Solved

SpamRelayer_Alpiok Trojan Horse found by SpySweeper?

Posted on 2006-06-24
Last Modified: 2010-04-12
Hello,
I have Symantec AntiVirus, AdAware, and Webroot Spysweeper. I have successfully removed another virus from my computer, but I have had no luck with this one. Spysweeper says I have "SpamRelayer_Alpiok" and it wants me to subscribe to remove it, but I don't want to unless I need to.
First of all, is this even a trojan? If so, why didn't symantec catch it?
Second of all, is it as bad as they say? Does it need to be removed?
Third of all, how do I remove it manually?
Thanks in advance for your help!
Paix120


Description of virus from SpySweeper:
http://www.webroot.com/php/spysweeper_spydesc.php

Question by:paix120

7 Comments
LVL 3

Author Comment

by:paix120
Sorry that link won't work unless I click it from SpySweeper - can't copy the link directly to the virus page. Here's what it says:

----------------------------------
TROJAN HORSE Description:

Name: SpamRelayer_Alpiok
Author:
Category: Trojan Horse
Threat Assessment: Critical
Description:

SpamRelayer_Alpiok is a backdoor Trojan horse that relays spam e-mail messages and blocks known security updates.

Characteristics:

SpamRelayer_Alpiok may manage files on your computer, including creating, deleting, renaming, viewing, or transferring files to or from your computer. It can utilize a program manager that allows a hacker to install, execute, open, or close programs. The hacker can gain remote control of your cursor and keyboard and can even send mass e-mails from your infected computer. It can run in the background, hiding its presence.

Method of Infection:

SpamRelayer_Alpiok is usually disguised as a harmless software program and is generally distributed as an e-mail attachment. Opening the attachment may cause an auto-installation process that loads the Trojan onto your computer without your knowledge or consent.

Additional Comments:

It is recommended that you change all of your passwords after removing this program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.


----------------------------------

Are they just trying to get me to buy SpySweeper, or is it actually dangerous?

LVL 97

Expert Comment

by:war1
Greetings, paix120 !

1. Yes, SpamRelayer_Alpiok is a trojan. Symantec looks for trojans related to viruses. This is a trojan related to spyware.

2. Yes, the trojan needs to be removed. If you do not want to pay Spysweeper to remove it, try using Ewido trojan scanner and remover
http://www.ewido.net/en/

Download and install Ewido. It has a free 14-day trial. Update the definitions. Then go to Safe Mode and run the Ewido scan on your computer.

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, then Save. Post a link to the saved list here.

Best wishes!
LVL 3

Author Comment

by:paix120
Thanks, I'll try Ewido. Spysweeper has a free trial, but only for scanning. I'll see if Ewido catches it.
LVL 3

Author Comment

by:paix120
OK, Ewido found another trojan, "Trojan.Agent.fd", but had an "Error during cleaning".
It didn't catch the SpamRelayer_Alpiok one; I ran SpySweeper again and it's still there. Here's my HijackThis log (my computer is fairly new, so I'm sure this list will double when I get everything installed!)

Any ideas? Should I just purchase SpySweeper?

Logfile of HijackThis v1.99.1
Scan saved at 4:35:11 PM, on 6/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\Service.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\mdm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Renee.RENEEDELL\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151051828968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

LVL 97

Accepted Solution

by: war1 (earned 150 total points)
paix120,

Here is a link to the analyzed log

http://hijackthis.de/logfiles/b5f1a15ded19e52385bb1bad4f83403a.html

1. Go to C:\WINDOWS\System32\Service.exe and delete the Service.exe file.
Go to C:\WINDOWS\system32\IEFilter.dll and delete IEFilter.dll if the file is there.
Go to C:\WINDOWS\System32\ipxrsxs.dll and delete ipxrsxs.dll if the file is there.

Use Killbox or Unlocker in Safe Mode to remove hard-to-remove files.

Killbox to remove stubborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html


2. Check the box next to the following items and have HijackThis "Fix Checked".

O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
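The accepted answer picked its four "Fix Checked" items out of the log by eye: every entry HijackThis marked "(file missing)", plus the O23 service with an unknown owner. The script below, added here as an example and not part of this thread or of HijackThis itself, applies that same triage mechanically. It parses the "Running processes:" section and the O2/O4/O20/O21/O23 entry formats exactly as they appear in the posted log, flags missing files, unknown-owner services and unnamed BHOs, and adds one cross-check the answer did not spell out: a path HijackThis reports as missing that nonetheless shows up in the running-process list (as C:\WINDOWS\System32\Service.exe does in the log above), which is worth a second look rather than a shrug. SAMPLE_LOG is a constructed subset of the posted log; the Entry fields and the reason strings are this example's own naming.

```python
"""Triage a HijackThis v1.99 log: flag "(file missing)" entries, services with
an unknown owner, unnamed BHOs, and "missing" paths that are actually running."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: a subset of the lines from the log posted in the question.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:35:11 PM, on 6/25/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Service.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")      # "O23 - Service: ..."
RUN_RE = re.compile(r"^\[(.+?)\]\s*(.*)$")      # O4 payload: [name] "path"
MISSING = " (file missing)"


@dataclass
class Entry:
    section: str          # "O2", "O21", "O23", ...
    name: str             # BHO / SSODL / service / Run-value name
    owner: Optional[str]  # O23 only: the publisher column
    path: str             # file the entry points at
    file_missing: bool    # HijackThis appended "(file missing)"
    raw: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one O-section line; returns None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    file_missing = body.endswith(MISSING)
    if file_missing:
        body = body[: -len(MISSING)]
    if section == "O4":  # HKLM\..\Run: [name] "path" args
        rest = body.split(": ", 1)[-1]
        r = RUN_RE.match(rest)
        name, path = (r.group(1), r.group(2)) if r else (rest, "")
        return Entry(section, name, None, path.strip('"'), file_missing, line)
    # Other sections are " - " separated: "Kind: name - <owner|clsid> - path"
    head, *rest = [f.strip() for f in body.split(" - ")]
    name = head.split(": ", 1)[-1]
    path = rest[-1] if rest else ""
    owner = rest[0] if section == "O23" and len(rest) >= 2 else None
    return Entry(section, name, owner, path, file_missing, line)


def parse_log(text: str) -> Tuple[Set[str], List[Entry]]:
    """Return (lower-cased running-process paths, parsed O-section entries)."""
    running: Set[str] = set()
    entries: List[Entry] = []
    in_procs = False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:                  # process list ends at the first blank line
            if not line.strip():
                in_procs = False
            else:
                running.add(line.strip().lower())
            continue
        e = parse_entry(line)
        if e:
            entries.append(e)
    return running, entries


def triage(entry: Entry, running: Set[str]) -> List[str]:
    """Reasons an entry deserves review; empty list means nothing stood out."""
    reasons = []
    if entry.file_missing:
        reasons.append("file missing")
    if entry.owner == "Unknown owner":
        reasons.append("unknown owner")
    if entry.section == "O2" and entry.name == "(no name)":
        reasons.append("unnamed BHO")
    if entry.file_missing and entry.path.lower() in running:
        reasons.append("reported missing but present in running processes")
    return reasons


def analyze(text: str) -> List[Tuple[Entry, List[str]]]:
    """Entries worth a second look, in log order, with their reasons."""
    running, entries = parse_log(text)
    flagged = []
    for e in entries:
        why = triage(e, running)
        if why:
            flagged.append((e, why))
    return flagged


if __name__ == "__main__":
    for e, why in analyze(SAMPLE_LOG):
        print(f"{e.section:4} {e.path}  <- {', '.join(why)}")
```

Run against the constructed sample it reports exactly the four lines the answer told the poster to fix, and the Service.exe line additionally carries the "present in running processes" note. The triage rules are deliberately the ones the thread used; a "file missing" marker alone is only a prompt for a human to confirm with the registry key and the disk before anything is removed.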
LVL 3

Author Comment

by:paix120
Thanks, that seemed to work! It looks like the trojans are gone! Points to you.
LVL 97

Expert Comment

by:war1
paix120, glad to help!