pleming asked:
Cannot remove spyware/trojan/virus

All of our users are receiving the 403 Forbidden message when trying to search Google.  I pinned it down to one user who was infected with some sort of trojan that runs a proxy server - called asprox.  I cleaned the trojan and have run all types of spyware removal and AV software, but I am still getting the same error from Google.  

When I turn off this user's computer, or disconnect his network cable, the error messages from Google go away.  When I bring back this user, the messages start again.  But I can't seem to figure out what is still running on his machine.

I have attached a logfile from Hijackthis.  He is running Windows XP Pro.
hijackthis-rex.txt
Darius Ghassem:

Have you disabled IIS?
I looked around and instead of me disguising this as my brilliant solution I will just give you a link.

Looks like it lasts for about 24 hours.  In the meantime try dogpile.

http://www.mydigitallife.info/2007/11/27/were-sorry-google-error/
I checked out your HijackThis log and I did not see anything out of the ordinary.

pleming (asker):
dariusg:  I hadn't disabled IIS yet, but I've done so now.  No change ... still getting the Google error.

polazarus:  I checked out the link about the Google error.  However, we've been having this problem for way over 24 hours.  It started early last week.  

When I checked my internet filtering device, I noticed that this user was scoring thousands upon thousands of hits to google.com (50,000 vs. 400-500 for others!) each day.  

The only way this will stop is if I disconnect his network cable.  I'd rather not reformat and reinstall if I can help it.
Have you tried Spybot? Make sure you look in the services and disable IIS. Go to the command prompt and do a netstat, then paste the results to the post. Do you see any unusual errors in the Event Logs?
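The advice above is to run netstat and work out which process owns the flood of connections to Google. As an added example (not code from the original thread or from any of its participants), the script below parses `netstat -ano` output, counts connections per owning PID to a chosen remote address prefix, and lists which PIDs are also listening on a local port, since the thread describes a trojan that runs a proxy server. The netstat sample embedded in it is constructed, and the `64.233.167.` address prefix is assumed for illustration; replace both with real output from the suspect machine.

```python
"""Find which process owns the connections to a given remote host,
from the text output of `netstat -ano` (Windows XP and later).

Added example for this thread; not the original poster's code.
The sample output and the Google address prefix are constructed/assumed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of `netstat -ano` output. PID 1720 is the hypothetical
# proxy trojan: it listens on TCP/80 and hammers the remote host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1033      64.233.167.99:80       ESTABLISHED     1720
  TCP    192.168.1.20:1034      64.233.167.99:80       SYN_SENT        1720
  TCP    192.168.1.20:1035      64.233.167.99:80       TIME_WAIT       0
  TCP    192.168.1.20:1036      64.233.167.99:80       ESTABLISHED     1720
  TCP    192.168.1.20:1037      64.233.167.104:80      ESTABLISHED     1720
  TCP    192.168.1.20:1040      192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:1041      64.233.167.99:80       ESTABLISHED     2316
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1720
  UDP    0.0.0.0:1025           *:*                                    1044
"""

# TCP lines carry a State column; UDP lines do not, so State is optional.
LINE_RE = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$')


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rhost, _, rport = foreign.rpartition(':')
        lhost, _, lport = local.rpartition(':')
        rows.append({
            'proto': proto, 'local_port': lport,
            'remote_host': rhost, 'remote_port': rport,
            'state': state or '', 'pid': int(pid),
        })
    return rows


def connections_by_pid(rows, remote_prefix, ignore_states=('TIME_WAIT',)):
    """Count sockets per PID whose remote host starts with remote_prefix.

    TIME_WAIT sockets on Windows are reported with PID 0 (no owner),
    so they are ignored by default; they would only add noise.
    """
    counts = Counter()
    for r in rows:
        if r['remote_host'].startswith(remote_prefix) and r['state'] not in ignore_states:
            counts[r['pid']] += 1
    return counts


def top_talker(rows, remote_prefix):
    """(pid, connection_count) of the heaviest talker to remote_prefix, or None."""
    counts = connections_by_pid(rows, remote_prefix)
    if not counts:
        return None
    return counts.most_common(1)[0]


def listening_ports(rows):
    """{pid: [local ports]} for TCP sockets in LISTENING state."""
    listen = defaultdict(list)
    for r in rows:
        if r['proto'] == 'TCP' and r['state'] == 'LISTENING':
            listen[r['pid']].append(int(r['local_port']))
    return dict(listen)


if __name__ == '__main__':
    rows = parse_netstat(SAMPLE_NETSTAT)
    prefix = '64.233.167.'          # assumed Google address prefix for the sample
    print('connections to %s* by PID:' % prefix)
    for pid, n in connections_by_pid(rows, prefix).most_common():
        print('  PID %-6d %d' % (pid, n))
    print('listening TCP ports by PID:', listening_ports(rows))
    pid, n = top_talker(rows, prefix)
    print('suspect PID %d (%d connections); check it with: tasklist /FI "PID eq %d"' % (pid, n, pid))
```

Paste real `netstat -ano` output in place of the sample (or read it from a file) and map the resulting PID to an image with `tasklist /FI "PID eq <pid>"`. One caveat the thread itself illustrates: a rootkit can hide its process and sockets from netstat on the infected host, which is why the per-user hit counts from the network filtering device are the more trustworthy measure of whether the machine is still misbehaving.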
ASKER CERTIFIED SOLUTION
Darius Ghassem

SOLUTION
When you plug it back in, are there any processes taking up an unusual amount of CPU cycles? Also you can plug it in and then start killing off processes until you find the one that kills off the traffic. Basically continue eliminating possibilities until you find out which one it was. I am going to take a closer look at your HijackThis log.

Elixs:
run combofix http://download.bleepingcomputer.com/sUBs/combofix.exe
DO NOT CLICK IN THE COMBOFIX WINDOW WHEN RUNNING IT SINCE IT MIGHT CAUSE THE PROGRAM TO CRASH!

And post the log here!
pleming (asker):
This morning, I re-checked the registry and did a search for all those files.  I had done this before, and did find some entries and files, and deleted them at that time.  They didn't come back.  Ran combofix and have posted the results in this message.  Also ran rootkit revealer.  No change in CPU cycles or processes.  However, this morning after I plugged it back into the network, the problem hasn't returned.  I'm no longer getting Google 403 messages and everything seems to look fine, for now.  I'll still post my combofix log and keep this open for a little bit longer while I keep an eye on the computer and see if the problem comes back.
ComboFix-Rex.txt
The registry items were most likely the issue. I would still run this tool to check for all instances: http://www.2-spyware.com/remove-asprox.html. Google does block IP addresses that have viruses or malicious software coming from them.
Any update on this issue?
pleming (asker):
There's no repeat of the problem and it seems as if a combination of fixes (including spyware removal, manual editing of registry and removal of files, and combofix) did the trick.  Thanks for all the suggestions.