Outlook Express files/mails deleted

Discussion in 'NOD32 version 2 Forum' started by hasit, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    Hello,

    I have recently configured a detailed scan with the following options:

    C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+

    It worked well for the first few weeks (4-5). After a few weeks, when the scan completed, without even giving me a warning message it deleted all the emails in my inbox and a few other folders. Basically it was deleting the inbox.dbx and other .dbx files, thus all the emails were getting deleted.

    As per the settings given, I assume this should not happen, as it cannot delete the mailbox.

    Following is the error message that I got when I tried to restore and run the scan option. Can anyone tell me what I am doing wrong?

    File C:\Documents and Settings\vaisnav\Desktop\exportsravikarthikey.dbx is infected with trojan JS/TrojanDownloader.Tivso.gen. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.

    File C:\Documents and Settings\vaisnav\Desktop\add.dbx is infected with trojan JS/TrojanDownloader.Tivso.gen. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.

    File C:\Documents and Settings\doshion\Local Settings\Application Data\Identities\{BD34C244-A2D7-446E-BC9F-898ACE1F2B82}\Microsoft\Outlook Express\Inbox.dbx is infected with trojan JS/TrojanDownloader.Tivso.gen. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.


    File C:\Documents and Settings\doshion\Local Settings\Application Data\Identities\{BD34C244-A2D7-446E-BC9F-898ACE1F2B82}\Microsoft\Outlook Express\Deleted Items.dbx is infected with worm Win32/Stration.LZ. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.

    I just remembered that the computer does not have enough rights, i.e. it is just a guest user and not an administrator which can do modifications into the system, not sure if this can help you!
     
    Last edited: Oct 27, 2006
  2. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    It sounds like there are individual e-mails within these folders that have infected attachments. You may have to go into Outlook Express and delete them manually.

    If you are still getting these errors after deleting the messages, try going to File --> Folder --> Compact All Folders (in Outlook Express).
     
  3. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    You are right, there are a few viruses in the folders, but will it directly delete the inbox.dbx instead of just putting a remark? Please advise.

    Thanks!!!
     
  4. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I am not really sure, to tell you the truth. I have not tested this particular situation, myself. The safest thing to do may be to copy the inbox.dbx file and then scan the copy, to see what happens.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    NOD32 does not perform any action on dbx files. I have never been able to replicate this issue on any computer under any circumstances.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Same here.

    Cheers :D
     
  7. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    I know you are right, but I can also now see the file is deleted since I can see them in Quarantine. Also the mailbox which is shown in the left-side Quarantine has been deleted from Outlook; that is how I discovered that NOD32 is deleting the emails.

    Are the system rights, i.e. Guest control, playing any role here? Please advise.

    Also, when I just scan inbox.dbx it does not delete it, but when I do it via C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+

    it might have deleted it; usually I keep the computer on at night for scanning, so I am not sure exactly how it happened.

    Thanks, Hasit
    PS: Any help to check on configuration will be HIGHLY advisable.
     
  8. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    I can see that NOD32's recent definition file contains the virus name "Win32/Stration.LZ", but what about the trojan, JS/TrojanDownloader.Tivso.gen?

    Any idea how to remove it?

    Also, because of this the .dbx file got deleted. Any idea what I should do to ensure it is not repeated?

    Thanks, Hasit
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You might need to remove the /mailbox+ parameter to prevent this from happening again, though my NOD32 didn't delete dbx files even with this parameter used.
     
  10. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    This means it will not scan Outlook items, right? Please advise.
     
  11. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    I found on page http://forums.whirlpool.net.au/forum-replies-archive.cfm/416621.html that we should replace from

    C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+

    to:
    /local /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+

    Basically change

    /delete to /prompt

    What do you say? Is that worth it? Please advise.

    Does this mean it will still keep the virus as it is? Please advise.

    Thanks, Hasit
     
  12. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    Hello,

    I am pasting logs of a few of the scans which were done today, and once again my mailbox was deleted. Somewhere in the logs it is clearly mentioned that the file was quarantined and also deleted.

    Can you people look and suggest me the next

    Also, please advise if you want me to change /delete into /prompt.

    ------------------------------------
    Scan performed at: 10/28/2006 9:51:00 AM
    Scanning Log
    NOD32 version 1.1842 (20061027) NT
    Command line: C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
    Operating memory - is OK

    Date: 28.10.2006 Time: 09:51:12
    Scanned disks, folders and files: C:\
    C:\PAGEFILE.SYS - error opening (Access denied) [4]
    C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SYSTEM - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SOFTWARE - error opening (File locked) [4]
    C:\WINDOWS\system32\config\DEFAULT - error opening (File locked) [4]
    C:\WINDOWS\system32\CatRoot2\edb.log - error opening (File locked) [4]
    C:\WINDOWS\system32\CatRoot2\tmp.edb - error opening (File locked) [4]
    C:\WINDOWS\security\edb.log - error opening (File locked) [4]
    C:\WINDOWS\security\edbtmp.log - error opening (File locked) [4]
    C:\WINDOWS\security\tmp.edb - error opening (File locked) [4]
    C:\WINDOWS\SoftwareDistribution\EventCache\{5789EC16-9E63-4529-B9D8-DE11FA338022}.bin - error opening (File locked) [4]
    C:\WINDOWS\SoftwareDistribution\EventCache\{B9AB4EF4-F6D2-4BAF-8F18-33B2B53F5554}.bin - error opening (File locked) [4]
    C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb - error opening (File locked) [4]
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log - error opening (File locked) [4]
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\doshion water\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\doshion water\ntuser.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: "Bhavesh Upadhyay" <bupadhyay@doshion.com> with subject Budget data of 2005-2006 for HR and Personnel dept dated Sat, 1 Apr 2006 14:34:38 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: "Bhavesh Upadhyay" <bupadhyay@doshion.com> with subject P & HR Budget 20052006 P & HR Budget2005-2006.xls dated Sat, 1 Apr 2006 16:41:34 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: "Bhavesh Upadhyay" <bupadhyay@doshion.com> with subject SOP of the recruitment procedure Header Footer.doc dated Thu, 27 Apr 2006 11:27:07 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: "Bhavesh Upadhyay" <bupadhyay@doshion.com> with subject Salary structure and Clauses Copy of new salary st dated Fri, 19 May 2006 15:12:58 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: <bupadhyay@doshion.com> with subject Copy of new salary structure.xls [1/7] dated Wed, 24 May 2006 18:39:57 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Administrator" <admin@doshion.com> to: <sujit@doshion.com> with subject PostMaster Enterprise ALERT - DELIVERY ATTEMPT FAI dated Thu, 15 Jun 2006 15:22:23 +0530 »MIME » - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Administrator" <admin@doshion.com> to: <sujit@doshion.com> with subject PostMaster Enterprise ALERT - DELIVERY ATTEMPT FAI dated Thu, 15 Jun 2006 12:32:43 +0530 »MIME » - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "adm" <adm@doshion.com> to: "Bhavesh Upadhyay" <bupadhyay@doshion.com> with subject Fw: Salary and car benefit letter for shalini sriv dated Fri, 23 Jun 2006 09:56:33 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "dhiren.shukla" <dhiren.shukla@ionexchange.co.in> to: "bhavesh" <bupadhyay@doshion.com> with subject RE: dated Mon, 21 Aug 2006 22:51:00 +0530 »MIME »part001.htm - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Dhirenshukla" <dhiren.shukla@ionexchange.co.in> to: "Careers" <careers@doshion.com> with subject Re: hi dated Mon, 18 Sep 2006 10:44:15 +0530 »MIME - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Manas Chakraborty" <kolkata@doshion.com> to: adm <adm@doshion.com> with subject salary report dated Tue, 3 Oct 2006 09:52:33 +0530 »MIME »msg.zip »ZIP »mail.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject Increment Issues dated Sun, 8 Oct 2006 11:15:57 +0530 »MIME »mail.zip »ZIP »message.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject FW: Jeyakumar_Take Necessary Action dated Thu, 5 Oct 2006 11:20:53 +0530 »MIME »msg.zip »ZIP »msg.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject Request for mobile for Mr.Madappan dated Sun, 8 Oct 2006 15:23:29 +0530 »MIME »data.zip »ZIP »message.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject FW: Jeyakumar_Take Necessary Action dated Thu, 5 Oct 2006 11:21:13 +0530 »MIME »data.zip »ZIP »data.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject FW: DEDUCTION IN SALARY - 550 RUPEES FOR BUS CHARG dated Sun, 8 Oct 2006 11:02:32 +0530 »MIME »mail.zip »ZIP »message.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "Anindya Roy" <anindya_roy@doshion.com> to: "'Mr. Bhavesh'" <bupadhyay@doshion.com> with subject Fw: Increment 2005-2006 dated Sun, 15 Oct 2006 13:30:40 +0530 »MIME »mail.zip »ZIP »msg.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Inbox.dbx »DBX »from: "shailesh kanaiyalal thaker" <drskt1@rediffmail.com> to: bupadhyay@doshion.com with subject programme dated 18 Oct 2006 15:09:04 -0000 »MIME - error occurred while reading archive
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Deleted Items.dbx »DBX »from: "Manas Chakraborty" <kolkata@doshion.com> to: <adm@doshion.com> with subject salary report dated Tue, 3 Oct 2006 09:52:33 +0530 »MIME »msg.zip »ZIP »mail.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Deleted Items.dbx »DBX »from: "Ravi" <ravi@doshion.com> to: <bupadhyay@doshion.com> with subject FW: DEDUCTION IN SALARY - 550 RUPEES FOR BUS CHARG dated Sun, 8 Oct 2006 11:04:47 +0530 »MIME »mail.zip »ZIP »msg.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Deleted Items.dbx »DBX »from: noreply@hotmail.com to: bupadhyay@doshion.com with subject Protected Mail from HotMail.com user. dated Wed, 11 Oct 2006 12:17:42 +0530 »MIME »msg.zip »ZIP »data.hta - JS/TrojanDownloader.Tivso.gen trojan - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Deleted Items.dbx »DBX »from: secur@niet.com to: bupadhyay@doshion.com with subject Mail server report. dated Thu, 19 Oct 2006 17:34:13 +0530 »MIME »Update-KB4625-x86.zip »ZIP »Update-KB4625-x86.exe - Win32/Stration.JQ worm - was a part of the deleted object
    C:\Documents and Settings\doshion water\Local Settings\Application Data\Identities\{04B42628-8BC8-4723-82EE-FAF11D912BDA}\Microsoft\Outlook Express\Sent Items.dbx »DBX »from: "Bavesh Upadhyay" <bupadhyay@doshion.com> to: <arif_lion@yahoo.co.in> with subject Fw: Copy of new salary structure.xls [1/7] dated Fri, 26 May 2006 14:32:22 +0530 »MIME »tmp.dat »MIME - error occurred while reading archive
    Number of scanned files: 89797
    Number of threats found: 11
    Number of files cleaned: 2
    Time of completion: 10:03:35 Total scanning time: 743 sec (00:12:23)

    Notes:
    [4] File cannot be opened. It may be in use by another application or operating system.

    ------------------------------------------------------------------------

    One more extract from the log is:

    File C:\Documents and Settings\Administrator\Desktop\Inbox.dbx is infected with trojan JS/TrojanDownloader.Tivso.gen. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.


    I can attach more logs if required!
     
  13. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I cannot tell for sure, but it looks like NOD32 may have removed the infected MIME attachments from the e-mail messages, but left the rest of the .dbx file intact.

    As for changing /delete to /prompt, this will make the NOD32 scanner stop and ask you what you want to do with the threats that it has found, instead of deleting the file automatically. If you are going to be sitting at the computer when you run the scan, this may be OK, because then you can choose. However, if you are going to be away from the computer, this may be bad, because the scan will be paused until you come back to your computer (if it finds a threat). The choice is up to you.
     
  14. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hello hasit,

    First, can you please start the scan you have been using, then stop it partway through and look at the 'Actions' tab. Compare both the email and email folders settings to the screenshot and let us know if there are any differences at all, but especially in the area marked.

    Screenshot - 29_10_2006 , 3_28_29 AM.png

    Cheers :)
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I've run
    nod32.exe Inbox.dbx /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+

    and got the following pop-up window:
     


  16. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    I think for now I would keep it at prompt as I don't want to risk anything! Once I get the required support I shall switch it to Delete!
     
  17. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    I have already done the needful on this, as you can see there is no option to delete the mailbox, then there is no chance for looking ahead!
     
  18. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    Once I ran that I get the following:

    C:\Documents and Settings\p\Local Settings\Application Data\Identities\{AE6D8788-4341-413D-BDF7-0AA5A2A9BCFB}\Microsoft\Outlook Express\Inbox.dbx - JS/TrojanDownloader.Tivso.gen trojan - quarantined - deleted

    It says deleted, how can this happen? Attached are a few more logs for your detailed study. I have attached them as logs1.txt and logs2.txt (in my next post).
     


  19. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    Do you want me to provide you with a snapshot? But I guess you can easily trust this.
     


  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No it doesn't say that at all, it says it was "part" of the deleted object:

    I am not seeing any action taken by NOD32 on that file in the log you have provided.

    The second log shows no infections at all.

    Cheers :D
     
  21. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    Where is it mentioned that it was part of the deleted object?

    Also, you are trying to prove that it would not delete, but in the actual case it got deleted. Any idea what I should do?
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Do a search on your log file for the word "deleted" and you will see that no action was performed except cleaning, as in the file was not deleted.

    Your logs state otherwise, they state that 2 files were "cleaned", not deleted.

    Cheers :D
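
Added example (not part of the original thread, and not ESET code): a small Python triage script for scan-log lines in the shape pasted in this thread. It separates lines that report a status on the file itself (such as the `- quarantined - deleted` line quoted earlier) from lines about objects nested inside it (`was a part of the deleted object`, `error occurred while reading archive`). The sample lines, paths and function names are constructed for illustration, and the line grammar is inferred from the pasted logs, not from NOD32 documentation.

```python
import re
from collections import defaultdict

SEP = "»"                             # nesting separator seen in the pasted logs
PATH = re.compile(r"^[A-Za-z]:\\")    # only lines starting with a drive path are entries

# Constructed sample lines modelled on the log format in this thread.
SAMPLE_LOG = [
    r"C:\PAGEFILE.SYS - error opening (Access denied) [4]",
    r"C:\Mail\Inbox.dbx »DBX »from: a@example.com to: b@example.com with subject "
    r"ALERT - DELIVERY TEST dated Thu, 15 Jun 2006 »MIME » - error occurred while reading archive",
    r"C:\Mail\Inbox.dbx »DBX »from: a@example.com to: b@example.com with subject report "
    r"dated Tue, 3 Oct 2006 »MIME »msg.zip »ZIP »mail.hta - JS/TrojanDownloader.Tivso.gen trojan "
    r"- was a part of the deleted object",
    r"C:\Mail\Inbox.dbx - JS/TrojanDownloader.Tivso.gen trojan - quarantined - deleted",
    r"C:\Mail\Sent Items.dbx »DBX »from: a@example.com to: b@example.com with subject x "
    r"dated Fri, 26 May 2006 »MIME »tmp.dat »MIME - error occurred while reading archive",
    "Number of threats found: 11",
]


def parse_line(line):
    """Return a dict for one log entry, or None for header/summary lines."""
    line = line.strip()
    if not PATH.match(line) or " - " not in line:
        return None
    nested = SEP in line
    # Subjects may contain " - ", so only the part after the last separator is split.
    tail = line.rsplit(SEP, 1)[1] if nested else line
    fields = [f.strip() for f in tail.split(" - ")]
    container = line.split(SEP, 1)[0].strip() if nested else fields[0]
    rest = fields[1:]
    if not rest:
        return None
    # "<object> - <status>" is a read error; "<object> - <threat> - <status>..." is a detection.
    threat, statuses = (rest[0], rest[1:]) if len(rest) >= 2 else (None, rest)
    return {"container": container, "nested": nested,
            "threat": threat, "statuses": statuses}


def summarize(lines):
    """Group entries by the on-disk file they refer to."""
    report = defaultdict(lambda: {"own_statuses": [], "nested_detections": 0,
                                  "read_errors": 0, "threats": set()})
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        rec = report[entry["container"]]
        if entry["threat"] is None:
            rec["read_errors"] += 1
            continue
        rec["threats"].add(entry["threat"])
        if entry["nested"]:
            rec["nested_detections"] += 1      # attachment-level line only
        else:
            rec["own_statuses"].extend(entry["statuses"])  # status on the file itself
    return dict(report)


def containers_reported_deleted(report):
    """Files whose own log line carries the status 'deleted'."""
    return sorted(p for p, r in report.items() if "deleted" in r["own_statuses"])


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for path, rec in rep.items():
        print(path, rec)
    print("Reported deleted as a whole file:", containers_reported_deleted(rep))
```

Comparing the files this reports against the Quarantine list and the file sizes there gives the same check alglove asks for later in the thread.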
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    And the on demand scanner has delete grayed out because it is an unavailable action that can not be performed.

    I have carried out hundreds and hundreds of scans of "dbx" files on customers' infected machines; the scanner has never deleted a single infection found as it can not do so; it lists the location of the file (Inbox, Deleted Items etc) and then that file can ONLY be manually navigated to and manually removed.

    Cheers :D
     


  24. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Hasit, can you cut-and-paste a screenshot of your NOD32 System Tools --> Quarantine screen? I am particularly interested in the size of the quarantined files, and how they compare in size to the Inbox.dbx file.

    For example, if your Inbox.dbx file is 1000000 bytes, but the quarantined files are 8000 bytes, then Inbox.dbx is not in the Quarantine. On the other hand, if you do have a 1000000 byte file in Quarantine, then maybe we can see what is going on.
     
  25. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    The file size is the same as inbox.dbx and I have verified it.

    I have already deleted the Quarantine, but I can surely try to get a snapshot of the same. Give me a few hours to check on this.

    Thanks anyways!
     