Solved

Cannot remove spyware/trojan/virus

Posted on 2008-06-09
Last Modified: 2013-12-06
All of our users are receiving the 403 Forbidden message when trying to search Google.  I pinned it down to one user who was infected with some sort of trojan that runs a proxy server - called asprox.  I cleaned the trojan and have run all types of spyware removal and AV software, but I am still getting the same error from Google.  

When I turn off this user's computer, or disconnect his network cable, the error messages from Google go away.  When I bring back this user, the messages start again.  But I can't seem to figure out what is still running on his machine.

I have attached a logfile from Hijackthis.  He is running Windows XP Pro.
hijackthis-rex.txt
Question by:pleming

Expert Comment

by:Darius Ghassem
ID: 21746759
Have you disabled IIS?

Expert Comment

by:polazarus
ID: 21746903
I looked around and instead of me disguising this as my brilliant solution I will just give you a link.

Looks like it lasts for about 24 hours.  In the meantime try dogpile.

http://www.mydigitallife.info/2007/11/27/were-sorry-google-error/

Expert Comment

by:polazarus
ID: 21746914
I checked out your Hi-jackthis log and I did not see anything out of the ordinary.

Author Comment

by:pleming
ID: 21746959
dariusg:  I hadn't disabled IIS yet, but I've done so now.  No change ... still getting the Google error.

polazarus:  I checked out the link about the Google error.  However, we've been having this problem for way over 24 hours.  It started early last week.  

When I checked my internet filtering device, I noticed that this user was scoring thousands upon thousands of hits to google.com (50,000 vs. 400-500 for others!) each day.  

The only way this will stop is if I disconnect his network cable.  I'd rather not reformat and reinstall if I can help it.

Expert Comment

by:Darius Ghassem
ID: 21747196
Have you tried Spybot? Make sure you look in the services and disable IIS. Go to the command prompt and do a netstat, then paste the results to the post. Do you see any unusual errors in the Event Logs?

Accepted Solution

by:Darius Ghassem (earned 350 total points)
ID: 21747278
Here are a couple of things to try:

1. http://www.2-spyware.com/remove-asprox.html

3. Removing Autostart Key from the Registry

This solution deletes registry keys added by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
3. Still in the left panel, locate and delete the key:
   aspimgr
4. Close Registry Editor.

Deleting the Malware File(s)

1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type:
   aspimgr.exe
3. In the Look In drop-down list, select My Computer, then press Enter.
4. Once located, select the file then press SHIFT+DELETE.
5. Repeat steps 2-4 for the following files:
   - _check32.bat
   - db32.txt
   - g32.txt
   - gs32.txt
   - s32.txt
   - ws386.ini
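As an added example (not part of this thread or of any of the tools linked in it), the following PowerShell script audits a machine for the indicators named in the accepted solution (the aspimgr service key, aspimgr.exe and the companion files) and also collects the netstat and Event Log evidence the earlier comment asked for. It only reports; nothing is deleted, so the findings can be reviewed before following the manual steps above. It assumes PowerShell is installed on the box (PowerShell 2.0 runs on XP); the search root and the report format are my own choices.

```powershell
# Added example: audit-only check for the Asprox indicators listed in the accepted solution.
# Nothing is removed here; review the report, then follow the manual removal steps.
$findings = @()

# 1. The service autostart key the answer says to delete
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\aspimgr'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Registry: $svcKey present (ImagePath: $img)"
}

# 2. The malware files named in the answer; searching the whole system drive is an assumption
$names = 'aspimgr.exe', '_check32.bat', 'db32.txt', 'g32.txt', 'gs32.txt', 's32.txt', 'ws386.ini'
$root  = $env:SystemDrive + '\'
Get-ChildItem -Path $root -Recurse -Force -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += "File: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
    }

# 3. netstat check from the earlier comment: every listening socket with its owning process.
#    Normal Windows services will show up too; compare against a known-clean machine.
netstat -ano | Select-String 'LISTENING' | ForEach-Object {
    $parts  = ($_.Line -replace '\s+', ' ').Trim().Split(' ')   # proto, local, remote, state, pid
    $procId = $parts[-1]
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $findings += "Listening: $($parts[1]) owned by PID $procId ($($proc.Name))"
}

# 4. Event Log check from the earlier comment: the most recent errors in the System log
Get-EventLog -LogName System -EntryType Error -Newest 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $firstLine = $_.Message.Split("`n")[0]
        $findings += "EventLog: $($_.TimeGenerated) $($_.Source): $firstLine"
    }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Run it from an elevated prompt before and after the manual cleanup; a registry or file hit that reappears after removal is the sign that something is still recreating the proxy.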

Assisted Solution

by:polazarus
polazarus earned 150 total points
ID: 21748024
Use your virus program in conjunction with Sysinternals RootkitRevealer.  It will flush out the ones that are hard to find.

Expert Comment

by:polazarus
ID: 21748037
When you plug it back in, are there any processes taking up an unusual amount of CPU cycles?  Also, you can plug it in and then start killing off processes until you find the one that kills off the traffic.  Basically, continue eliminating possibilities until you find out which one it was.  I am going to take a closer look at your Hijackthis log.

Expert Comment

by:Elixs
ID: 21748762
Run ComboFix: http://download.bleepingcomputer.com/sUBs/combofix.exe
DO NOT CLICK IN THE COMBOFIX WINDOW WHEN RUNNING IT SINCE IT MIGHT CAUSE THE PROGRAM TO CRASH!

And post the log here!

Author Comment

by:pleming
ID: 21752240
This morning, I re-checked the registry and did a search for all those files.  I had done this before, and did find some entries and files, and deleted them at that time.  They didn't come back.  Ran combofix and have posted the results in this message.  Also ran rootkit revealer.  No change in CPU cycles or processes.  However, this morning after I plugged it back into the network, the problem hasn't returned.  I'm no longer getting Google 403 messages and everything seems to look fine, for now.  I'll still post my combofix log and keep this open for a little bit longer while I keep an eye on the computer and see if the problem comes back.
ComboFix-Rex.txt

Expert Comment

by:Darius Ghassem
ID: 21752305
The registry items were most likely the issue. I would still run this tool to check for all instances: http://www.2-spyware.com/remove-asprox.html. Google does block IP addresses that have viruses or malicious software coming from them.

Expert Comment

by:Darius Ghassem
ID: 21778470
Any update on this issue?

Author Closing Comment

by:pleming
ID: 31465562
There's no repeat of the problem and it seems as if a combination of fixes (including spyware removal, manual editing of registry and removal of files, and combofix) did the trick.  Thanks for all the suggestions.