First step is correctly to specify the system's properties.
Yours is not a technical issue but one of user negligence. You have
to build the solution around this fact.
Curative measures that have worked elsewhere are:
1-Scan every client when it accesses
2-Disconnect compromised clients or route only to a warning page
allowing access only to your tech support
3-First cleanup and advice to owner of compromised machine on how to be
a good internet member is free; second costs $100; third results in
permanent discontinuance of service and refusal to accept back as
a client.
These measures will fix your problem.
Jeffrey Race