Solved

SpamRelayer_Alpiok Trojan Horse found by SpySweeper?

Posted on 2006-06-24
Medium Priority
933 Views
Last Modified: 2010-04-12
Hello,
I have Symantec AntiVirus, AdAware, and Webroot Spysweeper. I have successfully removed another virus from my computer, but I have had no luck with this one. Spysweeper says I have "SpamRelayer_Alpiok" and it wants me to subscribe to remove it, but I don't want to unless I need to.
First of all, is this even a trojan? If so, why didn't Symantec catch it?
Second of all, is it as bad as they say? Does it need to be removed?
Third of all, how do I remove it manually?
Thanks in advance for your help!
Paix120


Description of virus from SpySweeper:
http://www.webroot.com/php/spysweeper_spydesc.php

Question by:paix120
7 Comments
 
LVL 3

Author Comment

by:paix120
ID: 16977640
Sorry that link won't work unless I click it from SpySweeper - can't copy the link directly to the virus page. Here's what it says:

----------------------------------
TROJAN HORSE Description:

Name: SpamRelayer_Alpiok
Author:
Category: Trojan Horse
Threat Assessment: Critical
Description:

SpamRelayer_Alpiok is a backdoor Trojan horse that relays spam e-mail messages and blocks known security updates.

Characteristics:

SpamRelayer_Alpiok may manage files on your computer, including creating, deleting, renaming, viewing, or transferring files to or from your computer. It can utilize a program manager that allows a hacker to install, execute, open, or close programs. The hacker can gain remote control of your cursor and keyboard and can even send mass e-mails from your infected computer. It can run in the background, hiding its presence.

Method of Infection:

SpamRelayer_Alpiok is usually disguised as a harmless software program and is generally distributed as an e-mail attachment. Opening the attachment may cause an auto-installation process that loads the Trojan onto your computer without your knowledge or consent.

Additional Comments:

It is recommended that you change all of your passwords after removing this program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.


----------------------------------

Are they just trying to get me to buy SpySweeper, or is it actually dangerous?

 
LVL 97

Expert Comment

by:war1
ID: 16978998
Greetings, paix120 !

1. Yes, SpamRelayer_Alpiok is a trojan. Symantec looks for trojans related to viruses. This is a trojan related to spyware.

2. Yes, the trojan needs to be removed. If you do not want to pay Spysweeper to remove it, try using the Ewido trojan scanner and remover:
http://www.ewido.net/en/

Download and install Ewido. It has a free 14-day trial. Update the definitions. Then go to Safe Mode and run the Ewido scan on your computer.

3. If still no joy, download HijackThis:

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save. Post a link to the saved list here.

Best wishes!
 
LVL 3

Author Comment

by:paix120
ID: 16979766
Thanks, I'll try Ewido. Spysweeper has a free trial, but only for scanning. I'll see if Ewido catches it.
 
LVL 3

Author Comment

by:paix120
ID: 16979975
OK, Ewido found another trojan, "Trojan.Agent.fd", but had an "Error during cleaning".
It didn't catch the SpamRelayer_Alpiok one; I ran SpySweeper again and it's still there. Here's my HijackThis log (my computer is fairly new, so I'm sure this list will double when I get everything installed!)

Any ideas? Should I just purchase SpySweeper?

Logfile of HijackThis v1.99.1
Scan saved at 4:35:11 PM, on 6/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\Service.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\mdm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Renee.RENEEDELL\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151051828968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

 
LVL 97

Accepted Solution

by:
war1 earned 600 total points
ID: 16980324
paix120,

Here is a link to the analyzed log:

http://hijackthis.de/logfiles/b5f1a15ded19e52385bb1bad4f83403a.html

1. Go to C:\WINDOWS\System32\Service.exe and delete the Service.exe file.
Go to C:\WINDOWS\system32\IEFilter.dll and delete IEFilter.dll if the file is there.
Go to C:\WINDOWS\System32\ipxrsxs.dll and delete ipxrsxs.dll if the file is there.

Use Killbox or Unlocker in Safe Mode to remove hard-to-remove files.

Killbox to remove stubborn files:
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html


Check the box next to the following items and have HijackThis "Fix Checked".

O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
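The triage war1 did by eye above, as an added example that is not part of this thread or of any tool's own code: a Python script that scans lines in HijackThis log format for the indicators he acted on (a registry entry whose target file is missing, a service with no vendor string, a BHO with no name) and cross-checks missing-file entries against the running-process list. The sample log is a constructed subset of the log posted earlier in the thread.

```python
import re

# Constructed sample: lines copied from the HijackThis v1.99.1 log posted in
# the thread, plus one benign Symantec service entry as a control.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\Service.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")   # "O23 - Service: ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")             # lines under "Running processes:"
MISSING = " (file missing)"

def parse_entry(line):
    """Split 'O23 - Service: name - owner - path' into section, kind and fields; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    return {"section": section, "kind": kind, "fields": [f.strip() for f in rest.split(" - ")]}

def triage(log_text):
    """Return (section, name, reasons) for entries matching the indicators war1 acted on."""
    running = {l.strip().lower() for l in log_text.splitlines() if PROCESS_RE.match(l.strip())}
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        name, last = e["fields"][0], e["fields"][-1]
        reasons = []
        if last.endswith(MISSING):
            reasons.append("registry entry points to a file that is not on disk")
            # The registry still points here but the file is gone: note if something runs from that path anyway.
            if last[:-len(MISSING)].lower() in running:
                reasons.append("yet a process with this exact path is running")
        if e["kind"] == "Service" and "Unknown owner" in e["fields"]:
            reasons.append("service carries no vendor string")
        if e["kind"] == "BHO" and name == "(no name)":
            reasons.append("browser helper object has no name")
        if reasons:
            findings.append((e["section"], name, reasons))
    return findings
```

Each finding maps onto one of the four lines war1 told the asker to "Fix Checked"; the benign Symantec entry produces no finding.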
 
LVL 3

Author Comment

by:paix120
ID: 16981182
Thanks, that seemed to work! It looks like the trojans are gone! Points to you.
 
LVL 97

Expert Comment

by:war1
ID: 16981351
paix120, glad to help!