
  • #16
    Quoth Jack:
    A lot of rogueware is bundled with rootkits, so even if they obeyed you and stuck to work-related sites on that computer, the rogueware may have recurred by itself if you only removed what you saw on the surface. Did you use MBAM to quick scan and remove, then check for rootkits with gmer and Process Explorer?
    I use MBAM in full-scan mode. That has fixed the vast majority of my problems so far. I may run something else from my collection of malware-scrubbers if that doesn't work. I'm not familiar with gmer or Process Explorer, but I'll look into them. I'm always up for useful tools.

    UPDATE to OP: It turns out the virus the user had was a nasty one. It seems to have eaten the file association table somehow. I could still open things by going through some more complicated methods, but simple clicking was fouled up. Even self-installing .EXEs couldn't open themselves, so I suspect registry tomfoolery. I've taken her computer to rebuild, as that will be faster and better in the long run considering the damage I've found so far. I'm also going to set her up on the proxy server with fairly severe lockdown settings.
    The Rich keep getting richer because they keep doing what it was that made them rich. Ditto the Poor.
    "Hy kan tell dey is schmot qvestions, dey is makink my head hurt."
    Hoc spatio locantur.



    • #17
      Rogueware lately has been screwing with the .exe file association. Just merge the .reg files for affected file types from here: http://www.dougknox.com/xp/file_assoc.htm

      Though if you're already going to nuke and pave that's probably certain. It's just that I get paid to do this stuff without that option. :P

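      A read-only check to go with the .reg fix above, added here as an example rather than taken from the thread or from the dougknox page: it reads the registry values that the .exe association depends on and reports whether they still match the stock Windows defaults, so you can confirm a hijack before merging the .reg file and confirm the repair afterwards. The expected values ("exefile" and "%1" %*) are the standard Windows ones; the assumption that stock Windows has no per-user .exe or exefile keys under HKCU\Software\Classes is what makes their presence worth flagging.

```powershell
# Added example (not from the thread): read-only audit of the .exe file-association
# registry values that rogueware commonly hijacks. Changes nothing; run it before and
# after merging the repair .reg file to confirm the hijack and the fix.

function Test-ExeAssociation {
    # Known-good stock Windows values for the machine-wide association.
    $expected = @{
        'HKLM:\SOFTWARE\Classes\.exe'                       = 'exefile'
        'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' = '"%1" %*'
    }

    $results = @()
    foreach ($path in $expected.Keys) {
        $actual = $null
        if (Test-Path -Path $path) {
            # GetValue('') reads the key's (Default) value.
            $actual = (Get-Item -Path $path).GetValue('')
        }
        $status = if ($null -eq $actual)               { 'MISSING' }
                  elseif ($actual -eq $expected[$path]) { 'OK' }
                  else                                  { 'HIJACKED?' }
        $results += New-Object -TypeName PSObject -Property @{
            Path = $path; Expected = $expected[$path]; Actual = $actual; Status = $status
        }
    }

    # HKCR is a merged view in which HKCU\Software\Classes overrides HKLM\Software\Classes.
    # Assumption: a clean install has no .exe or exefile keys under HKCU, so any that exist
    # are a per-user override and deserve a look (they survive an HKLM-only repair).
    foreach ($path in @('HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile')) {
        if (Test-Path -Path $path) {
            $results += New-Object -TypeName PSObject -Property @{
                Path = $path; Expected = '<absent>'
                Actual = (Get-Item -Path $path).GetValue(''); Status = 'UNEXPECTED KEY'
            }
        }
    }
    return $results
}

Test-ExeAssociation | Format-Table -Property Path, Status, Expected, Actual -AutoSize
```

      Anything other than OK on the two HKLM rows, or any HKCU row at all, means the association is not stock; after merging the .reg file, rerun the check and expect two OK rows and nothing else. New-Object is used instead of [pscustomobject] so the script also runs on the PowerShell 2.0 that shipped with the XP-era machines the dougknox files target.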


      • #18
        Quoth Jack:
        Rogueware lately has been screwing with the .exe file association. Just merge the .reg files for affected file types from here: http://www.dougknox.com/xp/file_assoc.htm
        Ah, that will be useful going forward. Thanks!

        I already have the computer reloaded and set up. Off to the site to plug it back up!
        The Rich keep getting richer because they keep doing what it was that made them rich. Ditto the Poor.
        "Hy kan tell dey is schmot qvestions, dey is makink my head hurt."
        Hoc spatio locantur.



        • #19
          Why not just give her a 10-key calculator and say, This is what you can use!

          Cutenoob

          PS Send out a memo sometime in the future reminding users Surfing Internet While Working Is Not Cool. And Lock when you Step Away from Desk.
          In my heart, in my soul, I'm a woman for rock & roll.
          She's as fast as slugs on barbiturates.



          • #20
            Quoth Cutenoob:
            And Lock when you Step Away from Desk.
            Or do what <supervisor> at <cable company> did, send an email from the tech who didn't lock their computer not 15 minutes after being told to start doing so to the area manager with the email subject: "I love you!!!", or a similar embarrassing email. :-P

            To the supervisor's credit, the tech never left his workstation without locking it again. This only worked because the area manager was a prankster himself, recognized the email for what it was, and played along.
            Coworker: Distro of choice?
            Me: Gentoo.
            Coworker: Ahh. A Masochist. I thought so.



            • #21
              Quoth Midorikawa:
              Or do what <supervisor> at <cable company> did, send an email from the tech who didn't lock their computer not 15 minutes after being told to start doing so to the area manager with the email subject: "I love you!!!", or a similar embarrassing email. :-P.
              We do that all the time. My personal favourite was the prank email (complete with the 'sender's' usual spelling errors) asking for empty crisp (chips) packets in their in-tray for a charity collection.

              It took them a good couple of weeks to realise why they had so much rubbish in their tray!
              A PSA, if I may, as well as another.



              • #22
                Oh that's delightfully evil. I'm going to do that to the next tech I wander by in the call center who's left his workstation unlocked. :-D
                Coworker: Distro of choice?
                Me: Gentoo.
                Coworker: Ahh. A Masochist. I thought so.



                • #23
                  Quoth Geek King:
                  UPDATE to OP: It turns out the virus the user had was a nasty one. It seems to have eaten the file association table somehow. I could still open things by going through some more complicated methods, but simple clicking was fouled up. Even self-installing .EXEs couldn't open themselves, so I suspect registry tomfoolery. I've taken her computer to rebuild, as that will be faster and better in the long run considering the damage I've found so far. I'm also going to set her up on the proxy server with fairly severe lockdown settings.
                  That sounds a lot like the one that hit us a while ago, and STILL rears its ugly head every few days. Our default action is to nuke and reload. Most of our computers have images that make it fairly quick though. When it comes to specialized stuff, they have to sit powered on overnight so SCCM can do the installs.

                  Quoth Midorikawa:
                  Or do what <supervisor> at <cable company> did, send an email from the tech who didn't lock their computer not 15 minutes after being told to start doing so to the area manager with the email subject: "I love you!!!", or a similar embarrassing email. :-P
                  Heh. This would happen every so often back when I worked at a mutual fund company. An IT tech would leave his desk unlocked (which was against policy due to rights issues) and someone would put out an email offering to buy pizza for the entire department.


                  Eric the Grey
                  In memory of Dena - Don't Drink and Drive



                  • #24
                    Quoth Midorikawa:
                    Or do what <supervisor> at <cable company> did, send an email from the tech who didn't lock their computer not 15 minutes after being told to start doing so to the area manager with the email subject: "I love you!!!", or a similar embarrassing email. :-P
                    One of my cow-orkers spends a lot of time on Facebook. My boss wandered past while said CW was out making a delivery run, noticed that he'd left it logged in, and posted a status message that said something like "I FEEL BLOATED LIKE I'M GETTING MY PERIOD".

                    Note that CW is male.

                    He doesn't do that anymore.

                    As for drive-by virusing (is that even a word?) I have one site I like to read which is chronic for that. (erstories.net, highly recommended if you like emergency room humor, but only if you have good AV protection.) They've been trying to track down which adserver is feeding these things for months now. Just today they served me a PDF that would have done God knows what, had not the AV (Symantec Corporate) snagged it. Several months ago we got Vundo from them, which was lots of fun removing. A good protection against rogue PDF files, besides the obvious of keeping Acrobat updated, is having your browser set to ask you what to do with a PDF each time one is loaded. If it's something you want to see, you tell it to go ahead and display it; if you weren't expecting a PDF, then you take extra precautions with it, like saving it with a different extension (how about .troj ?) so it won't do anything harmful in case someone clicks on it.

                    (edit: better yet, not saving the damn thing at all...)
                    Last edited by Shalom; 04-11-2010, 08:40 PM.



                    • #25
                      Good advice. I don't let my system do anything without my ok first.

                      ^-.-^
                      Faith is about what you do. It's about aspiring to be better and nobler and kinder than you are. It's about making sacrifices for the good of others. - Dresden
