One of our users is having a recurring problem with a virus. It has happened to this user on two different machines, in each instance infecting the same program with the same virus.
Malwarebytes detects the malware, and yesterday I cleaned the system. Note that MSE doesn't find anything. Malwarebytes' real-time scanner is running too, but I checked again today and the system is re-infected.
It's a Win 7 Pro SP1 system, it has the latest updates, it's running Windows firewall (as well as being behind a corporate firewall), MSE and MBAM on the system, and still it gets re-infected!
I've scanned the user's network drives in case they're picking it up from there, but so far nothing's been found.
How can I get to the bottom of this recurring virus problem and stop the system from getting infected once and for all?
Trojan.Agent.Gen is a generic signature. It means that Malwarebytes' heuristics found something, but the application is not sure what it is, so it removes only the application; any backup or masked copies can still be left on the system. There's even a small chance that this is not a virus at all. If it is a virus, we need to establish a signature first.
Please kindly do the following:
P.S. Microsoft Essentials and Malwarebytes are not a substitute for good endpoint security products. They can't handle a lot of viruses because they lack the sophisticated security components needed to catch them. If you don't want to run into such problems again, consider buying industry-standard endpoint software from either McAfee, Kaspersky or ESET, especially if you work in an enterprise environment.
The usual suspects:
The logged-on user has inappropriate elevated permissions or rights.
There is a vulnerable and outdated Adobe Flash browser helper installed.
There is a vulnerable and outdated PDF reader installed.
There is a vulnerable and outdated Java runtime installed.
Use of an infected removable media (USB drive).
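A quick triage script for the usual suspects listed above, added here as an example and not part of the original answer. It assumes Windows PowerShell 2.0 as shipped with Windows 7 SP1, an elevated prompt on the affected machine, and that the account name at the top is a placeholder you replace with the affected user's name as `net localgroup` prints it (for example `DOMAIN\jsmith`).

```powershell
# Added triage example (not from the original answer). Assumes Windows PowerShell 2.0
# on Windows 7 SP1, run from an elevated prompt on the affected machine.
$userName = "AFFECTED_USER"   # placeholder: the account that keeps getting re-infected

# 1. Elevated rights: is the user a direct member of the local Administrators group?
#    'net localgroup' prints a header block, the member names, then a footer line.
#    Membership through a nested domain group will not show here; in the user's own
#    session, 'whoami /groups' listing S-1-5-32-544 (BUILTIN\Administrators) settles it.
$members = net localgroup Administrators |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
    ForEach-Object { $_.Trim() }
"Local Administrators: " + ($members -join ", ")
if ($members -contains $userName) {
    "WARNING: $userName is a local administrator, so anything the user runs has full rights"
}

# 2. Outdated plugins: list installed Flash, PDF readers and Java with their versions
#    so they can be compared against the vendors' current releases.
$uninstallPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"   # absent on 32-bit
)
Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Flash|Adobe Reader|Acrobat|Foxit|Java' } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Sort-Object DisplayName | Format-Table -AutoSize

# 3. Removable media: report every USB drive (DriveType 2) that carries an autorun.inf
#    or loose executables in its root, which is how removable-media infections spread.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 2" | ForEach-Object {
    $root = $_.DeviceID + "\"
    $exes = @(Get-ChildItem -Path ($root + "*") -Include *.exe, *.scr, *.vbs -Force -ErrorAction SilentlyContinue)
    "{0} autorun.inf present: {1}; executables in root: {2}" -f $_.DeviceID, (Test-Path (Join-Path $root "autorun.inf")), $exes.Count
}
```

Run each section and compare the plugin versions it prints with the vendors' current release numbers; an old Flash, Reader or Java build on a machine whose user is also a local administrator is the combination that makes drive-by re-infection routine.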
Note that for many APTs (advanced persistent threats), it is trivial to build a one-off, custom, unique hostile application that can be downloaded by a victim. These may not be flagged by a scan due to encryption of the binary. In some cases, it is necessary to profile the network activity to detect an incursion. This is one of the ways that products such as FireEye and Trend Deep Security differ from a traditional client-based antivirus application.
In addition to Greg Askew's answer, here are some thoughts.
If the user has this infection following him, it has to be something that is particular to this user's habits or account.
Normally it could be roaming profiles, which you said aren't in use.
Getting re-infected would imply a dropper of some kind or a rootkit-hidden program that is re-downloading software after a cloak. Is the user running with elevated privileges? In that case the only way to get rid of the re-infection is to reformat the computer and completely start over, even blowing away the boot sector. If something is cloaked in the background and re-downloading software that is detected, this would wipe it completely.
Otherwise you would have to resort to checking the user's browsing habits. Do you have a proxy system that monitors web browsing activity? Can its logs tell you what sites your user is visiting around the time of the infection? (If the software is being downloaded via HTTP, your proxy may also be configured to block the download site, depending on what it is... that can help prevent some re-infection vectors.)
Another thought: it's a false positive. Take the executable and upload it to an online virus scanner that tests executables against multiple AV engines and see if it actually triggers most of them. I've had trouble with false positives in the past. Again, the proxy server, or a packet sniffer, can help determine if the computer is actually doing something it shouldn't be. Just having an AV trigger an alarm doesn't mean the computer is actually doing anything it shouldn't.
You said the infection is causing the computer to lock up; to me, that's kind of strange, since the goal of most malware today isn't to go out of its way to be detected by making the computer act outright strangely and call attention to itself. Could it be something is corrupting the executable? Could it be coincidence that the machine is locking up?
The reinfection and the inability to find a remote install (like the shares or home directory holding the infector) would mean monitoring the user's habits, nuking the install on the workstation and reinstalling from scratch to eliminate hidden kits, using privilege limits so the user can only "infect" his own directories to which he has access, and verifying that the infected executable is really infected by scanning it with a third-party website.
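Two of the checks above, the proxy-log review around the detection time and the false-positive check on the flagged executable, as an added example that is not part of the original answer. It assumes Windows PowerShell 2.0, a proxy log with one request per line in the constructed format `date time client-ip status url` (adjust the regex to your proxy's real format), the detection time taken from the Malwarebytes log, and placeholder paths for the flagged binary and a clean copy from the vendor's installation media. The sample log lines are constructed.

```powershell
# Added example (not from the original answer). Assumes Windows PowerShell 2.0 on
# Windows 7 SP1; log format, addresses, times and paths below are constructed placeholders.

# Constructed sample lines standing in for a real proxy log.
$sampleLog = @(
    "2012-05-14 09:58:12 10.1.2.33 200 http://intranet.example/portal/home",
    "2012-05-14 10:02:41 10.1.2.33 200 http://cdn.example/ads/banner.swf",
    "2012-05-14 10:02:44 10.1.2.33 200 http://dl.example/update/setup.exe",
    "2012-05-14 10:03:05 10.1.2.33 200 http://intranet.example/portal/news",
    "2012-05-14 11:30:00 10.1.2.33 200 http://intranet.example/portal/home"
)
$clientIp   = "10.1.2.33"                      # the affected workstation
$detectedAt = [datetime]"2012-05-14 10:05:00"  # time MBAM logged the detection
$lookBack   = New-TimeSpan -Minutes 15         # how far before the detection to look

function Get-RequestsBeforeDetection {
    param([string[]]$Lines, [string]$Ip, [datetime]$At, [timespan]$Back)
    # File types that typically carry exploit content or a dropper.
    $risky = '\.(exe|dll|scr|jar|class|swf|pdf|zip)(\?|$)'
    foreach ($line in $Lines) {
        if ($line -match '^(\S+ \S+) (\S+) (\d{3}) (\S+)$') {
            $when = [datetime]::ParseExact($matches[1], "yyyy-MM-dd HH:mm:ss", $null)
            if ($matches[2] -eq $Ip -and $when -ge ($At - $Back) -and $when -le $At) {
                New-Object PSObject -Property @{
                    Time  = $when
                    Url   = $matches[4]
                    Risky = [bool]($matches[4] -match $risky)
                }
            }
        }
    }
}

"== Requests from $clientIp in the $($lookBack.TotalMinutes) minutes before detection =="
Get-RequestsBeforeDetection $sampleLog $clientIp $detectedAt $lookBack |
    Sort-Object Time | Format-Table Time, Risky, Url -AutoSize
# With the constructed lines, banner.swf and setup.exe are flagged Risky; the two
# intranet hits are in the window but not risky, and the 11:30 hit is outside it.

# False-positive check: hash the flagged binary and a clean copy from the vendor's
# installer. Same hash means the scanner is flagging the vendor's own file; a
# different hash means the file on disk has been altered since installation.
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString("x2") }) -join "" }
    finally { $stream.Close() }
}
$flagged = "C:\PLACEHOLDER\flagged.exe"      # placeholder: the file MBAM keeps detecting
$clean   = "D:\PLACEHOLDER\program.exe"      # placeholder: same file from the install media
if ((Test-Path $flagged) -and (Test-Path $clean)) {
    if ((Get-Sha256Hex $flagged) -eq (Get-Sha256Hex $clean)) {
        "Flagged file is byte-identical to the clean copy: likely a false positive"
    } else {
        "Flagged file differs from the clean copy: it has been modified on disk"
    }
}
```

The SHA-256 of the flagged file is also what you submit to a multi-engine scanner, so you can check the verdict without uploading the binary itself; if the hash matches the clean copy and most engines are silent, the answer's false-positive theory is the one to pursue.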
My recommendation is to find any backup copies of the malicious software by running HijackThis with admin privileges and using the log analysis tool to find any suspicious entries in the Windows registry. In addition, a scan with AdwCleaner and an anti-rootkit tool would be great.
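The registry review this answer describes, and the re-downloading dropper the previous answer suspects, both come down to the same question: what starts automatically on this machine? As an added example that is not part of the original answer, the script below lists the common autostart locations with built-in tools only. It assumes Windows PowerShell 2.0 on Windows 7 SP1 and an elevated prompt; because HKCU is the hive of whoever runs the script, run it in the affected user's own session to see that user's Run keys.

```powershell
# Added example (not from the original answer). Assumes Windows PowerShell 2.0 on
# Windows 7 SP1, run elevated in the affected user's session so HKCU is that user's hive.

function Get-RunKeyEntries {
    $runKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",   # absent on 32-bit
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds to every object.
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            New-Object PSObject -Property @{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-StartupFolderItems {
    # Per-user and all-users Startup folders; anything here runs at every logon.
    foreach ($folder in @("Startup", "CommonStartup")) {
        $path = [Environment]::GetFolderPath($folder)
        if ($path -and (Test-Path $path)) {
            Get-ChildItem -Path $path -Force | Select-Object FullName, LastWriteTime
        }
    }
}

function Get-NonSystemScheduledTasks {
    # schtasks' verbose CSV output repeats its header row between task folders,
    # so rows whose TaskName is literally "TaskName" are dropped. Tasks whose
    # command lives outside the Windows directory are the ones worth reading.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object {
            $_.TaskName -ne "TaskName" -and
            $_."Task To Run" -ne "COM handler" -and
            $_."Task To Run" -notmatch '^(%SystemRoot%|%windir%|C:\\Windows\\)'
        } |
        Select-Object TaskName, "Task To Run", "Run As User", "Next Run Time"
}

"== Run / RunOnce keys =="
Get-RunKeyEntries | Format-Table Location, Name, Command -AutoSize -Wrap
"== Startup folders =="
Get-StartupFolderItems | Format-Table -AutoSize
"== Scheduled tasks whose command is outside the Windows directory =="
Get-NonSystemScheduledTasks | Format-Table -AutoSize -Wrap
```

Read the Command and "Task To Run" columns for paths under the user's profile, %TEMP% or %APPDATA%, and for names that imitate system binaries; take the file at any such path and hash it against the scanner's detection before deleting the entry, since a bare registry cleanup leaves the file (and any copy of it) in place, which is exactly the re-infection cycle the question describes.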