Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: royo on April 09, 2011, 03:55:12 PM
-
This one has me close to despair.
I recently had some kind of malware infestation. WinXP 32, fully up to date. Avast/ZA etc. I noticed, comparing with another three computers that this one had a process, alg.exe, running. A search revealed that this is sometimes associated with malware, however the source file was in system32, as it should be. Symptoms included keyboard remapping, multiple object selection etc. Killing the process restored normal functioning.
So I rebuilt the PC from scratch.
Then, without thinking, I reconnected a drive that had been used for backup previously when the PC had been configured in "dynamic disc" mode (don't ask...) On rebooting this immediately reinfected the PC. Or so I thought.
So I rebuilt it again. Full low-level format etc. No internet connection except Win update activity using (I think) IE 6n with Win firewall on. Added Avast, ZA, Chrome etc. Started using the PC. Within 24 hrs, SAME SYMPTOMS! Tear out remaining hair.
NOTHING identifies this malware - tried boot-time scans, online scans from other AV suppliers etc.
I would appreciate some help as I really don't want to spend another couple of days rebuilding this PC - possibly to no useful result. I searched this site and found a couple of references to this process however I'd like to start from a blank sheet.
Thanks
Roy
-
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )
To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )
Essexboy will look at the logs when posted...
-
Prozess Name: Application Layer Gateway Service
Produkt: Windows XP
Firma: Microsoft
Datei: alg.exe
Path: C:\Windows\System32
This is a Windows service. Description: Part of Internet Connection Sharing application and Internet Connection Firewall for Windows XP. This service provides support for third party protocol plug-ins for the Internet Connection Sharing application and Internet Connection Firewall.
Also used for Windows Firewall.
Unsuspicious and harmless.
-
This is a Windows service. ...
Unsuspicious and harmless.
[/quote]
Read up some more. Like many other "harmless" processes it's sometimes emulated by malware. Or so many people say. Additionally, of 4 pc's here (3 on XP, one on Win7/64) this is the only one which displays this process. Killing it usually resumes normal service. Hmm.
I'll follow someone else's advice but thanks for the observation.
Roy
-
Assuming you are using XP Service Pack 3 and your alg.exe matches up with the following, then it is not malicious:
File Version: 5.1.2600.5512
File: alg.exe
CRC-32: 4ddab640
MD4: 31e9ff921ec386afad5521052d7e478a
MD5: 8c515081584a38aa007909cd02020b3d
SHA-1: ef5728c819f466bfe56c36bc9db3fac004ef3d50
-
This is a Windows service. ...
Unsuspicious and harmless.
Read up some more. Like many other "harmless" processes it's sometimes emulated by malware. Or so many people say. Additionally, of 4 pc's here (3 on XP, one on Win7/64) this is the only one which displays this process. Killing it usually resumes normal service. Hmm.
I'll follow someone else's advice but thanks for the observation.
Roy
Well, one can never be careful enough.
However, I think you will find that I am right. alg.exe also is used by win xp firewall.
Have the alg.exe uploaded and checked by www.virustotal.com to make sure it is clean anyway.
-
Well as an XP Pro SP3 user the application layer gateway, alg.exe is a valid service and is running on my system, image1.
Check the windows services for more info, image2.
-
Well as an XP Pro SP3 user the application layer gateway, alg.exe is a valid service and is running on my system, image1.
Check the windows services for more info, image2.
Yep, that's it. If you stop ICS (should you run internet connection sharing) and the firewalls (to include WinXP FW), then alg.exe should automatically disappear.