Solved

ALG.exe popup by Trend Micro Real Time Protection - can't remove

Posted on 2006-06-13
Last Modified: 2012-08-13
Trend Micro 2006 Real Time Protection reports alg.exe in the c:\windows folder as part of the sdbot.ik worm. It won't delete or quarantine it (I have the latest updates), even in safe mode. (The file is actually in the system32 folder.) Turned off System Restore. (XP Home)

Can't shut down ALG process in Services - all stop options greyed out even when Manual is set.

Any way to remove this worm?
Question by:curtismjr
18 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16898730
Can we look at your hijackthis log?

Please download HijackThis 1.99.1:
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything.
Notepad will also open; copy its contents and paste it to either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", then click "Save". Post the link to the saved list here.


You could also try the MS Removal tool; it removes SDBot worms, but I'm not sure that it has a definition for that particular variant (sdbot.ik).
Info here:
http://support.microsoft.com/?kbid=890830


MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16898760
alg.exe in the system32 folder is the legit file; anywhere else would be the worm or virus.

It's better to turn your System Restore back on, just in case you need those restore points.
0
 

Author Comment

by:curtismjr
ID: 16906377
Here is the HijackThis log. I tried removing the O23 - Application Gateway Mgr entry but it keeps coming back... Also, ran the Msft Windows Malicious Software tool; the Quick scan turned up nothing - am running a more complete scan now.
-C
..................................

Logfile of HijackThis v1.99.1
Scan saved at 3:05:13 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\alg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\1144100885\ee\AOLSoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\system32\cmd.exe
C:\My Music\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144100885\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143141346843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143141415515
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://webcam.sewanee.edu/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - C:\WINDOWS\alg.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

0
 

Author Comment

by:curtismjr
ID: 16906443
Sorry about the paste above - new to this and here is the link to the logfile (I think.)

http://www.hijackthis.de/logfiles/b0c984d66af99c059c12aa25800c3be1.html

-C
0
 
LVL 32

Expert Comment

by:r-k
ID: 16906503
For future reference, you can post the HJT log to http://www.hijackthis.de/ and just post a link to the analyzed log.

I did this for you, and it is at:

 http://www.hijackthis.de/logfiles/8162635dce2815d631f5927c54cb2e56.html

You should remove the following entries with HJT itself:

 O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
 O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

Also, do you know what this is:

 O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT

To fix the O23 entry relating to alg.exe, do the following:

 Start -> Control Panel -> Admin Tools -> Services

then find the service named "Application Layer Gateway Manager (AppLayerGatewayMgr)" and right-click on it, select "Properties", then click "Stop" to stop it; next, change the startup type from "Automatic" to "Disabled".

Then reboot and run your AV program, and it should be able to clean it up. In any case, make sure alg.exe is not running in Task Manager.
0
 

Author Comment

by:curtismjr
ID: 16906582
Msft malicious software tool - Full scan shows nothing found, also.
-C
0
 
LVL 32

Accepted Solution

by:
r-k earned 250 total points
ID: 16906642
If you look in the Services control panel, do you see "Application Layer Gateway Manager" there?

If you look at its properties, does it show as running from c:\windows\alg.exe ?

If so, stop and disable that. That file should only be in c:\windows\system32
0
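As an added example (not from this thread, HijackThis or Trend Micro), here is a Python check that applies the tests r-k used in the two posts above to HijackThis log text: it flags a binary carrying a Windows system file name such as alg.exe that runs, or is registered as an O23 service, from anywhere other than System32, and O23 services whose owner HijackThis reports as "Unknown owner". It assumes the default XP system directory C:\WINDOWS\system32; the sample log is a few lines taken from the log posted in this thread.

```python
import re
from pathlib import PureWindowsPath

# System binary names that malware likes to borrow; alg.exe is the one from this thread.
SYSTEM_BINARIES = {"alg.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")  # assumed default XP system directory

# O23 line: "O23 - Service: <name> (<short name>) - <owner> - <image path>";
# the "(<short name>)" part is missing for some services (e.g. iPodService in the thread's log).
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - "
                    r"(?P<owner>.+?) - (?P<path>.+)$")

def is_masquerade(path):
    """True if the image bears a system binary's name but does not live in System32."""
    p = PureWindowsPath(path.strip().strip('"'))
    parent = [part.lower() for part in p.parent.parts]       # case-insensitive compare
    return p.name.lower() in SYSTEM_BINARIES and parent != [s.lower() for s in SYSTEM32.parts]

def analyze(log_text):
    """Return a list of (reason, image path) findings for a HijackThis log."""
    findings, in_procs = [], False
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and re.match(r"^[A-Za-z]:\\", line):     # still in the process list
            if is_masquerade(line):
                findings.append(("running process", line))
        else:
            in_procs = False                                    # first O-line ends the list
            m = O23_RE.match(line)
            if m:
                path = m.group("path").strip()
                if m.group("owner") == "Unknown owner":         # HJT could not attribute it
                    findings.append(("O23 service, unknown owner", path))
                if is_masquerade(path):
                    findings.append(("O23 service, system binary name outside System32", path))
    return findings

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - C:\WINDOWS\alg.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""
```

Running `analyze(SAMPLE_LOG)` reports C:\WINDOWS\alg.exe three times (as a running process, as an unattributed service, and as a system binary name outside System32) while the legitimate System32 processes pass.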
 

Author Comment

by:curtismjr
ID: 16906964
OK - I finally was able to stop the App Gateway Service (and Mgr was stopped) (it was running from the c:\windows folder) - before, it was greyed out, but this time (maybe it was the reboot) Stop was available.

Blubster is an MP3 music sharing service -  I can take it off, also.

Popups from Trend have already dropped off - I'm getting a few "Access Denied" on webHancer trying to install, but will take it off, also. This looks like a successful fix.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16907009
Yes, looks encouraging.

You don't have to remove Blubster, I just wasn't sure what that is.

When all is said and done, I would suggest renaming or deleting the file c:\windows\alg.exe (not the one in \system32\) unless Trend already did it for you.

Good luck.
0
 

Author Comment

by:curtismjr
ID: 16907034
I tried taking the O23 - alg.exe entry off in HijackThis, but it comes back when I do a scan again. However, the service is still stopped and no pop ups from Trend.
0
 

Author Comment

by:curtismjr
ID: 16907056
Ok - on deleting alg.exe - the odd thing is that it is not in the c:\windows folder at all (nor was it when I first started looking.) I am "Viewing system folders and hidden files" in Folder options.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16907126
To delete the O23 Service, use the following method:

 http://www.theeldergeek.com/add_a_service_in_windows_xp.htm

I think the alg.exe in c:\windows was there, but was being hidden by the virus. Once you disabled it, then Trend probably deleted the file itself (from c:\windows)

The version in c:\windows\system32 is legit, part of the XP firewall, so leave that alone.

The malware is getting sneaky these days, using names similar to real files, making it harder to spot.
0
 

Author Comment

by:curtismjr
ID: 16907167
If it comes back as a Trend popup, I'll try the theeldergeek suggestion - for now I'm leaving things as they are. Thanks for the help (and the possible explanation on the alg.exe not showing up - it was puzzling!) I have to leave for a while - will check back with my client (and this post) tomorrow.

-C
0
 
LVL 32

Expert Comment

by:r-k
ID: 16907198
OK, good luck. Leaving the service as is will cause no harm so long as it stays disabled. I am sure the Trend warning will not return now that alg.exe itself is gone.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16908286
C:\WINDOWS\alg.exe <-- is this one gone?
Did you use Explorer to look for it, or did you use "Search"?
If you used "Search", you need to reconfigure the "Search" function to search for hidden files; by default it does not, and showing hidden files via the Explorer folder options will not show hidden files when using "Search".
You need to reconfigure Search to search for hidden files:

Start > Search >
Click "all files and folders" then scroll down
and click "more advanced options"
put a check next to "hidden files and folders"
scroll up, type --> alg.exe
and click Search.


About the O23 entry:
Once the service is stopped, HijackThis is able to delete the service.
Open HijackThis > Open Misc Tools Section > Open "Delete an NT Service"
In the new window, copy and paste or type --> AppLayerGatewayMgr
into the Open field and hit OK.

Or you can also delete it here:
Start > Run

sc delete AppLayerGatewayMgr
0
 

Author Comment

by:curtismjr
ID: 16913101
I used Explorer to look for it in c:\windows - didn't try Search.
Will try the O23 removal with Misc Tools later today. (webHancer has been triggering Trend popups this a.m., so I'm working on that. I removed it with Add/Remove Programs and deleted the Program Files folder, but it is still out there - but alg.exe has not been OK.)
0
 

Author Comment

by:curtismjr
ID: 16915150
Removed webHancer with Ad-Aware and the popups have stopped.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16915657
Great. I think you're pretty much in the clear now.
0
