I had an employee's computer get hit with the CryptoLocker malware. Fortunately, we have good backups of everything, so no data was lost. I restored her entire desktop using an image backup made before the infection. That should have cleared the local copy of her profile, her registry settings, her data, and all. I also restored, from backup, her roaming profile folder on our file server, as well as her home folder on the server. We also redirect the AppData folder to the server, so I restored that as well.
Lo and behold, the next time she logged in, CryptoLocker re-appeared and started encrypting things again. I've done a complete scan of her computer and our file server using MalwareBytes, and can't find anything outside of the locations I mentioned.
What am I missing? How could CryptoLocker still be tied to her login in some way, and how can I manage to get rid of it once and for all?