This started a few weeks ago and we thought it was a virus, so we checked every computer, and although 50% (yeah, that's right) were infected, once they were cleaned the problem didn't go away. It's really frustrating, so I want to figure it out, and I need suggestions on how to find the culprit. I think the router has logging, but it logs everyone, so it's hard to tell; I might be able to set up a proxy, but again it's hard to tell when and what to monitor. What are your suggestions?
I wasn't going to post an answer until I got to the end of the question, where you ask for suggestions. I have only two, and if they seem a little harsh just remember, you did ask.
The best way to check for this kind of issue is at your gateway to your Internet connection.
Do you have any kind of firewall? If so, you should be able to filter the logs (on the box) more easily than on a router.
If not, depending on your router, you could still do some basic log filtering on the router. Ideally you would log all the traffic to a syslog server or Splunk, and filter and search from there.
You should also check out this link, which has some good suggestions and ideas (possible Firefox extensions, a Firefox bug, etc.).
How long has it been since you 'cleaned' the systems? I expect that Google has a threshold, and that once you trip the alarm a certain amount of time needs to pass before they reset it.
Also, I agree with Chris S: simply scanning all the computers once is not likely to have cleaned everything. With an infection rate as high as yours, the likelihood of re-infection of cleaned computers by yet-to-be-cleaned computers is high. I'd want to do several passes until I got a completely clean pass (no detections), then monitor it regularly for a while. When I managed a network that used Symantec, I'd put infected computers into a "typhoid-mary" group in Symantec, which meant that they got scanned twice as often (or more, if I was mad) as regular PCs.
Here is what you can do.
Like Josh said, try looking at your firewall logs to see what's going out on port 80; dump them to a syslog server.
This is kind of a workaround. Install Fiddler on the machine(s) and look at the Fiddler live view for HTTP traffic while no one is using that machine. That might give you a clue as to which machine is making HTTP request(s) when no one is at the wheel. Fiddler is used by developers to debug HTTP issues.
Look into OpenDNS. There is a paid service which I believe can block spyware activity.
Hope that helps.
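As an added example (not code from any of the posters), here is the kind of filtering Josh and this answer describe, run over constructed firewall syslog lines: it counts outbound web connections per internal host and flags hosts that browse outside working hours or burst many connections in one minute. The log format, the working-hours window, the thresholds and the addresses are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of iptables-style syslog lines from a NAT gateway that logs new
# outbound connections. Addresses are private/RFC 5737 documentation ranges, not real
# hosts, and the line format is hypothetical: adapt LINE_RE to your firewall's output.
SAMPLE_LOG = """\
Mar 14 02:13:01 gw kernel: FW-OUT SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=80
Mar 14 02:13:02 gw kernel: FW-OUT SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=80
Mar 14 02:13:02 gw kernel: FW-OUT SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51002 DPT=443
Mar 14 02:13:03 gw kernel: FW-OUT SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51003 DPT=80
Mar 14 02:13:05 gw kernel: FW-OUT SRC=192.168.1.23 DST=192.168.1.1 PROTO=UDP SPT=51004 DPT=53
Mar 14 09:00:10 gw kernel: FW-OUT SRC=192.168.1.40 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=80
Mar 14 09:00:11 gw kernel: FW-OUT SRC=192.168.1.41 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=443
Mar 14 22:45:00 gw kernel: FW-OUT SRC=192.168.1.41 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=80
"""
LINE_RE = re.compile(
    r"^\w{3} +\d+ (\d\d):(\d\d):\d\d .*SRC=(\S+) DST=(\S+) PROTO=(\w+) .*DPT=(\d+)")
WEB_PORTS = {80, 443}

def parse_line(line):
    """Hour, minute, source, destination, protocol and destination port of one line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    hour, minute, src, dst, proto, dpt = m.groups()
    return {"hour": int(hour), "minute": int(minute), "src": src, "dst": dst, "proto": proto, "dpt": int(dpt)}

def summarize(log_text, ports=WEB_PORTS, work_hours=(8, 18)):
    """Per internal host: web connections in total, outside work hours (assumed 08-18), and per minute."""
    stats = defaultdict(lambda: {"total": 0, "off_hours": 0, "per_minute": Counter()})
    start, end = work_hours
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proto"] != "TCP" or rec["dpt"] not in ports:
            continue  # DNS and other non-web traffic is noise for this question
        s = stats[rec["src"]]
        s["total"] += 1
        s["per_minute"][(rec["hour"], rec["minute"])] += 1
        if not (start <= rec["hour"] < end):
            s["off_hours"] += 1
    return dict(stats)

def suspects(log_text, min_off_hours=3, burst=3):
    """Hosts browsing while nobody is at the keyboard, or bursting (assumed thresholds), busiest first."""
    stats = summarize(log_text)
    hits = [src for src, s in stats.items()
            if s["off_hours"] >= min_off_hours or max(s["per_minute"].values()) >= burst]
    return sorted(hits, key=lambda src: -stats[src]["total"])
```

Feed it the syslog export instead of SAMPLE_LOG; the host it returns is the one to put Fiddler on, not proof of infection.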
I'm not sure how Google handles large numbers of hosts behind the same public IP, but there are innocent ways that Google's bot-blocking algorithm can be unknowingly tripped by well-intentioned users. So if one person on your network does either of the following, they could get your IP flagged:
1. Using Google as a thesaurus. Now, bear with me on this one... Due to the large quantities of a particular plant from the hops family consumed in my college days, I have terrible memory recall, to the point that I have difficulty remembering even common words or phrases. In many cases, if the thesaurus doesn't turn up what I'm searching for, I'll do a Google search for a phrase with a wildcard in place of the word slipping my mind, e.g. "police use of agent *". Sometimes the search parameters are very broad, and I may have to wade through 40-50 pages of search results (why yes, I do have OCD). And this unfortunately triggers the bot-filter, especially when I'm skimming through 10-12 pages per minute. This has happened to me on more than one occasion, but I'm usually flagged for only an hour or two.
2. Gmail has become a really popular email service, and by now most of the obvious good usernames/addresses have been taken. So the last time I tried signing up for a Gmail account, I went through probably 30 different usernames before finding an available email address that was half decent. By then my IP had been flagged, and Google would allow me to sign up for an account. And after a few more tries, all my Captcha responses were rejected. I didn't perform any Google searches during this period, but it's possible that this could cause an IP to be flagged for all Google services.