ClamWin Free Antivirus
Support and Discussion Forums
How do I remove Trojan from email inbox
apb123


Joined: 29 Jul 2009
Posts: 1
Hello, ClamWin has found a Trojan in my Thunderbird local inbox (Inbox: Email.Trojan.GZC FOUND) but I'm not sure how to find this in my inbox. There is no indication of which email it is and I don't have any emails with attachments, so how do I know which email is infected so I can delete it?
Thanks, Andrew.
sherpya


Joined: 22 Mar 2006
Posts: 899
Location: Italy
Maybe you already deleted it; try compacting the folder in Thunderbird.
Offer an option to remove viruses from Inboxes!!!
Asylum


Joined: 30 Apr 2010
Posts: 5
If it were already deleted then why would ClamWin be reporting that it found it? Does no one have an answer for this almost a whole year later?
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
Can you do anything with dates? Do you have a scan date for the trojan? If so, can you find email with/around that date?

ClamWin never was set up by the developers to work with Thunderbird, but I believe there are some T-Bird add-ins.

Regards,
Asylum


Joined: 30 Apr 2010
Posts: 5
Thanks for the response, GuitarBob. Unfortunately there are no dates included, so searching for similar dates of emails won't help. Below is everything that is output after the scan completes. There are no filenames or times output in this report, so to try and manually remove the files from disc is not possible. ClamWin is now reporting that it is getting false positives on signed Windows files, so I am assuming that ClamWin has just gone to crap at least for the time being and maybe I should start seeking a working solution. Hoping that is not the answer as I rather like ClamWin and have recommended it to tons of people.

Scan Started Fri Apr 30 20:41:02 2010
-------------------------------------------------------------------------------

C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\All Mail: no action performed on a mailbox
C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\Spam: no action performed on a mailbox
C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\Trash: no action performed on a mailbox

C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\All Mail: Email.Trojan.GZC FOUND
C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\Spam: Email.Ecard-51 FOUND
C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\Trash: Email.Ecard-51 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 759267
Engine version: 0.96
Scanned directories: 72
Scanned files: 7743
Infected files: 3

Data scanned: 136.59 MB
Data read: 151.25 MB (ratio 0.90:1)
Time: 584.317 sec (9 m 44 s)

--------------------------------------
Completed
--------------------------------------
Just an update
Asylum


Joined: 30 Apr 2010
Posts: 5
I have deleted "ALL" files from the Inbox yet a new scan returns the same exact results. The Inbox is empty so where are these "so-called" viruses? The most I can think is they are embedded into a file called "All Mail" which should be empty as well since I deleted "all" the files in the Inbox and there is nothing left.
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
There must be a backup around since ClamWin is still detecting malware.

That Email.Trojan-51 is a sig from February. It catches: "To pick up your eCard, click on the following link...Your card will be aviailable".

As for the detection of those signed Windows files, do you get the standard ClamWin false positive message with a link to Clam's submission page? I guess that could be a false positive on a recent signature. Otherwise, if you don't get the false positive message with the link, it may be a real infection--the new signature would not equal the original digital signature in that case.

Regards,
Asylum


Joined: 30 Apr 2010
Posts: 5
I have searched within the files that comprise all the messages sent to that account, not the directories that hold the actual emails as those have been cleaned already. I did not end up finding the text "To pick up your eCard" or even "eCard" for that matter, it does not appear to be anywhere. I have also tried compacting the folders to no avail.

I have just decided to stop wasting my time on this. I have archived the directory to an external source. Removed the account in question. Deleted all files in the profile related to the account. Recreated the account. All clean. I'll sort the rest out later.

One thing that could be helpful is if ClamWin's log results showed the line number in the file where it found the suspicious text, so that you could examine it in a text editor using "go to line", as I am looking through a file with over 6000 emails. Takes forever to even open the file.
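One way to get what this post asks for, a line number and headers for the offending message inside a large Thunderbird mailbox file. This is an added example, not code from the thread or from ClamWin; the search phrase is the one GuitarBob quoted for the eCard signature, the function names are hypothetical, and reading bit 0x0008 of X-Mozilla-Status as "deleted but not yet compacted" is an assumption about Thunderbird's flag values.

```python
import base64
import email

# Constructed sample in Thunderbird's mbox layout. Message 2 has a base64 body
# and X-Mozilla-Status 0009 (bit 0x0008 assumed: deleted, not yet compacted).
SAMPLE_MBOX = (
    b"From - Fri Apr 30 20:00:00 2010\n"
    b"X-Mozilla-Status: 0001\n"
    b"Subject: Meeting notes\n"
    b"\n"
    b"See you Monday.\n"
    b"\n"
    b"From - Fri Apr 30 20:05:00 2010\n"
    b"X-Mozilla-Status: 0009\n"
    b"Date: Fri, 30 Apr 2010 20:05:00 +0000\n"
    b"Subject: Greeting\n"
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    + base64.encodebytes(b"To pick up your eCard, click on the following link")
    + b"\n"
)

def split_mbox(path):
    """Yield (first_line_number, raw_lines) for each message in an mbox file."""
    start, lines, prev_blank = None, [], True
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, 1):
            # An mbox separator is a "From " line at file start or after a blank line.
            if prev_blank and line.startswith(b"From "):
                if lines:
                    yield start, lines
                start, lines = lineno, []
            if start is not None:
                lines.append(line)
            prev_blank = not line.strip()
    if lines:
        yield start, lines

def locate(path, phrase):
    """List messages whose decoded parts contain phrase (case-insensitive)."""
    needle, hits = phrase.lower().encode(), []
    for index, (start, lines) in enumerate(split_mbox(path), 1):
        msg = email.message_from_bytes(b"".join(lines[1:]))  # skip separator line
        # decode=True undoes base64 / quoted-printable before matching.
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if not p.is_multipart()]
        if any(needle in part.lower() for part in parts):
            flags = int(msg.get("X-Mozilla-Status", "0"), 16)
            hits.append({"message": index, "line": start, "date": msg["Date"],
                         "subject": msg["Subject"], "deleted": bool(flags & 0x0008)})
    return hits
```

Call `locate(path, phrase)` with the mailbox file named in the scan log; each hit gives the line where the message starts, for use with an editor's "go to line". Because parts are decoded before matching, a phrase inside a base64 or quoted-printable body is still found.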
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
That's probably asking a lot of ClamWin to identify it like that.

You might run ClamSentinel with ClamWin. It doesn't scan email per se, but include the email file extensions in Sentinel's extensions to scan, and it should scan files in real-time as they are put on the computer (if they go in one at a time). It has a very detailed real-time scan log. Here is an entry for something going into my temporary internet files from my log:

C:\DOCUMENTS AND SETTINGS\BOB\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\OLOLU4FL\PF_MDAY10_300X250_DODSTATUS[1].JS: OK .

Regards,
Asylum


Joined: 30 Apr 2010
Posts: 5
You are probably right. Would be a helpful addition though. Thanks for the suggestions and everything.
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
If the above information does not help you, can you be more specific as to the problem?

Regards,
How to detect viruses in email attachments?
Passion


Joined: 14 Apr 2012
Posts: 1
This is something I wanted to know for a long long time. Can anyone tell me how to scan email attachments?
GuitarBob


Joined: 09 Jul 2006
Posts: 4936
Location: USA
ClamWin is set up to scan Outlook email attachments. You can configure it via the email scanning tab. You can also scan your email folder manually.

Regards,