HTML.ObjectDataHTA

[Guest]

Hi.

I have found that several files on XP SP2 machine are infected with
"HTML.ObjectDataHTA", as reported by ZoneAlarm Pro Internet Security
Suite 6.x Anti-virus scan.

The two infected files are .PMM email folder files used by the Pegasus
email client. I suppose they are infected attachments within the PMM
file. If I attempt to open either file with notepad text editor, ZA
reports file is infected and will not allow me to open. ZA AV scan says
it is "unable to delete the infected file". Cannot repair or quarantine
either. ZA suggests "opening file within archival utility". Not sure what
this means in this context.

Ran a-squared Free (from emisoft) which did not find anything.

Ran deep scans in Adaware SE and Spybot Search & Destory and no negative
reports either.

I have a list of other things I can try but i thought I would ask for
tips before proceeding. Appreciate your advice.

Woody

 

[Mediamon]

Try running the scan with your regular av in Safe Mode.

Yes scanning files in safe mode was by next step but hoping some tools/tips
might be applicable/useful in my circumstance in normal startup mode.

You may also be able to delete the files in Safe Mode. If you know what
the files are, you don't need to open them. Just right-click and
delete.

The two PMM files are containers for much important unread email. The point
of this exercise is to repair the files. Deleting is the very last resort
option.

FYI I think the infections made it onto the PC via SPAM between the time
NAV live update subscription ran out and the time ZAISS 6.x was installed
(several weeks). If was up to me I would never allowed that time frame to
elapse without installing updated virus definitions (it is my girl friends
PC).

You might also try scanning with either Sysclean or Dave Lipman's
Multi-AV. Ewido is also excellent for catching trojans. You can use
Ewido's free trial and then uninstall it afterwards.

I observed recommendations of Ewido on another forum so it was already on
my list to tryout if other tools did not quarantine or repair the trojan.

http://www.elephantboycomputers.com/page2.html#TrendMicros_Sysclean
http://www.ik-cs.com/multi-av.htm - how to use Dave Lipman's Multi-AV
http://www.ik-cs.com/programs/virtools/Multi_AV.exe - Multi-AV download

I don't know anything yet about Multi-AV or Sysclean. So Sysclean is from
Trend Micro? Thus is it hosted on the TrendMicro site. I am wary of
downloading from non well-known (to me) sites (e.g. elephantboy).

Also I'm hoping to avoid installing a major number of third party tools to
solve this one time problem. Registry bloat usually occurs because so many
apps don't clean up after themseleves when uninstalled and many contain
malware or DRM crap that I don't need to deal with.

e.g. Uninstalling a-squared auto launched my web browser opening a survey
webpage asking why I was installing their free product. I refused to submit
the form and closed the browser, so the uninstall did not complete. I found
major garbage left behind in file directories and the registry. I lost my
trust in the a2 product or emsi software with this experience.

Thanks for the recommends. Still open for others.

Woody

 

[David H. Lipman]

From: "lkriTÐs" <[email protected]>

| Hi.
|
| I have found that several files on XP SP2 machine are infected with
| "HTML.ObjectDataHTA", as reported by ZoneAlarm Pro Internet Security
| Suite 6.x Anti-virus scan.
|
| The two infected files are .PMM email folder files used by the Pegasus
| email client. I suppose they are infected attachments within the PMM
| file. If I attempt to open either file with notepad text editor, ZA
| reports file is infected and will not allow me to open. ZA AV scan says
| it is "unable to delete the infected file". Cannot repair or quarantine
| either. ZA suggests "opening file within archival utility". Not sure what
| this means in this context.
|
| Ran a-squared Free (from emisoft) which did not find anything.
|
| Ran deep scans in Adaware SE and Spybot Search & Destory and no negative
| reports either.
|
| I have a list of other things I can try but i thought I would ask for
| tips before proceeding. Appreciate your advice.
|
| Woody

Is this really Zone Alarm or is this really CA eTrust providing this error message ?

"HTML.ObjectDataHTA" is CA eTrust's naming convention and I believe that's what is
generating the message -- http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39302

You have two choices..

1. Exclude the P-Mail folder; c:\pmail, run P-Mail and delete the messages.

2. Disable CA eTrust, Run P-Mail and delete the messages. Re-enable CA eTrust.

I suggest #1. It won't lower your security. I do this with Mcafee VirusScan v7.1E and
McAfee VirusScan v4.5.1.

Any malware scanner you use *must* be able to scan MIME and remove infectors in MIME encoded
files. You won't find that Ad-aware, SpyBot, etc.

