I have a user who was having an intermittent problem getting online with her browser, though her computer would still be connected and I was able to log on to her using VNC (through Hamachi). She is a Firefox user, who has BOClean and Avira on her system and up to date. She (or I) periodically runs SuperAntiSpyware and Spybot.
When she tried to browse she was getting a plain white screen in Firefox. IE would do the equivalent, saying that the server was unavailable no matter where she tried to go. If she rebooted her system, everything would work correctly until the same problem would return.
When I remoted into her system I found that an old version of Netscape had been installed along with WinRAR and a version of WSFTP. A version of "mailbomber" had also been installed.
There was also a bogus subfolder in her IE folder called "explorer" with subs that had numbers for names and an "explorer.exe" file that had a heart for an icon. The description of the exe read ICE211 Microsoft???? or something very similar. I didn't find this the first time I was troubleshooting her system.
On my first pass through her system I had found and deleted all the above-mentioned folders, files and logs, but I had missed the errant explorer.exe and its parent folder, stuck in the IE hierarchy. She continued to have intermittent browsing problems that were temporarily cured by rebooting. None of the other folders or files came back. Then I found and removed the fake explorer directories and I am hoping the browsing problem is 'solved'.
This user is quite distant from me and it will be some time before I can access the machine directly. She does not have her install disks, nor the money to pay for a rebuild. I understand that after this kind of event she needs a wipe and rebuild, but that isn't too likely to happen, at least any time soon. I don't mind working on her system remotely at no cost. She does not shop, bank, or trade stocks on her computer, so the practical danger of a RAT on her system is limited to a privacy risk to her email. She doesn't seem terribly concerned about that.
I'm wondering if anyone recognizes the details I have described and/or has any further suggestions on how I might be able to manage her problem from here. If her system doesn't continue to have a browsing problem I will probably just let it go for now. If her browsing problem continues I will continue to look for solutions.
Edit: I forgot to include that I ran MalwareBytes and Cureit on the system and they found nothing.
Edited by cyberhelp, 13 February 2009 - 07:07 PM.