Solved

Cannot remove spyware/trojan/virus

Posted on 2008-06-09
1,992 Views
Last Modified: 2013-12-06
All of our users are receiving the 403 Forbidden message when trying to search Google.  I pinned it down to one user who was infected with some sort of trojan that runs a proxy server - called asprox.  I cleaned the trojan and have run all types of spyware removal and AV software, but I am still getting the same error from Google.  

When I turn off this user's computer, or disconnect his network cable, the error messages from Google go away.  When I bring back this user, the messages start again.  But I can't seem to figure out what is still running on his machine.

I have attached a logfile from Hijackthis.  He is running Windows XP Pro.
hijackthis-rex.txt
0
Question by:pleming
13 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21746759
Have you disabled IIS?
0
 
LVL 3

Expert Comment

by:polazarus
ID: 21746903
I looked around and instead of me disguising this as my brilliant solution I will just give you a link.

Looks like it lasts for about 24 hours.  In the meantime try dogpile.

http://www.mydigitallife.info/2007/11/27/were-sorry-google-error/
0
 
LVL 3

Expert Comment

by:polazarus
ID: 21746914
I checked out your HijackThis log and I did not see anything out of the ordinary.
0
 

Author Comment

by:pleming
ID: 21746959
dariusg:  I hadn't disabled IIS yet, but I've done so now.  No change ... still getting the Google error.

polazarus:  I checked out the link about the Google error.  However, we've been having this problem for way over 24 hours.  It started early last week.  

When I checked my internet filtering device, I noticed that this user was scoring thousands upon thousands of hits to google.com (50,000 vs. 400-500 for others!) each day.  

The only way this will stop is if I disconnect his network cable.  I'd rather not reformat and reinstall if I can help it.
0
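A small detector along the lines of the author's filtering-device observation above (one host generating roughly 50,000 google.com requests a day while everyone else generates 400-500). This is an added example, not code from the thread or from any filtering product: the log line format, the client addresses and the per-client request counts are constructed, and the outlier rule (more than ten times the median of all clients, with a floor of 1,000 hits) is an assumption. It generalises the observation to any domain, not just google.com.

```python
"""Flag workstations that hit one domain far more often than their peers.

Added example, not from the thread.  The log format and the sample numbers
are constructed; the thresholds are assumptions.
"""
import re
import statistics
from collections import Counter
from urllib.parse import urlsplit

# Constructed log line format: "<date> <time> <client-ip> <method> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of one log line plus the lower-cased request host, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["domain"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def hits_per_client(lines, domain="google.com"):
    """Count requests per client whose host is `domain` or a sub-domain of it."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["domain"] == domain or rec["domain"].endswith("." + domain):
            counts[rec["client"]] += 1
    return counts


def find_outliers(counts, factor=10, floor=1000):
    """Clients whose count exceeds both `floor` and `factor` times the median of all clients."""
    if len(counts) < 2:
        return {}
    threshold = max(floor, factor * statistics.median(counts.values()))
    return {client: n for client, n in counts.items() if n > threshold}


def constructed_log(per_client):
    """Build sample lines; `per_client` maps client IP to its number of google.com requests."""
    lines = []
    for client, n in per_client.items():
        for i in range(n):
            lines.append(f"2008-06-05 09:{i % 60:02d}:{i % 60:02d} {client} GET "
                         f"http://www.google.com/search?q=test{i} 403")
    # one request to an unrelated site, to show it is not counted
    lines.append("2008-06-05 09:00:00 10.0.0.21 GET http://www.example.com/ 200")
    return lines


# Constructed daily volumes mirroring the thread: one host at 50,000, the rest at 400-500.
SAMPLE = {"10.0.0.15": 50000, "10.0.0.21": 450, "10.0.0.22": 400,
          "10.0.0.23": 500, "10.0.0.24": 420}


def demo():
    return find_outliers(hits_per_client(constructed_log(SAMPLE)))


if __name__ == "__main__":
    for client, n in demo().items():
        print(f"{client}: {n} google.com requests (outlier)")
```

With the sample above the median is 450, so the threshold is 4,500 and only 10.0.0.15 is reported; a host that merely doubled its normal traffic would not be, which is the point of comparing against peers rather than a fixed number.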
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21747196
Have you tried Spybot? Make sure you look in the services and disable IIS. Go to the command prompt and do a netstat, then paste the results to the post. Do you see any unusual errors in the Event Logs?
0
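To make the netstat suggestion above actionable, here is an added example (not from the thread) that parses `netstat -ano` style output and reports the two things a responder looks for on a workstation suspected of running a proxy: TCP ports in LISTENING state outside an expected baseline, and the PIDs holding the most established outbound connections. The sample output, the PIDs and the 203.0.113.x addresses are constructed, and the baseline of ports 135, 139 and 445 is an assumption for a plain XP Pro workstation; map any reported PID to its image with `tasklist` before acting on it.

```python
"""Triage helper for netstat output from a suspected proxy-running workstation.

Added example, not from the thread.  Parses the text of `netstat -ano`
(Proto / Local Address / Foreign Address / State / PID) and reports unexpected
listeners plus the PIDs with the most outbound connections.
"""
import re
from collections import Counter

# One socket row: proto, local, foreign, optional state (UDP rows have none), pid
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Constructed sample output; PIDs and the 203.0.113.x addresses are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1632
  TCP    10.0.0.15:139          0.0.0.0:0              LISTENING       4
  TCP    10.0.0.15:1067         203.0.113.10:80        ESTABLISHED     1632
  TCP    10.0.0.15:1068         203.0.113.11:80        ESTABLISHED     1632
  TCP    10.0.0.15:1069         203.0.113.12:80        ESTABLISHED     1632
  TCP    10.0.0.15:1070         203.0.113.20:443       ESTABLISHED     2244
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumed baseline for a plain XP Pro workstation: RPC, NetBIOS session, SMB.
EXPECTED_LISTENERS = frozenset({135, 139, 445})


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def port_of(addr):
    """Port number from 'ip:port' (also works for '[v6addr]:port')."""
    return int(addr.rsplit(":", 1)[1])


def unexpected_listeners(rows, expected=EXPECTED_LISTENERS):
    """Sorted (port, pid) pairs for TCP listeners outside the expected baseline."""
    found = {(port_of(r["local"]), r["pid"]) for r in rows
             if r["proto"] == "TCP" and r["state"] == "LISTENING"
             and port_of(r["local"]) not in expected}
    return sorted(found)


def outbound_counts(rows):
    """Established TCP connections per PID, most active first."""
    counts = Counter(r["pid"] for r in rows
                     if r["proto"] == "TCP" and r["state"] == "ESTABLISHED")
    return counts.most_common()


def triage(text):
    rows = parse_netstat(text)
    return {"listeners": unexpected_listeners(rows), "outbound": outbound_counts(rows)}


if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT)
    for port, pid in report["listeners"]:
        print(f"unexpected listener: TCP port {port} owned by PID {pid}")
    for pid, n in report["outbound"]:
        print(f"PID {pid}: {n} established outbound connections")
```

On the sample the same PID owns the stray port 80 listener and most of the outbound connections; that overlap, a listener plus heavy outbound traffic from one process, is the pattern to look for when pasting a real capture.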
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 1400 total points
ID: 21747278
Here are a couple of things to try:

1. http://www.2-spyware.com/remove-asprox.html


3. Removing Autostart Key from the Registry

This solution deletes registry keys added by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
3. Still in the left panel, locate and delete the key:
   aspimgr
4. Close Registry Editor.

Deleting the Malware File(s)

1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type:
   aspimgr.exe
3. In the Look In drop-down list, select My Computer, then press Enter.
4. Once located, select the file then press SHIFT+DELETE.
5. Repeat steps 2-4 for the following files:
   • _check32.bat
   • db32.txt
   • g32.txt
   • gs32.txt
   • s32.txt
   • ws386.ini
0
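An added report-only sweep for the indicators named in the accepted solution above. It is not code from the thread, from 2-spyware or from any vendor tool: it lists files matching the seven file names and any service key under HKLM\SYSTEM\CurrentControlSet\Services matching `aspimgr`, and deletes nothing, so each hit can be confirmed before the manual removal steps are applied. `build_sample_tree()` creates a constructed directory with two matching files and one decoy so the file search can be exercised on any platform; the registry enumeration only runs on Windows.

```python
"""Report-only sweep for the indicators in the removal steps above.

Added example, not from the thread or any vendor tool.  It only reports what
it finds; confirm each hit before deleting anything by hand.
"""
import os
import sys
import tempfile

# File names and the service key name listed in the removal steps.
IOC_FILES = frozenset({"aspimgr.exe", "_check32.bat", "db32.txt", "g32.txt",
                       "gs32.txt", "s32.txt", "ws386.ini"})
IOC_SERVICES = frozenset({"aspimgr"})


def find_ioc_files(root, names=IOC_FILES):
    """Walk `root` and return paths whose file name matches an indicator, case-insensitively."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in wanted)
    return sorted(hits)


def matching_services(service_names, iocs=IOC_SERVICES):
    """Service key names that match an indicator, case-insensitively."""
    wanted = {s.lower() for s in iocs}
    return sorted(s for s in service_names if s.lower() in wanted)


def installed_service_names():
    """Sub-key names of HKLM\\SYSTEM\\CurrentControlSet\\Services; empty list off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as key:
        count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(count)]


def sweep(root, service_names=None):
    """Report indicator files under `root` and indicator service keys; never deletes."""
    if service_names is None:
        service_names = installed_service_names()
    return {"files": find_ioc_files(root), "services": matching_services(service_names)}


def build_sample_tree():
    """Constructed directory with two matching files and one decoy, for a dry run."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    for name in ("ASPIMGR.EXE", "notepad.exe"):   # upper-case name checks the case folding
        open(os.path.join(sys32, name), "w").close()
    open(os.path.join(root, "WINDOWS", "ws386.ini"), "w").close()
    return root


if __name__ == "__main__":
    # With no argument the sweep runs over the constructed tree; pass a drive root to sweep it.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    report = sweep(root)
    for path in report["files"]:
        print("indicator file:", path)
    for svc in report["services"]:
        print("indicator service key:", svc)
    if not report["files"] and not report["services"]:
        print("no indicators found under", root)
```

Run it as `python ioc_sweep.py C:\` on the suspect machine; a short name such as `s32.txt` can legitimately exist elsewhere, which is why the script prints full paths for a human to judge rather than deleting.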
 
LVL 3

Assisted Solution

by:polazarus
polazarus earned 600 total points
ID: 21748024
Use your virus program in conjunction with Sysinternals RootkitRevealer.  It will flush out the ones that are hard to find.
0
 
LVL 3

Expert Comment

by:polazarus
ID: 21748037
When you plug it back in, are there any processes taking up an unusual amount of CPU cycles?  Also, you can plug it in and then start killing off processes until you find the one that kills off the traffic.  Basically, continue eliminating possibilities until you find out which one it was.  I am going to take a closer look at your HijackThis log.
0
 

Expert Comment

by:Elixs
ID: 21748762
run combofix http://download.bleepingcomputer.com/sUBs/combofix.exe
DO NOT CLICK IN THE COMBOFIX WINDOW WHEN RUNNING IT SINCE IT MIGHT CAUSE THE PROGRAM TO CRASH!

And post the log here!
0
 

Author Comment

by:pleming
ID: 21752240
This morning, I re-checked the registry and did a search for all those files.  I had done this before, and did find some entries and files, and deleted them at that time.  They didn't come back.  Ran combofix and have posted the results in this message.  Also ran rootkit revealer.  No change in CPU cycles or processes.  However, this morning after I plugged it back into the network, the problem hasn't returned.  I'm no longer getting Google 403 messages and everything seems to look fine, for now.  I'll still post my combofix log and keep this open for a little bit longer while I keep an eye on the computer and see if the problem comes back.
ComboFix-Rex.txt
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21752305
The registry items were most likely the issue. I would still run this tool to check for all instances: http://www.2-spyware.com/remove-asprox.html. Google does block IP addresses that have viruses or malicious software coming from them.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21778470
Any update on this issue?
0
 

Author Closing Comment

by:pleming
ID: 31465562
There's no repeat of the problem and it seems as if a combination of fixes (including spyware removal, manual editing of registry and removal of files, and combofix) did the trick.  Thanks for all the suggestions.
0
