SpamRelayer_Alpiok Trojan Horse found by SpySweeper?

Posted on 2006-06-24
Last Modified: 2010-04-12
Hello,
I have Symantec AntiVirus, AdAware, and Webroot Spysweeper. I have successfully removed another virus from my computer, but I have had no luck with this one. Spysweeper says I have "SpamRelayer_Alpiok" and it wants me to subscribe to remove it, but I don't want to unless I need to.
First of all, is this even a trojan? If so, why didn't symantec catch it?
Second of all, is it as bad as they say? Does it need to be removed?
Third of all, how do I remove it manually?
Thanks in advance for your help!
Paix120


Description of virus from SpySweeper:
http://www.webroot.com/php/spysweeper_spydesc.php

Question by:paix120

LVL 3

Author Comment

by:paix120
ID: 16977640
Sorry that link won't work unless I click it from SpySweeper - can't copy the link directly to the virus page. Here's what it says:

----------------------------------
TROJAN HORSE Description:

Name: SpamRelayer_Alpiok
Author:
Category: Trojan Horse
Threat Assessment: Critical

Description:

SpamRelayer_Alpiok is a backdoor Trojan horse that relays spam e-mail messages and blocks known security updates.

Characteristics:

SpamRelayer_Alpiok may manage files on your computer, including creating, deleting, renaming, viewing, or transferring files to or from your computer. It can utilize a program manager that allows a hacker to install, execute, open, or close programs. The hacker can gain remote control of your cursor and keyboard and can even send mass e-mails from your infected computer. It can run in the background, hiding its presence.

Method of Infection:

SpamRelayer_Alpiok is usually disguised as a harmless software program and is generally distributed as an e-mail attachment. Opening the attachment may cause an auto-installation process that loads the Trojan onto your computer without your knowledge or consent.

Additional Comments:

It is recommended that you change all of your passwords after removing this program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.


----------------------------------

Are they just trying to get me to buy SpySweeper, or is it actually dangerous?

LVL 97

Expert Comment

by:war1
ID: 16978998
Greetings, paix120!

1. Yes, SpamRelayer_Alpiok is a trojan.  Symantec looks for trojans related to viruses.  This is a trojan related to spyware.

2. Yes, the trojan needs to be removed. If you do not want to pay Spysweeper to remove it, try using Ewido trojan scanner and remover
http://www.ewido.net/en/

Download and install Ewido. It has a free 14-day trial.  Update the definitions.  Then go to Safe Mode and run the Ewido scan on your computer.

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save.  Post a link to the saved list here.

Best wishes!
LVL 3

Author Comment

by:paix120
ID: 16979766
Thanks, I'll try Ewido. Spysweeper has a free trial, but only for scanning. I'll see if Ewido catches it.
LVL 3

Author Comment

by:paix120
ID: 16979975
OK Ewido found another trojan, "Trojan.Agent.fd", but had an "Error during cleaning".
It didn't catch the SpamRelayer_Alpiok one; I ran SpySweeper again and it's still there. Here's my HijackThis log (my computer is fairly new, so I'm sure this list will double when I get everything installed!)

Any ideas? Should I just purchase SpySweeper?
Logfile of HijackThis v1.99.1
Scan saved at 4:35:11 PM, on 6/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\Service.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\mdm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Renee.RENEEDELL\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151051828968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

LVL 97

Accepted Solution

by:
war1 earned 150 total points
ID: 16980324
paix120,

Here is a link to the analyzed log

http://hijackthis.de/logfiles/b5f1a15ded19e52385bb1bad4f83403a.html

1. Go to C:\WINDOWS\System32\Service.exe and delete Service.exe file.  
Go to C:\WINDOWS\system32\IEFilter.dll and delete IEFilter.dll if the file is there.
Go to C:\WINDOWS\System32\ipxrsxs.dll and delete ipxrsxs.dll if the file is there.

Use Killbox or Unlocker in Safe Mode to remove hard-to-remove files.

Killbox to remove stubborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html


Check the box next to the following items and have HijackThis "Fix Checked".

O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
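As an added example (not part of the thread or of any tool named in it), the following Python script applies the same triage heuristics war1 used on the log above to HijackThis-style lines: entries whose target is marked "(file missing)", a BHO registered with "(no name)", and an O23 service with "Unknown owner". The sample lines are copied from the posted log, with two benign Adobe and Symantec entries kept for contrast.

```python
import re

# Constructed sample in the shape of the HijackThis log posted above
# (values taken from that log; two benign lines kept for contrast).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
"""

# "O23 - Service: name - owner - path"; the trailing "(file missing)" marker is optional.
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<body>.+?)(?P<missing> \(file missing\))?$")

def parse_entry(line):
    """Split one HijackThis line into section, kind, ' - '-separated fields and flags."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # headers, process list lines, blanks
    fields = [f.strip() for f in m.group("body").split(" - ")]
    return {"section": m.group("section"), "kind": m.group("kind"),
            "fields": fields, "path": fields[-1],
            "file_missing": m.group("missing") is not None, "raw": line.strip()}

def triage(log_text):
    """Return (reason, raw line) pairs for entries matching the heuristics applied in the thread."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e["file_missing"]:
            reasons.append("registration points at a file that no longer exists")
        if e["section"] == "O2" and e["fields"][0] == "(no name)":
            reasons.append("BHO registered without a name")
        if e["section"] == "O23" and "Unknown owner" in e["fields"]:
            reasons.append("service has no vendor/owner")
        if reasons:
            findings.append(("; ".join(reasons), e["raw"]))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a real log to get the list of lines worth checking before choosing which to "Fix Checked"; an orphaned entry is still worth removing because a later dropper can recreate the file.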
LVL 3

Author Comment

by:paix120
ID: 16981182
Thanks that seemed to work! It looks like the trojans are gone! Points to you.
LVL 97

Expert Comment

by:war1
ID: 16981351
paix120, glad to help!