Trojan horse Downloader.Generic.ML

Discussion in 'Computer Security' started by Ron Reaugh, Jun 15, 2005.

  1. Ron Reaugh

    Ron Reaugh Guest

    It's the file C:\NULL

    Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    PC reported the above noted infection. It's Grisoft free AVG with the
    latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
    earlier with no indication of any problems. There are still no indications
    of any problems EXCEPT that AVG claims it's found this trojan. There have
    been no floppy operations/mounts, no CD operations/mounts and no downloads
    and installs of anything since an hour before shutdown last night and now.

    From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    PC finding nothing.

    So where and how did this file C:\NULL that AVG claims is Trojan horse
    Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    suddenly downloaded a new definition file which started seeing this trojan?
    OR did something penetrate all the firewalls and suddenly spawn this file
    which AVG quickly recognized?

    What likely happened here?

    The operation I was in the middle of when AVG popped up was reading a text
    only no attachment NG message in OE 6.00.2800.1123.
    Ron Reaugh, Jun 15, 2005
    #1

  2. Ron Reaugh

    Eric Parker Guest

    "Ron Reaugh" <> wrote in message
    news:EKYre.963481$...
    > It's the file C:\NULL
    >
    > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    > PC reported the above noted infection. It's Grisoft free AVG with the
    > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
    > earlier with no indication of any problems. There are still no indications
    > of any problems EXCEPT that AVG claims it's found this trojan. There have
    > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > and installs of anything since an hour before shutdown last night and now.
    >
    > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > PC finding nothing.
    >
    > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > suddenly downloaded a new definition file which started seeing this trojan?
    > OR did something penetrate all the firewalls and suddenly spawn this file
    > which AVG quickly recognized?
    >
    > What likely happened here?
    >
    > The operation I was in the middle of when AVG popped up was reading a text
    > only no attachment NG message in OE 6.00.2800.1123.
    >
    >


    If you're doubting AVG, you could submit the file to www.virustotal.com.
    That would give you a lot of opinions on it.
    As to how it got there, I can't help.

    eric

    eric
    --
    Remove the dross to contact me directly
    Eric Parker, Jun 15, 2005
    #2

  3. Ron Reaugh

    Ron Reaugh Guest

    "Eric Parker" <> wrote in message
    news:42b06ef5$0$2402$...
    >
    > "Ron Reaugh" <> wrote in message
    > news:EKYre.963481$...
    > > It's the file C:\NULL
    > >
    > > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    > > PC reported the above noted infection. It's Grisoft free AVG with the
    > > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > > with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
    > > earlier with no indication of any problems. There are still no indications
    > > of any problems EXCEPT that AVG claims it's found this trojan. There have
    > > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > > and installs of anything since an hour before shutdown last night and now.
    > >
    > > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > > PC finding nothing.
    > >
    > > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > > suddenly downloaded a new definition file which started seeing this trojan?
    > > OR did something penetrate all the firewalls and suddenly spawn this file
    > > which AVG quickly recognized?
    > >
    > > What likely happened here?
    > >
    > > The operation I was in the middle of when AVG popped up was reading a text
    > > only no attachment NG message in OE 6.00.2800.1123.
    > >
    > >

    >
    > If you're doubting AVG,


    NO, I'm not doubting AVG at all. The file c:\null didn't belong there and
    came from some unknown source and I assume that in fact is a trojan. What I
    can't understand is how and when it got there unnoticed until this AM?? I
    thought I'd taken all the extra precautions and kept very current and then
    all of the sudden from left field this AVG warning appears at a time and
    circumstance that does NOT correspond to when I'd expect such a thing to
    have happened.

    FURTHER I was under the impression that most all the current virus checker
    companies were really on top of things and got out protection(new def files)
    within hours or at most a day from when something new was found in the wild.
    I find it highly unlikely that I'm some special case that got this infection
    only or long before anyone else. If one believes the 5/5/05 date on c:\null
    then that suggests that this thing has been out in the wild for over a month
    when AVG just this AM suddenly updated the def file to include its
    detection. Also Trend Housecall 6 didn't find it if you believe the 5/5/05
    date.

    How did this all come to pass? Do I have some misconceptions somewhere
    regarding these issues? I thought I had all my bases covered and then this.
    What should I start doing differently? Are virus/trojan files ever put on
    folks' HD and then change their own dates back in time; has that ever been
    seen?

    > you could submit the file to www.virustotal.com.


    AVG zapped it already.

    > That would give you a lots of opinions on it.
    > As to how it got there, I can't help.
    >
    > eric
    >
    > eric
    > --
    > Remove the dross to contact me directly
    >
    >
    Ron Reaugh, Jun 15, 2005
    #3
  4. Ron Reaugh

    Ron Reaugh Guest

    Google web/groups doesn't show any hits on "downloader.generic.ml" so this
    may be something really NEW!

    "Ron Reaugh" <> wrote in message
    news:EKYre.963481$...
    > It's the file C:\NULL
    >
    > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    > PC reported the above noted infection. It's Grisoft free AVG with the
    > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
    > earlier with no indication of any problems. There are still no indications
    > of any problems EXCEPT that AVG claims it's found this trojan. There have
    > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > and installs of anything since an hour before shutdown last night and now.
    >
    > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > PC finding nothing.
    >
    > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > suddenly downloaded a new definition file which started seeing this trojan?
    > OR did something penetrate all the firewalls and suddenly spawn this file
    > which AVG quickly recognized?
    >
    > What likely happened here?
    >
    > The operation I was in the middle of when AVG popped up was reading a text
    > only no attachment NG message in OE 6.00.2800.1123.
    >
    >
    Ron Reaugh, Jun 15, 2005
    #4
  5. "Ron Reaugh" <> wrote in message
    news:EKYre.963481$...
    > It's the file C:\NULL
    >
    > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    > PC reported the above noted infection. It's Grisoft free AVG with the
    > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > with firewall, SpyBot(resident).


    And do you use Internet Explorer?

    > A normal Shutdown was done 12 hours
    > earlier with no indication of any problems.


    There wouldn't be.
    If something did sneak in via an IE or some other vulnerability then it
    would most likely not run until the next startup.

    > There are still no indications
    > of any problems EXCEPT that AVG claims it's found this trojan.


    Sounds like an indication of a problem to me.
    A false detection is a possibility but there is no way for me to be certain.

    > There have
    > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > and installs of anything since an hour before shutdown last night and now.


    But you did surf with Internet Explorer?

    >
    > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > PC finding nothing.
    >
    > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > suddenly downloaded a new definition file which started seeing this trojan?

    Virus scanners don't have any magical ability to detect trojans, they have
    to be told what is a trojan and what isn't via the updates. An anti-virus
    vendor may manage to do an update in less than a day if the virus/trojan is
    all over the news but it may otherwise take longer. Trojan writers are not
    under any obligation to send copies of their trojans to anti-virus vendors.

    > OR did something penetrate all the firewalls and suddenly spawn this file
    > which AVG quickly recognized?


    I have no idea where C:\NULL came from but if it were on my PC I would want
    to know what it was.
    If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
    to see what was there.
    I'd also find out whether anything in there was referenced during startup.
    For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
    or just regedit.

    >
    > What likely happened here?


    Impossible to say. One possibility is that you got something via an
    unpatched IE vulnerability. Another is that AVG is/was giving a false
    detection. Another is that I don't have a clue what happened.

    >
    > The operation I was in the middle of when AVG popped up was reading a text
    > only no attachment NG message in OE 6.00.2800.1123.


    Did this message contain a link/url that you happened to click on?

    Jason

    >
    >
    Jason Edwards, Jun 15, 2005
    #5
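Jason's suggestion is to find out whether anything references C:\NULL at startup, with regedit if nothing else. As an added example (not code from the thread), the Python below reads a regedit export (File > Export; Win9x writes a REGEDIT4 ANSI file, NT-based Windows a UTF-16 "Version 5.00" file) and lists every Run-type entry whose data mentions a given path. The key list and the sample export, including the hypothetical "Updater" entry, are constructed for illustration.

```python
import re
import sys
from typing import Iterator, List, Tuple

# Keys Windows consults at boot/logon to launch programs.  Illustrative list
# (constructed for this example), matched case-insensitively as a path suffix.
AUTOSTART_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\runservices",
    r"\software\microsoft\windows\currentversion\runservicesonce",
)

# "name"="data" or @="data"; hex: and dword: values never match and are skipped.
_ENTRY = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


def unescape(s: str) -> str:
    # A .reg export writes a backslash as \\ and a double quote as \"
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for every string value in an export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")      # "[-HKEY..." marks a key deletion
            continue
        m = _ENTRY.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
            yield key, name, unescape(m.group(4))


def load_export(path: str) -> str:
    """NT-family regedit writes UTF-16LE with a BOM; Win9x REGEDIT4 is ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def is_autostart_key(key: str) -> bool:
    k = key.lower()
    return any(k.endswith(s) for s in AUTOSTART_KEY_SUFFIXES)


def find_autostart_references(text: str, needle: str) -> List[Tuple[str, str, str]]:
    r"""Autostart entries whose data mentions needle (a path fragment such as C:\NULL)."""
    n = needle.lower()
    return [(k, name, data) for k, name, data in parse_reg_export(text)
            if is_autostart_key(k) and n in data.lower()]


# Constructed sample export.  ScanRegistry and SystemTray are ordinary Win98
# Run entries; "Updater" is a hypothetical entry pointing into C:\NULL.  The
# Uninstall entry also mentions C:\NULL but is not an autostart location.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Updater"="C:\\NULL\\update.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="C:\\Program Files\\Notes\\notes.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"UninstallString"="C:\\NULL\\uninst.exe"
'''

if __name__ == "__main__":
    # usage: script.py export.reg C:\NULL   (falls back to the built-in sample)
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    needle = sys.argv[2] if len(sys.argv) > 2 else "C:\\NULL"
    for key, name, data in find_autostart_references(text, needle):
        print(f"[{key}]\n    {name} = {data}")
```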
  6. Ron Reaugh

    Ron Reaugh Guest

    "Jason Edwards" <> wrote in message
    news:...
    > "Ron Reaugh" <> wrote in message
    > news:EKYre.963481$...
    > > It's the file C:\NULL
    > >
    > > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    > > PC reported the above noted infection. It's Grisoft free AVG with the
    > > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > > with firewall, SpyBot(resident).

    >
    > And do you use Internet Explorer?


    Yep, the very latest and fully patched/WinUp-ed version.

    > > A normal Shutdown was done 12 hours
    > > earlier with no indication of any problems.

    >
    > There wouldn't be.
    > If something did sneak in via an IE or some other vulnerability then it
    > would most likely not run until the next startup.


    Are you saying that AVG's resident and SpyBot's resident (watching reg
    updates) wouldn't have caught it at the time of infection?

    > > There are still no indications
    > > of any problems EXCEPT that AVG claims it's found this trojan.

    >
    > Sounds like an indication of a problem to me.
    > A false detection is a possibility but there is no way for me to be certain.

    That c:\null IS a bogus file from an unknown source suggests that there was
    no false detection.

    > > There have
    > > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > > and installs of anything since an hour before shutdown last night and now.
    >
    > But you did surf with Internet Explorer?


    Yep and other than the possibility that you are a FireFox drum beater, the
    use of a fully updated IE generally does NOT expose one to such when a fully
    functional firewall, virus checker and spyware checker are in place.

    > > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > > PC finding nothing.
    > >
    > > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > > suddenly downloaded a new definition file which started seeing this trojan?
    >
    > Virus scanners don't have any magical ability to detect trojans, they have
    > to be told what is a trojan and what isn't via the updates.


    Right but 5/5/05 is over 30 days old...am I some special case alpha
    infection point?

    > An anti-virus
    > vendor may manage to do an update in less that a day if the virus/trojan is
    > all over the news but it may otherwise take longer. Trojan writers are not
    > under any obligation to send copies of their trojans to anti-virus vendors.
    >
    > > OR did something penetrate all the firewalls and suddenly spawn this file
    > > which AVG quickly recognized?

    >
    > I have no idea where C:\NULL came from but if it were on my PC I would want
    > to know what it was.
    > If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
    > to see what was there.


    After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32]
    hourly to spot undesirable files. That's what I got AVG etc. for.

    > I'd also find out whether anything in there was referenced during startup.
    > For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
    > or just regedit.
    >
    > >
    > > What likely happened here?

    >
    > Impossible to say. One possibility is that you got something via an
    > unpatched IE vulnerability.


    I was under the impression that there weren't any of these that have
    resulted in actual infections any time recently. Lots of new
    vulnerabilities keep being found and reported and fixed. And that's all
    before there are any infections/penetrations using them, and that's what I've
    been hearing for over a year.

    > Another is that AVG is/was giving a false
    > detection. Another is that I don't have a clue what happened.
    >
    > >
    > > The operation I was in the middle of when AVG popped up was reading a text
    > > only no attachment NG message in OE 6.00.2800.1123.

    >
    > Did this message contain a link/url that you happened to click on?


    NOPE! I assume that the NG message reading had nothing to do with it but
    then what did??

    > Jason
    Ron Reaugh, Jun 15, 2005
    #6
  7. Ron Reaugh

    Jim Byrd Guest

    Hi Ron - You might want to download and run the free or trial version of A2
    Personal, here: http://www.emsisoft.com/en/ UPDATE, then run from a Clean
    Boot or Safe Mode with Show Hidden Files enabled. This is a MUCH better
    piece of software for detecting Trojans than AVG.

    Directions for a Clean Boot and Show Hidden Files in my Blog, addy in
    Signature.

    --
    Regards, Jim Byrd, MS-MVP
    My, Blog Defending Your Machine, here:
    http://defendingyourmachine.blogspot.com/

    "Ron Reaugh" <> wrote in message
    news:EKYre.963481$
    > It's the file C:\NULL
    >
    > Suddenly shortly after cold boot my fully updated(WinUp) and patched
    > W98se PC reported the above noted infection. It's Grisoft free AVG
    > with the latest updates. This PC is also protected by ZoneAlarm,
    > Belkin WiFi router with firewall, SpyBot(resident). A normal
    > Shutdown was done 12 hours earlier with no indication of any
    > problems. There are still no indications of any problems EXCEPT that
    > AVG claims it's found this trojan. There have been no floppy
    > operations/mounts, no CD operations/mounts and no downloads and
    > installs of anything since an hour before shutdown last night and
    > now.
    >
    > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date.
    > Since 5/5 both a full manual AVG and Trend HouseCall 6 run have been
    > done on this PC finding nothing.
    >
    > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > Downloader.Generic.ML appear from? Was it really there since 5/5 but
    > went unnoticed by both AVG and Trend HouseCall 6 and then this
    > morning AVG suddenly downloaded a new definition file which started
    > seeing this trojan? OR did something penetrate all the firewalls and
    > suddenly spawn this file which AVG quickly recognized?
    >
    > What likely happened here?
    >
    > The operation I was in the middle of when AVG popped up was reading a
    > text only no attachment NG message in OE 6.00.2800.1123.
    Jim Byrd, Jun 15, 2005
    #7
  8. Ron Reaugh

    Ron Reaugh Guest

    "Jim Byrd" <> wrote in message
    news:...
    > Hi Ron - You might want to download and run the free or trial version of A2
    > Personal, here: http://www.emsisoft.com/en/ UPDATE, then run from a Clean
    > Boot or Safe Mode with Show Hidden Files enabled.
    > This is a MUCH better
    > piece of software for detecting Trojans than AVG.


    Why would AVG or Trend HouseCall 6 be weak in this regard?

    > Directions for a Clean Boot and Show Hidden Files in my Blog, addy in
    > Signature.
    >
    > --
    > Regards, Jim Byrd, MS-MVP
    > My, Blog Defending Your Machine, here:
    > http://defendingyourmachine.blogspot.com/
    >
    > "Ron Reaugh" <> wrote in message
    > news:EKYre.963481$
    > > It's the file C:\NULL
    > >
    > > Suddenly shortly after cold boot my fully updated(WinUp) and patched
    > > W98se PC reported the above noted infection. It's Grisoft free AVG
    > > with the latest updates. This PC is also protected by ZoneAlarm,
    > > Belkin WiFi router with firewall, SpyBot(resident). A normal
    > > Shutdown was done 12 hours earlier with no indication of any
    > > problems. There are still no indications of any problems EXCEPT that
    > > AVG claims it's found this trojan. There have been no floppy
    > > operations/mounts, no CD operations/mounts and no downloads and
    > > installs of anything since an hour before shutdown last night and
    > > now.
    > >
    > > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date.
    > > Since 5/5 both a full manual AVG and Trend HouseCall 6 run have been
    > > done on this PC finding nothing.
    > >
    > > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > > Downloader.Generic.ML appear from? Was it really there since 5/5 but
    > > went unnoticed by both AVG and Trend HouseCall 6 and then this
    > > morning AVG suddenly downloaded a new definition file which started
    > > seeing this trojan? OR did something penetrate all the firewalls and
    > > suddenly spawn this file which AVG quickly recognized?
    > >
    > > What likely happened here?
    > >
    > > The operation I was in the middle of when AVG popped up was reading a
    > > text only no attachment NG message in OE 6.00.2800.1123.
    Ron Reaugh, Jun 15, 2005
    #8
  9. "Ron Reaugh" <> wrote in message
    news:qW_re.324813$...
    >
    > "Jason Edwards" <> wrote in message
    > news:...
    > > "Ron Reaugh" <> wrote in message
    > > news:EKYre.963481$...
    > > > It's the file C:\NULL
    > > >
    > > > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    > > > PC reported the above noted infection. It's Grisoft free AVG with the
    > > > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > > > with firewall, SpyBot(resident).

    > >
    > > And do you use Internet Explorer?

    >
    > Yep, the very latest and fully patched/WinUp-ed version.


    Ok, so it's probably only got approximately n+100 vulnerabilities left to be
    patched.

    >
    > > > A normal Shutdown was done 12 hours
    > > > earlier with no indication of any problems.

    > >
    > > There wouldn't be.
    > > If something did sneak in via an IE or some other vulnerability then it
    > > would most likely not run until the next startup.

    >
    > Are you saying that AVG's resident and SpyBots resident(watching reg
    > updates) wouldn't have caught it at the time of infection?


    Yes

    >
    > > > There are still no indications
    > > > of any problems EXCEPT that AVG claims it's found this trojan.

    > >
    > > Sounds like an indication of a problem to me.
    > > A false detection is a possibility but there is no way for me to be certain.
    >
    > That c:\null IS a bogus file from an unknown source suggests that there was
    > no false detection.


    It does, if you are sure that C:\NULL is not part of anything legitimate or
    anything you have done yourself.

    >
    > > > There have
    > > > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > > > and installs of anything since an hour before shutdown last night and now.
    > >
    > > But you did surf with Internet Explorer?

    >
    > Yep and other than the possibility that you are a FireFox drum beater, the
    > use of a fully updated IE generally does NOT expose one to such when a fully
    > functional firewall, virus checker and spyware checker are in place.


    I don't wish to upset you but it took me a while to stop laughing after
    reading that.

    >
    > > > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > > > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > > > PC finding nothing.
    > > >
    > > > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > > > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > > > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > > > suddenly downloaded a new definition file which started seeing this trojan?
    > >
    > > Virus scanners don't have any magical ability to detect trojans, they have
    > > to be told what is a trojan and what isn't via the updates.

    >
    > Right but 5/5/05 is over 30 days old...am I some special case alpha
    > infection point?


    Nope, you're just an average Windows user who got the trojan that wasn't
    widespread enough to be noticed immediately.

    >
    > > An anti-virus
    > > vendor may manage to do an update in less that a day if the virus/trojan is
    > > all over the news but it may otherwise take longer. Trojan writers are not
    > > under any obligation to send copies of their trojans to anti-virus vendors.
    > >
    > > > OR did something penetrate all the firewalls and suddenly spawn this file
    > > > which AVG quickly recognized?

    > >
    > > I have no idea where C:\NULL came from but if it were on my PC I would want
    > > to know what it was.
    > > If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
    > > to see what was there.

    >
    > After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32]
    > hourly to spot undesirable files. That's what I got AVG etc. for.


    I don't either, but I don't allow additional executable files on to the
    system in the first place, so I don't have to go file spotting very often on
    my own machines. I also don't need AVG.

    >
    > > I'd also find out whether anything in there was referenced during startup.
    > > For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
    > > or just regedit.
    > >
    > > >
    > > > What likely happened here?

    > >
    > > Impossible to say. One possibility is that you got something via an
    > > unpatched IE vulnerability.

    >
    > I was under the impression that there weren't any of these that have
    > resulted in actual infections any time recently. Lots of new
    > vulnerabilities keep being found and reported and fixed. And that's all
    > before there is any infections/penetrations using them and that's what I've
    > been hearing for over a year.


    Who have you been hearing this from?
    Ask yourself why there is a cumulative update every month.

    >
    > > Another is that AVG is/was giving a false
    > > detection. Another is that I don't have a clue what happened.
    > >
    > > >
    > > > The operation I was in the middle of when AVG popped up was reading a text
    > > > only no attachment NG message in OE 6.00.2800.1123.

    > >
    > > Did this message contain a link/url that you happened to click on?

    >
    > NOPE! I assume that the NG message reading had nothing to do with it but
    > then what did??


    It is not possible for me to say for certain what did.

    If I were you I'd wipe the drive and reinstall the operating system.
    There is no other way to be sure that your system isn't compromised.

    Jason

    >
    > > Jason

    >
    >
    Jason Edwards, Jun 15, 2005
    #9
  10. Ron Reaugh

    Roger Wilco Guest

    "Ron Reaugh" <> wrote in message
    news:EKYre.963481$...
    > It's the file C:\NULL
    >
    > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    > PC reported the above noted infection. It's Grisoft free AVG with the
    > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
    > earlier with no indication of any problems. There are still no indications
    > of any problems EXCEPT that AVG claims it's found this trojan. There have
    > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > and installs of anything since an hour before shutdown last night and now.
    >
    > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > PC finding nothing.
    >
    > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > Downloader.Generic.ML appear from?


    New malware can download and use old malware. Just a shot in the dark,
    what else do you have with that date?

    > Was it really there since 5/5 but went
    > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > suddenly downloaded a new definition file which started seeing this trojan?

    Possible. Or it could be a false positive. Without the evidence we can't
    know.

    > OR did something penetrate all the firewalls and suddenly spawn this file
    > which AVG quickly recognized?


    Also possible.

    > What likely happened here?


    Without analysing the file "NULL", and/or finding other malware files to
    analyse, it is anybody's guess.

    > The operation I was in the middle of when AVG popped up was reading a text
    > only no attachment NG message in OE 6.00.2800.1123.


    This may be paranoia at work here, but new malware could download many
    things undetected at present and throw you a bone (like an old trojan)
    to make you think your defenses are adequate and have protected you.
    Maybe other things have been date altered to 5/5/5 as well - or looking
    at 5/5/5 dated files will jar your memory about what "NULL" is (or was).
    Roger Wilco, Jun 15, 2005
    #10
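Roger's "what else do you have with that date?" and his remark that other files may have been re-dated to 5/5/05 are a file-timeline question. As an added example (not code from the thread), the Python below walks a tree, lists every file last written on a given day, and flags any whose last-write time is older than its creation time: on FAT and NTFS that combination means the file was copied in or had its date set back after the day it shows. The throwaway tree built by demo_tree() is constructed for illustration; the default root and date are placeholders.

```python
import os
import sys
import tempfile
import datetime as dt
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    path: str
    modified: dt.datetime
    created: Optional[dt.datetime]   # None where the filesystem gives no creation time
    backdated: bool                  # last-write older than creation: mtime was set, not earned


def creation_time(st: os.stat_result) -> Optional[float]:
    """Creation timestamp if the platform exposes one.  On Windows (FAT and NTFS
    alike) it is st_ctime; on POSIX st_ctime is inode-change time, so only
    st_birthtime (macOS/BSD) counts there."""
    if os.name == "nt":
        return st.st_ctime
    return getattr(st, "st_birthtime", None)


def looks_backdated(mtime: float, ctime: Optional[float], tolerance_s: float = 120.0) -> bool:
    """True when the last-write time is earlier than the creation time by more
    than the tolerance.  A file written in place is created first and modified
    later; the reverse order is what a copied or re-dated file looks like."""
    return ctime is not None and mtime + tolerance_s < ctime


def classify(path: str, mtime: float, ctime: Optional[float],
             target_day: dt.date) -> Optional[Finding]:
    """Return a Finding if the file's last-write date is target_day, else None."""
    modified = dt.datetime.fromtimestamp(mtime)
    if modified.date() != target_day:
        return None
    created = dt.datetime.fromtimestamp(ctime) if ctime is not None else None
    return Finding(path, modified, created, looks_backdated(mtime, ctime))


def files_dated(root: str, target_day: dt.date) -> List[Finding]:
    """Walk root and collect every file last written on target_day, oldest first."""
    findings: List[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                st = os.stat(p)
            except OSError:
                continue                     # unreadable or vanished; keep going
            f = classify(p, st.st_mtime, creation_time(st), target_day)
            if f is not None:
                findings.append(f)
    return sorted(findings, key=lambda f: f.modified)


def report(findings: List[Finding]) -> None:
    for f in findings:
        flag = "  <-- written before it was created" if f.backdated else ""
        created = f.created.isoformat(" ") if f.created is not None else "n/a"
        print(f"{f.modified:%Y-%m-%d %H:%M}  created {created}  {f.path}{flag}")


def demo_tree() -> List[Finding]:
    """Constructed demonstration: a temp tree with one file forced to a
    5 May 2005 last-write time and one left at today's date."""
    root = tempfile.mkdtemp(prefix="triage_")
    old = os.path.join(root, "NULL")
    with open(old, "wb") as fh:
        fh.write(b"\x00" * 16)
    ts = dt.datetime(2005, 5, 5, 9, 30).timestamp()
    os.utime(old, (ts, ts))                  # set access and last-write times
    with open(os.path.join(root, "fresh.txt"), "w") as fh:
        fh.write("today\n")
    return files_dated(root, dt.date(2005, 5, 5))


if __name__ == "__main__":
    # usage: script.py <root> [YYYY-MM-DD]; with no arguments it runs the demo tree
    if len(sys.argv) > 1:
        day = dt.date.fromisoformat(sys.argv[2]) if len(sys.argv) > 2 else dt.date(2005, 5, 5)
        report(files_dated(sys.argv[1], day))
    else:
        report(demo_tree())
```

On a live Windows box the creation column is what answers Ron's "was it really there since 5/5?": a creation time from June beside a 5/5 last-write time says the file arrived in June with an old date attached.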
  11. Ron Reaugh

    Jim Byrd Guest

    Hi Ron - A2 is designed specifically to detect Trojans. The only _virus_
    scanner I'm aware of that offers comparable _Trojan_ detection is SysClean.
    From my Blog:


    Boot to Safe mode with Network Support (HowTo here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
    or a Clean Boot as above.

    Download sysclean.com , from Trend Micro, here:
    http://www.trendmicro.com/download/dcs.asp along with the latest released
    pattern file, here: http://www.trendmicro.com/download/pattern.asp Be sure
    to read the "How-to" info here:
    http://www.trendmicro.com/ftp/products/tsc/readme.txt

    You might also want to get Art's updater, SYS-UP.Zip, here for future
    updating of these: http://home.epix.net/~artnpeg/). The updater files plus a
    short tutorial on using them and SysClean are also available in one package
    here: http://www.ik-cs.com/Programs/virtools/SYSCLEAN UTILITY.exe (If you
    download and use the updater from the beginning, it will automatically
    handle downloading the other files.)

    An alternative automatic updater which adds some capabilities to Art's
    updater, such as restarting in Safe mode to run, etc., SYSCLEAN_FE , is
    available here: http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe.
    There's a brief description here: http://www.ik-cs.com/more_information.htm.
    I would recommend that you use Clean Boot with either updater, however.

    NOTE: You can get a somewhat more current interim pattern file, the
    Controlled Pattern Release, here and manually unzip it to your SysClean
    folder: http://www.trendmicro.com/download/pattern-cpr-disclaimer.asp Look
    for the lptxxx.zip file after you agree to the terms. (Sorry, but the
    Updaters won't go get this one for you. However, if you manually download
    the CPR first and then use one of the updaters, SysClean will automatically
    use these CPR definitions when it starts.)

    Place them in a dedicated folder after appropriate unzipping.

    Show hidden and system files (HowTo here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)

    If you're using WindowsME or WindowsXP, SysClean (and the other cleaning
    tools below) may find infections within Restore Points which it will be
    unable to clean. You may choose to disable Restore if you're on XP or ME
    (directions here:
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will
    eliminate ALL previous Restore Points, or alternatively, you can wait until
    cleaning is completed and then use the procedure within the *********'s
    below to delete all older, possibly infected Restore Points and save a new,
    clean one. This approach is in the spirit of "keep what you've got" so that
    you can recover to an at least operating albeit infected system if you
    inadvertently delete something vital, and is the approach I recommend that
    you take.

    Read tscreadme.txt carefully, then do a complete scan of your system and
    clean or delete anything it finds.
    Reboot and re-run SysClean and continue this procedure until you get a clean
    scan or nothing further can be cleaned/removed.

    Now reboot to normal mode and re-run the scan again.

    This scan may take a long time, as Sysclean is VERY extensive and thorough.
    For example, one user reported that Sysclean found 69 hits that an
    immediately prior Norton AV v. 11.0.2.4 run had missed.



    --
    Regards, Jim Byrd, MS-MVP
    My, Blog Defending Your Machine, here:
    http://defendingyourmachine.blogspot.com/

    "Ron Reaugh" <> wrote in message
    news:s0%re.324830$
    > "Jim Byrd" <> wrote in message
    > news:...
    >> Hi Ron - You might want to download and run the free or trial
    >> version of A2 Personal, here: http://www.emsisoft.com/en/ UPDATE,
    >> then run from a Clean Boot or Safe Mode with Show Hidden Files
    >> enabled.
    >> This is a MUCH better
    >> piece of software for detecting Trojans than AVG.

    >
    > Why would AVG or Trend HouseCall 6 be weak in this regard?
    >
    >> Directions for a Clean Boot and Show Hidden Files in my Blog, addy in
    >> Signature.
    >>
    >> --
    >> Regards, Jim Byrd, MS-MVP
    >> My, Blog Defending Your Machine, here:
    >> http://defendingyourmachine.blogspot.com/
    >>
    >> "Ron Reaugh" <> wrote in message
    >> news:EKYre.963481$
    >>> It's the file C:\NULL
    >>>
    >>> Suddenly shortly after cold boot my fully updated(WinUp) and patched
    >>> W98se PC reported the above noted infection. It's Grisoft free AVG
    >>> with the latest updates. This PC is also protected by ZoneAlarm,
    >>> Belkin WiFi router with firewall, SpyBot(resident). A normal
    >>> Shutdown was done 12 hours earlier with no indication of any
    >>> problems. There are still no indications of any problems EXCEPT
    >>> that AVG claims it's found this trojan. There have been no floppy
    >>> operations/mounts, no CD operations/mounts and no downloads and
    >>> installs of anything since an hour before shutdown last night and
    >>> now.
    >>>
    >>> From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date.
    >>> Since 5/5 both a full manual AVG and Trend HouseCall 6 run have been
    >>> done on this PC finding nothing.
    >>>
    >>> So where and how did this file C:\NULL that AVG claims is Trojan
    >>> horse Downloader.Generic.ML appear from? Was it really there since
    >>> 5/5 but went unnoticed by both AVG and Trend HouseCall 6 and then
    >>> this morning AVG suddenly downloaded a new definition file which
    >>> started seeing this trojan? OR did something penetrate all the
    >>> firewalls and suddenly spawn this file which AVG quickly recognized?
    >>>
    >>> What likely happened here?
    >>>
    >>> The operation I was in the middle of when AVG popped up was reading
    >>> a text only no attachment NG message in OE 6.00.2800.1123.
    Jim Byrd, Jun 15, 2005
    #11
  12. Ron Reaugh

    mhicaoidh Guest

    Taking a moment's reflection, Ron Reaugh mused:
    |
    | NO, I'm not doubting AVG at all. The file c:\null didn't belong
    | there and came from some unknown source and I assume that in fact is
    | a trojan. What I can't understand is how and when it got there
    | unnoticed until this AM??

    My guess would be that when it was put there, AVG didn't have a
    definition for it. Sometime between now and then, the definition was
    added, and now AVG can detect it. It could also be a false positive.
    mhicaoidh, Jun 16, 2005
    #12
  13. Ron Reaugh

    Ron Reaugh Guest

    "Jason Edwards" <> wrote in message
    news:...
    > "Ron Reaugh" <> wrote in message
    > news:qW_re.324813$...
    > >
    > > "Jason Edwards" <> wrote in message
    > > news:...
    > > > "Ron Reaugh" <> wrote in message
    > > > news:EKYre.963481$...
    > > > > It's the file C:\NULL
    > > > >
    > > > > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    > > > > PC reported the above noted infection. It's Grisoft free AVG with the
    > > > > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > > > > with firewall, SpyBot(resident).
    > > >
    > > > And do you use Internet Explorer?
    > >
    > > Yep, the very latest and fully patched/WinUp-ed version.
    >
    > Ok, so it's probably only got approximately n+100 vulnerabilities left to be
    > patched.

    Maybe but do you have any evidence that any of these has been actually used
    in a penetration recently? OR are they all just potential?

    > >
    > > > > A normal Shutdown was done 12 hours
    > > > > earlier with no indication of any problems.
    > > >
    > > > There wouldn't be.
    > > > If something did sneak in via an IE or some other vulnerability then it
    > > > would most likely not run until the next startup.
    > >
    > > Are you saying that AVG's resident and SpyBots resident(watching reg
    > > updates) wouldn't have caught it at the time of infection?
    >
    > Yes

    Why? If that's not what they're lookin for then what are they lookin for?

    > > > > There are still no indications
    > > > > of any problems EXCEPT that AVG claims it's found this trojan.
    > > >
    > > > Sounds like an indication of a problem to me.
    > > > A false detection is a possibility but there is no way for me to be
    > > > certain.
    > >
    > > That c:\null IS a bogus file from an unknown source suggests that there was
    > > no false detection.
    >
    > It does, if you are sure that C:\NULL is not part of anything legitimate or
    > anything you have done yourself.

    I'm sure. You ever heard of c:\null?

    > > > > There have
    > > > > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > > > > and installs of anything since an hour before shutdown last night and
    > > > > now.
    > > >
    > > > But you did surf with Internet Explorer?
    > >
    > > Yep and other than the possibility that you are a FireFox drum beater, the
    > > use of a fully updated IE generally does NOT expose one to such when a fully
    > > functional firewall, virus checker and spyware checker are in place.
    >
    > I don't wish to upset you but it took me a while to stop laughing after
    > reading that.

    Provide some references that suggest that is not the usual and EFFECTIVE
    model?

    > > > > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > > > > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > > > > PC finding nothing.
    > > > >
    > > > > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > > > > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > > > > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > > > > suddenly downloaded a new definition file which started seeing this trojan?
    > > >
    > > > Virus scanners don't have any magical ability to detect trojans, they have
    > > > to be told what is a trojan and what isn't via the updates.
    > >
    > > Right but 5/5/05 is over 30 days old...am I some special case alpha
    > > infection point?
    >
    > Nope, you're just an average Windows user who got the trojan that wasn't
    > widespread enough to be noticed immediately.

    I find that unlikely but barely possible.

    > > > An anti-virus
    > > > vendor may manage to do an update in less than a day if the virus/trojan is
    > > > all over the news but it may otherwise take longer. Trojan writers are not
    > > > under any obligation to send copies of their trojans to anti-virus vendors.
    > > >
    > > > > OR did something penetrate all the firewalls and suddenly spawn this file
    > > > > which AVG quickly recognized?
    > > >
    > > > I have no idea where C:\NULL came from but if it were on my PC I would want
    > > > to know what it was.
    > > > If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
    > > > to see what was there.
    > >
    > > After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32]
    > > hourly to spot undesirable files. That's what I got AVG etc. for.
    >
    > I don't either, but I don't allow additional executable files on to the
    > system in the first place, so I don't have to go file spotting very often on
    > my own machines. I also don't need AVG.
    >
    > >
    > > > I'd also find out whether anything in there was referenced during startup.
    > > > For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
    > > > or just regedit.
    > > >
    > > > >
    > > > > What likely happened here?
    > > >
    > > > Impossible to say. One possibility is that you got something via an
    > > > unpatched IE vulnerability.
    > >
    > > I was under the impression that there weren't any of these that have
    > > resulted in actual infections any time recently. Lots of new
    > > vulnerabilities keep being found and reported and fixed. And that's all
    > > before there is any infections/penetrations using them and that's what I've
    > > been hearing for over a year.
    >
    > Who have you been hearing this from?

    Where have you been hearing the other from?

    > Ask yourself why there is a cumulative update every month.

    YES, please do so. Have you been reading about the intense preemptive work
    going on to find the holes before the hackers. From what I've heard that's
    been effective down to within a day or two for the last year or two.
    References otherwise?

    > > > Another is that AVG is/was giving a false
    > > > detection. Another is that I don't have a clue what happened.
    > > >
    > > > >
    > > > > The operation I was in the middle of when AVG popped up was reading a
    > > > > text only no attachment NG message in OE 6.00.2800.1123.
    > > >
    > > > Did this message contain a link/url that you happened to click on?
    > >
    > > NOPE! I assume that the NG message reading had nothing to do with it but
    > > then what did??
    >
    > It is not possible for me to say for certain what did.
    >
    > If I were you I'd wipe the drive and reinstall the operating system.

    Clueless!

    > There is no other way to be sure that your system isn't compromised.

    Now you've established your credentials.
    Ron Reaugh, Jun 16, 2005
    #13
  14. Ron Reaugh

    Ron Reaugh Guest

    "mhicaoidh" <®êmõvé_mhic_aoidh@hotÑîXmailS­PäM.com> wrote in message
    news:1u2se.53808$x96.41190@attbi_s72...
    > Taking a moment's reflection, Ron Reaugh mused:
    > |
    > | NO, I'm not doubting AVG at all. The file c:\null didn't belong
    > | there and came from some unknown source and I assume that in fact is
    > | a trojan. What I can't understand is how and when it got there
    > | unnoticed until this AM??
    >
    > My guess would be that when it was put there, AVG didn't have a
    > definition for it. Sometime between now and then, the definition was
    > added, and now AVG can detect it. It could also be a false positive.


    My thinking exactly. c:\null IS a foreign and uninvited file so it's not a
    false positive even if the file contains all binary zeroes<g>.

    My understanding is that actually encountering something before one's virus
    checker has it in the def file is a rather unusual occurrence. HOWEVER also
    my understanding is that between a virus checker(AVG), SpyBot and ZoneAlarm
    that nothing should be able to arbitrarily go out and put some file named
    c:\null in the root directory regardless of any def file entry. Am I
    missing something here?
    Ron Reaugh, Jun 16, 2005
    #14
  15. Ron Reaugh

    Roger Wilco Guest

    "Ron Reaugh" <> wrote in message
    news:G23se.965446$...
    >
    > "mhicaoidh" <®êmõvé_mhic_aoidh@hotÑîXmailS­PäM.com> wrote in message
    > news:1u2se.53808$x96.41190@attbi_s72...
    > > Taking a moment's reflection, Ron Reaugh mused:
    > > |
    > > | NO, I'm not doubting AVG at all. The file c:\null didn't belong
    > > | there and came from some unknown source and I assume that in fact is
    > > | a trojan. What I can't understand is how and when it got there
    > > | unnoticed until this AM??
    > >
    > > My guess would be that when it was put there, AVG didn't have a
    > > definition for it. Sometime between now and then, the definition was
    > > added, and now AVG can detect it. It could also be a false positive.
    >
    > My thinking exactly. c:\null IS a foreign and uninvited file so it's not a
    > false positive even if the file contains all binary zeroes<g>.

    It would still be a false positive, albeit a welcome one. :)

    > My understanding is that actually encountering something before one's virus
    > checker has it in the def file is a rather unusual occurrence.

    Generally they have to affect a number of users before it comes to the
    attention of the virus fighters.

    > HOWEVER also
    > my understanding is that between a virus checker(AVG), SpyBot and ZoneAlarm
    > that nothing should be able to arbitrarily go out and put some file named
    > c:\null in the root directory regardless of any def file entry. Am I
    > missing something here?


    Yes, virus checkers generally don't prevent the creation of files, they
    only scan on-access (usually on opening the file). For instance if for
    some reason your system configuration allows sharing of the root
    directory (not a good thing), none of the measures you mention will have
    any effect on the creation of a file in the root directory. Only when
    accessed next will the AV scan it - and having no extension makes it
    hard to have it in any include/exclude by extension config file.

    It is really too bad the file is not available for further scrutiny.:(

    You are right that such a file suddenly appearing raises suspicion.
    Roger Wilco, Jun 16, 2005
    #15
  16. Ron Reaugh

    Roger Wilco Guest

    "Ron Reaugh" <> wrote in message
    news:G23se.965445$...

    > > If I were you I'd wipe the drive and reinstall the operating system.

    >
    > Clueless!
    >
    > > There is no other way to be sure that your system isn't compromised.

    >
    > Now you've established your credentials.


    As much as I'd like to disagree with Jason about such a drastic measure,
    it IS the recommended procedure when a compromise has taken place.
    Roger Wilco, Jun 16, 2005
    #16
  17. Ron Reaugh

    Ron Reaugh Guest

    "Roger Wilco" <> wrote in message
    news:...
    >
    > "Ron Reaugh" <> wrote in message
    > news:G23se.965446$...
    > >
    > > "mhicaoidh" <®êmõvé_mhic_aoidh@hotÑîXmailS­PäM.com> wrote in message
    > > news:1u2se.53808$x96.41190@attbi_s72...
    > > > Taking a moment's reflection, Ron Reaugh mused:
    > > > |
    > > > | NO, I'm not doubting AVG at all. The file c:\null didn't belong
    > > > | there and came from some unknown source and I assume that in fact is
    > > > | a trojan. What I can't understand is how and when it got there
    > > > | unnoticed until this AM??
    > > >
    > > > My guess would be that when it was put there, AVG didn't have a
    > > > definition for it. Sometime between now and then, the definition was
    > > > added, and now AVG can detect it. It could also be a false positive.
    > >
    > > My thinking exactly. c:\null IS a foreign and uninvited file so it's not a
    > > false positive even if the file contains all binary zeroes<g>.
    >
    > It would still be a false positive, albeit a welcome one. :)
    >
    > > My understanding is that actually encountering something before one's virus
    > > checker has it in the def file is a rather unusual occurrence.
    >
    > Generally they have to affect a number of users before it comes to the
    > attention of the virus fighters.

    Number of users vs time seems quite a different thing.

    > > HOWEVER also
    > > my understanding is that between a virus checker(AVG), SpyBot and ZoneAlarm
    > > that nothing should be able to arbitrarily go out and put some file named
    > > c:\null in the root directory regardless of any def file entry. Am I
    > > missing something here?

    >
    > Yes, virus checkers generally don't prevent the creation of files,


    I thought they protected against virus like behavior.

    > they
    > only scan on-access (usually on opening the file). For instance if for
    > some reason your system configuration allows sharing of the root
    > directory (not a good thing), none of the measures you mention will have
    > any effect on the creation of a file in the root directory.


    AH, how about ZoneAlarm???

    > Only when
    > accessed next will the AV scan it - and having no extension makes it
    > hard to have it in any include/exclude by extension config file.
    >
    > It is really too bad the file is not available for further scrutiny.:(


    HMM, it seems to be in AVG's virus vault but the extraction (Save As..)
    hangs.

    > You are right that such a file suddenly appearing raises suspicion.
    Ron Reaugh, Jun 16, 2005
    #17
  18. Ron Reaugh

    Ron Reaugh Guest

    "Roger Wilco" <> wrote in message
    news:...
    >
    > "Ron Reaugh" <> wrote in message
    > news:G23se.965445$...
    >
    > > > If I were you I'd wipe the drive and reinstall the operating system.

    > >
    > > Clueless!
    > >
    > > > There is no other way to be sure that your system isn't compromised.

    > >
    > > Now you've established your credentials.

    >
    > As much as I'd like to disagree with Jason about such a drastic measure,
    > it IS the recommended procedure when a compromise has taken place.


    Recommended by who? Are you saying that all these virus checkers and
    cleaners/disinfectors are frauds as that can't possibly work reliably?? If
    so then I know how to build an app that can detect any infection...I assumed
    that such had already been done. Start with an app that does some kind of a
    fancy encrypted CRC of all the relevant files on a HD and then it keeps an
    encrypted database of same for later comparison...I didn't say it was
    pretty.

    Clean install isn't a rational/reasonable option. The same logic would
    suggest that any backups be burned immediately....just NO.
    Ron Reaugh, Jun 16, 2005
    #18
  19. Ron Reaugh

    Chris Salter Guest

    Ron Reaugh wrote:

    > Recommended by who?


    Cert & Microsoft. Google it.

    >Are you saying that all this virus checkers and
    > cleaners/disinfectors are frauds as that can't possibly work reliably??


    ? His text didn't even hint at them being frauds. Can't work reliably
    when compromised yes.

    >If
    > so then I know how to build an app that can detect any infection...I assumed
    > that such had already been done. Start with an app that does some kind of a
    > fancy encrypted CRC of all the relevant files on a HD and then it keeps an
    > encrypted database of same for later comparison...I didn't say it was
    > pretty.


    It has been done, host based IDS. It's still unreliable in the case of
    being owned or root-kitted.

    > Clean install isn't a rational/reasonable option.


    It's entirely up to you whether you reinstall. (It doesn't take long so I
    don't understand why you wouldn't.)

    >The same logic would
    > suggest that any backups be burned immediately....just NO.


    Your flawed logic maybe. The real logic would dictate that you would
    reinstall windows, recover executable data from a known good backup, and
    restore the data from a recent backup. At this point the data is still
    untrustworthy so you would have to test it, check it etc etc.

    --
    Chris Salter
    MOB: 07707169232
    Chris Salter, Jun 16, 2005
    #19
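    The "encrypted CRC database" Ron sketches above, which Chris identifies as host-based IDS, and Roger Wilco's earlier point that an on-access scanner does not notice a new extensionless file being written, are both illustrated by the following added Python example (it is not a tool anyone in the thread used): it takes a keyed baseline of file hashes and later reports files added, removed or changed, including an extensionless NULL dropped in the root. Directory names, file contents and the key are constructed for the demo, and the check is only as trustworthy as the OS enumerating the files, which is Chris's rootkit caveat.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK_SIZE = 65536


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (path relative to root, '/' separated) to its
    hash. Files are recorded whether or not they have an extension, so an
    extensionless file such as NULL in the root is seen like any other."""
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = hash_file(full)
    return entries


def _mac(entries, key):
    payload = json.dumps(entries, sort_keys=True).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_baseline(root, key):
    """Snapshot plus an HMAC over it, so a later edit of the stored database is
    detectable. The key (and ideally the baseline) must be kept off the host."""
    entries = snapshot(root)
    return {"entries": entries, "mac": _mac(entries, key)}


def baseline_is_authentic(baseline, key):
    """True if the stored entries still match their MAC under this key."""
    return hmac.compare_digest(_mac(baseline["entries"], key), baseline["mac"])


def compare(root, baseline, key):
    """Report files added, removed or modified since the baseline was taken.
    Refuses to work from a baseline whose MAC does not verify. Caveat: if the
    running OS is rootkitted and hides files from os.walk, nothing here helps;
    run it from clean boot media against the mounted disk instead."""
    if not baseline_is_authentic(baseline, key):
        raise ValueError("baseline MAC mismatch: database altered or wrong key")
    current = snapshot(root)
    old = baseline["entries"]
    return {
        "added": sorted(set(current) - set(old)),
        "removed": sorted(set(old) - set(current)),
        "modified": sorted(p for p in old if p in current and old[p] != current[p]),
    }


def demo():
    """Constructed scenario: a tiny fake system tree is baselined, then an
    extensionless NULL file appears in the root, one config file is edited and
    one file is deleted. Also shows that editing the baseline itself is caught."""
    key = b"constructed-demo-key-store-it-off-the-host"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS"))
        files = {
            "AUTOEXEC.BAT": "@ECHO OFF\r\n",
            "WINDOWS/WIN.INI": "[windows]\r\nrun=\r\n",
            "WINDOWS/TEMP.TXT": "scratch\r\n",
        }
        for rel, text in files.items():
            with open(os.path.join(root, rel), "w", newline="") as fh:
                fh.write(text)
        baseline = build_baseline(root, key)

        # Changes between the baseline and the next check (all constructed).
        with open(os.path.join(root, "NULL"), "wb") as fh:
            fh.write(b"\x00" * 16)                          # new file, no extension
        with open(os.path.join(root, "WINDOWS", "WIN.INI"), "a", newline="") as fh:
            fh.write("; edited after baseline\r\n")         # existing file changed
        os.remove(os.path.join(root, "WINDOWS", "TEMP.TXT"))  # file removed
        report = compare(root, baseline, key)

        # Someone who can edit the stored database would add NULL to it so the
        # next comparison stays quiet; without the key the MAC no longer verifies.
        forged = {"entries": dict(baseline["entries"]), "mac": baseline["mac"]}
        forged["entries"]["NULL"] = hash_file(os.path.join(root, "NULL"))
        forged_rejected = not baseline_is_authentic(forged, key)
    return report, forged_rejected


if __name__ == "__main__":
    print(demo())
```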
  20. "Ron Reaugh" <> wrote in message
    news:G23se.965445$...
    >
    > "Jason Edwards" <> wrote in message
    > news:...
    > > "Ron Reaugh" <> wrote in message
    > > news:qW_re.324813$...
    > > >
    > > > "Jason Edwards" <> wrote in message
    > > > news:...
    > > > > "Ron Reaugh" <> wrote in message
    > > > > news:EKYre.963481$...
    > > > > > It's the file C:\NULL
    > > > > >
    > > > > > Suddenly shortly after cold boot my fully updated(WinUp) and patched
    > > > > > W98se PC reported the above noted infection. It's Grisoft free AVG with the
    > > > > > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > > > > > with firewall, SpyBot(resident).
    > > > >
    > > > > And do you use Internet Explorer?
    > > >
    > > > Yep, the very latest and fully patched/WinUp-ed version.
    > >
    > > Ok, so it's probably only got approximately n+100 vulnerabilities left to be
    > > patched.
    >
    > Maybe but do you have any evidence that any of these has been actually used
    > in a penetration recently? OR are they all just potential?

    Sure. Some time ago I was curious about strange messages with links
    appearing in newsgroups, so I set up an isolated PC with its own broadband
    connection running Windows 98 with ALL updates and clicked one of the links.
    This took me to a website offering adult material. I can't remember the
    details but it had some clever way of getting me to scroll down and click. A
    quick run of hijackthis then discovered that a trojan had been planted in
    the startup folder and was waiting to run on the next startup.
    The computer was then wiped and restored from a clean image.
    I got rid of the trojan file about a week later, it was kept only to verify
    that two popular virus scanners were still pronouncing it clean after a
    week.

    >
    > > >
    > > > > > A normal Shutdown was done 12 hours
    > > > > > earlier with no indication of any problems.
    > > > >
    > > > > There wouldn't be.
    > > > > If something did sneak in via an IE or some other vulnerability then it
    > > > > would most likely not run until the next startup.
    > > >
    > > > Are you saying that AVG's resident and SpyBots resident(watching reg
    > > > updates) wouldn't have caught it at the time of infection?
    > >
    > > Yes
    >
    > Why? If that's not what they're lookin for then what are they lookin for?

    I thought I'd already explained that no matter how hard they look they can't
    be expected to include all malware the same day it's written. Some may only
    be included months later, or perhaps never.

    >
    > > > > > There are still no indications
    > > > > > of any problems EXCEPT that AVG claims it's found this trojan.
    > > > >
    > > > > Sounds like an indication of a problem to me.
    > > > > A false detection is a possibility but there is no way for me to be
    > > > > certain.
    > > >
    > > > That c:\null IS a bogus file from an unknown source suggests that there was
    > > > no false detection.
    > >
    > > It does, if you are sure that C:\NULL is not part of anything legitimate or
    > > anything you have done yourself.
    >
    > I'm sure. You ever heard of c:\null?

    Nope.

    >
    > > > > > There have
    > > > > > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > > > > > and installs of anything since an hour before shutdown last night and
    > > > > > now.
    > > > >
    > > > > But you did surf with Internet Explorer?
    > > >
    > > > Yep and other than the possibility that you are a FireFox drum beater, the
    > > > use of a fully updated IE generally does NOT expose one to such when a fully
    > > > functional firewall, virus checker and spyware checker are in place.
    > >
    > > I don't wish to upset you but it took me a while to stop laughing after
    > > reading that.
    >
    > Provide some references that suggest that is not the usual and EFFECTIVE
    > model?

    Sure it's the usual model for a home Windows user but it is not effective
    for the reasons you have discovered for yourself. Personal software
    firewalls are useless because there are many ways for malware to bypass
    them. Malware might ride on another application such as Internet Explorer,
    it might answer the firewall's popup questions itself, it might shut the
    firewall down completely, it might prevent the firewall from getting
    updates, etc.
    Virus scanners are useless for exactly the reason that you are
    understandably upset about discovering for yourself. You thought you were
    doing everything possible but you still got a trojan.

    >
    > > > > > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > > > > > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > > > > > PC finding nothing.
    > > > > >
    > > > > > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > > > > > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > > > > > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > > > > > suddenly downloaded a new definition file which started seeing this trojan?
    > > > >
    > > > > Virus scanners don't have any magical ability to detect trojans, they have
    > > > > to be told what is a trojan and what isn't via the updates.
    > > >
    > > > Right but 5/5/05 is over 30 days old...am I some special case alpha
    > > > infection point?
    > >
    > > Nope, you're just an average Windows user who got the trojan that wasn't
    > > widespread enough to be noticed immediately.
    >
    > I find that unlikely but barely possible.

    Barely possible would be more than enough for me. I'd rather make it
    impossible. To do that you arrange to prevent any executable code getting
    where you don't want it. This is likely to be impossible with a Windows 98
    PC connected directly to a broadband connection where everything has
    complete access to everything else.
    Consider an external firewall box which stops it getting to the PC in the
    first place.

    >
    > > > > An anti-virus
    > > > > vendor may manage to do an update in less than a day if the virus/trojan is
    > > > > all over the news but it may otherwise take longer. Trojan writers are not
    > > > > under any obligation to send copies of their trojans to anti-virus vendors.
    > > > >
    > > > > > OR did something penetrate all the firewalls and suddenly spawn this file
    > > > > > which AVG quickly recognized?
    > > > >
    > > > > I have no idea where C:\NULL came from but if it were on my PC I would want
    > > > > to know what it was.
    > > > > If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
    > > > > to see what was there.
    > > >
    > > > After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32]
    > > > hourly to spot undesirable files. That's what I got AVG etc. for.
    > >
    > > I don't either, but I don't allow additional executable files on to the
    > > system in the first place, so I don't have to go file spotting very often on
    > > my own machines. I also don't need AVG.
    > >
    > > >
    > > > > I'd also find out whether anything in there was referenced during startup.
    > > > > For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
    > > > > or just regedit.
    > > > >
    > > > > >
    > > > > > What likely happened here?
    > > > >
    > > > > Impossible to say. One possibility is that you got something via an
    > > > > unpatched IE vulnerability.
    > > >
    > > > I was under the impression that there weren't any of these that have
    > > > resulted in actual infections any time recently. Lots of new
    > > > vulnerabilities keep being found and reported and fixed. And that's all
    > > > before there is any infections/penetrations using them and that's what I've
    > > > been hearing for over a year.
    > >
    > > Who have you been hearing this from?
    >
    > Where have you been hearing the other from?
    >
    > > Ask yourself why there is a cumulative update every month.
    >
    > YES, please do so. Have you been reading about the intense preemptive work
    > going on to find the holes before the hackers. From what I've heard that's
    > been effective down to within a day or two for the last year or two.
    > References otherwise?

    How about the experiment I did with the isolated windows 98 PC described
    above.
    It may be that this hole has since been patched but it makes no difference
    to me, I will continue to trust no executable code unless I'm very sure
    about where it came from and what it's going to do to my system.
    You may say that it's difficult or impossible to keep adware off a Windows
    PC. But this is not the same as asking whether or not it can be done.

    >
    > > > > Another is that AVG is/was giving a false
    > > > > detection. Another is that I don't have a clue what happened.
    > > > >
    > > > > >
    > > > > > The operation I was in the middle of when AVG popped up was reading a
    > > > > > text only no attachment NG message in OE 6.00.2800.1123.
    > > > >
    > > > > Did this message contain a link/url that you happened to click on?
    > > >
    > > > NOPE! I assume that the NG message reading had nothing to do with it but
    > > > then what did??
    > >
    > > It is not possible for me to say for certain what did.
    > >
    > > If I were you I'd wipe the drive and reinstall the operating system.
    >
    > Clueless!

    There was a Microsoft technet article giving just this advice but I can't
    find it, maybe someone else can unless it's gone.

    >
    > > There is no other way to be sure that your system isn't compromised.
    >
    > Now you've established your credentials.

    No. What I have established is that you are understandably upset about the
    fact that you did everything you thought you had to do (virus scanner,
    personal firewall, spyware remover) but you STILL got a trojan.
    It's not my fault if you would rather attack the person giving you this
    information instead of asking yourself why the methods you've applied so far
    are not working.

    Jason

    >
    >
    Jason Edwards, Jun 16, 2005
    #20
