Solved

SpamRelayer_Alpiok Trojan Horse found by SpySweeper?

Posted on 2006-06-24
Last Modified: 2010-04-12
Hello,
I have Symantec AntiVirus, AdAware, and Webroot Spysweeper. I have successfully removed another virus from my computer, but I have had no luck with this one. Spysweeper says I have "SpamRelayer_Alpiok" and it wants me to subscribe to remove it, but I don't want to unless I need to.
First of all, is this even a trojan? If so, why didn't Symantec catch it?
Second of all, is it as bad as they say? Does it need to be removed?
Third of all, how do I remove it manually?
Thanks in advance for your help!
Paix120


Description of virus from SpySweeper:
http://www.webroot.com/php/spysweeper_spydesc.php

Question by:paix120
7 Comments
 
LVL 3

Author Comment

by:paix120
ID: 16977640
Sorry that link won't work unless I click it from SpySweeper - can't copy the link directly to the virus page. Here's what it says:

----------------------------------
TROJAN HORSE Description:

Name: SpamRelayer_Alpiok
Author:
Category: Trojan Horse
Threat Assessment: Critical

Description:

SpamRelayer_Alpiok is a backdoor Trojan horse that relays spam e-mail messages and blocks known security updates.

Characteristics:

SpamRelayer_Alpiok may manage files on your computer, including creating, deleting, renaming, viewing, or transferring files to or from your computer. It can utilize a program manager that allows a hacker to install, execute, open, or close programs. The hacker can gain remote control of your cursor and keyboard and can even send mass e-mails from your infected computer. It can run in the background, hiding its presence.

Method of Infection:

SpamRelayer_Alpiok is usually disguised as a harmless software program and is generally distributed as an e-mail attachment. Opening the attachment may cause an auto-installation process that loads the Trojan onto your computer without your knowledge or consent.

Additional Comments:

It is recommended that you change all of your passwords after removing this program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.


----------------------------------

Are they just trying to get me to buy SpySweeper, or is it actually dangerous?

LVL 97

Expert Comment

by:war1
ID: 16978998
Greetings, paix120 !

1. Yes, SpamRelayer_Alpiok is a trojan. Symantec looks for trojans related to viruses. This is a trojan related to spyware.

2. Yes, the trojan needs to be removed. If you do not want to pay Spysweeper to remove it, try using the Ewido trojan scanner and remover
http://www.ewido.net/en/

Download and install Ewido. It has a free 14 day trial. Update the definitions. Then go to Safe Mode and run the Ewido scan on your computer.

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save. Post a link to the saved list here.

Best wishes!
LVL 3

Author Comment

by:paix120
ID: 16979766
Thanks, I'll try Ewido. Spysweeper has a free trial, but only for scanning. I'll see if Ewido catches it.
LVL 3

Author Comment

by:paix120
ID: 16979975
OK, Ewido found another trojan, "Trojan.Agent.fd", but had an "Error during cleaning".
It didn't catch the SpamRelayer_Alpiok one; I ran SpySweeper again and it's still there. Here's my HijackThis log (my computer is fairly new, so I'm sure this list will double when I get everything installed!)

Any ideas? Should I just purchase SpySweeper?




Logfile of HijackThis v1.99.1
Scan saved at 4:35:11 PM, on 6/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\Service.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\mdm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Renee.RENEEDELL\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151051828968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

LVL 97

Accepted Solution

by: war1 (earned 600 total points)
ID: 16980324
paix120,

Here is a link to the analyzed log

http://hijackthis.de/logfiles/b5f1a15ded19e52385bb1bad4f83403a.html

1. Go to C:\WINDOWS\System32\Service.exe and delete the Service.exe file.
Go to C:\WINDOWS\system32\IEFilter.dll and delete IEFilter.dll if the file is there.
Go to C:\WINDOWS\System32\ipxrsxs.dll and delete ipxrsxs.dll if the file is there.

Use Killbox or Unlocker in Safe Mode to remove hard-to-remove files.

Killbox to remove stubborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html


Check the box next to the following items and have HijackThis "Fix Checked".

O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
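The triage war1 applied to the posted log (entries whose registered file is missing, a service with no identified vendor, a BHO with no name) can be automated over HijackThis output. This is an added Python example, not code from the thread or from HijackThis; the sample lines are copied from the log above, and the three rules are an assumption about what makes an entry worth a closer look, not a verdict of infection.

```python
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
"""

# HijackThis entry: "<section> - <kind>: <fields separated by ' - '>"
LINE_RE = re.compile(r"^(O\d+) - (\w+): (.*)$")
MISSING = "(file missing)"


def parse_entry(line):
    """Split one HijackThis line into section, kind, fields, path and missing flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    section, kind, rest = m.groups()
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    fields = [p.strip() for p in rest.split(" - ")]
    return {"section": section, "kind": kind, "fields": fields,
            "path": fields[-1], "missing": missing}


def suspicious_reasons(entry):
    """Heuristics (assumed, mirroring the expert's picks) that mark an entry for review."""
    reasons = []
    if entry["missing"]:
        reasons.append("registered file is missing from disk")
    if entry["section"] == "O23" and "Unknown owner" in entry["fields"]:
        reasons.append("service has no identified vendor")
    if entry["section"] == "O2" and entry["fields"][0] == "(no name)":
        reasons.append("BHO has no name")
    return reasons


def triage(log_text):
    """Return {path: [reasons]} for every entry that trips at least one heuristic."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry["path"]] = reasons
    return flagged
```

A "(file missing)" entry is a dangling registration; it still belongs in the fix list, but the file itself (or whatever re-creates it) is what the earlier scan steps are for.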
LVL 3

Author Comment

by:paix120
ID: 16981182
Thanks that seemed to work! It looks like the trojans are gone! Points to you.
LVL 97

Expert Comment

by:war1
ID: 16981351
paix120, glad to help!