Ok I d/l the Nod32 trial version and updates yesterday and this showed up today, if the image doesn't show its in the HTTP comp. setup-- SCAgent(user agent) Explorer.EXE (program) and the same again with iexplorer.exe as the program. All the Google searches web and groups comes up with this as a trojan, hijackthis shows nothing about this, a total hd search has nothing, Adaware nothing, Spybot S&D nothing, Housecall won't load for some reason, but it did the other day before I had Nod32 installed, it may not be related. I am also running Sygate Pro firewall behind a router to a cable modem. WIN XP SP2

So is this a trojan or something else? The info I saw says it resides in the system32 folder, no such animal there. It wasn't there last night and only showed up sometime this morning the only places I went was here the Microsoft Dungeon Siege website and Windows update. I know this because I went over the great tutorial Blackspear made on this forum for the extra settings last night and didn't see it in there, the computer was in sleep mode all night.

Anyway can anyone look and see if they have this and if not maybe direct me to find out more and what to do.

If this post is not right for this forum feel free to delete or move.

Thanks,
Don

Perhaps it's really a part of MS software: http://www.filename.info/f/helphost.exe.html

Helphost yes, SCAgent is not there, that's the suspicious file. Thanks for that link though it will be helpful. Right there in that dialog and the corresponding registry entries for IMON and the MRU for search is the only place I can find the SCAgent name on my computer. It's almost like this tried to attach to the computer but Sygate or something else refused it but Nod32 picked up the reference. I did visit another website which was the amazon site that is linked in the top sticky post here about broswers not loading properly.

Nod32 run full bore again found nothing, Housecall found nothing, I couldn't run Housecall before because Sygate had my browser stealthed (referer).

I found this...

http://www.viruslist.com/en/find?search_mode=virus&words=scagent&x=14&y=3

....but all the major and most minor AV's pick them up according to the site if I read it correctly. I'm sure Nod32 and Housecall do too. But there has to be a file and that I don't have.

I have to go to bed, thanks again. I'll check back in a few hours.

I have SCAgent within IMON as well, as per screen shot...

There are very comprehensive cleaning instructions that can be found in post number 2 here: http://www.wilderssecurity.com/showthread.php?t=47830 though I suspect that your system is indeed clean.

Hope this helps...

Cheers ;D

Hey thanks, Blackspear, Marcos, ewido found 2 tracking cookies, that's it. I uninstalled Nod32 and reinstalled to see if I could make that entry come back and so far trying to repeat my footsteps from this morning I can't make it show up so I don't know what it is. I'll keep tabs on it and if it shows up try to determine what launched it if there was anything that was launched.

As an aside if it can be answered here, when IMON is in active mode for downloads where does it store the file before it releases it to the OS? I ask this because I turned off "Automatic Passive Mode" for files larger than xxxx kB so I can see the d/l window. If the download should fail or otherwise not complete I don't want to leave remnants of large files laying around.

Thanks I appreciate the help,

Don

Found it, haha it's the IE and Windows Search Companion Agent using msagent. SCAgent, just click the search button in Explore or IE and there it is, entry in IMON.

"Microsoft Agent is a set of programmable software services that supports the presentation of interactive animated characters within the Microsoft Windows interface. "

I turned the lousy animated dog off the first day I installed XP and he comes back and almost bites me. Bah and MS making an user agent with the same moniker as a trojan downloader. Bah Bah.

Thanks,

Don

BTW: I'll give NOD32 a few more days to see how it works with my system then I'll be a paying customer. I love this thing and I've tried them all, well most of them. ;D

{QUOTE-> ...I'll give NOD32 a few more days to see how it works with my system then I'll be a paying customer. I love this thing and I've tried them all, well most of them. ;D <-QUOTE}
Good to see Don, it will be nice to have you aboard...

All the best.

Cheers ;D