How to detect and clean malware sending spam on Windows XP and 2003 server

A client has been disconnected by their ISP for sending spam.
They have 3 PCs running XP and a 2003 server. The PCs are not in a domain. They don't use Exchange. They use Outlook for their email using the ISP's mail servers. They host their website on the 2003 server, and that seems to be about the only server function they are really using. Their router is a D-Link DSL-504T, which is a basic ADSL 4-port router with only a basic firewall.
The service provider says there is a huge amount of spam coming from their IP, and has disconnected their ADSL service.
A technician went to the site and used ComboFix and Malwarebytes to scan and clean each computer, and has installed AVG also. The ISP then reconnected their ADSL but says spam was still coming from their IP and so has disconnected it again. That technician has now given up and the issue has been assigned to me.
The ISP is saying that if I ask them to reconnect the ADSL and more spam comes from the site, they will disconnect again and not reconnect it.
I have scanned the PCs with the free version of Avast with a boot-time scan and found a few more bits of malware, but that version wouldn't run on the server. Without an internet connection on-site I couldn't Google the names of the programs found, but my guess is that they were not the culprits.

So my questions are: what else can I use to scan and remove the offending malware, on both workstations and server? Do I need to boot from another source to do so?
Is there anything I can do as far as blocking ports on a firewall to stop this spam from being sent? Is the firewall on a D-Link DSL-504T adequate?
And most importantly, is there any way I can test and verify that it is fixed before getting the ADSL connection reinstated, so the ISP doesn't disconnect it yet again?
younghv commented:
If AVAST found something after an MBAM scan, then something was wrong with the way MBAM was used.

Download it again to your USB stick (rename it to xyz.exe) and download the update too.

Malwarebytes (MBAM) (
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

If you need to manually download the latest update, use this link:

When finished with MBAM, post the log that is generated and let us look at it for you.

Make sure that the DLink admin account password is not still sitting on the 'Default' - it could be a case of a compromised router causing this.

I'll get a link that one of our other Experts provided for the fix on that.
This link was provided by the Expert known as sjklein42 - if he checks in to this question (and it works) please give him the credit. 
yarwell commented:
netstat from a command line will show you established connections, and similar tools are around for tracking down what process is using what port.

Do they have a static IP address ?

AVG and Kaspersky both do bootable live CD AV / rescue CDs - download the iso, burn to CD and boot into it to check the machines.

A software firewall such as Comodo or Outpost set into a strict mode requiring each process to be positively authorised would be a good place to start. I'm not that hands-on with the router you mention, though the manual is at and on p36 you can see how to set up a rule to block outbound access on a particular port.

You should also check the sent items folders on your mail clients to see if they have been sent that way.
rgss (Author) commented:
Is there any particular port range I can block outbound traffic for that will stop the spam but allow the valid email to be sent?
yarwell commented:
It depends how the spam is being sent! If it's using regular ports you're stuck. netstat should give you a clue what's happening.

Do they have a static IP address ?
rgss (Author) commented:
I used netstat and also TCPView, but I couldn't see any sign of the offending program. Will it show up as a connection if there is no internet connection?
They do have a static IP address.
Today: AVG rescue boot disk scan, Malwarebytes, AVG rootkit scan, AVG full scan and Spybot Search & Destroy all found nothing, as well as not finding anything with netstat and TCPView. Does this mean that they are clean and can be reconnected to the ISP, or does it mean that the offending program is hiding very well?
Also, we ordered a Cisco 887 router to replace the old D-Link router.
If you had a running process trying to send out spam then yes it should show up even if only in the wait state. I assume the machine was connected to the LAN at the time.

Presumably you checked all the machines at the site ?

The DLink will allow you to block port 25, I would ask the ISP to reconnect you on a test basis and monitor what happens when the internet becomes available.

You should also ask them to supply the logs that show evidence of the problem, as there may be additional clues in there for example the name of the machine making the SMTP connection.
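The netstat-based check suggested above (find which process owns the connections to port 25) can be made less error-prone by scripting it rather than eyeballing the table, especially since a bot with no internet route still shows up in SYN_SENT. The following is an added example, not code from this thread or from any participant: it parses captured `netstat -ano` and `tasklist /fo csv /nh` output from an XP/2003 box, joins them on PID, and reports every process talking to an SMTP port, flagging any that is not the expected mail client. The two text samples, the process names and the IP addresses in them are constructed for illustration; the port set and the allow-list of expected mailers are assumptions to adjust per site.

```python
"""Attribute outbound SMTP connections to processes from netstat/tasklist output.

Added example, not from the original thread. Assumes the column layout of
`netstat -ano` and `tasklist /fo csv /nh` on Windows XP / Server 2003.
Run the two commands on the suspect machine, redirect each to a file, and
feed the file contents to find_smtp_talkers().
"""
import csv
import io
from collections import defaultdict

# Ports a spam bot would use: direct-to-MX (25) or authenticated submission.
SMTP_PORTS = {25, 465, 587}

# Constructed sample of `netstat -ano` output (not a real capture).
# The SYN_SENT row is what you see when the box has no internet route:
# the bot keeps trying and still reveals its PID.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1504
  TCP    192.168.1.10:1043      203.0.113.7:25         SYN_SENT        2288
  TCP    192.168.1.10:1044      198.51.100.22:25       ESTABLISHED     2288
  TCP    192.168.1.10:1045      192.0.2.15:25          TIME_WAIT       0
  TCP    192.168.1.10:1050      198.51.100.9:25        ESTABLISHED     1720
  TCP    192.168.1.10:1061      192.0.2.80:443         ESTABLISHED     1720
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output (not a real capture).
# "msupdate.exe" is a placeholder for an unknown process, not a known malware name.
TASKLIST_SAMPLE = '''"svchost.exe","1504","Console","0","5,120 K"
"OUTLOOK.EXE","1720","Console","0","41,200 K"
"msupdate.exe","2288","Console","0","2,340 K"
'''


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples from `netstat -ano` text.

    UDP rows have no State column, so they are one field shorter.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or "Active Connections" banner
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # unexpected layout; skip rather than misattribute
        rows.append((proto, local, foreign, state, int(pid)))
    return rows


def remote_port(addr):
    """Port number of an 'host:port' string, or None for '*:*' and friends."""
    _host, _sep, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def find_smtp_talkers(netstat_text, tasklist_text, ports=SMTP_PORTS):
    """PID -> {'name', 'connections': [(foreign_addr, state), ...]} for TCP
    connections whose remote port is an SMTP port. PID 0 rows (TIME_WAIT
    sockets with no owner) are dropped because they cannot be attributed."""
    names = parse_tasklist(tasklist_text)
    report = defaultdict(lambda: {"name": None, "connections": []})
    for proto, _local, foreign, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or pid == 0 or remote_port(foreign) not in ports:
            continue
        entry = report[pid]
        entry["name"] = names.get(pid, "<unknown>")
        entry["connections"].append((foreign, state))
    return dict(report)


def flag_unexpected(report, expected_mailers):
    """PIDs of SMTP talkers whose image name is not an expected mail client."""
    allowed = {n.lower() for n in expected_mailers}
    return sorted(pid for pid, e in report.items() if e["name"].lower() not in allowed)


def distinct_remote_hosts(report):
    """PID -> number of distinct remote hosts; a mail client talks to its ISP's
    one or two servers, a spam bot fans out to many MX hosts."""
    return {pid: len({addr.rpartition(":")[0] for addr, _ in e["connections"]})
            for pid, e in report.items()}


if __name__ == "__main__":
    rep = find_smtp_talkers(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    hosts = distinct_remote_hosts(rep)
    for pid, e in sorted(rep.items()):
        print(f"PID {pid:>5} {e['name']:<14} {hosts[pid]} remote host(s): {e['connections']}")
    print("unexpected SMTP senders:", flag_unexpected(rep, {"OUTLOOK.EXE"}))
```

On a real machine, also run `tasklist /fo csv /nh /m` or TCPView to get the image path of any flagged PID, since a bot can borrow a legitimate-looking name; the allow-list here matches on name only.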