Solved

Cannot remove spyware/trojan/virus

Posted on 2008-06-09
Last Modified: 2013-12-06
All of our users are receiving the 403 Forbidden message when trying to search Google.  I pinned it down to one user who was infected with some sort of trojan that runs a proxy server - called asprox.  I cleaned the trojan and have run all types of spyware removal and AV software, but I am still getting the same error from Google.  

When I turn off this user's computer, or disconnect his network cable, the error messages from Google go away.  When I bring back this user, the messages start again.  But I can't seem to figure out what is still running on his machine.

I have attached a logfile from Hijackthis.  He is running Windows XP Pro.
hijackthis-rex.txt
0
Question by:pleming
13 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21746759
Have you disabled IIS?
0
 
LVL 3

Expert Comment

by:polazarus
ID: 21746903
I looked around and instead of me disguising this as my brilliant solution I will just give you a link.

Looks like it lasts for about 24 hours.  In the meantime try dogpile.

http://www.mydigitallife.info/2007/11/27/were-sorry-google-error/
0
 
LVL 3

Expert Comment

by:polazarus
ID: 21746914
I checked out your Hi-jackthis log and I did not see anything out of the ordinary.
0
 

Author Comment

by:pleming
ID: 21746959
dariusg:  I hadn't disabled IIS yet, but I've done so now.  No change ... still getting the Google error.

polazarus:  I checked out the link about the Google error.  However, we've been having this problem for way over 24 hours.  It started early last week.  

When I checked my internet filtering device, I noticed that this user was scoring thousands upon thousands of hits to google.com (50,000 vs. 400-500 for others!) each day.  

The only way this will stop is if I disconnect his network cable.  I'd rather not reformat and reinstall if I can help it.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21747196
Have you tried Spybot? Make sure you look in the services and disable IIS. Go to the command prompt and do a netstat, then paste the results to the post. Do you see any unusual errors in the Event Logs?
0
 
LVL 59

Accepted Solution

by:Darius Ghassem (earned 350 total points)
ID: 21747278
Here are a couple of things to try:

1. http://www.2-spyware.com/remove-asprox.html


3. Removing Autostart Key from the Registry

This solution deletes registry keys added by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
3. Still in the left panel, locate and delete the key:
   aspimgr
4. Close Registry Editor.

Deleting the Malware File(s)

1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type:
   aspimgr.exe
3. In the Look In drop-down list, select My Computer, then press Enter.
4. Once located, select the file then press SHIFT+DELETE.
5. Repeat steps 2-4 for the following files:
   • _check32.bat
   • db32.txt
   • g32.txt
   • gs32.txt
   • s32.txt
   • ws386.ini
0
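A read-only PowerShell check for the indicators the accepted solution lists (the aspimgr service key, the dropped files, and the listening sockets a netstat would show), added here as an example; it is not code from the thread or from the linked removal guide. It assumes a modern Windows host with PowerShell 3 or later and English netstat output; the search roots under %SystemRoot% are a constructed guess at where the files would be dropped.

```powershell
# Added example, not from the thread: report the aspimgr indicators named in
# the accepted solution without deleting anything. Run as Administrator.
# Assumptions: PowerShell 3+, English netstat output, files dropped under
# %SystemRoot% or System32 (adjust $searchRoots for your environment).
$serviceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\aspimgr'
$fileNames   = 'aspimgr.exe','_check32.bat','db32.txt','g32.txt','gs32.txt','s32.txt','ws386.ini'
$searchRoots = $env:SystemRoot, (Join-Path $env:SystemRoot 'System32')
$findings    = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. The autostart service key the removal steps tell you to delete.
if (Test-Path $serviceKey) {
    $img = (Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue).ImagePath
    Add-Finding 'RegistryKey' $serviceKey "ImagePath=$img"
}

# 2. A service or process still running under that name.
Get-Service -Name aspimgr -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Service' $_.Name "Status=$($_.Status)" }
Get-Process -Name aspimgr -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Process' "PID $($_.Id)" $_.Path }

# 3. The dropped files, matched by exact name anywhere under the search roots
#    (-Force includes hidden and system files).
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $fileNames -contains $_.Name } |
        ForEach-Object { Add-Finding 'File' $_.FullName "$($_.Length) bytes, modified $($_.LastWriteTime)" }
}

# 4. Listening TCP sockets, parsed from netstat -ano as suggested in the thread.
#    The trojan ran a proxy, so a listener owned by an unfamiliar process is the thing to look at.
netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $local = $Matches[1]; $procId = [int]$Matches[2]
        $owner = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
        Add-Finding 'Listener' $local "PID $procId ($owner)"
    }
}

if ($findings.Count -eq 0) { 'No aspimgr indicators found.' } else { $findings | Format-Table -AutoSize }
```

Compare the Listener rows against what the machine is expected to serve (IIS was still enabled on this one); anything else listening is the process to investigate before deleting files.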

 
LVL 3

Assisted Solution

by:polazarus
polazarus earned 150 total points
ID: 21748024
Use your virus program in conjunction with Sysinternals RootkitRevealer.  It will flush out the ones that are hard to find.
0
 
LVL 3

Expert Comment

by:polazarus
ID: 21748037
When you plug it back in, are there any processes taking up an unusual amount of CPU cycles?  Also, you can plug it in and then start killing off processes until you find the one that kills off the traffic.  Basically, continue eliminating possibilities until you find out which one it was.  I am going to take a closer look at your HijackThis log.
0
 

Expert Comment

by:Elixs
ID: 21748762
run combofix http://download.bleepingcomputer.com/sUBs/combofix.exe
DO NOT CLICK IN THE COMBOFIX WINDOW WHEN RUNNING IT SINCE IT MIGHT CAUSE THE PROGRAM TO CRASH!

And post the log here!
0
 

Author Comment

by:pleming
ID: 21752240
This morning, I re-checked the registry and did a search for all those files.  I had done this before, and did find some entries and files, and deleted them at that time.  They didn't come back.  Ran combofix and have posted the results in this message.  Also ran rootkit revealer.  No change in CPU cycles or processes.  However, this morning after I plugged it back into the network, the problem hasn't returned.  I'm no longer getting Google 403 messages and everything seems to look fine, for now.  I'll still post my combofix log and keep this open for a little bit longer while I keep an eye on the computer and see if the problem comes back.
ComboFix-Rex.txt
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21752305
The registry items were most likely the issue. I would still run this tool to check for all instances: http://www.2-spyware.com/remove-asprox.html. Google does block IP addresses that have virus or malicious software coming from them.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21778470
Any update on this issue?
0
 

Author Closing Comment

by:pleming
ID: 31465562
There's no repeat of the problem and it seems as if a combination of fixes (including spyware removal, manual editing of registry and removal of files, and combofix) did the trick.  Thanks for all the suggestions.
0