Thanks, Barry sent me that off list and I guess I should have
posted that he sent it to me.  :-)  I figured that alg.exe was
needed for the firewall, and I do have 3 firewalls running.
The hardware firewall in my router, XP's, and Sygate.  I guess
it could have been a Trojan as I first suspected but nothing
ever turned up.  Could be something brand new that no AV
software or firewall signature files know anything about yet.
That still doesn't ascertain USR's involvement in this which
I'd really like to find out.
-Clint

God Bless
Clint Hamilton, Owner
http://OrpheusComputing.com

----- Original Message ----- 
From: "Bram" <[EMAIL PROTECTED]>


Hi Clint,

Found this on the internet, don't know if it helps any.

"FILENAME: Alg.exe.
PROGRAM NAME: Application Layer Gateway.
DESCRIPTION: Part of Windows XP that provides support for ICS and Internet
Connection Firewall (ICF).
RECOMMENDED ACTION: If a third-party firewall warns you that ALG.exe wants
access, check to make sure you're not double-firewalled. If you are, disable
ICF. If you are using neither ICF nor ICS and are warned that ALG.exe is
trying to access the Net, deny it. A Trojan horse or worm may be trying to
use it as a backdoor."

Bram
AngloCom

----- Original Message ----- 
From: "Support-OrpheusComputing.com"
<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, March 20, 2004 4:40 PM
Subject: PCWorks: Not enough room here to explain this odd event-firewall alert/probe attempt causing crash of ONE HD partition?


> About an hour or so ago I started to "experience some very odd
> behavior" on this PC (XP Pro).  My HD is partitioned several times,
> and my G partition is "storage".  No programs are installed on it,
> it's just a backup of everything, but "Desktop" is stored on that
> partition.  (I moved it from the original location to G, it's been
> like that since day 1, a long time ago).
>
> Every time I clicked the G icon on my desktop to access that
> partition, I got an alert from what I think was the Native XP
> firewall, but it could have been a Sygate alert.  I say the XP
> firewall since if I recall correctly that alg.exe is what is, or
> part of, the XP firewall--at least alg.exe is what is running in the
> background during a ctrl-alt-del check of what's running when the XP
> firewall is active.  If it's disabled, alg.exe disappears from the
> task manager.  More on that in a moment.  Maybe the *way* I was
> alerted is irrelevant, but I thought I'd include that anyway.
>
> During that process of the alert (sometimes right before or
> sometimes right after the alert) ANY folder in the G partition that
> I tried to even hover over resulted in a total lock-up of THAT
> WINDOW ONLY.  That G window could not be moved, closed, maximized
> or minimized.  I could open OTHER folders just fine on the desktop,
> and do other things just fine, just that G partition's window was
> "DEAD".  It would stay like that a couple of minutes or so, then
> everything would go black, just a black screen and nothing else.
> (My Desktop background is black and the mouse cursor was still
> there).  Then after a few seconds the desktop would start to come
> back and my toolbar at the bottom of the main desktop screen would
> "freak out".  The address bar would disappear, the Quick Launch
> toolbar would disappear, it would go from "three level" to "one
> level" (revert back to almost the original XP default toolbar
> layout)!  It gets stranger.  When I would try to right click to
> enable Quick Launch again, it would come back with the several dozen
> icons all out of the order they were in (which has NEVER happened
> before when the QL toolbar was disabled or disappeared for other
> reasons).  This happened 3 or 4 times with the EXACT SAME results
> and procedure done each time even AFTER RESTARTS.  Each time
> beginning with me trying to access anything on the G partition.
> Again, ALL of the other partitions are normal, acting as usual.
>
> Now for more on the firewall alert: what is bizarre is the alert
> was due to US Robotics/3com and there is NOTHING on this PC that is
> USR or 3com!  No modem, just a NIC which is an Intel NIC.  Now
> here's the $$$ question, what the heck would this PC be doing trying
> to contact USR, or, what would USR be doing trying to connect to
> this PC, and what has that got to do with not being able to access
> the G partition and its lockup??  The same thing happened whether I
> denied or granted access.  I denied access the first few times,
> then I decided to grant it to see if that changed anything and it
> did NOT.  I ran SpyBot, AdAware, etc, and they were clean.  The
> ONLY way I could fix this "issue" was to do a system restore to
> yesterday and thank God for it, that worked and all seems to be
> back to normal again.  But this leaves me somewhat troubled since I
> can usually always figure out what's going on, but I'm at a bit of
> a loss here.  I think it's probably a good idea to try and find out
> what was going on, what caused it, etc.  Below is a paste from the
> firewall alert showing the probe, as you can see, that's USR's IP
> address and their FTP site!  Any takers on this one?  ;-)
>
> File Version :  5.1.2600.1106 (xpsp1.020828-1920)
> File Description : Application Layer Gateway Service (alg.exe)
> File Path :  C:\WINDOWS\system32\alg.exe
> Process ID :  0x5E0 (Heximal) 1504 (Decimal)
> Connection origin : local initiated
> Protocol :  TCP
> Local Address :  192.168.0.134
> Local Port :  3500
> Remote Name :  ftp.usr.com
> Remote Address : 65.61.164.30
> Remote Port :   21 (FTP - File Transfer [Control])
> Ethernet packet details:
> Ethernet II (Packet Length: 76)
> Destination:  00-50-18-09-61-4c
> Source:  00-07-e9-02-0c-58
> Type: IP (0x0800)
> Internet Protocol
> Version: 4
> Header Length: 20 bytes
> Flags:
>  .1.. = Don't fragment: Set
>  ..0. = More fragments: Not set
> Fragment offset:0
> Time to live: 64
> Protocol: 0x6 (TCP - Transmission Control Protocol)
> Header checksum: 0xdc7d (Correct)
> Source: 192.168.0.134
> Destination: 65.61.164.30
> Transmission Control Protocol (TCP)
> Source port: 3500
> Destination port: 21
> Sequence number: 2864471034
> Acknowledgment number: 0
> Header length: 28
> Flags:
>  0... .... = Congestion Window Reduce (CWR): Not set
>  .0.. .... = ECN-Echo: Not set
>  ..0. .... = Urgent: Not set
>  ...0 .... = Acknowledgment: Not set
>  .... 0... = Push: Not set
>  .... .0.. = Reset: Not set
>  .... ..1. = Syn: Set
>  .... ...0 = Fin: Not set
> Checksum: 0xb0d0 (Correct)
> Data (0 Bytes)
> Binary dump of the packet:
> 0000:  00 50 18 09 61 4C 00 07 : E9 02 0C 58 08 00 45 5C | .P..aL.....X..E\
> 0010:  00 30 16 06 40 00 40 06 : 7D DC C0 A8 00 86 41 3D | .0..@.@.}.....A=
> 0020:  A4 1E 0D AC 00 15 AA BC : 5B FA 00 00 00 00 70 02 | ........[.....p.
> 0030:  F7 80 D0 B0 00 00 02 04 : 05 A0 01 01 04 02 4C 45 | ..............LE
> 0040:  48 46 43 45 50 46 46 46 : 41 43 41 43             | HFCEPFFFACAC
>
> -Clint
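The alert above ends with a raw hex dump of the packet, which is the one part of the report that can be checked independently of what the firewall chose to display. The script below is an added example, not code from the thread or from Sygate: it takes the dump text exactly as quoted, decodes the Ethernet II, IPv4 and TCP headers, walks the TCP options, and recomputes both checksums with the RFC 1071 one's-complement sum. The dump layout it parses (`NNNN:  xx xx ... : xx xx | ascii`) is assumed from the quoted lines; the bytes themselves come from the message. Note that the Ethernet frame is 76 bytes while the IP Total Length is 48, so the decoder trims the 14-byte trailer before feeding the segment into the TCP checksum.

```python
import re
import struct

# Hex dump copied from the Sygate alert quoted above (page data, not constructed).
ALERT_DUMP = """
0000:  00 50 18 09 61 4C 00 07 : E9 02 0C 58 08 00 45 5C | .P..aL.....X..E\\
0010:  00 30 16 06 40 00 40 06 : 7D DC C0 A8 00 86 41 3D | .0..@.@.}.....A=
0020:  A4 1E 0D AC 00 15 AA BC : 5B FA 00 00 00 00 70 02 | ........[.....p.
0030:  F7 80 D0 B0 00 00 02 04 : 05 A0 01 01 04 02 4C 45 | ..............LE
0040:  48 46 43 45 50 46 46 46 : 41 43 41 43             | HFCEPFFFACAC
"""

TCP_FLAG_NAMES = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
                  (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR")]


def dump_to_bytes(dump):
    """Keep only the hex column of each 'NNNN:  xx xx : xx xx | ascii' line
    (assumed Sygate layout); the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^\s*[0-9A-Fa-f]{4}:\s*(.*?)\s*\|", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(":", "").replace(" ", ""))
    return bytes(out)


def inet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit big-endian words, then invert."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Ethernet II -> IPv4 -> TCP; returns the fields worth cross-checking."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: 0x%04x" % eth_type)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, ip_csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip_hdr = ip[:ihl]
    # Frames are often padded past the datagram; trim to Total Length so the
    # trailer never reaches the TCP checksum.
    trailer_len = len(ip) - total_len
    ip = ip[:total_len]
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    tcp = ip[ihl:]
    (sport, dport, seq, ack, off_flags, window, tcp_csum,
     _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4

    options, i = {}, 20            # options sit between byte 20 and data offset
    while i < data_off:
        kind = tcp[i]
        if kind == 0:              # End of Option List
            break
        if kind == 1:              # NOP
            i += 1
            continue
        length = tcp[i + 1]
        value = tcp[i + 2:i + length]
        if kind == 2:
            options["mss"] = struct.unpack("!H", value)[0]
        elif kind == 4:
            options["sack_permitted"] = True
        else:
            options["kind_%d" % kind] = value.hex()
        i += length

    # Recompute both checksums with the checksum field zeroed.
    ip_ok = inet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == ip_csum
    pseudo = src + dst + b"\x00" + bytes([proto]) + struct.pack("!H", len(tcp))
    tcp_ok = inet_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:]) == tcp_csum

    return {
        "eth_src": ":".join("%02x" % b for b in eth_src),
        "eth_dst": ":".join("%02x" % b for b in eth_dst),
        "src_ip": ".".join(str(b) for b in src),
        "dst_ip": ".".join(str(b) for b in dst),
        "ip_id": ident, "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum": ip_csum, "ip_checksum_ok": ip_ok,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
        "window": window,
        "tcp_checksum": tcp_csum, "tcp_checksum_ok": tcp_ok,
        "options": options,
        "payload_len": len(tcp) - data_off,
        "trailer_len": trailer_len,
    }


def decode_alert():
    """Decode the dump quoted in the thread."""
    return decode_frame(dump_to_bytes(ALERT_DUMP))


if __name__ == "__main__":
    for key, value in decode_alert().items():
        print("%-16s %s" % (key, value))
```

Run as-is it confirms the summary fields the alert printed (192.168.0.134:3500 to 65.61.164.30:21, TTL 64, DF set, a bare SYN with MSS 1440 and SACK permitted, no payload). One detail the decode surfaces: the alert prints the checksums as 0xdc7d and 0xb0d0, but the bytes on the wire are `7D DC` and `D0 B0`, so the firewall is showing them byte-swapped; both verify correctly in network byte order. Nothing in the packet says anything about the G: partition lockup; the frame is an ordinary outbound SYN to the FTP control port, which is consistent with the ALG description Bram found (ALG mediates FTP sessions for ICS/ICF) and leaves the question of why it fired when a local folder was opened.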
============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines &
make sure you've followed proper posting procedures,
http://pcworkers.com/rules.htm
Contact list owner <[EMAIL PROTECTED]>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
