I have a persistent and annoying problem with incoming e-mail.
I use both WinXP and Linux operating systems. Thunderbird is my mail programme for both OSs.
I use gmail accounts but Thunderbird pulls these messages from the server via POP and stores them in my central message folder; this is on a fat32 partition (my main data partition for both OSs).
About 1 month ago incoming mail under WinXP and Linux had the correct initial header and expected sender, however in the message window the subject is “Look sophisticated on your vacation” and the sender Ernest Terutah, recipient address is my former now cancelled email account with Wanadoo (confirmed inactive). Sometimes the message would be blank. Reading message information showed a lot of links which were common to urls on my machine.
I then ran adaware and spybot scans on the WinXP partitions (including the email partition). Now I can receive emails that appear OK in TBird under Windows but they are still being hijacked in the same way if I attempt this under Linux. I note that hijacked mails received under Linux can now be opened and read normally under WinXP.
In trying to find the culprit I installed Avast. When I try to scan the email folder the scan is bypassed and the report records “File was skipped because of scanner settings”.
OK, a config problem. Now have done a thorough scan, Avast found Win32:Faker-M virus and attempted to move it to virus chest. Received message “insufficient disk space” so I renamed and moved it. Now of course I’ve lost access to my messages.
Excuse me for updating an old topic, but I have a similar problem. (And excuse my language too.)
Lately Avast found Faker-M in my outbox of Outlook Express. The message is plain text with an attachment - an executable file with the name “dekoder.ex_” (I changed the extension myself). But when I explode this file and scan it - no virus found. It’s my own file (compiled in Delphi 6) and I don’t think it’s infected, and it has no destructive or other virus-like functions.
Is it probable that this alarm is false? Maybe oliverjames has the same effect…
If the file is yours, most probably a false positive.
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com. VirusTotal has a file size limit of 10Mb. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
I scanned the extracted email (OE - save as eml) on VirusTotal. Result: 5/36 (13.89%). But when I extracted the attachment file and scanned it, the result is 4/36 (avast in this case does not see a virus).
I send this file (eml) to Avast now.
GData uses avast engine to scan, so it detects too.
Did you compile this file? If it is clean, as a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful, you should ‘exclude’ that many files that let your system in danger.
It’s a RAR SelfExtract archive with my own files (compiled by myself). I don’t know where the virus was found - in the rar-exe or in the files included in the archive. If I save the attached file - Avast doesn’t see anything. Log says (in my Outlook folder and exported email):
21.08.2008 18:14:59 Dawid 3892 Sign of "Win32:Faker-M [trj]" has been found in "D:\Dane aplikacji\Microsoft\Outlook Express\Wysłane.dbx\Dekoder.eml#19670144" file.
21.08.2008 18:19:09 Dawid 3496 Sign of "Win32:Faker-M [trj]" has been found in "D:\Dane aplikacji\Microsoft\Windows\Pulpit\Test1.eml" file.
The number of scanned files is 10 (on demand scan), so the program scans email + self-extract archive + file in archive.
Can I exclude one of many emails in my Outlook database file? (how?) (see: first line in log above).
The Avast research team works effectively but silently. I did not receive an answer, but after the last update (5 mins ago) Avast doesn’t see any virus in my outgoing emails now. Thank you for everything, Tech, and the whole team!
They do not usually reply to emails unless more information is needed. In this case, no email to you means they did not need more information, but, instead fixed the FP quickly. They are very good at fixing these FP’s quickly.
Please come back often, learn more, and maybe help others.