Alg.exe trying to connect to remote ip port 21... help

Discussion in 'other firewalls' started by tak300, Oct 25, 2007.

Thread Status:
Not open for further replies.
  1. tak300

    tak300 Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    10
    Hi there

    A few days ago, my firewall (Sygate Pro) warned me that alg.exe was trying to connect to a remote IP on the FTP port, port 21. Since I didn't "request" any FTP connection, nor did I know the IP, I blocked it. I then scanned my computer with NOD32, A-Squared Free Anti-Spyware and AVG Anti-Spyware (all updated) and found nothing. I also ran GMER, which turned up nothing too. And my HijackThis log seems to be okay (although I'm no expert in HJT logs :) )

    What the hell could be going on here? At the time of the "warning" I was running a torrent client, nothing more. Could that be it? It's really weird, since the anti-virus/spyware software I ran found nothing...

    So what do you guys think? Thanks in advance :)
     
  2. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    921
    Location:
    Big Apple USA
    Application Layer Gateway service is a component of the Windows OS. It is required if you use a 3rd party firewall or Internet Connection Sharing (ICS) to connect to the internet.
    This process doesn't need to connect out, just block it.

    ...screamer
     
  3. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Better yet, just disable the service.
     
  4. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    You can certainly disable the service, but it's questionable behaviour that needs to be investigated. You can upload the file to VirusTotal for scanning but it's more likely something else is connecting through it.
     
  5. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    ALG will invisibly proxy ftp traffic, and if you don't use the XP Firewall disable the service.
     
  6. tak300

    tak300 Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    10
    I have it blocked, however I would like to know if I should be concerned about a potential spyware/virus infection. I ran every security program I have and found nothing. Could a legit program have done this?
     
  7. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    Is there any entry in a log about the destination IP?
     
  8. tak300

    tak300 Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    10
    Yes, in fact I have 2 IPs.
    Should I be concerned?
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Please post the IPs. We can then possibly have some indication of what the connection was intended for.
    There is always a possible need for concern over any unknown connection attempt. But saying that, ALG is used by many 3rd party programs (not so much directly now), but they would use this service, as the service is allowed by default in a number of firewalls.
     
  10. nonex23

    nonex23 Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    3
    I am having the exact same problem. This started a couple of weeks ago, with the most recent as of last night. Sygate caught alg.exe trying to connect via port 21 (ftp) to these two IPs:

    72.188.43.172

    and

    190.161.67.207

    The first time it happened, I just clicked no and didn't think much about it. Now I'm worried. I've done numerous scans and found nothing that I could tell is wrong. I even used rootkit revealer but didn't see anything that I could recognize as unusual.

    Here is a HJT dump:

    ~Log removed per this announcement.~


    I don't see anything unusual there, does anyone else?

    After searching all over, on a hunch, I checked winlogon.exe and alg.exe on virustotal.com. Neither files popped up as bad.

    One strange thing:

    winlogon.exe on this machine is version 5.1.2600.2180 which I don't see listed on http://support.microsoft.com/dllhelp/?dlltype=file&l=55&alpha=winlogon.exe&S=1&x=9&y=7

    alg.exe shows the same version number 5.1.2600.2180 (is it normal for two different files to have the same version number? o_O) which IS listed on the MSN site http://support.microsoft.com/dllhelp/default.aspx?l=55&fid=211767

    I'm stumped. I'm ready to re-do both of these machines.

    More info: I have a DLINK wireless router that has the wireless encrypted. The machine that uses that wireless access is a laptop running Vista. It is two months old and running slow as &^*%%^. I have AVG running on that machine, but Vista is still a new beast to me.

    I'm going to be re-doing that laptop with XP soon I think.

    I am sharing folders on my network.

    Anyone have any ideas of what is going on? This seems to be a new problem since I am not finding much info on it on the internet at the moment. The only reason I found this forum was using google "alg.exe sygate"

    Thanks very much for your help with this.
     
    Last edited by a moderator: Oct 28, 2007
  11. nonex23

    nonex23 Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    3
    Update: I just found info that might shed light on my problem, however I am not convinced because of how specific the request to use alg.exe is (port 21)

    What I found @ http://www.derkeiler.com/Newsgroups/microsoft.public.security.virus/2003-10/1416.html

    ALG is a component of ICS/ICF. If you are running both ICF and a
    third-party firewall, this message can result from normal activities.
    Solution: Disable ICF--this is an artifact of having two firewalls running
    at the same time.

    However, if ICF isn't running, this could be viral/trojan activity, so the
    full system scan is the right first step.

    Turns out that yes, I happen to have ICF running on this machine at the same time as Sygate. It looks like I forgot to turn it off when I set this machine up.

    Am I being paranoid? Is it a coincidence that someone else had the same problem pop up recently?

    Again, thanks for any insight on this!
     
  12. tak300

    tak300 Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    10
    Well, I also had the Windows Firewall on, maybe that is it, but I doubt it. I have disabled the ALG service for now, but I'm still trying to find out what happened.

    I checked the IPs on DNSstuff and they appear to be IPs from DSL connections, which means they belong to someone like us.

    nonex23, let us know if you have the same problem again after you disabled ICF.
     
  13. nonex23

    nonex23 Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    3
    Hey Tak300, here's some more thoughts on this:

    Sygate came out before SP2 and is no longer supported. From what I've read, modern software firewalls will ignore alg.exe, which is part of SP2.

    I was also using bit torrent when this happened. I think there is a setting for bit torrent users to use random ports. What if this is just a random connection from a fellow bit torrent user using port 21?

    It would explain why the IPs appear harmless.

    I'm still on my toes with this one, but considering that you and I seem to be the only people having this problem and we are sharing similar setups, it might be nothing!

    Just to confirm... you did say you were using bit torrent right? I seem to remember it happening to me after I finished my torrent and shut the application down. Do you remember if this was the same for you?
     
  14. tak300

    tak300 Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    10
    I was using uTorrent at the time. I can't recall if it was when I shut down uTorrent though.

    I do however remember a "similar" problem happening a few months back.
    I was using uTorrent and all of a sudden I got a warning from Sygate saying that Firefox wants to connect to IP X and port Y. And this was every 10 milliseconds or so :x So I disconnected from the web and went to check it out. Turns out the IPs Firefox was trying to connect to were IPs from uTorrent. I don't know how or why this happened, but at the time I was confused.... This new problem made me "rethink" the other one and maybe they are connected.
     
  15. erik_in_illinois

    erik_in_illinois Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    2
    :eek: I'm new, hello. I'm running microtorrent also. ALG is acting up.. first time though. I formatted and reinstalled **** after a stable running system for 2+ years, then it started up.. However I'm using that late night commercial STOPSIGN dot com a/v firewall.. (this found an infection NOD32 passed up.. that's why I use it)

    Anyway, maybe it's some new sploit with uTorrent.. I've had it try to connect to about 3 IPs so far, the activity is really sporadic right now.. but a lot of attempts so far..

    [screenshot of the firewall alert, image hosted at http://i23.tinypic.com/256rcpd.png]

    That's the latest connection attempt ---^

    I'm going to go and disable the service..
    (Windows key + R, services.msc, ENTER)

    By the way, how many svchost processes does one really have running on average? Sometimes it just seems weird that so many run.


    --
    ALG
    "Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall."


    So basically you don't need it running.. I remember somewhere it being described as being important and if disabled or w/e your internet broke lol
     
  16. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I have 5 instances running...
    Disabled mine, and a few others from reading up here http://www.blackviper.com/WinXP/servicecfg.htm with no issues to date...
     
  17. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I normally have 3 instances of it running. I believe it is possible to configure windows so that svchost doesn't run at all.
     
  18. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I had it down to 2 instances once, but after that last critical-error I decided to stick with "power-user" settings instead of "bare-bones." Probably could get it down to 0-1 instances, just not with my set-up I guess...
     
  19. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    You need ALG if you run server applications (P2P i.e.) through ICS. For most setups, it is unneeded and can safely be disabled.

    All Windows services run through svchost.exe, so if you have at least one service enabled, you will have svchost among your running tasks. It is (svchost) a multithreading task, so several processes can have their separate threads inside one svchost. You can check that easily with Process Explorer :)

    Cheers,
     
  20. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    A task manager extension like Prio can show you which services are running under each instance of svchost.
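    The checks discussed in the last few posts (whether ALG is running and how it starts, which services sit inside each svchost.exe instance, which process owns a given outbound connection, and how to disable ALG) can be done from a PowerShell prompt without a third-party task manager. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It assumes PowerShell 2.0 or later on a Windows XP/2003-era system (so it uses WMI and netstat rather than the newer Get-NetTCPConnection cmdlet) and an administrator prompt. Note that when Windows Firewall or ICS is enabled, alg.exe proxies outbound FTP, so a third-party firewall will report alg.exe as the connecting process even though another program (for example a torrent client) initiated the FTP session.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ and an elevated prompt.
# Step 1: state and start mode of the Application Layer Gateway service ('ALG').
Get-WmiObject Win32_Service -Filter "Name='ALG'" |
    Select-Object Name, State, StartMode, ProcessId, PathName

# Step 2: which services are hosted by each running svchost.exe instance.
# Several services share one svchost process, which is why the count varies.
Get-WmiObject Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'svchost\.exe' } |
    Group-Object ProcessId |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        '{0,6}  {1}' -f $_.Name, $names      # $_.Name is the PID used as group key
    }

# Step 3: map current TCP connections to their owning process, highlighting
# anything headed for a remote port 21 (FTP) or owned by alg.exe.
# netstat -ano prints: Proto  Local Address  Foreign Address  State  PID
$procByPid = @{}
Get-Process | ForEach-Object { $procByPid[$_.Id] = $_.ProcessName }

netstat -ano | Where-Object { $_ -match '^\s*TCP' } | ForEach-Object {
    $fields   = $_.Trim() -split '\s+'
    $ownerPid = [int]$fields[4]
    $owner    = if ($procByPid.ContainsKey($ownerPid)) { $procByPid[$ownerPid] } else { '?' }
    $toFtp    = $fields[2] -match ':21$'
    $flag     = if ($toFtp -or $owner -eq 'alg') { '<<' } else { '' }
    '{0,-22} -> {1,-22} {2,-12} {3,5} {4} {5}' -f $fields[1], $fields[2], $fields[3], $ownerPid, $owner, $flag
}

# Step 4: if you run a third-party firewall and do not rely on Windows Firewall
# or ICS for FTP, stop ALG and prevent it from starting again.
# Re-enable with: Set-Service -Name ALG -StartupType Manual
Stop-Service -Name ALG -ErrorAction SilentlyContinue
Set-Service -Name ALG -StartupType Disabled
Get-WmiObject Win32_Service -Filter "Name='ALG'" | Select-Object Name, State, StartMode
```

    Run steps 1 to 3 while the torrent client (or whatever you suspect) is active, so the netstat snapshot catches the connection the firewall is alerting on; a port 21 entry owned by alg.exe with a second process talking to the same remote host is the proxying behaviour described above, whereas an alg.exe connection with no other client in sight is the case that still deserves a closer look.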
     
  21. erik_in_illinois

    erik_in_illinois Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    2
    Great! thanks folks, no outbound connection attempts as of yet..
     