I am helping a friend with her computer. Apparently her Facebook has "done stuff" that she didn't do on it, which probably seems to lead to an infection problem.
When I asked her to run an anti-malware scan, the scan "found some worms (about 5000!)", using http://housecall.trendmicro.com. Also, she used her copy of Spyware Terminator, which found and cleaned "a Trojan Horse, the kind that hackers use to control your computer and the passwords (according to the Terminator)."
Some repeated scans I asked her to do sometimes resulted in the trojan still being there, which she said she deleted manually. However, I have my doubts whether the trojan is really completely gone, because later on she said that trojans have re-appeared:
Actually I had to reboot anyway, yesterday I found about 30 Trojans, and it was really bad. I found another one after the reinstall, deleted it, now, it looks like the whole comp is clean. I don't understand the quantity of the Trojans,
in the last few days I found 5 more trojans, I think they must replicate or something...my Facebook page seems to be ok, however sometimes some old news still slip in.
She also tried this:
yesterday I found about 30 Trojans, and it was really bad. I found another one after the reinstall, deleted it, now, it looks like the whole comp is clean. I don't understand the quantity of the Trojans,
According to her she even tried a clean install of Windows:
Yes, I did a clean install, everything was erased, but I copied some of my stuff from disc C onto the disc D, some movies and stuff like that. After reinstall I found another trojan, but I erased it and since then the comp is clean (according to my antivirus).
But I found more strange things, for example I was chatting with my friend over MSN (netstat was running at the time) and I could see his IP address despite the fact that no files were transferred (actually I'm not able to send him anything, file transferring is blocked on my MSN for I don't know what reasons, we've tried it a few times a long time ago), we were really just chatting, and his IP address was using a quite weird port number: 35631.
It seems like after trojans are found & deleted, more reappear on a later scan.
Lastly, she mentioned she found
port 139, netbios ssn... [she] found [it] among the active ports and according to Google it doesn't mean anything good.
So...any suggestions on how to clean this up?
Thanks in advance!