Problem with Virus and/or spyware : please help

[MNMAN]

After searching the web for hours and hours , I found the solution :

It's alga.exe Trojan, the following link explains it all.

http://www.edwinraja.com/how-to-remove-alga-exe-trojan-pws.html


How To Remove alga.exe Trojan PWS

UnHackMe, Junk Removal Tool, HijackThis or Microsoft Security Essential, those antiviruses have failed to detect this alga.exe trojan virus.
alga.exe is a malware related executable file and runs in Task Manager as the process alga.exe. Most often it creates web page called web.html inside “C:\Users\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files”
folder and launches web browser to load (file:///C:/Users/<user>/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/web.html) everytime there is internet connection available or at computer startup.
If your computer is having infected with this virus, there is a solution that might help with having to be done manually.

Steps Of How To Remove

1.Check to see if there is installed program named “setup” in your program lists and Uninstall with “Your Uninstaller!” with super mode (recommended) or go to Control Panel » Uninstall a program » right click “setup” name and Uninstall

2.Remove C:\Windows\System32\config\systemprofile\AppData\Local\Svchost folder which contains alga.exe or C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Svchost for x64 system.

3.Delete alga.exe from C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder

4.Delete patch.dll from C:\ProgramData folder

5.Restart computer

[SuperDave]

MBAM should have picked that up.

[MNMAN]

MBAM should have picked that up.

I really don't know why it didn't.

However the popup problem is over, I am afraid the symptoms are gone but there are still an infection of some kind.

Now and after following up the above procedures to remove the alga.exe, the popup is not coming (issue solved), however every time I delete the file Svchost that contains the file alga.exe (C:\Windows\System32\config\systemprofile\AppData\Local\Svchost) , it creates itself again in the same place (P.s. the computer running fine and no popup as I mentioned earlier), any ideas please?!!

[SuperDave]

Did you follow the instructions completely?
Please run MBAM again and see if it picks it up.This is a new infection (Nov./13)and I would like to see if it will remove it.
Also, please do a search for alga.exe and delete those you find.

[MNMAN]

Did you follow the instructions completely?

YES, word by word. And the popup is not an issue anymore.

Please run MBAM again and see if it picks it up. This is a new infection (Nov./13)and I would like to see if it will remove it

MBAM doesn't catch the alga.exe file
 

Also, please do a search for alga.exe and delete those you find.

Done, and deleted manually.

The only issue now is the file Svchost that contains alga.exe. I delete it and it keeps generating itself. I have noticed that it only generate itself when the internet is connected. I deleted all the temp internet files and tried again, same thing, it generated itself once the internet connection is on.

[MNMAN]

http://www.removespywaretips.com/exe-a/alga-exe.html

Is this a safe program to try and see if it will solve the problem?

[SuperDave]

Is this a safe program to try and see if it will solve the problem?

Usually those programs that are downloaded to solve a problem end up making much more problems.

Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Colunms.
In addition to already pre-selected options, make sure, the Command Line is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
Attach the file to your next reply.

[MNMAN]

Please find attached the file requested : Procexp.txt




[recovering disk space, attachment deleted by admin]

[MNMAN]

I though it's better to run all common programs I use on daily bases and then run procexp.exe again while all these programs are running. Here attached the report Procexp2.txt 

[recovering disk space, attachment deleted by admin]

[SuperDave]

I don't see it running in Taskmanager. Could you please look for these folderss below

delete folder svchost from C:\Windows\system32\config\systemprofile\AppData\Local or C:\Windows\SysWOW64\config\systemprofile\AppData\Local for x64 system and

patch.dll from c:\ProgramData folder

[MNMAN]

delete folder svchost from C:\Windows\system32\config\systemprofile\AppData\Local

I keep deleting svchost folder from C:\Windows\system32\config\systemprofile\AppData\Local but it generates itself every time I connect to the internet as I explained earlier.

and patch.dll from c:\ProgramData folder

Already deleted from before.

[SuperDave]

I sent a pm to my chum to see if he has any input. I'll be back.

[MNMAN]

I sent a pm to my chum to see if he has any input. I'll be back

Thanks for all the efforts, really appreciated.

[SuperDave]

My colleague has never seen anything like this but he did mention that Clarysoft says it's safe. That's about all the help I can give you.

[MNMAN]

Thanks a lot for all the help provided and your patience.

A friend of mine advised me to delete svchost file and then to run ESET Online scanner, but this time under setting check unwanted programs and check unsafe programs.

I did that and three threats are founds as following (last few lines of the created log):

# scanned=151511
# found=3
# cleaned=3
# scan_time=6310
sh=4EDB200FD0A27552F099453D3F5B6098A36E56FD ft=0 fh=0000000000000000 vn="a variant of MSIL/Adware.Agent.AB application (deleted - quarantined)" ac=C fn="C:\Windows\Installer\21c1102.msi"
sh=B84A20BD42C6B0BB9C5BB033BF07F0FC47CADF20 ft=1 fh=b8a4cc1cd24ab5b0 vn="a variant of MSIL/Adware.Agent.AB application (cleaned by deleting (after the next restart) - quarantined)" ac=C fn="C:\Windows\System32\service.exe"
sh=4EDB200FD0A27552F099453D3F5B6098A36E56FD ft=0 fh=0000000000000000 vn="a variant of MSIL/Adware.Agent.AB application (deleted - quarantined)" ac=C fn="C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Update.msi"

And since these three threats are quarantined the svchost file  stopped creating itself and the computer looks fine.
I hope this is the end of my misery  , and again thanks for your help.