is this process valid in sbs 2003

I think I might have a virus/spyware infection on my sbs2003 server and would like to verify a few services I am not sure about. I compared to a few other sbs2003 servers and I don't see these. Do they look like normal/valid apps? The server was almost stalled this morning even after having shut down most of the non-essential services.

- Application Layer Gateway Server 21115012 (C:\WINDOWS\system32\svchost.exe /k netsvcs)
- Application Layer Gateway Service (C:\WINDOWS\system32\alg.exe)
- Application Layer Gateway Serviec (C:\WINDOWS\temp\svehost.exe)
  (this last one worries me a lot: misspelling, temp folder, svehost.exe)
I am running a scan on these with malwarebytes/hijackthis/superantispyware
Asked by: ndidomenico

1 Solution
Lee W, MVP (Technology and Business Process Advisor) commented:
Yeah... that's not good.  I would be booting to a Win7/Vista/2008/2008R2/UBCD4WIN boot CD and then RENAMING (NOT DELETING) that file so it couldn't start.  However, if it is Malware (and I strongly suspect it is), it's probably somewhere else on the system as well waiting to reinstall itself.  Malwarebytes and you should probably switch antiviruses if it didn't catch this... (You ARE running one on the server, right?)
 
nwtechdesk commented:
Rule of thumb: anything running in the temp folder is deletable and should be.

alg.exe should be there
svchost no problem

get rid of svehost
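The two indicators the thread relies on (a service binary launched from a temp folder, and a name that is a near-miss of a real Windows service or binary) can be checked mechanically. The following is an added example, not code from the question or from any of the answers; the service list is constructed from the three entries in the question, and the similarity thresholds and the list of known binaries are assumptions chosen for this illustration.

```python
import difflib
import ntpath

# Constructed sample: the three service entries from the question (display name, ImagePath)
SERVICES = [
    ("Application Layer Gateway Server 21115012", r"C:\WINDOWS\system32\svchost.exe /k netsvcs"),
    ("Application Layer Gateway Service", r"C:\WINDOWS\system32\alg.exe"),
    ("Application Layer Gateway Serviec", r"C:\WINDOWS\temp\svehost.exe"),
]

# Assumed reference data: genuine Windows binaries / display names and writable directories
KNOWN_BINARIES = ("svchost.exe", "alg.exe", "services.exe", "lsass.exe", "winlogon.exe")
KNOWN_NAMES = ("Application Layer Gateway Service",)
UNTRUSTED_DIRS = ("\\temp\\", "\\tmp\\", "\\local settings\\", "\\documents and settings\\")
BINARY_THRESHOLD, NAME_THRESHOLD = 0.85, 0.90   # assumed similarity cut-offs


def split_image_path(binpath):
    """Split an ImagePath such as 'C:\\x\\svchost.exe /k netsvcs' into (directory, exe)."""
    s = binpath.strip()
    if s.startswith('"'):                      # quoted path, may contain spaces
        end = s.find('"', 1)
        exe_path = s[1:end] if end > 0 else s[1:]
    else:                                      # unquoted: first token is the executable
        exe_path = s.split(" ", 1)[0]
    return ntpath.split(exe_path)


def similar(a, b):
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def triage(name, binpath):
    """Return the list of suspicious indicators for one service (empty list = none found)."""
    directory, exe = split_image_path(binpath)
    reasons = []
    if any(marker in directory.lower() + "\\" for marker in UNTRUSTED_DIRS):
        reasons.append("binary runs from a temp/user-writable directory: " + directory)
    for known in KNOWN_BINARIES:               # look-alike binary name (svehost vs svchost)
        if exe.lower() != known and similar(exe, known) >= BINARY_THRESHOLD:
            reasons.append("binary %s is a look-alike of %s" % (exe, known))
    for known in KNOWN_NAMES:                  # look-alike display name (Serviec vs Service)
        if name != known and similar(name, known) >= NAME_THRESHOLD:
            reasons.append("display name is a near-miss of '%s'" % known)
    return reasons


def triage_all(services):
    return {name: triage(name, path) for name, path in services}


if __name__ == "__main__":
    for name, reasons in triage_all(SERVICES).items():
        print(name, "->", reasons or "no indicators")
```

An empty result only means none of these two indicators fired; it is not evidence that the service is clean.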
 
Lee W, MVP (Technology and Business Process Advisor) commented:
That's right, delete it so you can bring down your whole system.  

Renaming it means you can easily restore it if necessary.  Deleting it means you could spend hours MORE trying to recover the system.

I've seen malware embed itself so thoroughly that when deleted, the system becomes UNUSABLE.  Hopefully, this is not the case - it's USUALLY not the case... but it can happen.  Don't make the infection worse by deleting it and potentially making the system unusable.  If the anti-malware products correctly identify it, they SHOULD know how to remove it safely.  Otherwise, by renaming, if it doesn't come back, you're PROBABLY clean and if it causes a complete failure you can rename it back and make sure you can run for a short time until you can rebuild the server.
 
ndidomenico (Author) commented:
Thanks all for your help. Ran Malwarebytes and it did detect 4 files infected. The svehost.exe was indeed a Trojan.Backdoor. It also found a "Memory Module Infected" Trojan.ServiceHijacker ?? (never saw this one before), and some registry keys infected. It was able to unload them but I will need to reboot the server to complete the deletion (delete on reboot), but will have to do this later tonight.

When the server would crawl down, the memory usage was way up (8 Gb compared to 3 normally) but surprisingly the cpu utilization was still very low (1-5%). The memory usage now seems back to normal with minimum services loaded (file server, Exchange), and I will start the other required services slowly one by one (Bes, backup, antivirus, etc).

Looks like our Trend didn't catch this one. A bit worrying. Will scan with a few other tools (hijackthis, otl, superantispyware) to confirm there is nothing left.

 
nwtechdesk commented:
Trend doesn't rank very high at catching malware.  Eset, Sophos, and Vipre do a better job.
 
nwtechdesk commented:
Ooops, forgot to mention Kaspersky.  I've installed it in dozens of places and had very good results with it.  There have been some PCs with lingering problems where Kaspersky was able to pull out the malware tenterhooks over the space of a few days.
Question has a verified solution.