I am having trouble with one employee's computer infected by either a legitimate virus or scare-ware. It is a computer running Windows XP SP3. I have TrendMicro Worry-Free Business anti-virus installed on it. Updates for TrendMicro are pushed out as they arrive from TrendMicro. Windows Updates are done on a weekly basis.
On Monday morning, the employee was unable to log into his computer. After getting through the XP start-up screen, a message box popped up saying there was an invalid object reference. I tracked down the issue and found that he somehow had the Sasser virus. I was unable to boot into Windows even in Safe Mode. I removed the hard drive from the desktop and plugged it into a spare desktop. I ran a scan on the hard drive and it found nothing. I then ran Malwarebytes' Anti-Malware and it didn't find anything. I tried to follow some instructions on removing the Sasser worm and did not succeed, since we were hindered by the fact that we could not log in. I am confused about how the Sasser virus even got on the computer in the first place, since we have current anti-virus software and the computer is always up-to-date on Windows Updates. And it is not like this is a new virus; it has been well documented and patched by Microsoft since like 2004. I finally decided it was just easier to pull the documents off the hard drive and wipe the computer. We use Exchange, so email wouldn't be lost with erasing the computer.
I reformatted the hard drive and installed Windows XP. I ran all updates, reinstalled TrendMicro. Everything was working fine until today. The same employee called me and said that some program said that he had viruses on his computer. I was not at the office, so I was unable to look at it myself, but he said that it was a software called "Best M Security". (I have searched the internet and couldn't find anything on it.) I told him that it sounded like scare-ware and to not click or install anything. He said that he just closed out of it.
I scanned the computer again and Trend didn't find anything. I am running the Malwarebytes software again and will post the results when it is finished.
My question is this: The only things transferred to the new computer were his documents and his emails. I scanned his documents before transferring them using Trend and Windows Security Essentials, and neither caught anything. We have TrendMicro installed on the Exchange server, but could some macro-based virus be lodged in his email? If so, how do I find it and remove it? If not, what should my next course of action be? Thank you for your help; I am lost and confused.