Re: Trojan horse Downloader.Generic.ML

From: David W. Hodgins (dhodgin1661_at_nomail.afraid.org)
Date: 06/18/05


Date: Fri, 17 Jun 2005 19:08:09 -0400

On Fri, 17 Jun 2005 01:56:18 -0400, Ron Reaugh <ron-reaugh@worldnet.att.net> wrote:

> Back to my original issue, why would AVG be detecting c:\null at that
> moment. What could have caused AVG resident to detect a file in c:\ at that
> moment EXCEPT watching/checking some file I/O to that file at that moment?

The virus definitions may have been updated.
The date on the file may not reflect its actual creation date.

Keep in mind that on-access scanning does not normally scan non-executable
files. On-demand scanning only does so if you specify it in the configuration
settings.

As to the question of when to format/reinstall, it's easier to describe when it
isn't needed.

If you know what malware was installed, how it got installed, can be confident that
that's the only malware that was installed, and that malware does not provide
remote access, then it's safe to just clean it using whatever tools are most
suitable.

Otherwise, you should assume all executables (including macros etc.) are compromised.

You could boot from known clean boot media and compare every executable to the
files from the installation sources, but it's usually faster to just reinstall.

In most cases, just using an appropriate anti-malware tool to remove the infection
will be effective, but you cannot/should not count on it. If the PC is used for
any financial activity (online banking, etc.), failing to wipe/reinstall and change
all passwords could be expensive. Same with failure to remove a dialler, if you
have a regular modem connected to a phone line. Remote access tools can also get
your account terminated for sending spam etc., or cause reputation loss, if everyone
in your address book gets spammed with malware from your computer.

Regards, Dave Hodgins

-- 
Change nomail.afraid.org to rogers.com to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
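The post above mentions booting from clean media and comparing every executable against the installation sources as the alternative to a wipe/reinstall. The script below is an added illustration of that comparison step, not code from the post or from any anti-virus product. It assumes the suspect volume has been mounted (read-only) from a clean boot environment and that a trusted copy of the installation sources is available; the executable-extension list and the sample file trees are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as executable content for the comparison. This list is an
# assumption for the example; adjust it to whatever the installation actually ships.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each executable's path (relative to root) to its SHA-256 digest.

    Non-executable files are skipped, mirroring what the post says about
    on-access scanners: they focus on executable content.
    """
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(clean: dict[str, str], suspect: dict[str, str]) -> dict[str, list[str]]:
    """Classify every executable as unchanged, modified, missing or unexpected.

    'modified' and 'unexpected' are the buckets to investigate after an infection:
    shipped executables whose contents differ, and executables the installation
    sources never contained.
    """
    return {
        "unchanged": sorted(p for p in clean if p in suspect and clean[p] == suspect[p]),
        "modified": sorted(p for p in clean if p in suspect and clean[p] != suspect[p]),
        "missing": sorted(p for p in clean if p not in suspect),
        "unexpected": sorted(p for p in suspect if p not in clean),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny 'installation source' tree and a 'suspect disk' copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = Path(tmp) / "install_source"
        suspect_root = Path(tmp) / "suspect_disk"
        for root in (clean_root, suspect_root):
            (root / "system32").mkdir(parents=True)

        # Known-good files (constructed content, not real binaries).
        (clean_root / "system32" / "kernel.dll").write_bytes(b"GOOD kernel.dll")
        (clean_root / "system32" / "notepad.exe").write_bytes(b"GOOD notepad.exe")
        (clean_root / "readme.txt").write_bytes(b"documentation, not executable")

        # Suspect copy: notepad.exe is unchanged, kernel.dll has been altered,
        # and an executable the installation never shipped has appeared.
        (suspect_root / "system32" / "kernel.dll").write_bytes(b"GOOD kernel.dll" + b"\x90" * 8)
        (suspect_root / "system32" / "notepad.exe").write_bytes(b"GOOD notepad.exe")
        (suspect_root / "system32" / "unknown_tool.exe").write_bytes(b"not in the installation sources")
        (suspect_root / "readme.txt").write_bytes(b"edited text file, ignored by the comparison")

        return compare_manifests(build_manifest(clean_root), build_manifest(suspect_root))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:10s} {paths}")
```

In practice the manifest of the installation sources would be built once and stored off the machine, so that the suspect disk is only ever read, never trusted to supply its own baseline. Anything in the "modified" or "unexpected" buckets is exactly the case where the post says a reinstall is the faster and safer choice.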

