We noticed our SBS server was sending out a ton of spam and was listed on Spamhaus, etc.
We used Malwarebytes; it found some items and deleted them, and the spamming stopped. Then a couple of days later it started again. Malwarebytes had caught a couple more items.
After some more research we noticed a few new accounts (Symantec, Scaner, Staff and services) which were not there before. In fact, the services account was logged in to Remote Desktop. We have deleted these accounts, examined the Domain Admins, Administrators and Enterprise Admins groups and changed passwords.
We have deleted some suspicious folders. There are some folders we cannot delete, such as c:\Users\Temp\AppData\Local\Microsoft\Credentials and other folders inside the AppData for Temp. We cannot take ownership and cannot delete them. It says the file is in use. I know we can use BartPE and such to boot up and delete these files, but are there any better ideas so we don't have to take the server down?
What other items/tasks can we do?
We have run Malwarebytes using Chameleon mode a few times with nothing else found.
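An added triage script for the situation described in the post (not the poster's code, and not a Malwarebytes feature). It assumes the SBS box is the domain controller, has the ActiveDirectory PowerShell module (Server 2008 R2 / SBS 2011 or later), and is run from an elevated prompt; the 30-day window and the `C:\Users\Temp` path are placeholders to adjust.

```powershell
# Added example: audit the things an attacker typically leaves behind after a
# mail-relay compromise: new accounts, privileged group membership, services and
# scheduled tasks pointing into user profiles, live RDP sessions, and processes
# running out of C:\Users (the usual reason a profile folder is "in use").
Import-Module ActiveDirectory

$Since   = (Get-Date).AddDays(-30)          # assumption: roughly when the spam began
$Profile = 'C:\Users\Temp'                  # the profile that refuses to delete
$PrivilegedGroups = 'Domain Admins', 'Administrators', 'Enterprise Admins',
                    'Schema Admins', 'Remote Desktop Users'

# 1. Accounts created in the look-back window (rogue names like "Scaner" show up here)
Write-Host "== Users created since $Since =="
Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, LastLogonDate |
    Sort-Object whenCreated |
    Format-Table SamAccountName, whenCreated, LastLogonDate, Enabled -AutoSize

# 2. Who is currently in each privileged group, nested membership resolved
foreach ($g in $PrivilegedGroups) {
    Write-Host "== Members of $g =="
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Format-Table SamAccountName, objectClass -AutoSize
}

# 3. Persistence: services and scheduled tasks whose binary lives under a user profile
Write-Host "== Services running from \Users\ or AppData =="
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match '\\Users\\|AppData' } |
    Format-Table Name, StartMode, State, PathName -AutoSize

Write-Host "== Scheduled tasks running from \Users\ or AppData =="
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match '\\Users\\|AppData' } |
    Format-Table TaskName, 'Task To Run', 'Run As User' -AutoSize

# 4. Still-active logon sessions (a loaded profile keeps its files open) and
#    any process whose executable sits inside the suspect profile
Write-Host "== Logon sessions =="
query session

Write-Host "== Processes executing from $Profile =="
Get-Process | Where-Object { $_.Path -like "$Profile\*" } |
    Select-Object Id, ProcessName, Path, StartTime |
    Format-Table -AutoSize
```

Disconnected sessions listed by `query session` can be ended with `logoff <id>` once you have noted what was running in them; killing the processes found in step 4 usually releases the "file in use" lock without a reboot.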