I've been drafted to informally investigate an infection of the curwail virus on my office network. We are relatively certain that one of our 20 or so computers has the trojan, as our IP has been delisted and we receive a spamhaus.org notice when using local email delivery. The URL that pops up with the notice is:
http://www.spamhaus.org/query/bl?ip=22.214.171.124
My problem is twofold.
1) I don't know what I should be running to detect which computer is infected (I've sporadically tried AdAware, AVG 8.0 and Spybot S&D) but have not found positive identification of the trojan. Also, what methodology should I be employing to isolate and locate the infected machine? Can I leave my network up while testing each machine, or is it necessary to disable the network and test each computer individually?
2) If/when it is located, what steps should I take to remove it? I've seen the thread for applying ComboFix.exe, but that seems like a nuclear option, especially if I am dubious about its location.
We are currently running Windows XP Pro 5.1 on the majority of machines, there is one Mac running OS X 10.4.10, and our network server is running Linux.
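One way to narrow down which machine is the spam source from the network side, as an added example that is not part of the original post: if the Linux server sits between the office LAN and the internet, log outbound SMTP connection attempts with an iptables LOG rule and count, per internal source address, how many distinct outside mail servers each host tried to reach. A normal workstation only ever talks SMTP to the office mail server; a spam bot fans out to many. The iptables rule, the mail server address `192.168.1.2`, the threshold and the kernel log lines below are all assumptions constructed for illustration, not data from the post.

```python
import re

# Constructed sample kernel log lines, in the format produced by an iptables LOG
# rule such as (assumed gateway configuration, not from the original post):
#   iptables -I FORWARD -p tcp --dport 25 -j LOG --log-prefix "SMTP-OUT: "
SAMPLE_LOG = """\
Jan 12 09:01:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.14 DST=203.0.113.5 PROTO=TCP SPT=1042 DPT=25 SYN
Jan 12 09:01:02 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.14 DST=198.51.100.77 PROTO=TCP SPT=1043 DPT=25 SYN
Jan 12 09:01:03 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.14 DST=203.0.113.9 PROTO=TCP SPT=1044 DPT=25 SYN
Jan 12 09:01:05 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.7 DST=192.168.1.2 PROTO=TCP SPT=3101 DPT=25 SYN
Jan 12 09:01:09 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.14 DST=203.0.113.44 PROTO=TCP SPT=1045 DPT=25 SYN
Jan 12 09:01:10 gw kernel: something unrelated that must be ignored
"""

# Assumed address of the office mail server; clients are expected to deliver there.
OFFICE_MAIL_SERVER = "192.168.1.2"

# Matches the SRC/DST fields of a TCP packet whose destination port is exactly 25.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=25\b")


def smtp_destinations(log_text, mail_server=OFFICE_MAIL_SERVER):
    """Map each internal source IP to the set of outside SMTP servers it contacted.

    Connections to the office mail server are skipped because that is what a
    healthy client is supposed to do; non-matching lines are ignored.
    """
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = m.group("src"), m.group("dst")
        if dst == mail_server:
            continue
        result.setdefault(src, set()).add(dst)
    return result


def suspects(log_text, mail_server=OFFICE_MAIL_SERVER, threshold=3):
    """Return [(src, distinct_destinations)] for hosts that opened direct SMTP
    to at least `threshold` different outside servers, most active first."""
    dests = smtp_destinations(log_text, mail_server)
    hits = [(src, len(d)) for src, d in dests.items() if len(d) >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, count in suspects(SAMPLE_LOG):
        print(f"{src} opened SMTP to {count} distinct outside servers; check this machine first")
```

Run it against the real kernel log (for example `dmesg` or `/var/log/messages` on the gateway) instead of `SAMPLE_LOG`; a host that appears here while the others do not is the one to unplug and examine, and the threshold can be raised on a busy network to cut noise.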