How do I stop XP Antivirus Pro / Security Tool / Win 7 Antivirus from coming back?

Hello all,
  I'm a PC repair technician and we are getting bombarded w/ PC's that have the notorious XP Antivirus Pro or some form thereof.  We have been using Combofix, the free Malwarebytes, & Superantispyware to get rid of this infection with no problems.  
  However we are getting alot of repeat offenders.  Even though we show them how to do updates and weekly scans w/ Malwarebytes & Superantispyware their PC's are still getting reinfected.  My question is would the customer purchasing the full version of Malwarebytes stop this from re-occuring?
  I've searched through all the threads and need to find a permanent fix.  Even though we don't mind the repeat business.
Thanks in advance
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Honestly, if the solution is resolved, only Human action/error would cause it to come back on, correct?

So what are these users doing that are getting them this virus constantly?

If they are coming back the next day with the same issue, then maybe the issue isnt resolved, but if its every month, few months, then I dont think there is anything you can do , short of telling them to never get on the internet.
wcoilAuthor Commented:
lol  that sounds good to me, but i doubt my employers would allow me to tell our internet customers to no longer get on the internet.  I know for a fact that the PC's are free and clear of infections before they go out of our doors.  I just had one come back in today that was picked up on April 6th and was free and clear and when the customer brought it back in the infamous .exe files were no longer associated which i know is a by-product of this infection.
  Also on the same PC i used a history viewer program and found that the first time I pulled up the customers address from his history that i brought up a popup after loading the initial site (without me clicking on anything).  Once i closed both pages then the infection was instantly back.  Interesting that a prominent site like could have an infection like this.
MN, I pretty much use the same tools you are using; but once I get control of the machine and it has been rebooted, I run a full Antispyware scan with the CA Antispyware software removing all child viruses/spyware that are left, and are possibly dormant. Once that is done, I delete all the Temp files, and everything inside the Prefetch folder, and finally I remove any unknown entries in the Startup tab in the MSConfig configuration. Hope this helps.
Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!

If you are indeed making sure the virus is gone, by using multiple antivirus/spam/malware solutions and are able to browse the net while not getting anymore errors than Id say its something the user is doing or somewhere he is visiting.

Or he has an infected USB drive that he/she continually plugs into the machine. Thats also a possibility.
Thomas Zucker-ScharffSolution GuideCommented:
I wrote up a policy template that may help.  It basically says to use a good malware solution, install an alternate hosts file, disable autorun, and use a link scanner in your browser (WOT or linkextend).  You can see the article here:

I find along with extensive user education this works very well.
The re-infections are most likely comming back from the system restore. After you clean a system (hopefully you're doing this in safe mode), before you reboot the system, turn off the system restore. Reboot, and then turn system restore (if you so desire) back on again. I would also have to agree with ry berk's first post. It's entirely possible that some of your client's are getting themselves re-infected by not browsing safely.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Agreed on user education, but not all do listen!

>Paid Mbam does help

>Put a hosts manager on machines with their permission
Thomas Zucker-ScharffSolution GuideCommented:
In terms of System Restore, it is my understanding that SR files are benign unless used.  So if you don't use last known good or restore to previous date, you should be okay.  Turning off SR should be your last step in cleaning a system.  Be sure you can reboot into normal mode first, because an infected Restore point is better than none at all.

See this article on Disabling and reenabling System Restore:

Pay particular attention to the linked article in the first paragraph that describes more about SR.
wcoilAuthor Commented:
Thanks everyone for all the suggestions.  Will try the safe mode and the hosts list prog's and also give Mbam Pro a whirl!
Thanks Again
You're welcome :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.