asked on

ALG.exe popup by Trend Micro Real Time Protection - can't remove

Trend micro 2006 real time protection reports alg.exe in c:\windows folder as part of sdbot.ik worm. Won't delete or quarantine it (have latest updates) even in safe mode. (The file is actually in the system32 folder.) Turned off system restore. (XP Home)

Can't shut down ALG process in Services - all stop options greyed out even when Manual is set.

Any way to remove this worm?

rpggamergirl

Can we look at your hijackthis log?

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save". Post the link to the saved list here.

You could also try MS Removal tool, it removes SDBot worms, but not sure that it has definition for that particular variant(sdbot.ik)
Info here:
http://support.microsoft.com/?kbid=890830

MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

rpggamergirl

alg.exe in system32 folder is the legit file, anywhere else would be the worm or virus.

It's better to turn your System Restore back on just incase you need those restore points.

curtismjr

ASKER

Here is the HiJackthis log. I tried removing the 023 - Application Gateway Mgr entry but it keeps coming back...Also, ran Msft Windows Malicious Software tool Quick scan turned up nothing - am running more complete scan now.
-C
..................................

Logfile of HijackThis v1.99.1
Scan saved at 3:05:13 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\alg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\1144100885\ee\AOLSoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\system32\cmd.exe
C:\My Music\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144100885\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143141346843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143141415515
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://webcam.sewanee.edu/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - C:\WINDOWS\alg.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

curtismjr

ASKER

Sorry about the paste above - new to this and here is the link to the logfile (I think.)

http://www.hijackthis.de/logfiles/b0c984d66af99c059c12aa25800c3be1.html

-C

r-k

For future reference, you can post the HJT log to http://www.hijackthis.de/ and just post a link to the analyzed log.

I did this for you, and it is at:

http://www.hijackthis.de/logfiles/8162635dce2815d631f5927c54cb2e56.html

You should remove the following entries with HJT itself:

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

Also, do you know what this is:

O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT

To fix the O23 entry relating to alg.exe, do the following:

Start -> Control Panel -> Admin Tools -> Services

then find the Service named "Application Layer Gateway Manager (AppLayerGatewayMgr) " and right-click on it, select "Properties", then click on "Stop" to stop it, next change the startup type from "Automatic" to "Disabled"

Then reboot and run you AV program and it should be able to clean it up. In any case make sure alg.exe is not running in Task Manager.

curtismjr

ASKER

Msft malicious software tool - Full scan shows nothing found, also.
-C

ASKER CERTIFIED SOLUTION

r-k

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

curtismjr

ASKER

OK - I finally was able to stop App Gateway Service (and Mgr was stopped) (it was running from c:\windows folder) - before it was greyed out - but this time (maybe it was the reboot) Stop was available.

Blubster is an MP3 music sharing service - I can take it off, also.

Popups from Trend have already dropped off - I'm getting a few "Access Denied" on WebEenhancer trying to install but will take it off, also. This looks like a successful fix.

r-k

Yes, looks encouraging.

You don't have to remove Blubster, I just wasn't sure what that is.

When all is said and done, I would suggest renaming or deleting the file c:\windows\alg.exe (not the one in \system32\) unless Trend already did it for you.

Good luck.

curtismjr

ASKER

I tried taking the 023 - alg.exe entry off in Hijack this but it comes back when I do a Scan again. However, the Service is still stopped and no pop ups from Trend.

curtismjr

ASKER

Ok - on deleting alg.exe - the odd thing is that it is not in the c:\windows folder at all (nor has it been when I first started looking.) I am "Viewing system folders and hidden files" in Folder options.

r-k

To delete the O23 Service, use the following method:

http://www.theeldergeek.com/add_a_service_in_windows_xp.htm

I think the alg.exe in c:\windows was there, but was being hidden by the virus. Once you disabled it, then Trend probably deleted the file itself (from c:\windows)

The version in c:\windows\system32 is legit, part of the XP firewall, so leave that alone.

The malware is getting sneaky these days, using names similar to real files, making it hardder to spot.

curtismjr

ASKER

If it comes back as a Trend popup, I'll try theeldergeek suggestion - for now I'm leaving things as they are. Thanks for the help (and the possible explanation on the alg.exe not showing up - it was puzzling!) I have to leave for a while - will check back with my client (and this post) tommorrow.

-C

r-k

OK, good luck. Leaving the Service as is will cause no harm so long as it stays disabled. I am sure Trend warning will not return now that alg.exe itself is gone.

rpggamergirl

C:\WINDOWS\alg.exe <-- is this one gone?
Did you used explorer to look for it or you used "search"?
If you used "search", you need to reconfigure "search" function to search for hidden files? by default it is not, and by showing hidden files via explorer folder options will not show hidden files when using "search".
You need to reconfigure search to search for hidden files:

Start > Search >
Click "all files and folders" then scroll down
and click "more advanced options"
put a check next to "hidden files and folders"
scroll up, type --> alg.exe
and click Search.

About the 023 entry:
Once the service is stopped, hijackthis are able to delete the service,
Open Hijackthis > Open Misc Tools Section > Open "Delete an NT Service"
In the new window, copy and paste or type --> AppLayerGatewayMgr
into the Open field and hit OK.

Or you can also delete it here:
Start > Run

sc delete AppLayerGatewayMgr

curtismjr

ASKER

I used Explorer to look for it in c:\windows - didn't try Search.
Will try the 023 removal with Misc Tools later today. (Webhancer has been triggering Trend popups this am so I'm working on that. I Add/rem programs it and deleted the Program files but it is still out there - but alg.exe has not been OK.)

curtismjr

ASKER

Removed Webenhancer with Ad aware and popups have stopped.

r-k

Great. I think you're pretty much in the clear now.