help needed with hijackthis log

Hi,

I am struggling to get rid of a trojan.
It is saturating my line to connect to 72.157.8.5 and killing my internet connection. Malwarebytes tells me it is adjusting three entries in the registry to disable antivirus, firewall and updates. It claims to quarantine and delete successfully, as seen below.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

However, every time I reboot it comes back, takes over svchost.exe and starts communicating. I can kill that particular svchost.exe process and it stops, but I can't get it to stop reinfecting after a reboot.
Avast has quarantined the virus supposedly.
Here is my hijackthis log.

Any help gratefully received.

thanks,

Mairi

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:27:49, on 29/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SyncBack.lnk = C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249237591380
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASP.NET State Service aspnet_stateSchedule (aspnet_stateSchedule) - Unknown owner - C:\WINDOWS\system32\algb.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
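As an added example (not code from the thread or from HijackThis), a small Python script that triages a HijackThis log the way the replies here do by hand: it parses the `Onn - ` entries and flags O2 BHOs with no file on disk and O23 services with an unknown vendor whose binary sits in a Windows system directory. The sample log lines are constructed, modelled on the log above; note that "Unknown owner" by itself is weak evidence (the Sony Ericsson service above carries it too), which is why the script only flags it together with a system32 path.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis v2 log format, modelled on the log above
# (O2 = browser helper objects, O4 = autorun entries, O23 = NT services).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: ASP.NET State Service aspnet_stateSchedule (aspnet_stateSchedule) - Unknown owner - C:\WINDOWS\system32\algb.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# O23 body layout: "Service: <display name> (<short name>) - <vendor> - <drive>:\<path>"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.*)$")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section code, body) pairs; header and 'Running processes' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def triage(text: str) -> List[Dict[str, str]]:
    """Pick out the entries a helper would want to look at first, with the reason."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "O2" and body.endswith("(no file)"):
            # Orphaned BHO: the registry points at a DLL that is gone. Harmless, but cleanup.
            findings.append({"code": code, "reason": "orphaned BHO, no file on disk", "body": body})
        elif code == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            in_system_dir = m.group("path").lower().startswith(SYSTEM_DIRS)
            # "Unknown owner" alone is weak (legitimate vendors omit version info too);
            # combined with a binary dropped straight into system32 it deserves a look.
            if m.group("vendor") == "Unknown owner" and in_system_dir:
                findings.append({"code": code, "reason": "unknown-vendor service running from a Windows system directory", "body": body})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']}: {f['reason']}\n    {f['body']}")
```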

Run Malwarebytes in safe mode and see if that cures your headache.
Help for using Safe Mode
If that doesn’t cure your problem, let us know.

Close all browser sessions, then start HijackThis, select the following entry and click Fix checked:
O23 - Service: ASP.NET State Service aspnet_stateSchedule (aspnet_stateSchedule) - Unknown owner - C:\WINDOWS\system32\algb.exe

Reboot then use Windows Explorer (Windows key+E) then go to C:\WINDOWS\system32 and delete algb.exe

Prevx indicates that it is malware:
http://www.prevx.com/filenames/2952647801451994349-X1/ALGB.EXE.html

Hi,

Thanks for your speedy suggestions. I appreciate your help. This is my first experience of a virus on my machine, so it is clearly a bit outside my comfort zone.
I have tried Malwarebytes in safe mode but it found nothing, and although I asked HijackThis to fix the registry entry you suggested, it won't: I click fix, then I rescan and it reappears in the list. Also, even more confusingly, algb.exe is nowhere to be found on my C drive, so I can't find it to delete it.
BTW, I have blocked the IP address the virus wants to contact on my router, so messages aren't getting through, and I am denying the svchost.exe from getting through my software firewall, so although it isn't saturating my cable line, it is still using almost all of my CPU power.

Very confused. Any other suggestions?

Mairi

Try these tools

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en

Dr.WebCureit http://www.freedrweb.com/

It may be a hidden file.

How to show hidden files in Windows
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

:slight_smile: Hi Mairi:

I recommend you ask the trained, experienced, CERTIFIED, volunteer
"Malware Removal Specialist(s)" that staff the Spybot Support Forums at
http://forums.spybot.info. They are trained & experienced in using "specialized" tools to rid a computer of malware.

Not always:

http://www.neuber.com/taskmanager/process/alg.exe.html

See what’s running under svchost:

http://www.bleepingcomputer.com/tutorials/tutorial129.html#procexp

Frank,
His app is ALGB.EXE, not alg.exe. Maybe it's time for glasses??? ;D ;D

Thanks for all your help guys, I am finally getting somewhere.
I have used the Norman Malware Cleaner and Dr.Web, though they didn't find anything. Malwarebytes is still finding the three problems in the registry, which I can delete, though they reappear on reboot as before.
I have used Process Explorer to find the dodgy svchost entry and it is definitely triggering the algb.exe file into saturating my line. (Any idea what it is sending/receiving? I take it that my data is going somewhere and for some nefarious purpose.)
I have managed to find algb.exe in the system32 folder and have now deleted it. (I had selected show hidden files, but it was invisible because I was still hiding protected operating system files. Doh!)

HijackThis acknowledges that algb.exe is missing, but the registry entry still exists. A little investigation shows that HijackThis will not fix O23 entries, so I am now forced to do it manually.
This is where I run into trouble. :o I have never edited the registry and know that it is a dangerous thing to do. Do you guys (now my gurus) have any advice on safely editing the registry? I have located the entry referencing algb.exe. Should I just hit delete, or should I be more cautious? I was thinking of rebooting to see how the virus copes now algb.exe is gone and then using Crap Cleaner, as I presume that it will notice an entry referencing a file that does not exist. Does this seem a sensible approach? I don't know if I can avoid the 3 registry entries that Malwarebytes finds after a reboot.

thanks,

Mairi
PS - should I be enjoying this? Cos I am. ;D

Before you delete anything from your registry, make a back-up and save it where you can easily find it.
I would also create a restore point prior to deleting that entry.
Once that's done, you can delete it and reboot the system to see the results.
Should you have any problems, you'll be able to restore your old registry and/or restore your system to a point prior to deleting the entry from the registry.

Good luck. :slight_smile:

You’re right. Thanks, my bad.

Google has started showing results for “Did you mean…” instead of just asking and I didn’t notice.

Click “Start” > “Run” and type “Services.msc” (without quotes) then hit “Ok”.

Click the “Extended” tab.

Scroll down and find the service called ASP.NET State Service aspnet_stateSchedule (aspnet_stateSchedule) - Unknown owner - C:\WINDOWS\system32\algb.exe

Click once on the service to highlight it.

Click “Stop”.

Right-click on the service.

Click on “Properties”.

Select the “General” tab.

Click the arrow-down tab on the right-hand side of the "Start-up Type" box.

From the drop-down menu, click on “Disabled”.

Click “Apply”, then “OK”.

Now you will want to delete the service:

Open HijackThis.

Click on the “Open Misc. tools section” button.

Click on the “Delete an NT service” button.

Type aspnet_stateSchedule in the space provided and click OK.

The program will ask you to reboot. Accept.

Now, run HijackThis again and when it finishes, put a check before the following lines:

O23 - Service: ASP.NET State Service aspnet_stateSchedule (aspnet_stateSchedule) - Unknown owner - C:\WINDOWS\system32\algb.exe

Then, make sure ALL windows except HijackThis are closed and hit the “Fix Checked” button.

Next, navigate to and delete the following file, if it exists:

C:\WINDOWS\system32\algb.exe

Hi,

I am now typing from my uninfected PC :slight_smile:
I did a backup, deleted the entry and the file, and rebooted. Process Explorer is clean now, as is HijackThis.

Thanks for all your help. I really appreciate it. :slight_smile:

Mairi

Good news. :slight_smile:

While I did not post in this thread, I have been following it. :slight_smile:

It is always nice to see that someone’s infected computer becomes clean again. :smiley:

Congratulations, mairi … please come back to the forums often and learn more. :slight_smile: