Outlook Express files/mails deleted
hasit
October 27th, 2006, 11:40 AM
hello,
I have recently configured a detailed scan with the following options:
C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
It worked well for the first few weeks (4-5). After a few weeks, when the scan completed, it deleted all the emails in my inbox and a few other folders without even giving me a warning message. Basically it was deleting inbox.dbx and other .dbx files, so all the emails were getting deleted.
As per the settings given, I assume this should not happen, as it cannot delete the mailbox.
Following is the error message that I got when I tried to restore and run the scan. Can anyone tell me what I am doing wrong?
File C:\Documents and Settings\vaisnav\Desktop\exportsravikarthikey.dbx is infected with trojan JS/TrojanDownloader.Tivso.gen. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.
File C:\Documents and Settings\vaisnav\Desktop\add.dbx is infected with trojan JS/TrojanDownloader.Tivso.gen. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.
File C:\Documents and Settings\doshion\Local Settings\Application Data\Identities\{BD34C244-A2D7-446E-BC9F-898ACE1F2B82}\Microsoft\Outlook Express\Inbox.dbx is infected with trojan JS/TrojanDownloader.Tivso.gen. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.
File C:\Documents and Settings\doshion\Local Settings\Application Data\Identities\{BD34C244-A2D7-446E-BC9F-898ACE1F2B82}\Microsoft\Outlook Express\Deleted Items.dbx is infected with worm Win32/Stration.LZ. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.
I just remembered that the computer does not have enough rights, i.e. it is just a guest user and not an administrator that can make modifications to the system. Not sure if this can help you!
alglove
October 27th, 2006, 01:29 PM
It sounds like there are individual e-mails within these folders that have infected attachments. You may have to go into Outlook Express and delete them manually.
If you are still getting these errors after deleting the messages, try going to File --> Folder --> Compact All Folders (in Outlook Express).
hasit
October 27th, 2006, 01:45 PM
{QUOTE-> It sounds like there are individual e-mails within these folders that have infected attachments. You may have to go into Outlook Express and delete them manually.
If you are still getting these errors after deleting the messages, try going to File --> Folder --> Compact All Folders (in Outlook Express). <-QUOTE}
You are right, there are a few viruses in the folders, but will it directly delete inbox.dbx instead of just putting a remark? Please advise.
Thanks!!!
alglove
October 27th, 2006, 04:04 PM
I am not really sure, to tell you the truth. I have not tested this particular situation, myself. The safest thing to do may be to copy the inbox.dbx file and then scan the copy, to see what happens.
Marcos
October 27th, 2006, 04:22 PM
NOD32 does not perform any action on dbx files. I have never been able to replicate this issue on any computer under any circumstances.
Blackspear
October 27th, 2006, 07:53 PM
{QUOTE-> I have never been able to replicate this issue on any computer under any circumstances. <-QUOTE}Same here.
Cheers ;D
hasit
October 28th, 2006, 12:37 AM
{QUOTE-> NOD32 does not perform any action on dbx files. I have never been able to replicate this issue on any computer under any circumstances. <-QUOTE}
I know you are right, but I can also now see the file is deleted, since I can see them in Quarantine. Also, the mailboxes which are shown on the left side in Quarantine have been deleted from Outlook; that is how I discovered that NOD32 is deleting the emails.
Are the system rights, i.e. guest control, playing any role here? Please advise.
Also, when I just scan inbox.dbx it does not delete it, but when I do it via
C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
it might have deleted it. Usually I keep the computer on at night for scanning, so I am not sure exactly how it happened.
Thanks, Hasit
PS: Any help checking the configuration would be HIGHLY appreciated.
hasit
October 28th, 2006, 01:35 AM
I can see that NOD32's recent definition file contains the virus name "Win32/Stration.LZ", but what about the trojan, JS/TrojanDownloader.Tivso.gen?
Any idea how to remove it?
Also, because of this the .dbx file got deleted; any idea what I should do to ensure it is not repeated?
Thanks, Hasit
Marcos
October 28th, 2006, 03:02 AM
You might need to remove the /mailbox+ parameter to prevent this from happening again, though my NOD32 didn't delete dbx files even with this parameter used.
hasit
October 28th, 2006, 09:16 AM
{QUOTE-> You might need to remove the /mailbox+ parameter to prevent this from happening again, though my NOD32 didn't delete dbx files even with this parameter used. <-QUOTE}
This means it will not scan Outlook items, right? Please advise.
hasit
October 28th, 2006, 10:16 AM
I found on the page http://forums.whirlpool.net.au/forum-replies-archive.cfm/416621.html that we should change from
C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
to:
/local /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
Basically, change
/delete to /prompt
What do you say? Is that worth it? Please advise.
Does this mean it will still keep the virus as it is? Please advise.
Thanks, Hasit
hasit
October 28th, 2006, 10:37 AM
Hello,
I am pasting logs of a few of the scans which were done today, and once again my mailbox was deleted. Somewhere in the logs it is clearly mentioned that the file was quarantined and also deleted.
Can you people look and suggest me the next
Also, please advise if you want me to change /delete into /prompt.
------------------------------------
Scan performed at: 10/28/2006 9:51:00 AM
Scanning Log
NOD32 version 1.1842 (20061027) NT
Command line: C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
Operating memory - is OK
Date: 28.10.2006 Time: 09:51:12
Scanned disks, folders and files: C:\
C:\PAGEFILE.SYS - error opening (Access denied) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SYSTEM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SOFTWARE - error opening (File locked) [4]
C:\WINDOWS\system32\config\DEFAULT - error opening (File locked) [4]
C:\WINDOWS\system32\CatRoot2\edb.log - error opening (File locked) [4]
C:\WINDOWS\system32\CatRoot2\tmp.edb - error opening (File locked) [4]
C:\WINDOWS\security\edb.log - error opening (File locked) [4]
C:\WINDOWS\security\edbtmp.log - error opening (File locked) [4]
C:\WINDOWS\security\tmp.edb - error opening (File locked) [4]
C:\WINDOWS\SoftwareDistribution\EventCache\{5789EC16-9E63-4529-B9D8-DE11FA338022}.bin - error opening (File locked) [4]
C:\WINDOWS\SoftwareDistribution\EventCache\{B9AB4EF4-F6D2-4BAF-8F18-33B2B53F5554}.bin - error opening (File locked) [4]
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb - error opening (File locked) [4]
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log - error opening (File locked) [4]
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\doshion water\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\doshion water\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\doshion water\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\doshion water\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: "Bhavesh Upadhyay" <bupadhyay@doshion.com> with subject Budget data of 2005-2006 for HR and Personnel dept dated Sat, 1 Apr 2006 14:34:38 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: "Bhavesh Upadhyay" <bupadhyay@doshion.com> with subject P & HR Budget 20052006 P & HR Budget2005-2006.xls dated Sat, 1 Apr 2006 16:41:34 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: "Bhavesh Upadhyay" <bupadhyay@doshion.com> with subject SOP of the recruitment procedure Header Footer.doc dated Thu, 27 Apr 2006 11:27:07 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: "Bhavesh Upadhyay" <bupadhyay@doshion.com> with subject Salary structure and Clauses Copy of new salary st dated Fri, 19 May 2006 15:12:58 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: <bupadhyay@doshion.com> with subject Copy of new salary structure.xls [1/7] dated Wed, 24 May 2006 18:39:57 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Administrator" <admin@doshion.com> to: <sujit@doshion.com> with subject PostMaster Enterprise ALERT - DELIVERY ATTEMPT FAI dated Thu, 15 Jun 2006 15:22:23 +0530 »MIME » - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Administrator" <admin@doshion.com> to: <sujit@doshion.com> with subject PostMaster Enterprise ALERT - DELIVERY ATTEMPT FAI dated Thu, 15 Jun 2006 12:32:43 +0530 »MIME » - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: "Bhavesh Upadhyay" <bupadhyay@doshion.com> with subject Fw: Salary and car benefit letter for shalini sriv dated Fri, 23 Jun 2006 09:56:33 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "dhiren.shukla" <dhiren.shukla@ionexchange.co.in> to: "bhavesh" <bupadhyay@doshion.com> with subject RE: dated Mon, 21 Aug 2006 22:51:00 +0530 »MIME »part001.htm - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Dhirenshukla" <dhiren.shukla@ionexchange.co.in> to: "Careers" <careers@doshion.com> with subject Re: hi dated Mon, 18 Sep 2006 10:44:15 +0530 »MIME - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Manas Chakraborty" <kolkata@doshion.com> to: adm <adm@doshion.com> with subject salary report dated Tue, 3 Oct 2006 09:52:33 +0530 »MIME »msg.zip »ZIP »mail.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject Increment Issues dated Sun, 8 Oct 2006 11:15:57 +0530 »MIME »mail.zip »ZIP »message.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject FW: Jeyakumar_Take Necessary Action dated Thu, 5 Oct 2006 11:20:53 +0530 »MIME »msg.zip »ZIP »msg.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject Request for mobile for Mr.Madappan dated Sun, 8 Oct 2006 15:23:29 +0530 »MIME »data.zip »ZIP »message.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject FW: Jeyakumar_Take Necessary Action dated Thu, 5 Oct 2006 11:21:13 +0530 »MIME »data.zip »ZIP »data.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject FW: DEDUCTION IN SALARY - 550 RUPEES FOR BUS CHARG dated Sun, 8 Oct 2006 11:02:32 +0530 »MIME »mail.zip »ZIP »message.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Anindya Roy" <anindya_roy@doshion.com> to: "'Mr. Bhavesh'" <bupadhyay@doshion.com> with subject Fw: Increment 2005-2006 dated Sun, 15 Oct 2006 13:30:40 +0530 »MIME »mail.zip »ZIP »msg.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "shailesh kanaiyalal thaker" <drskt1@rediffmail.com> to: bupadhyay@doshion.com with subject programme dated 18 Oct 2006 15:09:04 -0000 »MIME - error occurred while reading archive
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Deleted Items.dbx »DBX »from: "Manas Chakraborty" <kolkata@doshion.com> to: <adm@doshion.com> with subject salary report dated Tue, 3 Oct 2006 09:52:33 +0530 »MIME »msg.zip »ZIP »mail.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Deleted Items.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject FW: DEDUCTION IN SALARY - 550 RUPEES FOR BUS CHARG dated Sun, 8 Oct 2006 11:04:47 +0530 »MIME »mail.zip »ZIP »msg.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Deleted Items.dbx »DBX »from: noreply@hotmail.com to: bupadhyay@doshion.com with subject Protected Mail from HotMail.com user. dated Wed, 11 Oct 2006 12:17:42 +0530 »MIME »msg.zip »ZIP »data.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Deleted Items.dbx »DBX »from: secur@niet.com to: bupadhyay@doshion.com with subject Mail server report. dated Thu, 19 Oct 2006 17:34:13 +0530 »MIME »Update-KB4625-x86.zip »ZIP »Update-KB4625-x86.exe - Win32/Stration.JQ worm - was a part of the deleted object
C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Sent Items.dbx »DBX »from: "Bavesh Upadhyay" <bupadhyay@doshion.com> to: <arif_lion@yahoo.co.in> with subject Fw: Copy of new salary structure.xls [1/7] dated Fri, 26 May 2006 14:32:22 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
Number of scanned files: 89797
Number of threats found: 11
Number of files cleaned: 2
Time of completion: 10:03:35 Total scanning time: 743 sec (00:12:23)
Notes:
[4] File cannot be opened. It may be in use by another application or operating system.
------------------------------------------------------------------------
One more extract from the log is:
File C:\Documents and Settings\Administrator\Desktop\Inbox.dbx is infected with trojan JS/TrojanDownloader.Tivso.gen. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.
I can attach more logs if required!
alglove
October 28th, 2006, 11:12 AM
I cannot tell for sure, but it looks like NOD32 may have removed the infected MIME attachments from the e-mail messages, but left the rest of the .dbx file intact.
As for changing /delete to /prompt, this will make the NOD32 scanner stop and ask you what you want to do with the threats that it has found, instead of deleting the file automatically. If you are going to be sitting at the computer when you run the scan, this may be OK, because then you can choose. However, if you are going to be away from the computer, this may be bad, because the scan will be paused until you come back to your computer (if it finds a threat). The choice is up to you.
NOD32 user
October 28th, 2006, 12:36 PM
{QUOTE-> Hello,
I am pasting logs of a few of the scans which were done today, and once again my mailbox was deleted. Somewhere in the logs it is clearly mentioned that the file was quarantined and also deleted.
Can you people look and suggest me the next
Also, please advise if you want me to change /delete into /prompt.
... <-QUOTE}Hello hasit,
First, can you please start the scan you have been using, then stop it partway through and look at the 'Actions' tab. Compare both the email and email folders settings to the screenshot and let us know if there are any differences at all, but especially in the area marked.
Cheers :)
Marcos
October 28th, 2006, 12:36 PM
I've run
nod32.exe Inbox.dbx /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
and got the following pop-up window:
hasit
October 30th, 2006, 02:20 AM
{QUOTE-> I cannot tell for sure, but it looks like NOD32 may have removed the infected MIME attachments from the e-mail messages, but left the rest of the .dbx file intact.
As for changing /delete to /prompt, this will make the NOD32 scanner stop and ask you what you want to do with the threats that it has found, instead of deleting the file automatically. If you are going to be sitting at the computer when you run the scan, this may be OK, because then you can choose. However, if you are going to be away from the computer, this may be bad, because the scan will be paused until you come back to your computer (if it finds a threat). The choice is up to you. <-QUOTE}
I think for now I will keep it on prompt, as I don't want to risk anything! Once I get the required support I shall switch it to Delete!
hasit
October 30th, 2006, 02:22 AM
{QUOTE-> Hello hasit,
First, can you please start the scan you have been using, then stop it partway through and look at the 'Actions' tab. Compare both the email and email folders settings to the screenshot and let us know if there are any differences at all, but especially in the area marked.
Cheers :) <-QUOTE}
I have already done the needful on this. As you can see, there is no option to delete the mailbox, so there is no chance of looking ahead!
hasit
October 30th, 2006, 02:24 AM
{QUOTE-> I've run
nod32.exe Inbox.dbx /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
and got the following pop-up window: <-QUOTE}
Once I ran that I got the following:
C:\Documents and Settings\p\Local Settings\Application Data\Identities\{AE6D8788-4341-413D-BDF7-0AA5A2A9BCFB}\Microsoft\Outlook Express\Inbox.dbx - JS/TrojanDownloader.Tivso.gen trojan - quarantined - deleted
It says deleted; how can this happen? Attached are a few more logs for your detailed study. I have attached them as logs1.txt and logs2.txt (in my next post).
hasit
October 30th, 2006, 02:25 AM
Do you want me to provide you with a screenshot? But I guess you can easily trust this.
Blackspear
October 30th, 2006, 06:20 AM
{QUOTE-> C:\Documents and Settings\p\Local Settings\Application Data\Identities\{AE6D8788-4341-413D-BDF7-0AA5A2A9BCFB}\Microsoft\Outlook Express\Inbox.dbx - JS/TrojanDownloader.Tivso.gen trojan - quarantined - deleted
it says deleted <-QUOTE}No, it doesn't say that at all; it says it was "part" of the deleted object:
{QUOTE-> C:\Documents and Settings\p\Local Settings\Application Data\Identities\{AE6D8788-4341-413D-BDF7-0AA5A2A9BCFB}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: noreply@hotmail.com to: base_ahm@doshion.com with subject Secure Mail from HotMail.com user. dated Mon, 16 Oct 2006 22:43:10 -0700 »MIME »msg.zip »ZIP »mail.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object <-QUOTE}I am not seeing any action taken by NOD32 on that file in the log you have provided.
The second log shows no infections at all.
Cheers ;D
hasit
October 30th, 2006, 06:34 AM
Where is it mentioned that it was part of the deleted object?
Also, you are trying to prove that it would not delete, but in the actual case it got deleted. Any idea what I should do?
Blackspear
October 30th, 2006, 06:50 AM
{QUOTE-> Where is it mentioned that it was part of the deleted object? <-QUOTE}Do a search on your log file for the word "deleted" and you will see that no action was performed except cleaning, as in the file was not deleted.
{QUOTE-> Also, you are trying to prove that it would not delete, but in the actual case it got deleted. <-QUOTE}Your logs state otherwise; they state that 2 files were "cleaned", not deleted.
Cheers ;D
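The disagreement above comes down to reading the log line correctly: an action on an object chained after the path with » is not an action on the .dbx container. As an added example (not code from the thread or from ESET), the Python below parses NOD32 1.x scan-log lines of the kind quoted in this thread from the right-hand end, so that a " - " inside a mail subject does not break the split, and reports per on-disk file whether the container itself was deleted or only an object nested inside it. The sample lines are constructed in that format; the user name, identity GUID and mail addresses are placeholders.

```python
# Parse NOD32 1.x on-demand scan-log lines and report, per on-disk file,
# whether the scanner acted on the file itself or only on an object nested
# inside it.  Nested objects follow the path after " »" separators; the
# threat name and action(s) follow " - ".  Mail subjects in the chain can
# contain " - " as well, so each line is parsed from the right.
import re
from dataclasses import dataclass, field
from typing import List, Optional

ACTION_RE = re.compile(r"^(deleted|quarantined|cleaned(?: by deleting)?"
                       r"|was a part of the deleted object|error .*)$")
THREAT_RE = re.compile(r"^\S+ (trojan|worm|virus|adware)$")  # e.g. "X/Y.gen trojan"


@dataclass
class ScanEntry:
    path: str                                        # file as it exists on disk
    chain: List[str] = field(default_factory=list)   # nested objects, outermost first
    threat: Optional[str] = None
    actions: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ScanEntry]:
    """Parse one result line; header and summary lines yield None."""
    parts = line.rstrip().split(" - ")
    actions: List[str] = []
    while len(parts) > 1 and ACTION_RE.match(parts[-1]):
        actions.insert(0, parts.pop())
    threat = parts.pop() if len(parts) > 1 and THREAT_RE.match(parts[-1]) else None
    if not actions and threat is None:
        return None
    # Rejoining restores any " - " that belonged to a mail subject.
    path, *chain = " - ".join(parts).split(" »")
    return ScanEntry(path, [c for c in chain if c], threat, actions)


def summarize(log_text: str) -> dict:
    """Per on-disk file: was the container deleted, how many nested objects
    were removed, how many objects could not be read, which threats were named."""
    report: dict = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        r = report.setdefault(e.path, {"container_deleted": False, "nested_removed": 0,
                                       "unreadable": 0, "threats": set()})
        if e.threat:
            r["threats"].add(e.threat)
        if e.chain:  # the action applied inside the container, not to the .dbx
            r["nested_removed"] += int("was a part of the deleted object" in e.actions)
        elif "deleted" in e.actions:  # the on-disk file itself was removed
            r["container_deleted"] = True
        r["unreadable"] += int(any(a.startswith("error") for a in e.actions))
    return report


def deleted_containers(report: dict) -> List[str]:
    """Files the log says were removed from disk as a whole."""
    return sorted(p for p, r in report.items() if r["container_deleted"])


# Constructed sample in the format quoted in the thread; the user name,
# identity GUID and mail addresses are placeholders.
INBOX = (r"C:\Documents and Settings\user\Local Settings\Application Data"
         r"\Identities\{PLACEHOLDER-GUID}\Microsoft\Outlook Express\Inbox.dbx")
SAMPLE_LOG = "\n".join([
    "Operating memory - is OK",
    INBOX + ' »DBX »from: "HR" <hr@example.com> to: <user@example.com> with subject'
    ' salary report dated Tue, 3 Oct 2006 09:52:33 +0530 »MIME »msg.zip »ZIP »mail.hta'
    ' - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object',
    INBOX + ' »DBX »from: "Admin" <admin@example.com> to: <user@example.com> with subject'
    ' ALERT - DELIVERY ATTEMPT FAILED dated Thu, 15 Jun 2006 15:22:23 +0530 »MIME »'
    ' - error occurred while reading archive',
    INBOX + ' »DBX »from: secur@example.com to: user@example.com with subject Mail server'
    ' report. dated Thu, 19 Oct 2006 17:34:13 +0530 »MIME »Update-KB4625-x86.zip »ZIP'
    ' »Update-KB4625-x86.exe - Win32/Stration.JQ worm - was a part of the deleted object',
    r"C:\Documents and Settings\user\Desktop\exported.dbx"
    " - JS/TrojanDownloader.Tivso.gen trojan - quarantined - deleted",
    "Number of scanned files: 89797",
])
```

Run against the sample, only exported.dbx comes back as a deleted container; the Inbox.dbx lines count as two nested removals and one unreadable attachment, which is the distinction the replies above are drawing.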
Blackspear
October 30th, 2006, 07:02 AM
And the on-demand scanner has delete grayed out because it is an unavailable action that cannot be performed.
I have carried out hundreds and hundreds of scans of "dbx" files on customers' infected machines; the scanner has never deleted a single infection found, as it cannot do so. It lists the location of the file (Inbox, Deleted Items etc.) and then that file can ONLY be manually navigated to and manually removed.
Cheers ;D
alglove
October 30th, 2006, 06:54 PM
Hasit, can you cut-and-paste a screenshot of your NOD32 System Tools --> Quarantine screen? I am particularly interested in the size of the quarantined files, and how they compare in size to the Inbox.dbx file.
For example, if your Inbox.dbx file is 1000000 bytes, but the quarantined files are 8000 bytes, then Inbox.dbx is not in the Quarantine. On the other hand, if you do have a 1000000 byte file in Quarantine, then maybe we can see what is going on.
hasit
October 30th, 2006, 11:22 PM
The file size is the same as inbox.dbx, and I have verified it.
I have already deleted the Quarantine, but I can surely try to get a screenshot of the same. Give me a few hours to check on this.
Thanks anyways!
Blackspear
October 31st, 2006, 12:53 AM
Please also post a "screenshot" of exactly as you see in post number 23 above.
Cheers ;D
Copyright ©2002 - 2009, Wilders Security Forums