Solved

SpamRelayer_Alpiok Trojan Horse found by SpySweeper?

Posted on 2006-06-24
7
930 Views
Last Modified: 2010-04-12
Hello,
I have Symantec AntiVirus, AdAware, and Webroot Spysweeper. I have successfully removed another virus from my computer, but I have had no luck with this one. Spysweeper says I have "SpamRelayer_Alpiok" and it wants me to subscribe to remove it, but I don't want to unless I need to.
First of all, is this even a trojan? If so, why didn't symantec catch it?
Second of all, is it as bad as they say? Does it need to be removed?
Third of all, how do I remove it manually?
Thanks in advance for your help!
Paix120


Description of virus from SpySweeper:
http://www.webroot.com/php/spysweeper_spydesc.php

0
Comment
Question by:paix120
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 3

Author Comment

by:paix120
ID: 16977640
Sorry that link won't work unless I click it from SpySweeper - can't copy the link directly to the virus page. Here's what it says:

----------------------------------
TROJAN HORSE Description:

Name:
 SpamRelayer_Alpiok
 
Author:
 
 
Category:
 Trojan Horse
 
Threat Assessment:
 Critical
 

 

Description:

SpamRelayer_Alpiok is a backdoor Trojan horse that relays spam e-mail messages and blocks known security updates.

Characteristics:

SpamRelayer_Alpiok may manage files on your computer, including creating, deleting, renaming, viewing, or transferring files to or from your computer. It can utilize a program manager that allows a hacker to install, execute, open, or close programs. The hacker can gain remote control of your cursor and keyboard and can even send mass e-mails from your infected computer. It can run in the background, hiding its presence.

Method of Infection:

SpamRelayer_Alpiok is usually disguised as a harmless software program and is generally distributed as an e-mail attachment. Opening the attachment may cause an auto-installation process that loads the Trojan onto your computer without your knowledge or consent.

Additional Comments:

It is recommended that you change all of your passwords after removing this program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.


----------------------------------

Are they just trying to get me to buy SpySweeper, or is it actually dangerous?

0
 
LVL 97

Expert Comment

by:war1
ID: 16978998
Greetings, paix120 !

1. Yes, SpamRelayer_Alpiok is a trojan.  Symantec looks for trojans related to virus.  This is trojan related to spyware.

2. Yes, the trojan needs to be removed. If you do not want to pay Spysweeper to remove it, try using Ewido trojan scanner and remover
http://www.ewido.net/en/

Download and istall Ewido. It has a free 14 day trial.  Update the definitions.  Then go to Safe Mode and run the Ewido scan on your computer.

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save.  Post a link to the saved list here.

Best wishes!
0
 
LVL 3

Author Comment

by:paix120
ID: 16979766
Thanks, I'll try Ewido. Spysweeper has a free trial, but only for scanning. I'll see if Ewido catches it.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 3

Author Comment

by:paix120
ID: 16979975
OK Ewido found another trojan, "Trojan.Agent.fd", but had an "Error during cleaning".
It didn't catch the Spamrelayer Alpiok one, I ran SpySweeper again and it's still there. Here's my HijackThis log (my computer is fairly new, so I'm sure this list will double when I get everything installed!)

Any ideas? Should I just purchase SpySweeper?




Logfile of HijackThis v1.99.1
Scan saved at 4:35:11 PM, on 6/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\Service.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\mdm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Renee.RENEEDELL\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151051828968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

0
 
LVL 97

Accepted Solution

by:
war1 earned 150 total points
ID: 16980324
paix120,

Here is a link to the analyzed log

http://hijackthis.de/logfiles/b5f1a15ded19e52385bb1bad4f83403a.html

1. Go to C:\WINDOWS\System32\Service.exe and delete Service.exe file.  
Go to C:\WINDOWS\system32\IEFilter.dll and delete IEFilter.dll if the file is there.
Go to C:\WINDOWS\System32\ipxrsxs.dll and delete ipxrsxs.dll if the file is there.

Use Use Killbox or Unlocker in Safe Mode to remove hard to remove file.

Killbox to remove stuborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html


Check the box next to the following items and have HijackThis "Fix Checked".

O2 - BHO: (no name) - {CCFFBA06-345C-4D30-800D-D8740BC75C1c} - C:\WINDOWS\System32\vbhueagb.dll (file missing)
O21 - SSODL: IEFilter - {6B287F52-2F51-4EB7-823F-F953EC3AD936} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O21 - SSODL: Protocol Connection - {C2450D46-9743-416D-9406-C1FAFD60397B} - C:\WINDOWS\System32\ipxrsxs.dll (file missing)
O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe (file missing)
0
 
LVL 3

Author Comment

by:paix120
ID: 16981182
Thanks that seemed to work! It looks like the trojans are gone! Points to you.
0
 
LVL 97

Expert Comment

by:war1
ID: 16981351
paix120, glad to help!
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question