

ALG.exe popup by Trend Micro Real Time Protection - can't remove

Posted on 2006-06-13
Medium Priority
Last Modified: 2012-08-13
Trend Micro 2006 real-time protection reports alg.exe in the c:\windows folder as part of the sdbot.ik worm. Won't delete or quarantine it (have latest updates) even in safe mode. (The file is actually in the system32 folder.) Turned off System Restore. (XP Home)

Can't shut down ALG process in Services - all stop options greyed out even when Manual is set.

Any way to remove this worm?
Question by:curtismjr
LVL 47

Expert Comment

ID: 16898730
Can we look at your hijackthis log?

Please download HijackThis 1.99.1
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open; copy its contents and paste it to either of these sites:
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> 
and click "Analyse", click "Save".  Post the link to the saved list here.

You could also try the MS Removal tool; it removes SDBot worms, but I'm not sure that it has a definition for that particular variant (sdbot.ik).
Info here:

MS malicious software removal tool:

LVL 47

Expert Comment

ID: 16898760
alg.exe in system32 folder is the legit file, anywhere else would be the worm or virus.

It's better to turn your System Restore back on just in case you need those restore points.

Author Comment

ID: 16906377
Here is the HijackThis log. I tried removing the O23 - Application Gateway Mgr entry but it keeps coming back... Also, ran the Msft Windows Malicious Software tool Quick scan, which turned up nothing - am running a more complete scan now.

Logfile of HijackThis v1.99.1
Scan saved at 3:05:13 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\1144100885\ee\AOLSoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\My Music\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144100885\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - C:\WINDOWS\alg.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Author Comment

ID: 16906443
Sorry about the paste above - new to this and here is the link to the logfile (I think.)

LVL 32

Expert Comment

ID: 16906503
For future reference, you can post the HJT log to and just post a link to the analyzed log.

I did this for you, and it is at:

You should remove the following entries with HJT itself:

 O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
 O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

Also, do you know what this is:

 O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT

To fix the O23 entry relating to alg.exe, do the following:

 Start -> Control Panel -> Admin Tools -> Services

then find the Service named "Application Layer Gateway Manager (AppLayerGatewayMgr)", right-click on it, select "Properties", then click on "Stop" to stop it; next change the startup type from "Automatic" to "Disabled".

Then reboot and run your AV program and it should be able to clean it up. In any case make sure alg.exe is not running in Task Manager.

Author Comment

ID: 16906582
Msft malicious software tool - Full scan shows nothing found, also.
LVL 32

Accepted Solution

r-k earned 1000 total points
ID: 16906642
If you look in the Services control panel, do you see "Application Layer Gateway Manager" there?

If you look at its properties, does it show as running from c:\windows\alg.exe ?

If so, stop and disable that. That file should only be in c:\windows\system32

Author Comment

ID: 16906964
OK - I finally was able to stop the App Gateway Service (and Mgr was stopped) (it was running from the c:\windows folder) - before it was greyed out - but this time (maybe it was the reboot) Stop was available.

Blubster is an MP3 music sharing service -  I can take it off, also.

Popups from Trend have already dropped off - I'm getting a few "Access Denied" on webHancer trying to install but will take it off, also. This looks like a successful fix.
LVL 32

Expert Comment

ID: 16907009
Yes, looks encouraging.

You don't have to remove Blubster, I just wasn't sure what that is.

When all is said and done, I would suggest renaming or deleting the file c:\windows\alg.exe (not the one in \system32\) unless Trend already did it for you.

Good luck.

Author Comment

ID: 16907034
I tried taking the O23 - alg.exe entry off in HijackThis but it comes back when I do a Scan again. However, the Service is still stopped and no popups from Trend.

Author Comment

ID: 16907056
OK - on deleting alg.exe - the odd thing is that it is not in the c:\windows folder at all (nor was it when I first started looking.) I am "Viewing system folders and hidden files" in Folder Options.
LVL 32

Expert Comment

ID: 16907126
To delete the O23 Service, use the following method:

I think the alg.exe in c:\windows was there, but was being hidden by the virus. Once you disabled it, Trend probably deleted the file itself (from c:\windows).

The version in c:\windows\system32 is legit, part of the XP firewall, so leave that alone.

The malware is getting sneaky these days, using names similar to real files, making it harder to spot.

Author Comment

ID: 16907167
If it comes back as a Trend popup, I'll try the TheElderGeek suggestion - for now I'm leaving things as they are. Thanks for the help (and the possible explanation on the alg.exe not showing up - it was puzzling!)  I have to leave for a while - will check back with my client (and this post) tomorrow.

LVL 32

Expert Comment

ID: 16907198
OK, good luck. Leaving the Service as is will cause no harm so long as it stays disabled. I am sure the Trend warning will not return now that alg.exe itself is gone.
LVL 47

Expert Comment

ID: 16908286
C:\WINDOWS\alg.exe <-- is this one gone?
Did you use Explorer to look for it, or did you use "Search"?
If you used "Search", you need to reconfigure the "Search" function to search for hidden files. By default it does not, and showing hidden files via Explorer's Folder Options will not make "Search" show hidden files.
You need to reconfigure Search to search for hidden files:

Start > Search >
Click "all files and folders" then scroll down
and click "more advanced options"
put a check next to "hidden files and folders"
scroll up, type --> alg.exe
and click Search.

About the O23 entry:
Once the service is stopped, HijackThis is able to delete the service:
Open Hijackthis > Open Misc Tools Section > Open  "Delete an NT Service"
In the new window, copy and paste or type -->  AppLayerGatewayMgr
into the Open field and hit OK.

Or you can also delete it here:
Start > Run

sc delete AppLayerGatewayMgr
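
The check the experts walk through above (a Windows system binary name living outside %SystemRoot%\system32, a service whose binary carries no company name, then stop / disable / delete the service) can be applied to a HijackThis log mechanically. The following is an added example, not code from the thread or from HijackThis: it parses O4 (Run key) and O23 (NT service) lines, flags masquerading binaries, and emits the same sc.exe and reg.exe commands an admin would type at Start > Run. The sample lines are copied from the log posted above, except the "Service Host" O4 line, which is constructed to exercise the Run-key branch. The list of system32-only binary names is an illustrative assumption, not an exhaustive one; the legitimate XP ALG service is named "ALG" and runs %SystemRoot%\System32\alg.exe, which is why the "AppLayerGatewayMgr" service pointing at C:\WINDOWS\alg.exe stands out.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4/O23 lines from the HijackThis log posted in this thread, plus one
# made-up O4 line ("Service Host") so the Run-key remediation branch is exercised too.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKCU\..\Run: [Service Host] C:\WINDOWS\svchost.exe
O23 - Service: Application Layer Gateway Manager (AppLayerGatewayMgr) - Unknown owner - C:\WINDOWS\alg.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
"""

# Windows binaries that, on XP, legitimately live only under %SystemRoot%\system32.
# Assumption: an illustrative list for this example, not an exhaustive one.
SYSTEM32_ONLY = {"alg.exe", "svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}

# HJT O23 format: "display name (service name) - company - path"; the "(service name)" part is optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# HJT O4 format: "HIVE\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def first_exe(cmd: str) -> str:
    """Return the executable a Run-key command launches (quoted path, else the first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def parse_entries(log_text: str) -> list:
    """Parse HijackThis O4 (Run key) and O23 (NT service) lines into dicts; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line)
        if m:
            entries.append({"kind": "O23", "name": m["name"] or m["display"],
                            "owner": m["owner"], "path": m["path"].strip()})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "name": m["name"], "hive": m["hive"],
                            "owner": None, "path": first_exe(m["cmd"])})
    return entries


def masquerade_findings(entries: list) -> list:
    """Flag entries whose binary has a protected system name but sits outside system32,
    and services whose binary has no company name ("Unknown owner" in HJT output)."""
    findings = []
    for e in entries:
        p = PureWindowsPath(e["path"])
        reasons = []
        if p.name.lower() in SYSTEM32_ONLY and not str(p.parent).lower().endswith("\\system32"):
            reasons.append(f"{p.name} found in {p.parent}, expected %SystemRoot%\\system32")
        if e["kind"] == "O23" and e["owner"].lower() == "unknown owner":
            reasons.append("service binary has no company name in its version info")
        if reasons:
            findings.append((e, reasons))
    return findings


RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def remediation_commands(findings: list) -> list:
    """Emit the sc.exe / reg.exe commands to run from Start > Run: stop, disable, then delete
    a rogue service (sc.exe needs the space after 'start='), or drop a rogue Run value."""
    cmds = []
    for e, _ in findings:
        if e["kind"] == "O23":
            cmds += [f"sc stop {e['name']}",
                     f"sc config {e['name']} start= disabled",
                     f"sc delete {e['name']}"]
        else:
            cmds.append(f'reg delete "{e["hive"]}\\{RUN_KEY}" /v "{e["name"]}" /f')
    return cmds


if __name__ == "__main__":
    found = masquerade_findings(parse_entries(SAMPLE_LOG))
    for entry, reasons in found:
        print(f"{entry['kind']} {entry['name']}: {entry['path']}")
        for reason in reasons:
            print(f"    - {reason}")
    print("\n".join(remediation_commands(found)))
```

Run it as a script and the two flagged entries are the constructed "Service Host" Run value and the AppLayerGatewayMgr service, the latter for both reasons; the emitted `sc delete AppLayerGatewayMgr` is the same step as HijackThis's "Delete an NT Service". The path check is deliberately by file name, so it also catches the case the thread describes where Explorer shows nothing because the file is hidden.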

Author Comment

ID: 16913101
I used Explorer to look for it in c:\windows - didn't try Search.
Will try the O23 removal with Misc Tools later today. (webHancer has been triggering Trend popups this a.m. so I'm working on that. I removed it via Add/Remove Programs and deleted the Program Files folder but it is still out there - but alg.exe has not been OK.)

Author Comment

ID: 16915150
Removed webHancer with Ad-Aware and popups have stopped.
LVL 32

Expert Comment

ID: 16915657
Great. I think you're pretty much in the clear now.
