c:\WINDOWS\alg.exe\...

Hi guys, :slight_smile:
I’ve recently scanned my pc by using Avast4.7Pro, regularly updated, and got as a result two threats.
One of them is alg.exe, full path C:\WINDOWS\alg.exe[Embedded#RTLSTD10.DLL]

While searching for an answer on the internet, I’ve found that if the alg.exe is located in another place than C:\WINDOWS\System32\ then it’s a virus.

Is that true?
Could you please tell me what to do? :slight_smile:
Will I do right if I move it to the bin, or had I better not touch it, to avoid causing unexpected consequences on my system?

Thanks in advance for your kind reply. :wink:

Hi Ramna,

If you are on windows XP you probably haven’t got ServicePack2 installed.
Read here for what services could be responsible: http://www.blackviper.com/WinXP/servicecfg.htm
Use Process Explorer to establish this; it can be found on this page:
http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

polonus

Hi Polonus,

Thanks for your answer… Service Pack 2 is already installed.

Here my System information:
Microsoft Windows XP
Home Edition
Version 2002
Service Pack 2

Added by the Troj/Rootkit-AA worm and IRC backdoor. When started, this infection connects to a remote IRC server where it waits for commands to execute.

Download AVG Anti-Rootkit Beta from here and save it to your Desktop.
Close all open programs as this will require a reboot.
Double click AVG_AntiRootkit_version number.exe to install the program.
(By default this will be to C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta.)
Once the program has installed, you will be prompted to reboot - please allow this to happen.
When the PC has rebooted, click the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
Click Perform in-depth search and put your feet up as this can take a while.
Once the scan has completed, if any files have been detected, right click the window and select Save results from the menu that appears.
Save the file as “AVGRootkit.txt”, including the quotation marks, to the location of your choice.
If anything has been detected, copy and paste the log into your next reply. If not, just let me know.

PLUS

- Save HJTsetup.exe to your desktop.
- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Hi there!

Well, I downloaded, installed and ran AVG Anti-Rootkit, and it found 4 hidden objects, listed below:

C:\Program Files\Internet Explorer\iexplore.exe,Hidden application
C:\WINDOWS\hg1.exe,Hidden application file
c:\WINDOWS\hg1.DLL,Hidden File
c:\WINDOWS\hg1.exe,Hidden File

…alg.exe has not been detected…

OK, then let us run SDFix first and follow that up with a HijackThis log.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
- Instead of Windows loading as normal, the Advanced Options Menu should appear.
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.

- Open the extracted SDFix folder and double-click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to reboot.
- Press any key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
- Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard ready for posting back on the forum).
- Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

Here I am again,

Downloaded SDFix, extracted files and executed RunThis.bat…

Got this report:

===

SDFix: Version 1.109

Run by xxx xxx on 14/09/2007 at 18:42

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\alg.exe - Deleted

Removing Temp Files…

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\java.exe"="C:\WINDOWS\system32\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\Program Files\WS_FTP\WS_FTP95.exe"="C:\Program Files\WS_FTP\WS_FTP95.exe:*:Enabled:WS_FTP 95"
"C:\Documents and Settings\xxx xxx\utorrent.exe"="C:\Documents and Settings\xxx xxx\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\JackSMS 3\JackSMS.exe"="C:\Program Files\JackSMS 3\JackSMS.exe:*:Enabled:JackSMS"
"C:\Program Files\Spyware Terminator\SpywareTerminator.Exe"="C:\Program Files\Spyware Terminator\SpywareTerminator.Exe:*:Enabled:Spyware Terminator"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\Documents and Settings\xxx xxx\Programs\utorrent.exe"="C:\Documents and Settings\xxx xxx\Programs\utorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 13 Sep 2007 2,402,304 A.SH. --- "C:\WINDOWS\alerter.exe"
Thu 13 Sep 2007 888,320 A.SH. --- "C:\WINDOWS\hg1.exe"
Sat 19 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 23 Apr 2006 136,192 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL0691.TMP"
Wed 6 Jul 2005 281,600 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL0022.TMP"
Wed 6 Jul 2005 279,040 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL0301.TMP"
Wed 6 Jul 2005 280,576 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL0523.TMP"
Wed 6 Jul 2005 288,768 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL0542.TMP"
Wed 6 Jul 2005 281,088 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL1906.TMP"
Wed 6 Jul 2005 285,184 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL1930.TMP"
Wed 6 Jul 2005 281,088 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL1953.TMP"
Wed 6 Jul 2005 284,160 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL2415.TMP"
Wed 6 Jul 2005 285,696 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL3055.TMP"
Wed 6 Jul 2005 280,064 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL3132.TMP"
Wed 6 Jul 2005 281,088 A..H. --- "C:\Documents and Settings\xxx xx\My Documents\eBook\Translations\xxx\xxx~WRL3250.TMP"
Wed 6 Jul 2005 280,576 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL3486.TMP"
Wed 6 Jul 2005 281,088 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL3600.TMP"
Wed 6 Jul 2005 281,088 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL3612.TMP"
Wed 6 Jul 2005 280,576 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL3669.TMP"
Wed 6 Jul 2005 285,184 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL3852.TMP"
Wed 6 Jul 2005 284,160 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL3853.TMP"
Wed 6 Jul 2005 280,064 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL3924.TMP"
Wed 6 Jul 2005 281,600 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL3963.TMP"
Wed 6 Jul 2005 286,720 A..H. --- "C:\Documents and Settings\xxx xxx\My Documents\eBook\Translations\xxx\xxx~WRL4003.TMP"

Finished!

===

Done?
Thank you so much! :wink:
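The two things that gave this infection away were raised earlier in the thread: a file named like a Windows service binary (alg.exe, and the alerter.exe that also appears in the report) sitting in C:\WINDOWS instead of C:\WINDOWS\System32, and executables carrying both the System and Hidden attributes so that Explorer does not list them. The script below is an added triage helper, not code from the thread, from SDFix or from AVG: it parses lines in the "Files with Hidden Attributes" format the SDFix report uses and applies those two checks. The list of System32-only binary names, the regular expression for the report line, the file-attribute interpretation and the sample report lines are all assumptions or constructed for the example; the sample is modelled on the report above with the user name replaced and paths shortened.

```python
import re
from pathlib import PureWindowsPath

SYSTEM_ROOT = PureWindowsPath(r"C:\WINDOWS")
SYSTEM32 = SYSTEM_ROOT / "system32"

# Legitimate Windows XP service binaries that live only in %SystemRoot%\System32.
# A file with one of these names anywhere else (the thread's C:\WINDOWS\alg.exe,
# or alerter.exe in the same place) is a masquerade worth investigating.
# Assumption: an illustrative list, not an inventory of every system binary.
SYSTEM32_ONLY = {"alg.exe", "alerter.exe", "svchost.exe", "lsass.exe",
                 "csrss.exe", "services.exe", "winlogon.exe"}

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}

# One "Files with Hidden Attributes" line as the SDFix report prints it:
#   Thu 13 Sep 2007 2,402,304 A.SH. --- "C:\WINDOWS\hg1.exe"
# Assumption: in the attribute column 'S' marks the System bit and 'H' the
# Hidden bit, with '.' for a clear bit.
HIDDEN_LINE = re.compile(
    r'^[A-Za-z]{3}\s+\d{1,2}\s+[A-Za-z]{3}\s+\d{4}\s+'
    r'(?P<size>[\d,]+)\s+(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"$'
)


def check_path(path_str):
    """Reasons to look at a file, judged from its name and location alone.

    PureWindowsPath compares case-insensitively, so C:\\windows\\SYSTEM32 and
    C:\\WINDOWS\\system32 are treated as the same directory.
    """
    p = PureWindowsPath(path_str)
    reasons = []
    if p.name.lower() in SYSTEM32_ONLY and p.parent != SYSTEM32:
        reasons.append(f"{p.name} belongs in {SYSTEM32}, found in {p.parent}")
    return reasons


def parse_hidden_line(line):
    """Parse one SDFix hidden-attribute line; return None for any other line."""
    m = HIDDEN_LINE.match(line.strip())
    if not m:
        return None
    return {
        "path": m.group("path"),
        "size": int(m.group("size").replace(",", "")),
        "attrs": m.group("attrs"),
    }


def triage_report(report_text):
    """Return [(path, [reasons])] for every hidden-attribute entry worth a look."""
    findings = []
    for line in report_text.splitlines():
        entry = parse_hidden_line(line)
        if entry is None:
            continue  # headings, blank lines, other report sections
        p = PureWindowsPath(entry["path"])
        reasons = check_path(entry["path"])
        system_and_hidden = "S" in entry["attrs"] and "H" in entry["attrs"]
        # Data files (DRM backups, Word temp files) with hidden attributes are
        # routine; an executable hiding from Explorer this way is not.
        if system_and_hidden and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            reasons.append(
                f"executable carries System+Hidden attributes ({entry['attrs']})")
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


# Constructed sample modelled on the report in the thread (not the original log).
SAMPLE_REPORT = r'''
Files with Hidden Attributes:

Thu 13 Sep 2007 2,402,304 A.SH. --- "C:\WINDOWS\alerter.exe"
Thu 13 Sep 2007 888,320 A.SH. --- "C:\WINDOWS\hg1.exe"
Sat 19 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 6 Jul 2005 281,600 A..H. --- "C:\Documents and Settings\user\My Documents\~WRL0022.TMP"

Finished!
'''

if __name__ == "__main__":
    for reason in check_path(r"C:\WINDOWS\alg.exe"):
        print("alg.exe:", reason)
    for path, reasons in triage_report(SAMPLE_REPORT):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, alerter.exe is flagged twice (wrong directory and System+Hidden), hg1.exe once (System+Hidden executable), and the DRM backup and Word temp file are left alone. The same location check answers the question at the top of the thread: C:\WINDOWS\alg.exe is flagged, C:\WINDOWS\system32\alg.exe is not.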

If you have any further problems then come back