Hi Clint,

Found this on the internet, don't know if it helps any.

"FILENAME: Alg.exe. PROGRAM NAME: Application Layer Gateway. DESCRIPTION: Part of Windows XP that provides support for ICS and Internet Connection Firewall (ICF). RECOMMENDED ACTION: If a third-party firewall warns you that ALG.exe wants access, check to make sure you're not double-firewalled. If you are, disable ICF. If you are using neither ICF nor ICS and are warned that ALG.exe is trying to access the Net, deny it. A Trojan horse or worm may be trying to use it as a backdoor."

Bram
AngloCom

----- Original Message -----
From: "Support-OrpheusComputing.com" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 20, 2004 4:40 PM
Subject: PCWorks: Not enough room here to explain this odd event-firewall alert/probe attempt causing crash of ONE HD partition?

> About an hour or so ago I started to "experience some very odd
> behavior" on this PC (XP Pro). My HD is partitioned several
> times, and my G partition is "storage". No programs are
> installed on it, it's just a backup of everything, but
> "Desktop" is stored on that partition. (I moved it from the
> original location to G, it's been like that since day 1, a long
> time ago).
>
> Every time I clicked the G icon on my desktop to access that
> partition, I got an alert from what I think was the Native XP
> firewall, but it could have been a Sygate alert. I say the XP
> firewall since if I recall correctly that alg.exe is what is,
> or part of, the XP firewall--at least alg.exe is what is
> running in the background during a ctrl-alt-del check of what's
> running when the XP firewall is active. If it's disabled,
> alg.exe disappears from the task manager. More on that in a
> moment. Maybe the *way* I was alerted is irrelevant, but I
> thought I'd include that anyway.
>
> During that process of the alert (sometimes right before or
> sometimes right after the alert) ANY folder in the G partition
> that I tried to even hover over, resulted in a total lock-up of
> THAT WINDOW ONLY. That G window could not be moved, closed,
> maximized or minimized. I could open OTHER folders just fine
> on the desktop, and do other things just fine, just that G
> partition's window was "DEAD". It would stay like that a
> couple of minutes or so, then everything would go black, just a
> black screen and nothing else. (My Desktop background is black
> and the mouse cursor was still there). Then after a few
> seconds the desktop would start to come back and my toolbar at
> the bottom of the main desktop screen would "freak out". The
> address bar would disappear, the Quick Launch toolbar would
> disappear, it would go from "three level" to "one level"
> (revert back to almost the original XP default toolbar layout)!
> It gets stranger. When I would try to right click to enable
> Quick Launch again, it would come back with the several dozen
> icons all out of the order they were in (which has NEVER
> happened before when the QL toolbar was disabled or disappeared
> for other reasons). This happened 3 or 4 times with the EXACT
> SAME results and procedure done each time even AFTER RESTARTS.
> Each time beginning with me trying to access anything on the G
> partition. Again, ALL of the other partitions are normal,
> acting as usual.
>
> Now for more on the firewall alert: what is bizarre is the
> alert was due to US Robotics/3com and there is NOTHING on this
> PC that is USR or 3com! No modem, just a NIC which is an Intel
> NIC. Now here's the $$$ question, what the heck would this PC
> be doing trying to contact USR, or, what would USR be doing
> trying to connect to this PC, and what has that got to do with
> not being able to access the G partition and its lockup?? The
> same thing happened whether I denied or granted access. I
> denied access the first few times, then I decided to grant it
> to see if that changed anything and it did NOT. I ran SpyBot,
> AdAware, etc, and they were clean. The ONLY way I could fix
> this "issue" was to do a system restore to yesterday and thank
> God for it, that worked and all seems to be back to normal
> again. But this leaves me somewhat troubled since I can
> usually always figure out what's going on, but I'm at a bit of
> a loss here. I think it's probably a good idea to try and find
> out what was going on, what caused it, etc. Below is a paste
> from the firewall alert showing the probe, as you can see,
> that's USR's IP address and their FTP site! Any takers on this
> one? ;-)
>
> File Version : 5.1.2600.1106 (xpsp1.020828-1920)
> File Description : Application Layer Gateway Service (alg.exe)
> File Path : C:\WINDOWS\system32\alg.exe
> Process ID : 0x5E0 (Heximal) 1504 (Decimal)
> Connection origin : local initiated
> Protocol : TCP
> Local Address : 192.168.0.134
> Local Port : 3500
> Remote Name : ftp.usr.com
> Remote Address : 65.61.164.30
> Remote Port : 21 (FTP - File Transfer [Control])
> Ethernet packet details:
> Ethernet II (Packet Length: 76)
> Destination: 00-50-18-09-61-4c
> Source: 00-07-e9-02-0c-58
> Type: IP (0x0800)
> Internet Protocol
> Version: 4
> Header Length: 20 bytes
> Flags:
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 64
> Protocol: 0x6 (TCP - Transmission Control Protocol)
> Header checksum: 0xdc7d (Correct)
> Source: 192.168.0.134
> Destination: 65.61.164.30
> Transmission Control Protocol (TCP)
> Source port: 3500
> Destination port: 21
> Sequence number: 2864471034
> Acknowledgment number: 0
> Header length: 28
> Flags:
> 0... .... = Congestion Window Reduce (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...0 .... = Acknowledgment: Not set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..1. = Syn: Set
> .... ...0 = Fin: Not set
> Checksum: 0xb0d0 (Correct)
> Data (0 Bytes)
> Binary dump of the packet:
> 0000: 00 50 18 09 61 4C 00 07 : E9 02 0C 58 08 00 45 5C | .P..aL.....X..E\
> 0010: 00 30 16 06 40 00 40 06 : 7D DC C0 A8 00 86 41 3D | .0..@.@.}.....A=
> 0020: A4 1E 0D AC 00 15 AA BC : 5B FA 00 00 00 00 70 02 | ........[.....p.
> 0030: F7 80 D0 B0 00 00 02 04 : 05 A0 01 01 04 02 4C 45 | ..............LE
> 0040: 48 46 43 45 50 46 46 46 : 41 43 41 43 | HFCEPFFFACAC
>
> -Clint
>
> God Bless
> Clint Hamilton, Owner
> http://OrpheusComputing.com

============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines & make sure you've followed proper posting procedures, http://pcworkers.com/rules.htm
Contact list owner <[EMAIL PROTECTED]>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
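The binary dump in Clint's alert contains enough to reconstruct and re-verify every field the firewall decoded. The script below is an added example, not part of this thread and not code from any firewall or tool mentioned in it: it re-parses the quoted "Binary dump of the packet" (copied inline from the message above), decodes the Ethernet II, IPv4 and TCP headers, and recomputes the IP header checksum and the TCP checksum (with its pseudo-header) so that the alert's decode can be checked against the raw bytes before time is spent chasing the process that sent it. One detail worth knowing when you compare: the alert prints both checksums byte-swapped (0xdc7d and 0xb0d0) relative to their on-the-wire order (7D DC and D0 B0 in the dump); the script reads them in network byte order, and both verify.

```python
import struct

# Hex dump exactly as quoted in the firewall alert above (raw string so the
# trailing backslash in the first ASCII column is kept literally).
ALERT_DUMP = r"""
0000: 00 50 18 09 61 4C 00 07 : E9 02 0C 58 08 00 45 5C | .P..aL.....X..E\
0010: 00 30 16 06 40 00 40 06 : 7D DC C0 A8 00 86 41 3D | .0..@.@.}.....A=
0020: A4 1E 0D AC 00 15 AA BC : 5B FA 00 00 00 00 70 02 | ........[.....p.
0030: F7 80 D0 B0 00 00 02 04 : 05 A0 01 01 04 02 4C 45 | ..............LE
0040: 48 46 43 45 50 46 46 46 : 41 43 41 43 | HFCEPFFFACAC
"""

TCP_FLAGS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
             (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def parse_dump(text):
    """Turn 'offset: hex : hex | ascii' dump lines back into the raw frame bytes."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hexpart = line.split(":", 1)[1].split("|", 1)[0]
        out += bytes.fromhex(hexpart.replace(":", " "))
    return bytes(out)


def ones_complement_sum(data):
    """RFC 1071 Internet checksum sum (end-around carry), over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_tcp_options(opts):
    """Decode the TCP option kinds seen in a SYN (MSS, NOP, SACK-permitted)."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP
            i += 1
            continue
        length = opts[i + 1]
        value = opts[i + 2:i + length]
        if kind == 2:
            out["MSS"] = struct.unpack("!H", value)[0]
        elif kind == 4:
            out["SACK_permitted"] = True
        else:
            out["kind%d" % kind] = value.hex()
        i += length
    return out


def decode(frame):
    """Decode Ethernet II / IPv4 / TCP and verify both header checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    ttl, proto = ip[8], ip[9]
    ip_csum = struct.unpack("!H", ip[10:12])[0]
    # A correct IP header sums (checksum field included) to 0xFFFF.
    ip_ok = ones_complement_sum(ip[:ihl]) == 0xFFFF

    # Use the IP total length, not the frame length: the Ethernet frame is padded.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, window, tcp_csum, urg = \
        struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    # TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length) + segment.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_ok = ones_complement_sum(pseudo + tcp) == 0xFFFF

    return {
        "src_mac": src_mac.hex("-"), "dst_mac": dst_mac.hex("-"),
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl, "proto": proto, "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum": ip_csum, "ip_checksum_ok": ip_ok,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
        "window": window, "tcp_header_len": data_off,
        "tcp_checksum": tcp_csum, "tcp_checksum_ok": tcp_ok,
        "payload_len": len(tcp) - data_off,
        "options": parse_tcp_options(tcp[20:data_off]),
    }


if __name__ == "__main__":
    for key, value in decode(parse_dump(ALERT_DUMP)).items():
        print("%-16s %s" % (key, value))
```

Run as-is it prints the decoded fields; the result agrees with the alert on every value (192.168.0.134:3500 to 65.61.164.30:21, TTL 64, DF set, SYN only, 28-byte TCP header, no payload) and reports both checksums as valid. A SYN with zero payload is only the first packet of a TCP handshake, so the dump records a connection attempt to the FTP control port, not any data exchanged; the same parsing approach applies to any alert that includes a raw hex dump, and is a cheap way to make sure the decoded summary you are reasoning about is faithful to the bytes.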
