Author Topic: Win32: Agent-SG[Trj}  (Read 13412 times)

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #15 on: November 08, 2006, 01:57:51 PM »
Hi

You are right, it certainly doesn't sound good.

I may post on their newsgroup and see what they have to say.
Cheers
« Last Edit: November 08, 2006, 01:59:40 PM by crofty59 »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: Win32: Agent-SG[Trj}
« Reply #16 on: November 08, 2006, 02:06:31 PM »
Well, I guess I'll make somebody reproduce the problem here first... I would like to see the corresponding memory block (the one where the virus signature is found) before making conclusions.

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #17 on: November 08, 2006, 02:10:12 PM »
Well, I guess I'll make somebody reproduce the problem here first... I would like to see the corresponding memory block (the one where the virus signature is found) before making conclusions.


How do I go about doing that, as I have not got a clue?

Cheers

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: Win32: Agent-SG[Trj}
« Reply #18 on: November 08, 2006, 03:00:55 PM »
What version of Windows Defender is that?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32: Agent-SG[Trj}
« Reply #19 on: November 08, 2006, 03:16:19 PM »
Can you find out what these Win32:Agent-SG [Trj] detections correspond to? I mean, if you run Process Explorer and check the process with ID 876 (or what the virus dialog shows at the particular case)... what is it?
\Windows Defender\MsMpEng.exe
\Common Files\Softwin\BitDefender Scan Server\bdss.exe

Additionally, if you select this process (in Process Explorer) and press Ctrl+D to display the DLLs in the lower pane - is there any DLL where the reported addresses (e.g. 02B10000) would fall into?
C:\WINDOWS\system32\shlwapi.dll
\Common Files\Softwin\BitDefender Scan Server\bdcore.dll
C:\WINDOWS\system32\xcomm.dll

What version of Windows Defender is that?
The best things in life are free.

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #20 on: November 09, 2006, 03:41:38 AM »
Hi

My version of Windows Defender is Final Version 1.1.1592.0

I ran another ashquick memory scan and the process has changed. It was 876.

Now it is Process 912 memory block 0x01880000, block size 1814528
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse
VPS version 0642-2 07/11/06

I ran Process Explorer: ID 912 is MsMpEng.exe, Service Executable, Microsoft Corporation.

I only get one virus warning now; I did delete what was in quarantine in Windows Defender.

When I get the virus warning, can I send it to the chest and send it off to Alwil?
If this can be done, will I just leave it in the chest or restore?



Cheers
« Last Edit: November 09, 2006, 08:33:57 AM by crofty59 »

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #21 on: November 09, 2006, 08:46:39 AM »
Hi

I uninstalled Windows Defender, ran an AshQuick scan and it came up clean.

Reinstalled Windows Defender, updated signatures and ran the scan again; it came up with Win32:Agent-SG [Trj] again.

Process 912 memory block 0x020f0000  block size 1814528
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse
VPS version 0642-2 07/11/06

Cheers crofty59

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32: Agent-SG[Trj}
« Reply #22 on: November 09, 2006, 11:57:52 AM »
I ran another ashquick memory scan and the process has changed. It was 876.
It's normal, I mean, the ID number change.

When I get the virus warning, can I send it to the chest and send it off to Alwil?
If this can be done, will I just leave it in the chest or restore?
I think you can't... there isn't such an option when scanning the memory...
The best things in life are free.

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #23 on: November 09, 2006, 01:21:02 PM »
Hi Tech

Thanks for letting me know that it's normal for the ID to change.

Also thanks for the info about the virus chest with memory.

Should I uninstall Windows Defender and look for a different malware scanner etc.? Or this virus warning I keep getting, just ignore it?

Cheers

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32: Agent-SG[Trj}
« Reply #24 on: November 09, 2006, 03:09:29 PM »
Should I uninstall Windows Defender and look for a different malware scanner etc.? Or this virus warning I keep getting, just ignore it?
No. You don't have to uninstall Windows Defender.
Probably Igor will say something to MS support. They (MS) should encrypt the signatures loaded in the memory  :P :-[
That's not a virus (infection), just a signature that is not encrypted and it is detected by avast.
The best things in life are free.
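
The effect described in the reply above, as an added example that is not part of the original thread and is not Avast or Microsoft code: one scanner's loaded definitions sitting in clear text inside its own process look like malware to a second scanner's memory scan, and masking them in RAM removes the hit. The signature bytes, XOR key and function names are constructed for illustration; only the block address is taken from the report in this thread.

```python
from itertools import cycle

# Constructed detection pattern that both toy scanners know about.
SIGNATURES = {
    "Toy:Agent-Example [Trj]": bytes.fromhex("deadbeef4167656e7453472d64656d6f"),
}
XOR_KEY = b"\x5a\xc3\x17"   # hypothetical key for masking definitions in RAM
PAD = 64                    # filler bytes around the definitions in the block


def xor_mask(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Symmetric mask: applying it twice returns the original bytes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_definition_block(masked: bool) -> bytes:
    """Simulate the memory block where scanner B keeps its loaded definitions."""
    body = b"".join(SIGNATURES.values())
    return b"\x00" * PAD + (xor_mask(body) if masked else body) + b"\x00" * PAD


def memory_scan(block: bytes, base: int) -> list[tuple[str, int]]:
    """Scanner A: plain byte-pattern search; returns (name, address) hits."""
    hits = []
    for name, pattern in SIGNATURES.items():
        offset = block.find(pattern)
        if offset != -1:
            hits.append((name, base + offset))
    return hits


def scanner_b_matches(sample: bytes, masked_block: bytes) -> bool:
    """Scanner B keeps working with masked definitions: it masks each sample
    window the same way, so the clear pattern never sits in its memory."""
    size = len(next(iter(SIGNATURES.values())))
    stored = masked_block[PAD:PAD + size]
    return any(xor_mask(sample[i:i + size]) == stored
               for i in range(len(sample) - size + 1))


if __name__ == "__main__":
    base = 0x01880000  # block address reported earlier in this thread
    print("clear :", memory_scan(build_definition_block(False), base))
    print("masked:", memory_scan(build_definition_block(True), base))
```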

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #25 on: November 10, 2006, 05:02:10 AM »
Should I uninstall Windows Defender and look for a different malware scanner etc.? Or this virus warning I keep getting, just ignore it?
No. You don't have to uninstall Windows Defender.
Probably Igor will say something to MS support. They (MS) should encrypt the signatures loaded in the memory  :P :-[
That's not a virus (infection), just a signature that is not encrypted and it is detected by avast.

Thanks Tech, I will definitely leave it installed.

Cheers Crofty59

crofty59

  • Guest
Re: Win32: Agent-SG[Trj}
« Reply #26 on: December 04, 2006, 07:09:42 AM »
Hi all

I ran a bootscan today and it comes up clean.

Just curious that if I do an ashquick memory scan I still get this:
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse

When I originally got this I also had a c:\pagefile.sys show up in the bootscan.

Also, when you do a normal scan doesn't avast also do a memory scan? Again, just curious why it doesn't show up there as well.

Cheers