Re: My home page has changed to "CoolWWWSearch" variant

From: Bill Sanderson (Bill_Sanderson_at_msn.com.plugh.org)
Date: 04/28/04 

Date: Wed, 28 Apr 2004 15:27:48 -0400

Check on how many ALG.EXE's exist on your system.

Check using the ATTRIB command-line command.

Don't read too much into a name. Just because Microsoft has a benign useful
piece of the OS named ALG.EXE doesn't mean that there isn't something else,
in a different location, using the same name.

"thejd" <thejd@uk2.net> wrote in message
news:OQTgm1DLEHA.3300@TK2MSFTNGP10.phx.gbl...
> Good points. Im learning how to use "Process Explorer" by SysInternals,
> looks good.
>
> Last night after much examination I discovered alg.exe running, but only
> while the WARNING pop-ups appeared from winpatrol telling me that the IE
> settings were being changed. alg.exe = Application Layer Gateway Service.
>
> alg.exe turned out to be related to ICS, Internet connection sharing.
> Thats strange I thought, seeing as I dont use ICS, nor is it enabled.
>
> So I "disabled" Application Layer Gateway Service from "manual" startup in
> "Services" and it seems to have worked!!! WinPatrol is no longer reporting
> IE changes and my home page is no longer being changed nor is the CWS
> addon helper appearing in the IE Settings.
>
> So what is alg.exe? Accoring to MS it: "Provides support for 3rd party
> protocol plug-ins for Internet Connection Sharing and the Internet
> Connection Firewall"
>
> Im not aware of any problems disabling this Service as yet, any other idea
> or comments appreciated....
>
> Was the reason I could not clear the CWS source file because it was not
> resident on my PC? Did CWS hijack my internet connection (via alg.exe) to
> download itself again and again??
>
> Yes I have a firewall, yes Im using a NAPT fireall router, No Im not using
> any file sharing, Guest acc is disabled etc etc.
>
> Pretty scary stuff! Perhaps someone from MS would like to comment on the
> security alg.exe?
>
>
>
>
> "N. Miller" <nsm@blackhole.aosake.net> wrote in message
> news:MPG.1af718c17ef0fb89989eff@msnews.microsoft.com...
>> In article <ug7Gv14KEHA.3852@TK2MSFTNGP10.phx.gbl>, thejd@uk2.net says...
>>
>>> WinXP SP1 fully patched with IE security settings all at default.
>>
>>> I was running as administrator (silly) whilst surfing the internet.
>>
>>> :::::My home page has changed to "CoolWWWSearch" variant.:::::::
>>
>>> Ive tried absolutly everything in the way of adware, trojen and virus
>>> remove
>>> tools including CWShredder.
>>
>>> I have even tried installing XP SP2-beta, but to no avail.
>>
>>> Where is the resident CWS file? Every few minutes WinPatrol reports the
>>> changes to my IE settings, but is unable to stop them.
>>
>>> I try disabling (new XP SP2 feature) the "IE Helper" but it simply
>>> returns
>>> in to the enabled list after a few minutes.
>>>
>>> After spending 3 days on this now, I am wondering whether their is a
>>> cure, I
>>> am also curious that there seems to be little open debate on the MS-Home
>>> site regarding the FACT that this trojan can infect a FULLY patched XP
>>> OS!!!!! Without me ever agreeing to a download or similar numpty
>>> activity
>>> (other than being logged in as admin)
>>
>> Welcome to the commercial Internet, where many commercial interests
>> believe
>> that they own your computer. A fully patched system won't stop them. If
>> they
>> pop up sneaky windows, telling you that you should download a "small
>> plugin" so your browser will work on their site, and if you click "Ok",
>> no
>> patches will help you. Some popups are even sneakier; they ignore your
>> choice of "No", and install anyway, treating the "No" button click as an
>> affirmation.
>>
>> The authors of the Cool Web Search browser hijacker are in an arms race
>> with
>> the spyware killers. They are trying to stay three steps ahead of the
>> spyware removers, to make it harder for you to regain control of your
>> computer. Remember what I said; they want to possess your computer for
>> their
>> ends. Maybe, if you contact the CWS people, they have recent updates, or
>> may
>> even be interested in finding out if yours is a new variant that they
>> haven't seen, yet.
>>
>> I live in California. I wish that Sen. Liz Figueroa (D-Fremont) would
>> drop
>> her proposed legislation against Google, for their "Gmail", and pursue
>> legislation against Cool Web Search type browser hijackers instead.
>> Google
>> is up front about what they intend to do; more so than Hotmail, or
>> Yahoo!,
>> which are just as significant in their privacy issues.
>>
>> Cool Web Search is downright sneaky and malicious.
>>
>> --
>> Norman
>> ~Win dain a lotica, En vai tu ri, Si lo ta
>> ~Fin dein a loluca, En dragu a sei lain
>> ~Vi fa-ru les shutai am, En riga-lint
>
>