Windows Image restored, virus still there

My friend's computer started getting multiple pop-ups like "Your video player is out of date...." so I restored it using the Windows Image I had created shortly after he bought it. But it almost immediately started getting the popups again.

Is it possible that the infection persisted through the image restore? Does a Windows image restoration recover the master boot record too, or could a virus/rootkit have remained in there?

His hard drive is partitioned into C: (system) and E: (data files). The image was only for the C: drive and most likely the system reserved partition.

I did scan the E: drive with Norton, found nothing there.

Thanks

It is possible that the problem was there when you made the image backup otherwise the infection would not have persisted through the image restore.

Download and run Malwarebytes Free on the whole computer. I would remove Norton entirely using their removal tool as it presents there own problems. Just use Windows Defender.

Since rootkits write a cloaked partition, it is possible for a rootkit to survive a restore.

Run TDSSKiller & see if it finds anything. Before running the program, click on the "Change Parameters" text & check the box next to "Detect TDLFS File system." Then run a scan.

Malwarebytes also makes a rootkit scanner.

Malwarebytes | Anti-Rootkit BETA - Free Rootkit Scanner & Remover

It sounds like you may have some stubborn adware, so after the rootkit scan, run AdwCleaner.

I ran ADWCleaner, it came up clean.

The new version of MBAM has the rootkit scanning option built in, and I ran the Custom Scan using that. It found nothing.

I also ran Hitman Pro, came up clean.

I'll give TDSSKiller a run today. Thanks

Good advice here! Good luck!

TDSSKiller found nothing.

I did change his DNS settings in adapter properties to use Google for DNS. He has not had any issues in the day or so since I've done that. I am wondering if his router has been compromised, and is doing DNS misdirects. I'm going to give it another day or two before I reset his router.

Resetting the router certainly wouldn't hurt. Get a fresh start.

Might be a case of DNS Cache poisoning.

How DNS cache poisoning works

You can find a DNS flush tool towards the bottom of the page here:

DNS Cache Poisoning Attack - ESET Knowledgebase

Or you can do it from the command line

Flush and reset a client resolver cache using the ipconfig command: Domain Name System(DNS)

My friend's computer has been running without the misdirects and popups for 3 days now, since I started using Google DNS. He seems content to just let it be for now. I am not so sure.

If his computer's DNS cache had been poisoned, wouldn't setting it to use Google DNS have no effect?

Seems like it would have to be his router's DNS cache that is poisoned. Am I correct here?

I asked him if other computers in the house are having problems, he seems unsure about that.

Thanks

It is possible the router got compromised.

Cybercriminals compromise home routers to attack online banking users | PCWorld

I've seen multiple instances of this in 7 forums where people had the same problem your friend did (pop ups that won't go away, misdirections, etc.) & in most instances, flushing the DNS solved the problem. That's the reason I suggested it might be DNS poisoning. If you changed the settings to Google DNS, then it would set up new parameters that void the original DNS settings.

If everything is running fine, then you can either leave it or follow through with your plan & reset the router as well as flush the cache. Also check to see if there are any firmware updates for the router.

Your friend needs to let you know if the other PC's are indeed running fine. Malware (if present) can easily spread from one PC to the other.