Thank you, G, for all the reference sites. I have added them to my favorites. This morning I deleted the three suspected Trojans from the Vault in AVG. I then ran an update on AVG and another scan. It came up clean, so I did not do anything with System Restore. Thanks again for your help.

Sandi

----- Original Message -----
From: "GMan" <gman.pctt@xxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Saturday, October 13, 2007 9:17 PM
Subject: -=PCTechTalk=- Re: Trojan Horse Generic 8.LDI

> Hi Sandi,
>
> [added just before sending this reply] - After reading what I've written
> below, I thought I should warn you that this is probably going to show you
> more about the "flow" of my thinking than answer your question. lol
>
> It's not just AVG that's been flagging this file recently. Still, it is
> often a false positive caused by an aggressive definition file update.
> Since much more than AVG has been recently coming up with this, I now have
> to wonder if there's just one crew that creates these definitions that then
> sells them to all of the AV companies. If not, then there's an awful lot of
> sharing of virus solutions going on out there in AV land. lol
>
> The fact that the file is located under its standard "Common Files\MS
> Shared\Works" parent folder is almost enough to confirm this without looking
> it up. Still, to be safe (one of the primary tenets of PCTT, I might add),
> I did some research and found that the name of this particular file
> (legitimate, but normally worthless) HAS INDEED been used by a trojan or
> other malware. As a result, my own caution alert just went up a bit.
> Still, I have to wonder how a malware pest was able to locate this file
> under an old backup folder since most malware doesn't have any hard drive
> scanning capability. Very odd!
>
> However, those infections have the bad file residing under the
> C:\Windows or C:\Windows\system32 folders (locations that are NEVER used by
> Microsoft for this particular file). Since these files are obviously placed
> there directly by the referenced malware, it shows that they don't bother
> looking all over your hard drive to see if there's an old copy of the
> original file somewhere else (like your year-old backup). As a result, I am
> still very much inclined to believe that this is just a false positive.
>
> So, what can you do about this that will make all parties happy? Well,
> if you don't use the MS Works Calendar Reminder program (and I seriously
> doubt you're somehow using it from within an old backup), just delete the
> file. If you also have Works installed on your present Windows system (that
> is, the file also exists at its standard ...Common Files\MS Shared\Works\...
> location), you'll want to keep this info in the back of your mind, just in
> case it's ever flagged like the old one. If it is, again, just delete the
> file if you know you'll never be using the Reminder function. If you DO use
> it, you'll have to go into the Preferences/Options/Settings of your AV
> program and create an exception for that file so it's never scanned again.
>
> REFERENCES:
> The first link below will take you to a site (sysinfo.org) that lists
> all of the known files that come into question like this. Some are linked
> to malware while some are not. I highly recommend that anyone interested
> load up the page to see what the site is all about. Then, click on the
> second link below to get to the main database page and bookmark that for
> future reference. It's not the only research you should conduct when facing
> something like this, but it's a great start to your own research. :O)
>
> http://shrunklink.com/adia
> http://www.sysinfo.org/startuplist.php
>
> Here is another process database site that explains various files found
> throughout Windows. You'll also find numerous other tests and info in the
> links on the left side of the page. I suggest adding this one to your
> Malware Research folder as well.
>
> http://www.auditmypc.com/process/wkcalrem.asp
>
> Here's yet another Process database for your consideration. (and I think
> I'll stop there before I completely take over your bookmarks folder) :O)
>
> http://shrunklink.com/adib
>
> Peace,
> GMan
>
> "The only dumb questions are the ones that are never asked!"

---------------------------------------------------------------
Please remember to trim your replies (including this sentence and everything below it) and adjust the subject line as necessary.

To unsubscribe or change your email settings:
//www.freelists.org/webpage/pctechtalk

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
//www.freelists.org/archives/pctechtalk/

To contact only the PCTT Mod Squad, write to:
pctechtalk-moderators@xxxxxxxxxxxxx
---------------------------------------------------------------
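Editor's note, added to this archived thread and not part of the original posts or of anything PCTechTalk published: GMan's reasoning above (a flagged file sitting where the vendor installs it is probably a false positive; the same name under C:\Windows or System32 is not) can be turned into a repeatable triage step. The script below does that and adds two checks the post does not mention, the file's Authenticode signature and a SHA-256 comparison against the installed copy. It assumes PowerShell 4 or later (for Get-FileHash); the function name Test-FlaggedFile, the parameter names and the expected-location table are my own, and the table is seeded only with the single file/folder pairing the post names (the post abbreviates the folder as "MS Shared"; on disk it is "Microsoft Shared").

```powershell
# Added example (not from the original post): triage a file an AV product
# flagged by comparing where it lives against where the vendor installs it.
# Assumptions: PowerShell 4+ (Get-FileHash). The table below is seeded only
# with the pairing the post names: wkcalrem.exe under
# Common Files\Microsoft Shared\Works (the post writes "MS Shared").
function Test-FlaggedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$FlaggedPath,

        # lower-case file name -> folders, relative to a Common Files root,
        # where the legitimate copy of that file is installed
        [hashtable]$ExpectedUnderCommonFiles = @{
            'wkcalrem.exe' = @('Microsoft Shared\Works')
        }
    )

    $item = Get-Item -LiteralPath $FlaggedPath -ErrorAction Stop
    $name = $item.Name.ToLowerInvariant()
    $dir  = $item.DirectoryName.TrimEnd('\')

    # Expected directories: Common Files on 32-bit and 64-bit systems.
    $commonRoots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    $expectedDirs = @()
    if ($ExpectedUnderCommonFiles.ContainsKey($name)) {
        foreach ($root in $commonRoots) {
            foreach ($rel in $ExpectedUnderCommonFiles[$name]) {
                $expectedDirs += (Join-Path $root $rel).TrimEnd('\')
            }
        }
    }

    # Folders the post says the copycat malware uses and the vendor never does.
    $systemDirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))

    $inExpected = [bool]($expectedDirs | Where-Object { $dir -ieq $_ })
    $inSystem   = [bool]($systemDirs   | Where-Object { $dir -ieq $_ })

    # Checks beyond the post: signature status and hash vs. the installed copy.
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    $installedMatch = $null
    if (-not $inExpected) {
        foreach ($d in $expectedDirs) {
            $candidate = Join-Path $d $item.Name
            if (Test-Path -LiteralPath $candidate) {
                $installedHash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
                $installedMatch = ($installedHash -eq $hash)
            }
        }
    }

    if ($inSystem) {
        $verdict = 'SUSPICIOUS: under Windows/System32, which is not a vendor location for this file'
    } elseif ($inExpected) {
        $verdict = 'LIKELY FALSE POSITIVE: at the vendor install location; confirm via signature/hash'
    } elseif ($installedMatch -eq $true) {
        $verdict = 'LIKELY FALSE POSITIVE: stray copy identical to the installed file'
    } elseif ($installedMatch -eq $false) {
        $verdict = 'SUSPICIOUS: same name as the installed file but different content'
    } else {
        $verdict = 'UNKNOWN LOCATION: research the file name before deleting or excluding'
    }

    [pscustomobject]@{
        File             = $item.FullName
        ExpectedDirs     = $expectedDirs
        InExpectedDir    = $inExpected
        InSystemDir      = $inSystem
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256           = $hash
        MatchesInstalled = $installedMatch
        Verdict          = $verdict
    }
}

# Usage: the situation the post describes, a copy under an old backup folder
# (the backup path is made up for illustration).
# Test-FlaggedFile -FlaggedPath 'D:\Backup\Common Files\Microsoft Shared\Works\wkcalrem.exe'
```

Two caveats when reading the output. A stray copy under a backup folder, as in Sandi's case, lands in the "identical to the installed file" branch only if Works is still installed on the live system; otherwise it falls through to "UNKNOWN LOCATION", where the post's advice (research the name, delete the copy if you never use the Reminder function) still applies. And a NotSigned status on its own proves nothing for a binary of that era, since many legitimate files of the time were shipped unsigned; the location test and the hash comparison carry more weight than the signature field for this particular file.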