any one has info about: msagnts.exe

Discussion in 'other software & services' started by hadi, Apr 7, 2005.

Thread Status:
Not open for further replies.
  1. hadi

    hadi Guest

    I found this entry (msconfig>startup)

    HKLM\...\RUN:[Ns Agnt]msagnts.exe

    1-Google search: Nil
    2-on line Hijackthis log analysis Read: Unknown service should be fixed

    Have you guys any info about "msagnts.exe" and is it safe to fix it using Hijackthis.Thank you
     
  2. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hello Hadi, and Welcome.

    As you may have read, Wilder's unfortunately no longer processes HJT logs. You'd be far safer to post a HJT log at one of the *participating* sites listed on that page. But if you're one to tinker, I would suggest reviewing the information provided here.

    Beyond that (sorry you didn't mention you're OS), you could take a look at "How to manage Windows Startup"
    and "How Malware hides and is installed as a service on Windows NT/XP/2000/2003."

    If you could forward any other info or symptoms you're system may be suffering,
    I'd be happy to look further. :)


    GF
     
  3. hadi

    hadi Guest


    OS: XP Pro SP2, IE6
    I Use this link to analyze Hijackthis log
    http://www.hijackthis.de/index.php?langselect=english
    I've removed the entry related to "msagnts.exe" using Hijackthis
    still I want to know what this service is
    so far so good
    fingers crosed
    Thnx
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi hadi,

    Fixing the startup line in HijackThis will only stop the file from running, but of course doesn't remove the file. Since this seems to be an unknown file and its name very similar to a windows file, that right there makes it suspicious.

    Before deleting any unknown file(s) you should first invesitgate it further. You can do a search of your system and once the file is located, right-click on it and choose Properties, then look under the tabs to see if there is anything there that might help identify the file. If nothing looks familiar to you, then upload the file to Jotti's malware scan for a check.

    With most infections, there is rarely only one file involved, and other files may be hidden, or further infected files downloaded while the unknown file was running.

    You have not mentioned if you have any security apps installed (anti-virus, anti-spyware, etc.) or if you've done a scan with them. If you do not have any security apps installed, then you can follow the General Cleaning Instructions.

    The on-line HijackThis Analysis is not recommended. I would suggest you follow up with posting a HijackThis log at one of the sites listed here: http://www.a-sap.org/ where an experienced HijackThis log Analyst can review the log and give you instructions for checking your system further for any hidden malware.

    Please let us know what you find as it may help others who could also have this file on their system.

    Regards,

    snap
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    You could also submit the file itself (msagnts.exe) for example here:
    http://virusscan.jotti.org/ and see what comes up.
    In case of doubt send a (preferably zipped) copy to the email address in my profile with a link to this thread and I'll have a look.

    Regards,

    Pieter

    LOL. Hi snapdragin :-*
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    LOL! Hi Pieter :-* I wondered if you might want a copy of that. ;)

    hadi, as Pieter has requested, please do send him a copy of the file (msagnts.exe) for analysis.

    Thank you,

    snap
     
  7. hadi

    hadi Guest

    @snapdragin
    AV: NOD32 2 12 4 (trial)

    @Pieter_Arntz
    I scanned the file (12Kb) with nod and other 6 AVs. result:normal
    I think (only think from the icon shape) its related to net connection service.
    but couldnt fine any info about it anywhere
     
  8. TylerGred

    TylerGred Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    69
    Location:
    USA
    I think msagent is something that MS Anti-spyware uses...

    Do you have that installed?
     
  9. hadi

    hadi Guest

    @TylerGred
    GREAT people always here
    YES. Thank you very much
    I remember now that I've downloaded "microsoft antispyware" when I saw its beta after I clicked install I canceled the install. That explain why the entry is in startup.I wonder why google search turns up with nothing.
    Thanks m8
     
  10. TylerGred

    TylerGred Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    69
    Location:
    USA
    Well I just saw that you wrote "msagnts.exe"

    I have no idea what "msagnts.exe" is, however "msagent.exe" is what I was talking about.

    Hopefully you just had a typo... if not, then I don't think its MS-AS related.
     
  11. hadi

    hadi Guest

    NO typing errors
    msagnts.exe

    that isthe name.
    But I'm sure the entry appears after I was trying microsoft anti spyware BETA!! because I check periodically [msconfig>startup}.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    The Startup entry for the version of MSAS I have is:
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    I do not have any files called msagnts.exe although I do have MSAS beta installed and the MicroSoft Agents

    Could you please send me a copy, so I can have a look?

    Regards,

    Pieter
     
  13. hadi

    hadi Guest

    @TylerGred
    You made sorting it out
    Was happy to deleate the file. went back after your reply then in the recyclebin it reads underneath the name a graytext
    ---------------------
    msagent
    NS Internet Connection Module
    NS SYSTEMS
    ---------------------
    I had the internet connection months ago and I check weekly (msconfig > startup) why this thing didnt show up earlier.OR it hasnt got any thing to do with my internet connection.
    confused!!!!!!!!!!
     
  14. hadi

    hadi Guest

    @Pieter_Arntz
    I wanted to send you a copy but I can't access your profile I'M A GUEST at the moment. thanks
     
  15. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi hadi,

    A guest can still view a member's profile. Click on the link Pieter gave you in Post #5 above. That will take you to his Profile Page. Once there, look under the "Additional Information" and you'll see the "Optional Contact Info" That is the email address to use to send the file to Pieter.

    snap
     
  16. hadi

    hadi Guest

  17. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Well that is odd, as a guest using IE or Opera, I can view a members profile. Why you can't, I don't know. Ah, I see what you're saying now, and you are right you cannot as a guest send a PM (Private Message) or send an email by clicking the "send an email' link in the member's profile. That is why I mentioned to scroll down on the profile page and look at the "Additional Information" section to read the email address. Anyways...I've typed it out below:

    But you can send the file to (pieter AT wilderssecurity.org) Replace the word "AT" with @ and remove the spaces.
     
  18. hadi

    hadi Guest

    @snapdragin

    info sent to Pieter_Arntz

    Thanks
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Thanks for the file hadi.

    I looked at it and didn't notice anything suspicious.
    It didn't do much when I ran it, either.
    Probably I'm missing some components for it to work. Maybe you can do a find-files for files that were created the same day and that will learn you something more. But I don't think it is something malicious.

    Regards,

    Pieter
     
  20. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    It certainly looked suspicious, but felt it somehow wasn't a typo. I couldn't locate it on the web either, so please excuse my lack of experience in not mentioning Jotti's in my first reply. It was a good idea to suggest a date search on the file to gain some more info Pieter, and thanks for noticing I needed a little assistance jumping in Snap. ;)

    I had a feeling this might be something new when Google came up negative,
    guess time will tell...


    GF
     
  21. VoodooVane

    VoodooVane Guest

    I have the same file, its new, wasnt on my startup list the last time I checked and its not related to Microsoft AntiSpyware.

    Also, when I searched for msagnts.exe, I found two files, one in C:\Windows\Prefect named "MSAGNTS.EXE-013393B3.pf" and the other in C:\Windows\System32 named "msagnts.exe". I'm not sure what that prefetch file is for. Also scanned the file on the site u mentioned earlier, seems clean.
     
Loading...
Thread Status:
Not open for further replies.