This is my first post on the forums. I run a small IT support co for small businesses and have a problem with one of my larger clients.
In the last month his static IP has been blacklisted by CBL 3 times for supposedly having the Torpig virus on a machine (see below). He runs a Windows server but does not run an email server, his email is hosted offsite by his ISP. He only has 5 workstations on the LAN.
This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 'x.x.x.x' (may be missing) on IP address 80, with contents unique to TorpigC&C command protocols.
The first time this happened I did as they suggested and ran TPSSKiller on all machines. I also ran Gmer and tried to use TPView all of which came up clean. In the last two instances I ran other scan tools and came up empty. However, this is all completely out of my experience, knowledge and skill set and I need help.
I understand enough about trojans and rootkits to be able to run scans and fix infected machines. however, this time around I am unable to detect any infection so obviously can't remove it! I guess my question is what steps should/could I take to ensure every machine is infection free?
I have downloaded and installed TDSSkiller, Gmer, Spybot, Sophos virus removal tool, Hijackthis, TCPView and even Wireshark (although I really don't know how to use the lat two).
Other than calling in an expert (where the hell would I find one anyway) what can I do?