Author Topic: Win32: Agent-SG[Trj}  (Read 13370 times)


crofty59

  • Guest
Win32: Agent-SG[Trj}
« on: November 06, 2006, 05:28:44 AM »
Hi
Did a boot scan and it picked up 2 viruses.

One was Win32:Adware-gen. I did a check on VirusTotal and it came up clean; even avast states it's clean.

File C:\Documents and Settings\PeDrO\My Documents\!!..JeNnAz!!\×_Odd.Bits.And.Bobs]].«3\×_DownLoads]].«3\FeLiX.exe is infected by Win32:Adware-gen. [Adw]
Have sent off to Alwil for testing.

I also got this but not sure if it can be quarantined or not
File C:\pagefile.sys is infected by Win32:Agent-SG [Trj]

This only shows up on a bootscan.

Is this okay to quarantine? I tried checking it out but could not find anything that I could understand.

Cheers

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: Win32: Agent-SG[Trj}
« Reply #1 on: November 06, 2006, 11:49:22 AM »
The content of the pagefile is not reused (when Windows boots up) - so it doesn't really matter what's inside. I'd suggest ignoring the file (i.e. not moving or deleting it).

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #2 on: November 06, 2006, 01:21:03 PM »
Thanks igor

I will do as you have suggested and just leave it.
Thanks a million for your help very much appreciated.

Cheers

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: Win32: Agent-SG[Trj}
« Reply #3 on: November 06, 2006, 04:29:58 PM »
I'm slightly curious, however, how the Agent-SG signature got there. It is actually possible that it's a false alarm, but it looks like it belongs to a dialer.
Try to run ashQuick.exe "*MEMORY" to see if anything is detected in memory.

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #4 on: November 07, 2006, 05:31:28 AM »
I'm slightly curious, however, how did the Agent-SG signature get there. It is actually possible that it's a false alarm, but it looks like belonging to a dialer.
Try to run ashQuick.exe "*MEMORY" to see if anything is detected in memory.


Hi

I am not very computer savvy. I did try but could not get it to go; most likely I stuffed it up.

I am using Windows XP Home and have Avast Pro installed.

Some directions may help me.

Cheers

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32: Agent-SG[Trj}
« Reply #5 on: November 07, 2006, 12:29:04 PM »
I am not very computer savvy. I did try but could not get it to go; most likely I stuffed it up.
Some directions may help me.
Start Menu > Run
Write down there: "C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "*MEMORY"

But Igor, some false positives should be there  ::) ???
« Last Edit: November 09, 2006, 11:56:08 AM by Tech »
The best things in life are free.

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #6 on: November 07, 2006, 01:03:39 PM »
Hi Tech

I tried it but it keeps coming up saying it can't find the path etc. to check that I have put in the right path.

I did a search; the only ashQuick.exe that comes up is in the C:\Windows\Prefetch folder. Is this correct or am I losing the plot?
I have clicked to show hidden folders, files etc.

I appreciate your help, but I am not sure how much longer I can stay on, so if I should disappear I am not being rude.


Cheers Crofty59
« Last Edit: November 07, 2006, 01:09:22 PM by crofty59 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33912
  • malware fighter
Re: Win32: Agent-SG[Trj}
« Reply #7 on: November 07, 2006, 01:36:36 PM »
Hi crofty59,

Go here and get this adware from your comp: http://www.spywareguide.com/product_show.php?id=30

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32: Agent-SG[Trj}
« Reply #8 on: November 07, 2006, 02:52:48 PM »
I tried it but it keeps coming up saying it can't find the path etc. to check that I have put in the right path.
I did a search; the only ashQuick.exe that comes up is in the C:\Windows\Prefetch folder. Is this correct or am I losing the plot?
No. The prefetched version is not good.
Where is your avast installed? There should be the ashquick.exe file.
I've posted the default folder, where did you install avast?
You have to use two pairs of quotes, like I've posted before.

I appreciate your help, but I am not sure how much longer I can stay on, so if I should disappear I am not being rude.
Sure. Don't worry my friend.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89110
  • No support PMs thanks
Re: Win32: Agent-SG[Trj}
« Reply #9 on: November 07, 2006, 03:38:51 PM »
@crofty59
The prefetch is only designed to speed up the loading of files; it gives HDD cluster information, etc. It isn't the original file.

Try this path in the run command, Tech's is likely to be incorrect for your setup:
"C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "*MEMORY", this works on mine
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #10 on: November 08, 2006, 06:36:48 AM »
Hi crofty59,

Go here and get this adware from your comp: http://www.spywareguide.com/product_show.php?id=30

polonus
Hi polonus, I have bookmarked the web site and will check it out.

Cheers crofty59


No. The prefetched version is not good.
Where is your avast installed? There should be the ashquick.exe file.
I've posted the default folder, where did you install avast?
You have to use two pairs of quotes, like I've posted before.

Hi tech
I installed in the default folder. I can find an icon in the Avast folder for ashQuick but not ashQuick exe.

I ended up getting it to work; I put in what David had posted. I was putting in the wrong path.

@crofty59
The prefetch is only designed to speed up the loading of files; it gives HDD cluster information, etc. It isn't the original file.

Try this path in the run command, Tech's is likely to be incorrect for your setup:
"C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "*MEMORY", this works on mine


Hi DavidR
Your path you posted worked like a charm. Thanks

Cheers crofty59

I'm slightly curious, however, how did the Agent-SG signature get there. It is actually possible that it's a false alarm, but it looks like belonging to a dialer.
Try to run ashQuick.exe "*MEMORY" to see if anything is detected in memory.


Hi igor
Ran the scan and this is what I got:
File name Process 876, memory block 0x01880000, block size 1814528
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse
VPS version 0642-2 07/11/06

File name Process 876, memory block 0x02B10000 block size 1814528
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse
VPS version 0642-2 07/11/06

I tried posting screen shots but it didn't work.
Hope this helps.

Cheers crofty59




« Last Edit: November 08, 2006, 11:00:09 AM by crofty59 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32: Agent-SG[Trj}
« Reply #11 on: November 08, 2006, 11:38:19 AM »
But Igor, some false positives should be there  ::) ???
::) ??? Igor?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: Win32: Agent-SG[Trj}
« Reply #12 on: November 08, 2006, 11:51:37 AM »
Can you find out what these Win32:Agent-SG [Trj] detections correspond to? I mean, if you run Process Explorer and check the process with ID 876 (or what the virus dialog shows in the particular case)... what is it?
Additionally, if you select this process (in Process Explorer) and press Ctrl+D to display the DLLs in the lower pane - is there any DLL where the reported addresses (e.g. 02B10000) would fall into?

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #13 on: November 08, 2006, 01:22:58 PM »
Hi

Belongs to Windows Defender
I ran Process Explorer; ID 876 is MsMpEng.exe, Service Executable, Microsoft Corporation.

I pressed Ctrl+D but nothing came up with addresses; all there was:
Name   Description     Company Name   Version

Cheers

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: Win32: Agent-SG[Trj}
« Reply #14 on: November 08, 2006, 01:55:17 PM »
Hmm... that's not good  >:(
I may be wrong, but it sounds like Windows Defender has unencrypted malware signatures in memory...
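
The check requested in Reply #12 (does a reported memory block fall inside any loaded DLL?) can be done mechanically. The following is an added example, not part of the thread or of any avast! tool: it parses report lines in the shape posted in Reply #10 and compares each block against a module list. The module list is constructed sample data with hypothetical DLL names; real bases and sizes would come from the Process Explorer DLL pane.

```python
import re

# Report lines in the shape posted in Reply #10 (avast! memory scan).
REPORT = """\
File name Process 876, memory block 0x01880000, block size 1814528
File name Process 876, memory block 0x02B10000 block size 1814528
"""

# CONSTRUCTED module list (name, base, size) standing in for what the
# Process Explorer DLL pane shows; the DLL names are hypothetical.
MODULES = [
    ("MsMpEng.exe", 0x01000000, 0x00004000),
    ("example_a.dll", 0x5A000000, 0x00300000),
    ("example_b.dll", 0x7C900000, 0x000B0000),
]

# The comma after the block address is optional: the two posted lines differ.
LINE_RE = re.compile(
    r"Process (\d+), memory block (0x[0-9A-Fa-f]+),? block size (\d+)"
)

def parse_report(text):
    """Return (pid, block_base, block_size) for every detection line."""
    return [(int(p), int(b, 16), int(s)) for p, b, s in LINE_RE.findall(text)]

def modules_overlapping(base, size, modules):
    """Names of modules whose address range overlaps [base, base+size)."""
    end = base + size
    return [name for name, m_base, m_size in modules
            if base < m_base + m_size and m_base < end]

def triage(text, modules):
    """Classify each detection as image-backed or other process memory."""
    results = []
    for pid, base, size in parse_report(text):
        hits = modules_overlapping(base, size, modules)
        results.append({
            "pid": pid,
            "range": (hex(base), hex(base + size)),
            "modules": hits,
            # No hit: the bytes are not part of a loaded EXE/DLL image,
            # so they are data the process holds (heap, mapped file, ...).
            "kind": "image" if hits else "non-image data",
        })
    return results

if __name__ == "__main__":
    for row in triage(REPORT, MODULES):
        print(row)
```

A block that matches no module is data held by the process rather than loaded code, which is the situation behind the conclusion in Reply #14.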