|
Posted by =?Utf-8?B?bGtyaVTQBXO=?= on January 4, 2006, 10:31 pm
If you were Registered and logged in, you could reply and use other advanced thread options
>
> It is always recommended to run virus/malware scans in Safe Mode because
> most malware is actively in use during Regular Mode.
Right.
> You cannot delete
> a file in use.
Right two. In this instance these two infected files are not in use when
Pegasus is closed. And presently Pegasus cannot see them when it is
launched due to the infection
> Sometimes it is even necessary to remove malware from
> Safe Mode Command Prompt only because it has hooked into the gui.
Not sure which AV app to use to do that. That is which AV or anti-malware
apps support scanning/repairing from Safe Mode Command Prompt? I see David
referred to using McAfee command line scanner. Does it run from the Safe
Mode Command prompt?
> There
> is no reason to limit yourself to scanning in Normal Mode and in fact
> doing this may hamper malware removal.
Sometimes in the thick of things it is easy to forget SafeMode is
available. Thanks for the reminder.
>> The two PMM files are containers for much important unread email. The
>> point of this exercise is to repair the files. Deleting is the very
>> last resort option.
>
> Then I would suggest you contact Pegasus tech support to see if they
> can recommend a way to extract messages from their database files.
>
> I doubt
> you can "repair" the files. You need to extract the messages from the
> database so you can delete the infected ones and then read/backup the
> ones your girlfriend needs. Pegasus will know how to do this.
I can open the files in a text editor (when AV is shut off) and cut and
paste info. but was hoping to keep the folder email message store intact so
they will again appear as normal in Pegasus. Bascially the pmm file
contains the body content (and attachments) of each email message listed in
the specific Pegasus folder, and the headers of the same messages are
stored in the pmi, which points to the pmm. I'm hoping to be able to bring
up the folders and messages in the folder within Pegasus again (or I should
say my girlfirend is... I recommended Pegasus to her long time aga and it
has been a great email app to use the last five years). You're right I
should post this issue to the pmail support list. But was hoping that it
might be possible to disifect the files so wanted to attempt that first.
> Multi-AV is a tool written by Dave Lipman.
SO would that be useful in this situation, that is "clean" the pmm file of
the Trojan? I didn't see David suggesting to use it in this instance.
> Sysclean is a first-line
> antivirus tool written and hosted by TrendMicro. It takes quite a while
> to run its various scans, but is effective as a first step in removing
> viruses/trojans. One of its great advantages is that it does not need
> to be installed on the target machine.
Sounds good. So do you recommend I try Multi-AV first and then if that does
not clean try Sysclean? Or the other way around?
>> Also I'm hoping to avoid installing a major number of third party
>> tools to solve this one time problem. Registry bloat usually occurs
>> because so many apps don't clean up after themseleves when uninstalled
>> and many contain malware or DRM crap that I don't need to deal with.
>
> XP does not suffer from "registry bloat" ill effects the way earlier MS
> operating systems did. I'd be far less worried about installing and
> then uninstalling Ad-aware and Spybot
Adaware and Spybot already installed and used whenever issues arise. But
not really used as a prevention tool.
> and Ewido
Do you recommend I try Ewido in this circumstance?
> than the fact that yourfriend is not practicing safe computing.
Well generally she does but this was an unintentional mistake. I will not
chastise her for this as she is already aware of the mistake and has been
educated ;-)
> Many tools like HijackThis and
> Sysclean are not installed on the local computer.
Hmmm... I do have Hijack this installed on hard drive already. You mean
they don't have tobe installed on the PC to run. That is they can be run
from CD or other media?
> In practical terms
> you do what you need to in order to get a machine cleaned up. If you
> want to limit your options, that's your business but it doesn't seem
> logical to me when the goal is to get a clean machine at the end.
It's not that I wish to limit my repair options. But because my girlfriend
lives in another town fifty miles away I need to, before my next visit
prioritize and prepare for the best methods to use to attempt to disinfect
the files/remove the trojans. And only THEN if not possible then delete the
files to remove the trojans.
I am receiving lots of recommends so not sure yet which to try first.
My thoughts right now:
1. Run ZAISS 6.x AV in safe mode to see if I can repair (remove virus).
2. If this is not successful try a version McAfee VirusScan 9in safe mdoe).
3. If not successful try Multi-AV, Sysclean and/or Ewido. Not sure which of
these to try first so I can download and burn all to a CD to take with me.
I assume I can download updated AV definitions for each of these AV
utilities and burn to CD? (As I will not have internet access available
while I work on the computer).
4. I do have a boot CD at my disposal containing McAfee AV 4.40 and also F-
Prot AV 3.16b. If I use these tools I assume I will need to obtain updated
virus defs for these tools also. Not sure how to integrate the updated
virus definitions if running AV from a boot CD.
I just noted David has tried the McAfee command line scanner with the /MIME
switch but was not able to clean an infection from within a Pegasus mail
message store file.
And he reported running Kaspersky and was not able to disinfect.
I much appreciate the VERY informative feedback and the recommends that
both you and David have provided.
BTW sorry for the crazy cross-posting. I am still trying to get comfortable
with my Xnews news reader and still a bit perplexed. My intention was to
maintain the cohesiveness of the threads, without multi-posting, in:
microsoft.public.security,
microsoft.public.security.virus,
alt.comp.virus,
alt.comp.anti-virus
Is it proper ettiquette to cross-port to the above newsgroups? They all
seem to be used a lot for anti-virus issues.
Or should I apply "Follow-up to:" to only ONE of thses newsgroups, and if
so, which is preferred?
Thanks again.
Woody
| 
XML site map