ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
How do I remove Trojan from email inbox
apb123


Joined: 29 Jul 2009
Posts: 1
Reply with quote
Hello ClamWin has found a Trojan in my Thunderbird local inbox (Inbox: Email.Trojan.GZC FOUND) but I'm not sure how to find this in my inbox. There is no indication of which email it is and I dont have any emails with attachments, so how do I know which email is infected so I can delete it?
Thanks, Andrew.
View user's profileSend private message
sherpya


Joined: 22 Mar 2006
Posts: 894
Location: Italy
Reply with quote
maybe you already deleted it, try compacting the folder in thunderbird
View user's profileSend private message
Offer an option to remove viruses from Inboxes!!!
Asylum


Joined: 30 Apr 2010
Posts: 5
Reply with quote
If it were already deleted then why would Clamwin be reporting that it found it? Does no one have an answer for this almost a whole year later?
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4255
Location: USA
Reply with quote
Can you do anything with dates? Do you have a scan date for the trojan? If so, can you find email with/around that date?

ClamWin never was set up by the developers to work with Thunderbird, but I believe there are some T-Bird add-ins.

Regards,
View user's profileSend private message
Asylum


Joined: 30 Apr 2010
Posts: 5
Reply with quote
Thanks for the response GuitarBob. Unfortunately there are no dates included so searching for similar dates of emails wont help. Below is everything that is output after the scan completes. There are no filenames or times output in this report so to try and manually remove the files from disc is not possible. Clamwin is now reporting that it is getting false positives on signed windows files so I am assuming that Clamwin has just gone to crap at least for the time being and maybe I should start seeking a working solution. Hoping that is not the answer as I rather like Clamwin and have recommended it to tons of people.

Scan Started Fri Apr 30 20:41:02 2010
-------------------------------------------------------------------------------

C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\All Mail: no action performed on a mailbox
C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\Spam: no action performed on a mailbox
C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\Trash: no action performed on a mailbox

C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\All Mail: Email.Trojan.GZC FOUND
C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\Spam: Email.Ecard-51 FOUND
C:\Users\Username\AppData\Roaming\Thunderbird\Profiles\cxbiu0hm.default\ImapMail\imap.gmail.com\[Gmail].sbd\Trash: Email.Ecard-51 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 759267
Engine version: 0.96
Scanned directories: 72
Scanned files: 7743
Infected files: 3

Data scanned: 136.59 MB
Data read: 151.25 MB (ratio 0.90:1)
Time: 584.317 sec (9 m 44 s)

--------------------------------------
Completed
--------------------------------------
View user's profileSend private message
Just an update
Asylum


Joined: 30 Apr 2010
Posts: 5
Reply with quote
I have deleted "ALL" files from the Inbox yet a new scan returns the same exact results. The Inbox is empty so where are these "so-called" viruses? The most I can think is they are embedded into a file called "All Mail" which should be empty as well since I deleted "all" the files in the Inbox and there is nothing left.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4255
Location: USA
Reply with quote
There must be backup around since ClamWin is still detecting malware.

That Email.Trojan-51 is a sig from February. It catches: "To pick up your eCard, click on the following link...Your card will be aviailable".

As for the detection of those signed Windows files, do you get the standard ClamWin false positive message with a link to Clam's submission page? I guess that could be a false positive on a recent signature. Otherwise, if you don't get the false positive message with the link, it may be a real infection--the new signature would not equal the original digital signature in that case.

Regards,
View user's profileSend private message
Asylum


Joined: 30 Apr 2010
Posts: 5
Reply with quote
I have searched within the files that comprise all the messages sent to that account, not the directories that hold the actual emails as those have been cleaned already. I did not end up finding the text "To pick up your eCard" or even "eCard" for that matter, it does not appear to be anywhere. I have also tried compacting the folders to no avail.

I have just decided to stop wasting my time on this. I have archived the directory to an external source. Removed the account in question. Deleted all files in the profile related to the account. Recreated the account. All clean. I'll sort the rest out later.

One thing that could be helpful is if Clamwin's log results showed the line number in the file where it found the suspicious text so that you could examine it in a text editor using "go to line" as I am looking through a file with over 6000 emails. Takes forever to even open the file.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4255
Location: USA
Reply with quote
That's probably asking a lot of ClamWin to identify it like that.

You might run ClamSentinel with ClamWin. It doesn't scan emal per se, but include the email file extensions in Sentinel's extensions to scan, and it should scan files in real-time as they are put on the computer (if they go in one at a time). It has a very detailed real-time scan log. Here is an entry for something going into my temporary internet files from my log:

C:\DOCUMENTS AND SETTINGS\BOB\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\OLOLU4FL\PF_MDAY10_300X250_DODSTATUS[1].JS: OK .

Regards,
View user's profileSend private message
Asylum


Joined: 30 Apr 2010
Posts: 5
Reply with quote
You are probably right. Would be a helpful addition though. Thanks for the suggestions and everything.
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4255
Location: USA
Reply with quote
If the above information does not help you, can you be more specific as to the problem?

Regards,
View user's profileSend private message
How to detect viruses in email attachments?
Passion


Joined: 14 Apr 2012
Posts: 1
Reply with quote
This is something I wanted to know for a long long time. Can anyone tell me how to scan email attachments?
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4255
Location: USA
Reply with quote
ClamWin is set up to scan Outlook email attachments. You can configure it via the email scanning tab. You can also scan your email folder manually.

Regards,
View user's profileSend private message
How do I remove Trojan from email inbox
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic