Win32:Agent-SG [Trj]

Hi
Did a boot scan and it picked up 2 viruses.

One was Win32:Adware-gen; I did a check on VirusTotal and it came up clean, and even avast states it is clean.

File C:\Documents and Settings\PeDrO\My Documents!!..JeNnAz!!\×_Odd.Bits.And.Bobs]].«3\×_DownLoads]].«3\FeLiX.exe is infected by Win32:Adware-gen. [Adw]
Have sent off to Alwil for testing.

I also got this but not sure if it can be quarantined or not
File C:\pagefile.sys is infected by Win32:Agent-SG [Trj]

This only shows up on a bootscan.

Is this okay to quarantine? I tried checking it out but could not find anything that I could understand.

Cheers

The content of the pagefile is not reused (when Windows boot up) - so it doesn’t really matter what’s inside. I’d suggest to ignore the file (i.e. not to move or delete it).

Thanks igor

I will do as you have suggested and just leave it.
Thanks a million for your help very much appreciated.

Cheers

I’m slightly curious, however, how the Agent-SG signature got there. It is actually possible that it’s a false alarm, but it looks like it belongs to a dialer.
Try to run ashQuick.exe “*MEMORY” to see if anything is detected in memory.

Hi

I am not very computer savvy. I did try but could not get it to go; most likely I stuffed it up.

I am using Windows xp Home and have Avast Pro installed

Some directions may help me.

Cheers

Start Menu > Run
Write down there: “C:\Program Files\Alwil Software\Avast4\ashQuick.exe” “*MEMORY”

But Igor, some false positives should be there ::slight_smile: ???

Hi Tech

I tried it but it keeps coming up saying it can’t find the path etc. Check that I have put in the right path.

I did a search and the only ashQuick.exe that comes up is in the C:\Windows\Prefetch folder. Is this correct or am I losing the plot?
I have clicked to show hidden folders, files etc.

I appreciate your help, but I am not sure how much longer I can stay on, so if I should disappear I am not being rude.

Cheers Crofty59

Hi crofty59,

Go here and get this adware from your comp: http://www.spywareguide.com/product_show.php?id=30

polonus

No. The prefetched version is not good.
Where is your avast installed? There should be the ashquick.exe file.
I’ve posted the default folder, where did you install avast?
You have to use two pairs of quotes, like I’ve posted before.

Sure. Don’t worry my friend.

@crofty59
The prefetch is only designed to speed up the loading of files it gives HDD cluster information, etc., it isn’t the original file.

Try this path in the run command, Techs is likely to be incorrect for your setup:
“C:\Program Files\Alwil Software\Avast4\ashQuick.exe” “*MEMORY”, this works on mine

Hi polonus, I have bookmarked the web site and will check it out.

Cheers crofty59

Hi tech
I installed in the default folder. I can find an icon in the Avast folder for ashQuick but not ashQuick.exe.

I ended up getting it to work; I put in what David had posted. I was putting in the wrong path.

Try this path in the run command, Techs is likely to be incorrect for your setup:
“C:\Program Files\Alwil Software\Avast4\ashQuick.exe” “*MEMORY”, this works on mine

Hi DavidR
Your path you posted worked like a charm. Thanks

Cheers crofty59

Hi igor
I ran the scan and this is what I got:
File name Process 876, memory block 0x01880000, block size 1814528
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse
VPS version 0642-2 07/11/06

File name Process 876, memory block 0x02B10000 block size 1814528
Malware name Win32:Agent-SG [Trj]
Malware Type Trojan Horse
VPS version 0642-2 07/11/06

I tried posting screen shots but it didn’t work.
Hope this helps.

Cheers crofty59

::slight_smile: ??? Igor?

Can you find out what these Win32:Agent-SG [Trj] detections correspond to? I mean, if you run Process Explorer and check the process with ID 876 (or whatever the virus dialog shows in the particular case)… what is it?
Additionally, if you select this process (in Process Explorer) and press Ctrl+D to display the DLLs in the lower pane - is there any DLL where the reported addresses (e.g. 02B10000) would fall into?
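The same check Igor describes (does the reported address fall inside any DLL loaded by that process?), as an added PowerShell example that is not part of the original thread. It assumes the PID 876 and block address 0x02B10000 from the scan result posted above; a protected service such as MsMpEng.exe may need an elevated prompt before its module list can be read.

```powershell
# Added example, not from the thread: report which loaded module (if any)
# contains a memory address flagged by a memory scan.
function Find-ModuleForAddress {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][string]$Address   # hex string, e.g. '0x02B10000'
    )
    $target = [Convert]::ToInt64($Address, 16)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop

    foreach ($m in $proc.Modules) {
        # Each module occupies [BaseAddress, BaseAddress + ModuleMemorySize)
        $base = $m.BaseAddress.ToInt64()
        $end  = $base + $m.ModuleMemorySize
        if ($target -ge $base -and $target -lt $end) {
            return [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Module      = $m.FileName
                Base        = ('0x{0:X8}' -f $base)
                Size        = $m.ModuleMemorySize
                Offset      = ('0x{0:X}' -f ($target - $base))
            }
        }
    }
    # No image covers the address: the block is private (heap/data) memory,
    # which is what the empty DLL view in the thread indicates.
    return $null
}

# Values assumed from the posted scan result (PID 876, block 0x02B10000).
$hit = Find-ModuleForAddress -ProcessId 876 -Address '0x02B10000'
if ($hit) {
    $hit | Format-List
} else {
    'Address is not inside any loaded module: private memory, not an image.'
}
```

A hit names the DLL to send for analysis; a miss means the flagged bytes live in a data allocation, which is consistent with the later guess that the scanner matched a signature held in memory rather than malicious code.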

Hi

It belongs to Windows Defender.
I ran Process Explorer; ID 876 is MsMpEng.exe, Service Executable, Microsoft Corporation.

I pressed Ctrl+D but nothing came up with addresses; all there was:
Name Description Company Name Version

Cheers

Hmm… that’s not good >:(
I may be wrong, but it sounds like Windows Defender has unencrypted malware signatures in memory…

Hi

You are right, it certainly doesn’t sound good.

I may post on their newsgroup and see what they have to say.
Cheers

Well, I guess I’ll have somebody reproduce the problem here first… I would like to see the corresponding memory block (the one where the virus signature is found) before making conclusions.

How do I go about doing that, as I have not got a clue?

Cheers

What version of Windows Defender is that?

\Windows Defender\MsMpEng.exe
\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\WINDOWS\system32\shlwapi.dll
\Common Files\Softwin\BitDefender Scan Server\bdcore.dll
C:\WINDOWS\system32\xcomm.dll