Solved

ALG.exe popup by Trend Micro Real Time Protection - can't remove

Posted on 2006-06-13
Last Modified: 2012-08-13
Trend Micro 2006 Real Time Protection reports alg.exe in the c:\windows folder as part of the sdbot.ik worm. It won't delete or quarantine it (I have the latest updates) even in Safe Mode. (The file is actually in the system32 folder.) I turned off System Restore. (XP Home)

I can't shut down the ALG process in Services - all stop options are greyed out even when Manual is set.

Any way to remove this worm?
Question by:curtismjr

18 Comments

LVL 47 Expert Comment by:rpggamergirl
Can we look at your HijackThis log?

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything.
Notepad will also open; copy its contents and paste it to either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/url and post it here.

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", then click "Save". Post the link to the saved list here.


You could also try the MS Removal tool; it removes SDBot worms, but I'm not sure that it has a definition for that particular variant (sdbot.ik).
Info here:
http://support.microsoft.com/?kbid=890830


MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en


LVL 47 Expert Comment by:rpggamergirl
alg.exe in the system32 folder is the legit file; anywhere else would be the worm or virus.

It's better to turn your System Restore back on just in case you need those restore points.

Author Comment by:curtismjr
Here is the HijackThis log. I tried removing the O23 - Application Gateway Mgr entry but it keeps coming back... Also, I ran the Msft Windows Malicious Software tool; the Quick scan turned up nothing - I am running the more complete scan now.
-C
..................................

Logfile of HijackThis v1.99.1
Scan saved at 3:05:13 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\alg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\1144100885\ee\AOLSoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\system32\cmd.exe
C:\My Music\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144100885\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143141346843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143141415515
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://webcam.sewanee.edu/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - C:\WINDOWS\alg.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Author Comment by:curtismjr
Sorry about the paste above - new to this and here is the link to the logfile (I think.)

http://www.hijackthis.de/logfiles/b0c984d66af99c059c12aa25800c3be1.html

-C

LVL 32 Expert Comment by:r-k
For future reference, you can post the HJT log to http://www.hijackthis.de/ and just post a link to the analyzed log.

I did this for you, and it is at:

 http://www.hijackthis.de/logfiles/8162635dce2815d631f5927c54cb2e56.html

You should remove the following entries with HJT itself:

 O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
 O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

Also, do you know what this is:

 O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT

To fix the O23 entry relating to alg.exe, do the following:

 Start -> Control Panel -> Admin Tools -> Services

then find the Service named "Application Layer Gateway Manager (AppLayerGatewayMgr)", right-click on it, select "Properties", then click on "Stop" to stop it; next change the startup type from "Automatic" to "Disabled".

Then reboot and run your AV program and it should be able to clean it up. In any case make sure alg.exe is not running in Task Manager.

Author Comment by:curtismjr
Msft malicious software tool - Full scan shows nothing found, also.
-C

LVL 32 Accepted Solution by:r-k (earned 250 total points)
If you look in the Services control panel, do you see "Application Layer Gateway Manager" there?

If you look at its properties, does it show as running from c:\windows\alg.exe ?

If so, stop and disable that. That file should only be in c:\windows\system32

Author Comment by:curtismjr
OK - I finally was able to stop the App Gateway Service (and Mgr was stopped) (it was running from the c:\windows folder) - before it was greyed out - but this time (maybe it was the reboot) Stop was available.

Blubster is an MP3 music sharing service - I can take it off, also.

Popups from Trend have already dropped off - I'm getting a few "Access Denied" on webHancer trying to install but will take it off, also. This looks like a successful fix.

LVL 32 Expert Comment by:r-k
Yes, looks encouraging.

You don't have to remove Blubster, I just wasn't sure what that is.

When all is said and done, I would suggest renaming or deleting the file c:\windows\alg.exe (not the one in \system32\) unless Trend already did it for you.

Good luck.

Author Comment by:curtismjr
I tried taking the O23 - alg.exe entry off in HijackThis but it comes back when I do a Scan again. However, the Service is still stopped and there are no pop ups from Trend.

Author Comment by:curtismjr
Ok - on deleting alg.exe - the odd thing is that it is not in the c:\windows folder at all (nor was it when I first started looking). I am "Viewing system folders and hidden files" in Folder Options.

LVL 32 Expert Comment by:r-k
To delete the O23 Service, use the following method:

 http://www.theeldergeek.com/add_a_service_in_windows_xp.htm

I think the alg.exe in c:\windows was there, but was being hidden by the virus. Once you disabled it, then Trend probably deleted the file itself (from c:\windows)

The version in c:\windows\system32 is legit, part of the XP firewall, so leave that alone.

The malware is getting sneaky these days, using names similar to real files, making it harder to spot.

Author Comment by:curtismjr
If it comes back as a Trend popup, I'll try theeldergeek suggestion - for now I'm leaving things as they are. Thanks for the help (and the possible explanation on the alg.exe not showing up - it was puzzling!) I have to leave for a while - will check back with my client (and this post) tomorrow.

-C

LVL 32 Expert Comment by:r-k
OK, good luck. Leaving the Service as is will cause no harm so long as it stays disabled. I am sure the Trend warning will not return now that alg.exe itself is gone.

LVL 47 Expert Comment by:rpggamergirl
C:\WINDOWS\alg.exe <-- is this one gone?
Did you use Explorer to look for it or did you use "Search"?
If you used "Search", you need to reconfigure the "Search" function to search for hidden files; by default it does not, and showing hidden files via Explorer's Folder Options will not show hidden files when using "Search".
You need to reconfigure Search to search for hidden files:

Start > Search >
Click "all files and folders" then scroll down
and click "more advanced options"
put a check next to "hidden files and folders"
scroll up, type --> alg.exe
and click Search.


About the O23 entry:
Once the service is stopped, HijackThis is able to delete the service:
Open HijackThis > Open Misc Tools Section > Open "Delete an NT Service"
In the new window, copy and paste or type --> AppLayerGatewayMgr
into the Open field and hit OK.

Or you can also delete it here:
Start > Run

sc delete AppLayerGatewayMgr
0
Author Comment by:curtismjr
I used Explorer to look for it in c:\windows - didn't try Search.
I will try the O23 removal with Misc Tools later today. (webHancer has been triggering Trend popups this a.m. so I'm working on that. I used Add/Remove Programs on it and deleted the Program Files folder but it is still out there - but alg.exe has not been OK.)

Author Comment by:curtismjr
Removed webHancer with Ad-Aware and the popups have stopped.

LVL 32 Expert Comment by:r-k
Great. I think you're pretty much in the clear now.