Is this process valid in SBS 2003?

I think I might have a virus/spyware infection on my SBS 2003 server and would like to verify a few services I am not sure about. I compared to a few other SBS 2003 servers and I don't see these. Do they look like normal/valid apps? The server was almost stalled this morning even after having shut down most of the non-essential services.

- Appication Layer Gateway Server 21115012 (C:\WINDOWS\system32\svchost.exe /k netsvcs)
- Appication Layer Gateway Service (C:\WINDOWS\system32\alg.exe)
- Appication Layer Gateway Serviec (C:\WINDOWS\temp\svehost.exe)
  (this last one worries me a lot: misspelling, temp folder, svehost.exe)
I am running a scan on these with Malwarebytes/HijackThis/SUPERAntiSpyware.
ndidomenico Asked:
Lee W, MVP, Technology and Business Process Advisor Commented:
Yeah... that's not good. I would be booting to a Win7/Vista/2008/2008R2/UBCD4WIN boot CD and then RENAMING (NOT DELETING) that file so it couldn't start. However, if it is Malware (and I strongly suspect it is), it's probably somewhere else on the system as well waiting to reinstall itself. Malwarebytes and you should probably switch antiviruses if it didn't catch this... (You ARE running one on the server, right?)
0
nwtechdesk Commented:
Rule of thumb: anything running in the temp folder is deletable and should be.

alg.exe should be there
svchost no problem

get rid of svehost
0
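The two warning signs raised in this thread, a service binary running from a temp folder and a file or display name that is a near-miss of a genuine Windows name (svehost.exe vs svchost.exe, "Serviec" vs "Service"), can be checked across the whole service list instead of by eye. This is an added example, not code from the thread or from any of the tools named in it; it assumes PowerShell 2.0 is installed on the server and queries Win32_Service over WMI, and the known-name lists and edit-distance thresholds are triage heuristics chosen here.

```powershell
# Added example, not code from the thread: audit the service list for the two
# warning signs raised above, a service binary living in a temp folder and a
# file or display name that is a near-miss of a genuine Windows name
# (svehost.exe vs svchost.exe, "Serviec" vs "Service"). Assumes PowerShell 2.0
# is installed on the server; it queries Win32_Service over WMI.

$KnownBinaries = @('svchost.exe', 'alg.exe', 'lsass.exe', 'services.exe',
                   'csrss.exe', 'winlogon.exe', 'spoolsv.exe')
$KnownDisplayNames = @('Application Layer Gateway Service')

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, case-insensitive, two-row dynamic programming
    $a = $a.ToLower(); $b = $b.ToLower()
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + @(New-Object int[] $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Test-SuspiciousService($svc) {
    # Returns the reasons a service looks wrong; returns nothing when it looks normal
    $reasons = @()
    if (-not $svc.PathName) { return }
    # Reduce '"C:\x y\a.exe" -arg' or 'C:\WINDOWS\system32\svchost.exe /k netsvcs' to the .exe path
    $exe  = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(.+?\.exe)\b.*$', '$1'
    $file = [IO.Path]::GetFileName($exe).ToLower()
    $dir  = [IO.Path]::GetDirectoryName($exe)
    if ($dir -match '\\temp(\\|$)') { $reasons += "binary runs from a temp folder: $dir" }
    foreach ($k in $KnownBinaries) {
        if ($file -eq $k -and $dir -notmatch '\\system32$') { $reasons += "$k outside system32" }
        elseif ($file -ne $k -and (Get-EditDistance $file $k) -le 2) { $reasons += "'$file' resembles $k" }
    }
    foreach ($n in $KnownDisplayNames) {
        $d = Get-EditDistance $svc.DisplayName $n
        if ($d -gt 0 -and $d -le 3) { $reasons += "display name resembles '$n'" }
    }
    return $reasons
}
# Run against the live service list; only flagged entries are printed, with their reasons
Get-WmiObject Win32_Service | ForEach-Object {
    $r = Test-SuspiciousService $_
    if ($r) { "{0}`n  {1}`n  -> {2}" -f $_.DisplayName, $_.PathName, ($r -join '; ') }
}
```

To try it on the entry from the question without the WMI query, pass `Test-SuspiciousService` an object built with `New-Object PSObject -Property @{ DisplayName = 'Appication Layer Gateway Serviec'; PathName = 'C:\WINDOWS\temp\svehost.exe' }`; it returns the temp-folder, svchost.exe look-alike and display-name reasons, while the genuine alg.exe entry in system32 returns nothing.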

Lee W, MVP, Technology and Business Process Advisor Commented:
That's right, delete it so you can bring down your whole system.

Renaming it means you can easily restore it if necessary. Deleting it means you could spend hours MORE trying to recover the system.

I've seen malware embed itself so thoroughly that when deleted, the system becomes UNUSABLE. Hopefully, this is not the case - it's USUALLY not the case... but it can happen. Don't make the infection worse by deleting it and potentially making the system unusable. If the anti-malware products correctly identify it, they SHOULD know how to remove it safely. Otherwise, by renaming, if it doesn't come back, you're PROBABLY clean, and if it causes a complete failure you can rename it back and make sure you can run for a short time until you can rebuild the server.
0
ndidomenico Author Commented:
Thanks all for your help. Ran Malwarebytes and it did detect 4 files infected. The svehost.exe was indeed a Trojan.Backdoor. It also found a "Memory Module Infected" Trojan.ServiceHijacker ?? (never saw this one before), and some registry keys infected. It was able to unload them but I will need to reboot the server to complete the deletion (delete on reboot), but will have to do this later tonight.

When the server would crawl down, the memory usage was way up (8 GB when compared to 3 normally) but surprisingly the CPU utilization was still very low (1-5%). The memory usage now seems back to normal with minimum services loaded (file server, Exchange), and I will start the other required services slowly one by one (BES, backup, antivirus, etc.).

Looks like our Trend didn't catch this one. A bit worrying. Will scan with a few other tools (HijackThis, OTL, SUPERAntiSpyware) to confirm there is nothing left.

0
nwtechdesk Commented:
Trend doesn't rank very high at catching malware. Eset, Sophos, and Vipre do a better job.
0
nwtechdesk Commented:
Oops, forgot to mention Kaspersky. I've installed it in dozens of places and had very good results with it. There have been some PCs with lingering problems where Kaspersky was able to pull out the malware tenterhooks over the space of a few days.
0