Cannot remove spyware/trojan/virus

All of our users are receiving the 403 Forbidden message when trying to search Google.  I pinned it down to one user who was infected with some sort of trojan that runs a proxy server - called asprox.  I cleaned the trojan and have run all types of spyware removal and AV software, but I am still getting the same error from Google.  

When I turn off this user's computer, or disconnect his network cable, the error messages from Google go away.  When I bring back this user, the messages start again.  But I can't seem to figure out what is still running on his machine.

I have attached a logfile from HijackThis.  He is running Windows XP Pro.
Darius Ghassem Commented:
Here are a couple of things to try:


3. Removing Autostart Key from the Registry

This solution deletes registry keys added by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
Still in the left panel, locate and delete the key:
Close Registry Editor.
Deleting the Malware File(s)

Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
In the Named input box, type:
In the Look In drop-down list, select My Computer, then press Enter.
Once located, select the file then press SHIFT+DELETE.
Repeat steps 2-4 for the following files:
• _check32.bat
• db32.txt
• g32.txt
• gs32.txt
• s32.txt
• ws386.ini
Darius GhassemCommented:
Have you disabled IIS?
I looked around and instead of me disguising this as my brilliant solution I will just give you a link.

Looks like it lasts for about 24 hours.  In the meantime try dogpile.

I checked out your HijackThis log and I did not see anything out of the ordinary.
plemingAuthor Commented:
dariusg:  I hadn't disabled IIS yet, but I've done so now.  No change ... still getting the Google error.

polazarus:  I checked out the link about the Google error.  However, we've been having this problem for way over 24 hours.  It started early last week.  

When I checked my internet filtering device, I noticed that this user was scoring thousands upon thousands of hits to (50,000 vs. 400-500 for others!) each day.  

The only way this will stop is if I disconnect his network cable.  I'd rather not reformat and reinstall if I can help it.
Darius GhassemCommented:
Have you tried Spybot? Make sure you look in the services and disable IIS. Go to the command prompt and do a netstat then paste the results to the post. Do you see any unusual errors in the Event Logs?
polazarus Commented:
Use your virus program in conjunction with Sysinternals RootkitRevealer.  It will flush out the ones that are hard to find.
When you plug it back in, is there any process taking up an unusual amount of CPU cycles?  Also you can plug it in and then start killing off processes until you find the one that kills off the traffic.  Basically continue eliminating possibilities until you find out which one it was.  I am going to take a closer look at your HijackThis log.
run combofix

And post the log here!
plemingAuthor Commented:
This morning, I re-checked the registry and did a search for all those files.  I had done this before, and did find some entries and files, and deleted them at that time.  They didn't come back.  Ran combofix and have posted the results in this message.  Also ran rootkit revealer.  No change in CPU cycles or processes.  However, this morning after I plugged it back into the network, the problem hasn't returned.  I'm no longer getting Google 403 messages and everything seems to look fine, for now.  I'll still post my combofix log and keep this open for a little bit longer while I keep an eye on the computer and see if the problem comes back.
Darius GhassemCommented:
The registry items were most likely the issue. I would still run this tool to check for all instances. Google does block IP addresses that have viruses or malicious software coming from them.
Darius GhassemCommented:
Any update on this issue?
plemingAuthor Commented:
There's no repeat of the problem and it seems as if a combination of fixes (including spyware removal, manual editing of registry and removal of files, and combofix) did the trick.  Thanks for all the suggestions.