:dgrrr
ID: 35044777
(FYI, I'm waiting for the computer owner to have me come over again. She had to leave the area for some funerals.)
0
 

Author Comment

by:dgrrr
ID: 35141375
I will not be able to return to the affected computer, so I'm assigning points based on what seem to be the earliest, most responsive and probably most effective posts. (I added points as well.)

Hope it's fair.
0
 
LVL 2

Expert Comment

by:Robert Snow
ID: 35142027
Sorry you weren't able to help her... guess it just happens sometimes
0