 

[Guest]

From: "lkriTÐs" <[email protected]>

| Hi.
|
| I have found that several files on XP SP2 machine are infected with
| "HTML.ObjectDataHTA", as reported by ZoneAlarm Pro Internet Security
| Suite 6.x Anti-virus scan.
|
| The two infected files are .PMM email folder files used by the
| Pegasus email client. I suppose they are infected attachments within
| the PMM file. If I attempt to open either file with notepad text
| editor, ZA reports file is infected and will not allow me to open. ZA
| AV scan says it is "unable to delete the infected file". Cannot
| repair or quarantine either. ZA suggests "opening file within
| archival utility". Not sure what this means in this context.
|
| Ran a-squared Free (from emisoft) which did not find anything.
|
| Ran deep scans in Adaware SE and Spybot Search & Destory and no
| negative reports either.
|
| I have a list of other things I can try but i thought I would ask for
| tips before proceeding. Appreciate your advice.
|
| Woody

Is this really Zone Alarm or is this really CA eTrust providing this
error message ?

"HTML.ObjectDataHTA" is CA eTrust's naming convention and I believe
that's what is generating the message --
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39302

It's ZoneAlarm Internet Security Suite 6.x anti-virus module, which as I
understand uses the eTrust engine.

You have two choices..

1. Exclude the P-Mail folder; c:\pmail, run P-Mail and delete the
messages.

2. Disable CA eTrust, Run P-Mail and delete the messages.
Re-enable CA eTrust.

I suggest #1. It won't lower your security. I do this with Mcafee
VirusScan v7.1E and McAfee VirusScan v4.5.1.

Any malware scanner you use *must* be able to scan MIME and remove
infectors in MIME encoded files. You won't find that Ad-aware,
SpyBot, etc.

I think you hit the nail on the head with this last statment. Any
suggestions for tools that can do this? That is "able to scan MIME and
remove infectors in MIME encoded files".


The two Pegasus PMM files are containers for much important unread email.
The point of this exercise is to repair the files. Deleting is the VERY
last resort option.

The problem is I can't see the two email "folders" now in Pegasus because
of the two infections (Pegasus email filing system works by a .pmm file
referring to a .pmi file). But I can see the files in file manager. The two
files contain incoming yet to be read email that is directly filtered to
the folders and other read email. It is important we TRY to repair. So at
this point I'm just interested in "repair" suggestions. (yes there should
ba a recent backup of these folders somewhere but there is not)

Scanning files in safe mode was the next step but hoping some tools/tips
might be applicable/useful in my circumstance in normal startup mode.

I think the infections made it onto the PC via SPAM between the time NAV
live update subscription ran out and the time ZAISS 6.x was installed
(several weeks). If was up to me I would never allowed that time frame to
elapse (ie. it is my girl friends PC).

I observed recommendations of Ewido on another forum so it is already on my
list to tryout if other tools did not quarantine or repair the trojan.

I don't know anything yet about your Multi-AV or Sysclean. So Sysclean is
from Trend Micro? Thus is it hosted on the TrendMicro site. I am wary of
downloading from non well-known (to me) sites (e.g. elephantboy).

However if possible I'm hoping to avoid installing a major number of third
party tools to solve this one time problem. Registry bloat usually occurs
because so many apps don't clean up after themseleves when uninstalled and
many contain malware or DRM crap that I don't need to deal with.

e.g. Uninstalling a-squared auto launched my web browser opening a survey
webpage asking why I was installing their free product. I refused to submit
the form and closed the browser, so the uninstall did not complete. I found
major garbage left behind in file directories and the registry. I lost my
trust in the a2 product or emsi software with this experience.

Thanks for the recommends. Still open for others.

Woody

 

[David H. Lipman]

From: "lkriTÐs" <[email protected]>

| I think you hit the nail on the head with this last statment. Any
| suggestions for tools that can do this? That is "able to scan MIME and
| remove infectors in MIME encoded files".
|
| The two Pegasus PMM files are containers for much important unread email.
| The point of this exercise is to repair the files. Deleting is the VERY
| last resort option.
|
| The problem is I can't see the two email "folders" now in Pegasus because
| of the two infections (Pegasus email filing system works by a .pmm file
| referring to a .pmi file). But I can see the files in file manager. The two
| files contain incoming yet to be read email that is directly filtered to
| the folders and other read email. It is important we TRY to repair. So at
| this point I'm just interested in "repair" suggestions. (yes there should
| ba a recent backup of these folders somewhere but there is not)
|
| Scanning files in safe mode was the next step but hoping some tools/tips
| might be applicable/useful in my circumstance in normal startup mode.
|
| I think the infections made it onto the PC via SPAM between the time NAV
| live update subscription ran out and the time ZAISS 6.x was installed
| (several weeks). If was up to me I would never allowed that time frame to
| elapse (ie. it is my girl friends PC).
|
| I observed recommendations of Ewido on another forum so it is already on my
| list to tryout if other tools did not quarantine or repair the trojan.
|
| I don't know anything yet about your Multi-AV or Sysclean. So Sysclean is
| from Trend Micro? Thus is it hosted on the TrendMicro site. I am wary of
| downloading from non well-known (to me) sites (e.g. elephantboy).
|
| However if possible I'm hoping to avoid installing a major number of third
| party tools to solve this one time problem. Registry bloat usually occurs
| because so many apps don't clean up after themseleves when uninstalled and
| many contain malware or DRM crap that I don't need to deal with.
|
| e.g. Uninstalling a-squared auto launched my web browser opening a survey
| webpage asking why I was installing their free product. I refused to submit
| the form and closed the browser, so the uninstall did not complete. I found
| major garbage left behind in file directories and the registry. I lost my
| trust in the a2 product or emsi software with this experience.
|
| Thanks for the recommends. Still open for others.
|
| Woody
|
P-Mail is a simple email program. It is NOT like an email application that uses VIM or MAPI
to scan email messages. P-Mail stores email in MIME ASCII files. However, P-Mail is
proprietary. I don't know of any other email application that works the same or store email
messages and folders the same way.

