-=PCTechTalk=- Re: Trojan Horse Generic 8.LDI

  • From: "Sandi Beach" <sandib2@xxxxxxxxx>
  • To: <pctechtalk@xxxxxxxxxxxxx>
  • Date: Mon, 15 Oct 2007 15:26:41 -0500

Thank you, G, for all the reference sites.  I have added them to my 
favorites.
This morning I deleted the three suspected Trojans from the Vault in AVG.  I 
then ran an update on AVG and another scan.  It came up clean so I did not 
do anything with System Restore.
Thanks again for your help.
Sandi
----- Original Message ----- 
From: "GMan" <gman.pctt@xxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Saturday, October 13, 2007 9:17 PM
Subject: -=PCTechTalk=- Re: Trojan Horse Generic 8.LDI


> Hi Sandi,
> [added just before sending this reply] - After reading what I've written
> below, I thought I should warn you that this is probably going to show you
> more about the "flow" of my thinking than answer your question.
> lol
>
>
>    It's not just AVG that's been flagging this file recently.  Still, it is
> often a false positive caused by an aggressive definition file update.
> Since much more than AVG has been recently coming up with this, I now have
> to wonder if there's just one crew that creates these definitions that then
> sells them to all of the AV companies.  If not, then there's an awful lot
> of sharing of virus solutions going on out there in AV land.  lol
>
>    The fact that the file is located under its standard "Common Files\MS
> Shared\Works" parent folder is almost enough to confirm this without
> looking it up.  Still, to be safe (one of the primary tenets of PCTT, I
> might add), I did some research and found that the name of this particular
> file (legitimate, but normally worthless) HAS INDEED been used by a trojan
> or other malware.  As a result, my own caution alert just went up a bit.
> Still, I have to wonder how a malware pest was able to locate this file
> under an old backup folder since most malware doesn't have any hard drive
> scanning capability.  Very odd!
>
>    However, those infections have the bad file residing under the
> C:\Windows or C:\Windows\system32 folders (locations that are NEVER used
> by Microsoft for this particular file).  Since these files are obviously
> placed there directly by the referenced malware, it shows that they don't
> bother looking all over your hard drive to see if there's an old copy of
> the original file somewhere else (like your year-old backup).  As a result,
> I am still very much inclined to believe that this is just a false
> positive.
>
>    So, what can you do about this that will make all parties happy?  Well,
> if you don't use the MS Works Calendar Reminder program (and I seriously
> doubt you're somehow using it from within an old backup), just delete the
> file.  If you also have Works installed on your present Windows system
> (that is, the file also exists at its standard ...Common Files\MS
> Shared\Works\... location), you'll want to keep this info in the back of
> your mind, just in case it's ever flagged like the old one.  If it is,
> again, just delete the file if you know you'll never be using the Reminder
> function.  If you DO use it, you'll have to go into the
> Preferences/Options/Settings of your AV program and create an exception
> for that file so it's never scanned again.
>
>
> REFERENCES:
>    The first link below will take you to a site (sysinfo.org) that lists
> all of the known files that come into question like this.  Some are linked
> to malware while some are not.  I highly recommend that anyone interested
> load up the page to see what the site is all about.  Then, click on the
> second link below to get to the main database page and bookmark that for
> future reference.  It's not the only research you should conduct when
> facing something like this, but it's a great start to your own research.
> :O)
>
> http://shrunklink.com/adia
> http://www.sysinfo.org/startuplist.php
>
>    Here is another process database site that explains various files found
> throughout Windows.  You'll also find numerous other tests and info in the
> links on the left side of the page.  I suggest adding this one to your
> Malware Research folder as well.
>
> http://www.auditmypc.com/process/wkcalrem.asp
>
>    Here's yet another process database for your consideration.  (And I
> think I'll stop there before I completely take over your bookmarks folder.)
> :O)
>
> http://shrunklink.com/adib
>
> Peace,
> GMan
>
> "The only dumb questions are the ones that are never asked!"
>

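The triage GMan walks through above comes down to one question: where on disk does each copy of the flagged file live? A copy under its standard "Common Files\MS Shared\Works" parent folder (even inside an old backup tree) is most likely a false positive, while a copy dropped directly into C:\Windows or C:\Windows\system32 is exactly what the malware write-ups describe. The script below is an added example, not part of either message in this thread and not a PCTechTalk or AVG tool. It assumes the file in question is wkcalrem.exe (taken from the auditmypc.com link GMan posted), and the sample paths it checks are constructed for illustration, not taken from Sandi's machine.

```python
from pathlib import PureWindowsPath

# Assumption: the Works Calendar Reminder binary is wkcalrem.exe,
# as suggested by the wkcalrem.asp reference in the thread.
TARGET = "wkcalrem.exe"

# Parent-folder chain the post describes as the file's standard home.
STANDARD_PARENTS = ("common files", "ms shared", "works")

# Folders the post says Microsoft never uses for this file; a copy
# sitting directly in one of them matches the malware write-ups.
SUSPECT_DIRS = (
    ("windows",),
    ("windows", "system32"),
)

# Plain-language follow-up for each verdict, mirroring the advice above.
ACTIONS = {
    "standard-location": "likely false positive; add an AV exception only if "
                         "you actually use the Reminder function",
    "standard-layout-elsewhere": "old copy in a backup tree; delete it if unused",
    "suspicious-location": "treat as malware; leave it quarantined and keep "
                           "looking for what put it there",
    "unknown-location": "research the file (sysinfo.org, process databases) "
                        "before trusting or deleting it",
}


def classify(path_str: str) -> str:
    """Classify one on-disk location of TARGET by its parent folders."""
    p = PureWindowsPath(path_str)
    if p.name.lower() != TARGET:
        return "not-target"
    # Drop the drive anchor and the filename, compare case-insensitively.
    parts = [s.lower() for s in p.parts[1:-1]]
    if len(parts) >= 3 and tuple(parts[-3:]) == STANDARD_PARENTS:
        # Standard layout. Directly under a Program Files tree means the
        # installed copy; anything else is most likely a backup of it.
        if len(parts) == 4 and parts[0] in ("program files", "program files (x86)"):
            return "standard-location"
        return "standard-layout-elsewhere"
    if tuple(parts) in SUSPECT_DIRS:
        return "suspicious-location"
    return "unknown-location"


def triage(paths):
    """Map each found path to (verdict, suggested action)."""
    return {p: (classify(p), ACTIONS.get(classify(p), "n/a")) for p in paths}


# Constructed sample hits, as an AV "found in" list might report them.
SAMPLE_PATHS = [
    r"C:\Program Files\Common Files\MS Shared\Works\wkcalrem.exe",
    r"D:\Backup 2006\Program Files\Common Files\MS Shared\Works\wkcalrem.exe",
    r"C:\Windows\system32\wkcalrem.exe",
    r"C:\Windows\wkcalrem.exe",
    r"C:\Documents and Settings\Sandi\Desktop\wkcalrem.exe",
]

if __name__ == "__main__":
    for path, (verdict, action) in triage(SAMPLE_PATHS).items():
        print(f"{verdict:26} {path}\n{'':26} -> {action}")
```

The location check is only the first cut, the same one GMan makes by eye. Before trusting a copy that lands in "standard-location", compare its hash with the copy under the real install folder (if both exist) and check the file's digital signature; a matching, signed binary in its normal folder is the case where an AV exception is reasonable, while anything under C:\Windows or system32 should stay in the vault.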
