[ssilk]

I've just started going through my startup list in detail, to try & remove any unnecessary items.
The first item is "Application Layer Gateway Service," with manufacturer "Microsoft Corporation."

In the CastleCops startup files database, it says this is added by W32.LINKBOT.M.
However, there are debates on other sites over whether this is legit or not. A few sites say it is legit if it's in the System32 folder, and not if elsewhere.
I did a search, and on my computer it is only found in C:\I386.

Any ideas? I can post a HijackThis log if that might help.
Incidentally, none of AVG, Spybot, Trojan, ZoneLabs, and Trend Housecall have picked this up as a problem.
Thanks.

[Advertisements]

""Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall." This can be disabled if you are not using Internet Connection Sharing or the built-in Windows firewall."

[pogonici]

""Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall." This can be disabled if you are not using Internet Connection Sharing or the built-in Windows firewall."

[ssilk]

Thanks.
I've just been reading up on it myself, and here are all the details:

There's one called "Application Layer Gateway Service" with filename alg.exe. This is legit, and is described by your quote.

There's another called "ALG.EXE" with filename iexplorer.exe. This is added by the W32/Demotry-B worm. This worm also adds the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ALG.EXE
"iexplorer .exe"

More details can be found here.

-Simon