-=PCTechTalk=- Re: Trojan Horse Generic 8.LDI

  • From: GMan <gman.pctt@xxxxxxxxx>
  • To: <pctechtalk@xxxxxxxxxxxxx>
  • Date: Sat, 13 Oct 2007 22:17:48 -0400

Hi Sandi,
[added just before sending this reply] - After reading what I've written 
below, I thought I should warn you that this is probably going to show you 
more about the "flow" of my thinking than answer your question. 
lol


    It's not just AVG that's been flagging this file recently.  Still, it is 
often a false positive caused by an aggressive definition file update. 
Since much more than AVG has been recently coming up with this, I now have 
to wonder if there's just one crew that creates these definitions that then 
sells them to all of the AV companies.  If not, then there's an awful lot of 
sharing of virus solutions going on out there in AV land. lol

    The fact that the file is located under its standard "Common Files\MS 
Shared\Works" parent folder is almost enough to confirm this without looking 
it up.  Still, to be safe (one of the primary tenets of PCTT, I might add), 
I did some research and found that the name of this particular file 
(legitimate, but normally worthless) HAS INDEED been used by a trojan or 
other malware.  As a result, my own caution alert just went up a bit. 
Still, I have to wonder how a malware pest was able to locate this file 
under an old backup folder since most malware doesn't have any hard drive 
scanning capability.  Very odd!

    However, those infections have the bad file residing under the 
C:\Windows or C:\Windows\system32 folders (locations that are NEVER used by 
Microsoft for this particular file).  Since these files are obviously placed 
there directly by the referenced malware, it shows that they don't bother 
looking all over your hard drive to see if there's an old copy of the 
original file somewhere else (like your year old backup).  As a result, I am 
still very much inclined to believe that this is just a false positive.

    So, what can you do about this that will make all parties happy?  Well, 
if you don't use the MS Works Calendar Reminder program (and I seriously 
doubt you're somehow using it from within an old backup), just delete the 
file.  If you also have Works installed on your present Windows system (that 
is, the file also exists at its standard ...Common Files\MS Shared\Works\... 
location), you'll want to keep this info in the back of your mind, just in 
case it's ever flagged like the old one.  If it is, again, just delete the 
file if you know you'll never be using the Reminder function.  If you DO use 
it, you'll have to go into the Preferences/Options/Settings of your AV 
program and create an exception for that file so it's never scanned again.


REFERENCES:
    The first link below will take you to a site (sysinfo.org) that lists 
all of the known files that come into question like this.  Some are linked 
to malware while some are not.  I highly recommend that anyone interested 
load up the page to see what the site is all about.  Then, click on the 
second link below to get to the main database page and bookmark that for 
future reference.  It's not the only research you should conduct when facing 
something like this, but it's a great start to your own research. 
:O)

http://shrunklink.com/adia
http://www.sysinfo.org/startuplist.php

    Here is another process database site that explains various files found 
throughout Windows.  You'll also find numerous other tests and info in the 
links on the left side of the page.  I suggest adding this one to your 
Malware Research folder as well.

http://www.auditmypc.com/process/wkcalrem.asp

    Here's yet another Process database for your consideration. (and I think 
I'll stop there before I completely take over your bookmarks folder) 
:O)

http://shrunklink.com/adib

Peace,
GMan

"The only dumb questions are the ones that are never asked!"

----- Original Message ----- 
From: "Sandi Beach" <sandib2@xxxxxxxxx>
To: "pctechtalk" <pctechtalk@xxxxxxxxxxxxx>
Sent: Saturday, October 13, 2007 4:06 PM
Subject: -=PCTechTalk=- Trojan Horse Generic 8.LDI


> AVG found three of the above and put them in the vault.  A search on Google
> gave no hits with the above information but when I put in wkcalrem.exe,
> which was in the description, I found a number of hits.  It is Microsoft
> Works Calendar Reminder.  I never use this.
> The path shown in AVG was C\Old Drive\joyce\Joyce\Program Files\Common
> Files\Microsoft Shared\Works Shared\wkcalrem.exe
> Two with this path (except only one Joyce in one of them) were in C\Old
> Drive.  The third left out the two Joyces but was otherwise identical and it
> was in the C Drive.
> For now I am leaving them in the vault.  I am curious as to why they are
> just now showing up as the Old C Drive folder has been there since a
> reformat over a year ago.  Would it be because I just downloaded updates to
> virus definitions?  Could it be a false positive?
> I have signed up for Google alerts on the Trojan Horse Generic 8.LDI to see
> if I can learn anything from that.
> I have also signed up for Google alerts on wkcalrem.exe
> Anyone else using AVG getting this Trojan Horse showing up?
> Sandi
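The location check GMan walks through above (the legitimate wkcalrem.exe lives under ...\Common Files\Microsoft Shared\Works Shared\, while the malware that borrows the name drops its copy under C:\Windows or C:\Windows\system32) can be written down as a small triage script. This is an added example, not code from the thread or from any AV vendor. The sample paths are the three Sandi reported plus one constructed system32 path; the verdict labels, the `in_backup` heuristic (Program Files not directly under the drive root means an old copied tree) and the `recommend()` wording are my own naming of the advice in the reply.

```python
"""Location-based triage for an AV hit on a known-legitimate file name.

Added example. It encodes the reasoning from the reply: a copy of
wkcalrem.exe in its normal Works folder is most likely a false positive
(especially inside an old backup tree), while a copy under C:\\Windows
or C:\\Windows\\system32 is where the name-stealing malware puts itself.
"""

TARGET_NAME = "wkcalrem.exe"

# Parent-folder suffix of the legitimate file (lower-cased), from the post.
EXPECTED_PARENT = ("common files", "microsoft shared", "works shared")

# Parent-folder suffixes the post says Microsoft never uses for this file.
SUSPECT_PARENTS = (("windows",), ("windows", "system32"))

# Constructed sample: the three paths from the original question (the first
# two sit inside the year-old "Old Drive" backup) plus one constructed
# system32 path of the kind the reply warns about.
SAMPLE_PATHS = [
    r"C\Old Drive\joyce\Joyce\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe",
    r"C\Old Drive\joyce\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe",
    r"C\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe",
    r"C:\Windows\system32\wkcalrem.exe",  # constructed, not from the thread
]


def split_windows_path(path):
    """Split a Windows path into lower-cased components, tolerating the
    missing drive colon seen in the AVG report ("C\\...") and forward slashes."""
    return [p.lower() for p in path.replace("/", "\\").split("\\") if p]


def classify_path(path):
    """Classify one flagged path.

    verdict:   "expected" - file sits in its legitimate Works folder
               "suspect"  - file sits where only the name-stealing malware puts it
               "unknown"  - neither, or a different file name; research it
    in_backup: True when "Program Files" is not directly under the drive root,
               i.e. the hit is an old copied tree rather than the live install.
    """
    parts = split_windows_path(path)
    name = parts[-1] if parts else ""
    parent = tuple(parts[:-1])
    if name != TARGET_NAME:
        verdict = "unknown"
    elif parent[-len(EXPECTED_PARENT):] == EXPECTED_PARENT:
        verdict = "expected"
    elif any(parent[-len(s):] == s for s in SUSPECT_PARENTS):
        verdict = "suspect"
    else:
        verdict = "unknown"
    in_backup = "program files" in parts and parts.index("program files") > 1
    return {"path": path, "name": name, "verdict": verdict, "in_backup": in_backup}


def recommend(result, uses_reminder=False):
    """Map a verdict onto the post's advice (wording is mine)."""
    if result["verdict"] == "suspect":
        return "treat as malware: keep it in the vault and research name + location"
    if result["verdict"] == "expected":
        if uses_reminder:
            return "likely false positive: add an AV exception for this exact path"
        return "likely false positive: delete if the Works Reminder is never used"
    return "unknown location: look the file up before acting"


def triage(paths, uses_reminder=False):
    """Classify every path and attach the recommended action."""
    report = []
    for path in paths:
        result = classify_path(path)
        result["action"] = recommend(result, uses_reminder)
        report.append(result)
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_PATHS):
        flag = " (old backup tree)" if row["in_backup"] else ""
        print(f"{row['verdict']:8} {row['path']}{flag}\n         -> {row['action']}")
```

Run it as-is to see the four verdicts; pass `uses_reminder=True` to `triage()` to get the "add an exception" advice instead of "delete". The suffix match on the parent folder is deliberate: it makes the check work for the backup copies under "C\Old Drive\joyce\..." as well as the live install, which is exactly the distinction the reply draws.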

