I went looking for those files following the path in both the Old C Drive folder and in the current C drive and they are not there. I presume they have been moved to the vault in AVG? And I can simply delete them from there?

Curiously, when I opened Works it warned me that I have too many fonts and things might not work right because of it. I have had this message before and ignored it because everything was working o.k. Then when I opened a Works template for a letter I got the message that I am out of memory. What would gobble up my memory? I seldom use Works as I write letters from my various card programs. I do indeed have a lot of fonts because of the numerous greeting card programs, some with a full install.

And when I came back from Church this morning AVG had a message about the Trojan but it disappeared so fast I could not get a screen shot or totally read what it said. I opened AVG and it still says I have 3 Trojans in the Vault.

I need now to print off your message, G, and further cogitate on it!! Should I first thing delete those files in the Old Drive that are in the Vault? How about the file on C Drive? Delete it too?

Sandi

----- Original Message -----
From: "GMan" <gman.pctt@xxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Saturday, October 13, 2007 9:17 PM
Subject: -=PCTechTalk=- Re: Trojan Horse Generic 8.LDI

> Hi Sandi,
> [added just before sending this reply] - After reading what I've written below, I thought I should warn you that this is probably going to show you more about the "flow" of my thinking than answer your question.
> lol
>
> It's not just AVG that's been flagging this file recently. Still, it is often a false positive caused by an aggressive definition file update. Since much more than AVG has been recently coming up with this, I now have to wonder if there's just one crew that creates these definitions that then sells them to all of the AV companies.
> If not, then there's an awful lot of sharing of virus solutions going on out there in AV land. lol
>
> The fact that the file is located under its standard "Common Files\MS Shared\Works" parent folder is almost enough to confirm this without looking it up. Still, to be safe (one of the primary tenets of PCTT, I might add), I did some research and found that the name of this particular file (legitimate, but normally worthless) HAS INDEED been used by a trojan or other malware. As a result, my own caution alert just went up a bit. Still, I have to wonder how a malware pest was able to locate this file under an old backup folder since most malware doesn't have any hard drive scanning capability. Very odd!
>
> However, those infections have the bad file residing under the C:\Windows or C:\Windows\system32 folders (locations that are NEVER used by Microsoft for this particular file). Since these files are obviously placed there directly by the referenced malware, it shows that they don't bother looking all over your hard drive to see if there's an old copy of the original file somewhere else (like your year old backup). As a result, I am still very much inclined to believe that this is just a false positive.
>
> So, what can you do about this that will make all parties happy? Well, if you don't use the MS Works Calendar Reminder program (and I seriously doubt you're somehow using it from within an old backup), just delete the file. If you also have Works installed on your present Windows system (that is, the file also exists at its standard ...Common Files\MS Shared\Works\... location), you'll want to keep this info in the back of your mind, just in case it's ever flagged like the old one. If it is, again, just delete the file if you know you'll never be using the Reminder function.
> If you DO use it, you'll have to go into the Preferences/Options/Settings of your AV program and create an exception for that file so it's never scanned again.
>
> REFERENCES:
> The first link below will take you to a site (sysinfo.org) that lists all of the known files that come into question like this. Some are linked to malware while some are not. I highly recommend that anyone interested load up the page to see what the site is all about. Then, click on the second link below to get to the main database page and bookmark that for future reference. It's not the only research you should conduct when facing something like this, but it's a great start to your own research.
> :O)
>
> http://shrunklink.com/adia
> http://www.sysinfo.org/startuplist.php
>
> Here is another process database site that explains various files found throughout Windows. You'll also find numerous other tests and info in the links on the left side of the page. I suggest adding this one to your Malware Research folder as well.
>
> http://www.auditmypc.com/process/wkcalrem.asp
>
> Here's yet another Process database for your consideration. (and I think I'll stop there before I completely take over your bookmarks folder)
> :O)
>
> http://shrunklink.com/adib
>
> Peace,
> GMan
>
> "The only dumb questions are the ones that are never asked!"