I only see the two options I provided.

Now the McAfee Command Line Scanner CAN scan MIME files with the /MIME switch parameter.
However, I don't know if it can SAFELY remove viruses without corrupting the P-Mail email
storage structure. So I ran an experiment. I emailed myself three WMF-Exploit files. I
downloaded the email and and moved it in a folder.

I then manually ran the McAfee commnad line scanner on the c:\pmail folder (after I made a
backup) and I scanned using the /MIME switch. No go. It didn't work.

I then tried kaspersky. It could see the infected files in the email but could NOT
disinfecte the messages.

ElephantBoy Computers is a company by Malke. She is a Microsoft MVP as "she can be
trusted".

I am the author of the Multi AV Scanning tool and it is just a front end to the command
line scanners from; Trend Micro, Mcafee, Sophos and Kaspersky.

 

[Guest]

It is always recommended to run virus/malware scans in Safe Mode because
most malware is actively in use during Regular Mode.
Right.


You cannot delete
a file in use.

Right two. In this instance these two infected files are not in use when
Pegasus is closed. And presently Pegasus cannot see them when it is
launched due to the infection

Sometimes it is even necessary to remove malware from
Safe Mode Command Prompt only because it has hooked into the gui.

Not sure which AV app to use to do that. That is which AV or anti-malware
apps support scanning/repairing from Safe Mode Command Prompt? I see David
referred to using McAfee command line scanner. Does it run from the Safe
Mode Command prompt?

There
is no reason to limit yourself to scanning in Normal Mode and in fact
doing this may hamper malware removal.

Sometimes in the thick of things it is easy to forget SafeMode is
available. Thanks for the reminder.

Then I would suggest you contact Pegasus tech support to see if they
can recommend a way to extract messages from their database files.

I doubt
you can "repair" the files. You need to extract the messages from the
database so you can delete the infected ones and then read/backup the
ones your girlfriend needs. Pegasus will know how to do this.

I can open the files in a text editor (when AV is shut off) and cut and
paste info. but was hoping to keep the folder email message store intact so
they will again appear as normal in Pegasus. Bascially the pmm file
contains the body content (and attachments) of each email message listed in
the specific Pegasus folder, and the headers of the same messages are
stored in the pmi, which points to the pmm. I'm hoping to be able to bring
up the folders and messages in the folder within Pegasus again (or I should
say my girlfirend is... I recommended Pegasus to her long time aga and it
has been a great email app to use the last five years). You're right I
should post this issue to the pmail support list. But was hoping that it
might be possible to disifect the files so wanted to attempt that first.

Multi-AV is a tool written by Dave Lipman.

SO would that be useful in this situation, that is "clean" the pmm file of
the Trojan? I didn't see David suggesting to use it in this instance.

Sysclean is a first-line
antivirus tool written and hosted by TrendMicro. It takes quite a while
to run its various scans, but is effective as a first step in removing
viruses/trojans. One of its great advantages is that it does not need
to be installed on the target machine.

Sounds good. So do you recommend I try Multi-AV first and then if that does
not clean try Sysclean? Or the other way around?

XP does not suffer from "registry bloat" ill effects the way earlier MS
operating systems did. I'd be far less worried about installing and
then uninstalling Ad-aware and Spybot

Adaware and Spybot already installed and used whenever issues arise. But
not really used as a prevention tool.

and Ewido

Do you recommend I try Ewido in this circumstance?

than the fact that yourfriend is not practicing safe computing.

Well generally she does but this was an unintentional mistake. I will not
chastise her for this as she is already aware of the mistake and has been
educated ;-)

Many tools like HijackThis and
Sysclean are not installed on the local computer.

Hmmm... I do have Hijack this installed on hard drive already. You mean
they don't have tobe installed on the PC to run. That is they can be run
from CD or other media?

