ok update time:

It looks like we were being hit by a new variant of the spybot.worm. Nortons did not detect it during the initial infection, but it was preventing the virus from turning the machine into a zombie terminal. We DID have some systems that were not patched and were infected. Those systems have been cleaned / patched / updated.

Fsecure.com did find the new variant (woo hoo). Once we knew what we were dealing with, the cleaning process was simple on most of the machines.

We also updated our firewall traffic to stop any chance of reinfection from infected machines. We think we found the point of origin, but since we can't prove who was sitting at the system at the time, and we know it was not malicious on the users end, there is little we can do.

We do plan on impleminting a proxy server with a whitelist of approved sites for business use since users have to use the internet in the course of their job.

fun fun fun.

~Halv