How to detect and clean malware sending spam on Windows XP and 2003 server
Posted on 2011-03-12
A client has been disconnected by their ISP for sending spam.
They have 3 PCs running XP, and a 2003 server. The PCs are not in a domain. They don't use Exchange. They use Outlook for their email using the ISP's mail servers. They host their website on the 2003 server and that seems to be about the only server function they are really using. Their router is a DLink DSL-504T which is a basic ADSL 4 port router with only a basic firewall.
The service provider says there is a huge amount of spam coming from their IP, and has disconnected their ADSL service.
A technician went to the site and used ComboFix and Malwarebytes to scan and clean each computer and has installed AVG also. The ISP then reconnected their ADSL but says spam was still coming from their IP and so has disconnected it again. That technician has now given up and the issue has been assigned to me.
The ISP is saying that if I ask them to reconnect the ADSL and more spam comes from the site they will disconnect again and not reconnect it.
I have scanned the PCs with the free version of Avast with a boot time scan and found a few more bits of malware, but that version wouldn't run on the server. Without an internet connection on-site I couldn't google the names of the programs found but my guess is that they were not the culprits.
So my questions are: what else can I use to scan and remove the offending malware, both workstations and server? Do I need to boot from another source to do so?
Is there anything I can do as far as blocking ports on a firewall to stop this spam from being sent? Is the firewall on a DLink DSL-504T adequate?
And most importantly, is there any way I can test and verify that it is fixed before getting the ADSL connection reinstated so the ISP doesn't disconnect it yet again?
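One way to check the last point while the line is still down, as an added example that is not part of the original post: run `netstat -ano` on each XP/2003 host and parse the saved output for processes trying to reach SMTP ports (a spam bot keeps retrying and shows up as SYN_SENT to port 25 on many foreign hosts, while Outlook only talks to the ISP relay). The relay address, PIDs and addresses in the sample are constructed placeholders.

```python
"""Flag processes attempting outbound SMTP in saved 'netstat -ano' output.

Run 'netstat -ano' on each host (XP/2003 support the -o PID column),
save it to a file and feed it here. The sample below is constructed."""
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}            # ports a mailer or spam bot would use
ALLOWED_MAIL_HOSTS = {"203.0.113.25"}  # placeholder for the ISP's SMTP relay

# Constructed sample of 'netstat -ano' output; PIDs and addresses are made up.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.0.10:1043      203.0.113.25:25        ESTABLISHED     1824
  TCP    192.168.0.10:1101      198.51.100.7:25        SYN_SENT        2276
  TCP    192.168.0.10:1102      198.51.100.9:25        SYN_SENT        2276
  TCP    192.168.0.10:1103      192.0.2.44:25          SYN_SENT        2276
  TCP    192.168.0.10:1104      192.0.2.45:587         SYN_SENT        2276
  UDP    0.0.0.0:445            *:*                                    4
"""

# One TCP row: local ip:port, foreign ip:port, state, owning PID.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Yield (local_ip, remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            lip, _lport, rip, rport, state, pid = m.groups()
            yield lip, rip, int(rport), state, int(pid)

def smtp_suspects(text, allowed=ALLOWED_MAIL_HOSTS):
    """Return {pid: set(remote_ip)} for SMTP connections not aimed at an
    allowed relay. A PID fanning out to many foreign MTAs is the culprit."""
    hits = defaultdict(set)
    for _lip, rip, rport, state, pid in parse_netstat(text):
        if rport in SMTP_PORTS and rip not in allowed \
                and state in ("SYN_SENT", "ESTABLISHED"):
            hits[pid].add(rip)
    return dict(hits)

if __name__ == "__main__":
    for pid, targets in smtp_suspects(SAMPLE).items():
        # Map the PID back to a process with: tasklist /svc /fi "PID eq <pid>"
        print(f"PID {pid}: {len(targets)} foreign SMTP targets")
```

A clean host shows no SYN_SENT rows to port 25 after a few minutes of uptime; on the router, allowing outbound TCP 25 only to the ISP relay stops any remaining bot from relaying even if one is missed.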