I have received botnet detection warnings from my firewall. I get about one warning every 3 days. They are always found on one of my 5 Citrix servers or on a Windows XP machine used by my tech employee. Additionally, my public IP address used for sending email has been blacklisted twice by Spamhaus. I managed to band-aid this issue by blocking all outbound port 25 traffic from my LAN except from my email spam filter appliance, which is where all email is routed from my Exchange server for delivery.
What I have done so far:
I have run Malwarebytes, Spybot, and TrendMicro ServerProtect. Malwarebytes found an infection in one of the roaming profile directories of one of my users and deleted it. However, I am still getting a botnet detection every 3 days or so. My TrendMicro antivirus is not finding anything, and the above-mentioned scan tools have not been able to fully remove the bot.
Below is the output that I received from Malwarebytes when it found the infection in a roaming user profile:
C:\Program Files\Trend\SProtect\x64\Virus\58cb65c7-20955042 (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Program Files\Trend\SProtect\x64\Virus\d5LSAoeSjME_79c.VIR (Trojan.Agent.ZB) -> Quarantined and deleted successfully.
C:\Users\nbarcl\AppData\Local\uejxchpr.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\nbarcl\AppData\Local\wwtgxebf.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\nbarcl\AppData\Local\xhxkvtfo.exe (Trojan.Zbot.ED) -> Quarantined and deleted successfully.
Additionally, Malwarebytes seems to find the below item on about every machine I have scanned on my network:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Thank you for your help,