curtismjr
asked on
ALG.exe popup by Trend Micro Real Time Protection - can't remove
Trend Micro 2006 real-time protection reports alg.exe in the c:\windows folder as part of the sdbot.ik worm. It won't delete or quarantine it (I have the latest updates), even in safe mode. (The file is actually in the system32 folder.) Turned off System Restore. (XP Home)
Can't shut down ALG process in Services - all stop options greyed out even when Manual is set.
Any way to remove this worm?
alg.exe in the system32 folder is the legit file; anywhere else it would be the worm or virus.
It's better to turn your System Restore back on, just in case you need those restore points.
ASKER
Here is the HijackThis log. I tried removing the O23 - Application Gateway Mgr entry but it keeps coming back. Also, I ran the Msft Windows Malicious Software tool quick scan, which turned up nothing - am running a more complete scan now.
-C
..........................
Logfile of HijackThis v1.99.1
Scan saved at 3:05:13 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\alg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\1144100885\ee\AOLSoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\system32\cmd.exe
C:\My Music\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144100885\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143141346843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143141415515
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://webcam.sewanee.edu/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - C:\WINDOWS\alg.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
ASKER
Sorry about the paste above - new to this and here is the link to the logfile (I think.)
http://www.hijackthis.de/logfiles/b0c984d66af99c059c12aa25800c3be1.html
-C
For future reference, you can post the HJT log to http://www.hijackthis.de/ and just post a link to the analyzed log.
I did this for you, and it is at:
http://www.hijackthis.de/logfiles/8162635dce2815d631f5927c54cb2e56.html
You should remove the following entries with HJT itself:
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
Also, do you know what this is:
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
To fix the O23 entry relating to alg.exe, do the following:
Start -> Control Panel -> Admin Tools -> Services
then find the Service named "Application Layer Gateway Manager (AppLayerGatewayMgr)", right-click on it, select "Properties", then click "Stop" to stop it; next change the startup type from "Automatic" to "Disabled".
Then reboot and run your AV program and it should be able to clean it up. In any case, make sure alg.exe is not running in Task Manager.
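The advice above boils down to two checks on the log: a service with an "Unknown owner", and a file that carries the name of a System32 component (alg.exe here) but runs from some other directory. The following is an added example, not code from this thread or from HijackThis, that applies both checks mechanically to O23 and running-process lines; the SAMPLE_LOG excerpt, the SYSTEM32_RESIDENTS name table and the function names are constructed for the example.

```python
"""Triage a HijackThis log for look-alike system binaries.

Added example, not HijackThis' own logic.  Two heuristics:
  * an O23 service whose company field is "Unknown owner" deserves a look;
  * a binary that carries the name of a Windows component living in
    %SystemRoot%\\System32 but runs from some other directory (the
    C:\\WINDOWS\\alg.exe case in the thread) is a look-alike.
"""
import ntpath
import re

# Hand-made table of names that belong in System32 (an assumption for the
# example; real triage would check signatures or hashes, not names).
SYSTEM32_RESIDENTS = {
    "alg.exe", "svchost.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "smss.exe", "spoolsv.exe",
}

# O23 - Service: <display> (<short name>) - <owner> - <path>
# The "(short name)" part is optional (see the iPodService line).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)
# A line in the "Running processes:" section is just a drive-rooted path.
PROC_RE = re.compile(r'^"?[A-Za-z]:\\')

# Constructed excerpt modelled on the thread's log (paths cleaned up).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - C:\WINDOWS\alg.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
"""


def is_impostor(path):
    """True when the file name belongs in System32 but the path is not there."""
    if ntpath.basename(path).lower() not in SYSTEM32_RESIDENTS:
        return False
    parent = ntpath.normcase(ntpath.dirname(path))  # lower-case, backslashes
    return not parent.endswith(r"\windows\system32")


def analyze(log_text):
    """Return (kind, service_name_or_None, path) tuples worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            path = m.group("path").strip().strip('"')
            name = m.group("name") or m.group("display")
            if m.group("owner") == "Unknown owner":
                findings.append(("unknown_owner", name, path))
            if is_impostor(path):
                findings.append(("impostor_service", name, path))
        elif PROC_RE.match(line):
            path = line.strip('"')
            if is_impostor(path):
                findings.append(("impostor_process", None, path))
    return findings


if __name__ == "__main__":
    for kind, name, path in analyze(SAMPLE_LOG):
        print(f"{kind:17} {name or '-':22} {path}")
```

On the sample excerpt it reports C:\WINDOWS\alg.exe three times (as a running process, as an "Unknown owner" service, and as a look-alike service binary) and stays silent on the genuine System32 processes.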
ASKER
Msft malicious software tool - Full scan shows nothing found, also.
-C
ASKER CERTIFIED SOLUTION
ASKER
OK - I finally was able to stop App Gateway Service (and Mgr was stopped) (it was running from c:\windows folder) - before it was greyed out - but this time (maybe it was the reboot) Stop was available.
Blubster is an MP3 music sharing service - I can take it off, also.
Popups from Trend have already dropped off - I'm getting a few "Access Denied" on webHancer trying to install, but will take it off, also. This looks like a successful fix.
Yes, looks encouraging.
You don't have to remove Blubster, I just wasn't sure what that is.
When all is said and done, I would suggest renaming or deleting the file c:\windows\alg.exe (not the one in \system32\) unless Trend already did it for you.
Good luck.
ASKER
I tried taking the O23 - alg.exe entry off in HijackThis, but it comes back when I do a scan again. However, the Service is still stopped and there are no popups from Trend.
ASKER
Ok - on deleting alg.exe - the odd thing is that it is not in the c:\windows folder at all (nor was it when I first started looking). I am "Viewing system folders and hidden files" in Folder Options.
To delete the O23 Service, use the following method:
http://www.theeldergeek.com/add_a_service_in_windows_xp.htm
I think the alg.exe in c:\windows was there, but was being hidden by the virus. Once you disabled it, then Trend probably deleted the file itself (from c:\windows)
The version in c:\windows\system32 is legit, part of the XP firewall, so leave that alone.
The malware is getting sneaky these days, using names similar to real files, making it harder to spot.
ASKER
If it comes back as a Trend popup, I'll try the theeldergeek suggestion - for now I'm leaving things as they are. Thanks for the help (and the possible explanation on the alg.exe not showing up - it was puzzling!) I have to leave for a while - will check back with my client (and this post) tomorrow.
-C
OK, good luck. Leaving the Service as is will cause no harm so long as it stays disabled. I am sure the Trend warning will not return now that alg.exe itself is gone.
C:\WINDOWS\alg.exe <-- is this one gone?
Did you use Explorer to look for it, or did you use "Search"?
If you used "Search", you need to reconfigure the "Search" function to search for hidden files; by default it does not, and showing hidden files via Explorer's folder options will not make "Search" show hidden files.
You need to reconfigure search to search for hidden files:
Start > Search >
Click "all files and folders" then scroll down
and click "more advanced options"
put a check next to "hidden files and folders"
scroll up, type --> alg.exe
and click Search.
About the O23 entry:
Once the service is stopped, HijackThis is able to delete the service.
Open Hijackthis > Open Misc Tools Section > Open "Delete an NT Service"
In the new window, copy and paste or type --> AppLayerGatewayMgr
into the Open field and hit OK.
Or you can also delete it here:
Start > Run
sc delete AppLayerGatewayMgr
ASKER
I used Explorer to look for it in c:\windows - didn't try Search.
Will try the O23 removal with Misc Tools later today. (webHancer has been triggering Trend popups this am, so I'm working on that. I removed it via Add/Remove Programs and deleted the Program Files folder, but it is still out there - but alg.exe has not been OK.)
ASKER
Removed webHancer with Ad-Aware and the popups have stopped.
Great. I think you're pretty much in the clear now.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile", and don't fix anything.
Notepad will also open; copy its contents and paste it to either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save". Post the link to the saved list here.
You could also try MS Removal tool, it removes SDBot worms, but not sure that it has definition for that particular variant(sdbot.ik)
Info here:
http://support.microsoft.com/?kbid=890830
MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en