In practical terms
you do what you need to in order to get a machine cleaned up. If you
want to limit your options, that's your business but it doesn't seem
logical to me when the goal is to get a clean machine at the end.

It's not that I wish to limit my repair options. But because my girlfriend
lives in another town fifty miles away I need to, before my next visit
prioritize and prepare for the best methods to use to attempt to disinfect
the files/remove the trojans. And only THEN if not possible then delete the
files to remove the trojans.

I am receiving lots of recommends so not sure yet which to try first.

My thoughts right now:

1. Run ZAISS 6.x AV in safe mode to see if I can repair (remove virus).

2. If this is not successful try a version McAfee VirusScan 9in safe mdoe).

3. If not successful try Multi-AV, Sysclean and/or Ewido. Not sure which of
these to try first so I can download and burn all to a CD to take with me.
I assume I can download updated AV definitions for each of these AV
utilities and burn to CD? (As I will not have internet access available
while I work on the computer).

4. I do have a boot CD at my disposal containing McAfee AV 4.40 and also F-
Prot AV 3.16b. If I use these tools I assume I will need to obtain updated
virus defs for these tools also. Not sure how to integrate the updated
virus definitions if running AV from a boot CD.

I just noted David has tried the McAfee command line scanner with the /MIME
switch but was not able to clean an infection from within a Pegasus mail
message store file.

And he reported running Kaspersky and was not able to disinfect.

I much appreciate the VERY informative feedback and the recommends that
both you and David have provided.

BTW sorry for the crazy cross-posting. I am still trying to get comfortable
with my Xnews news reader and still a bit perplexed. My intention was to
maintain the cohesiveness of the threads, without multi-posting, in:

microsoft.public.security,
microsoft.public.security.virus,
alt.comp.virus,
alt.comp.anti-virus

Is it proper ettiquette to cross-port to the above newsgroups? They all
seem to be used a lot for anti-virus issues.

Or should I apply "Follow-up to:" to only ONE of thses newsgroups, and if
so, which is preferred?

Thanks again.

Woody

 

[Guest]

From: "lkriTÐs" <[email protected]>

| I think you hit the nail on the head with this last statment. Any
| suggestions for tools that can do this? That is "able to scan MIME
| and remove infectors in MIME encoded files".
|

P-Mail is a simple email program. It is NOT like an email application
that uses VIM or MAPI to scan email messages. P-Mail stores email in
MIME ASCII files. However, P-Mail is proprietary. I don't know of
any other email application that works the same or store email
messages and folders the same way.

Right. I have been using Pegasus email client for five plus years now and
really like it. And yes the message store is different than standard email
client stores. I have learned over the years a bit of how the storage
structure works when I had to recover corrupt folders and
resynchonize/rebuild the folder structure or message store.

BTW previously you stated David placed Pegasus in the public domain but
then it sounds like you later discovered that it is indeed proprietary.
Anyway I am on the PM-NEWS announce list and did not see an announce that
he placed in public domain.

Yes v.4.31 is cool. Everyone using previous versions should upgrade or at
least should read the two December 2005 PM-NEWS notices at:
http://bama.ua.edu/cgi-bin/wa?A1=ind0512&L=pm-news

I only see the two options I provided.

Now the McAfee Command Line Scanner CAN scan MIME files with the /MIME
switch parameter. However, I don't know if it can SAFELY remove
viruses without corrupting the P-Mail email storage structure. So I
ran an experiment. I emailed myself three WMF-Exploit files. I
downloaded the email and and moved it in a folder.

I then manually ran the McAfee commnad line scanner on the c:\pmail
folder (after I made a backup) and I scanned using the /MIME switch.
No go. It didn't work.

Too bad. Your efforts in testing is much appreciated.

I then tried kaspersky. It could see the infected files in the email
but could NOT disinfecte the messages.

Bummer.

If any other ideas pop in your head let me know. I'm going to girlfriends
house tomorrow eve to see if I can do a quick disinfect/repair. If not will
bring the PC back to my location. If we have to delete the two files in the
Pegasus store I will do but I'm not ready to throw in the towel yet.

ElephantBoy Computers is a company by Malke. She is a Microsoft MVP
as "she can be trusted".

Very good to know. I just noticed the provided download link for for Trend
Micro's SysClean was hosted on the ElephantBoy site which I thought a bit
odd.

It's amazing to see the number of MS MVP's actively using, supporting and
promoting alternative third party software. I'm all for balancing ones
portfolio.

I am the author of the Multi AV Scanning tool and it is just a front
end to the command line scanners from; Trend Micro, Mcafee, Sophos
and Kaspersky.

That's good info. Will check out Multi-AV. I need to learn some of these
tools BEFORE I need them again.

Thanks again for your assist. In the meantime if you or anyone else come up
with any fresh ideas please let us all know. Best regards,

Woody