Dear all,
Recently, my anti-virus Kaspersky, informed me that it had found a Trojan Virus (Trojan-Dropper.VBS.ramnit.a) at the following location on my computer: C:\xxxxx\Thunderbird\Profiles\xxxxx.default\Mail\mail.xxxx-2.com\Inbox
As soon as I was informed of this, I removed the virus via Kaspersky.
However, the next day, nearly all of my e-mails in the relevant Inbox in Thunderbird were not appearing. I could see the headings but when I clicked on them, nothing showed up (i.e. the content of the e-mails).
I tried compacting. It did not change anything.
I tried repairing but then the headings all disappeared.
Is there any way of retrieving these e-mails?
Virus causing blank e-mails
-
DanRaisch
- Moderator
- Posts: 127240
- Joined: September 23rd, 2004, 8:57 pm
- Location: Somewhere on the right coast
Re: Virus causing blank e-mails
That sounds like Kaspersky moved your Inbox data to a quarantine file. You were still seeing header data that was stored in the .msf (index) file but the actual message data was not accessible to Thunderbird. See if you can undo that quarantine.
-
makaiguy
- Posts: 16878
- Joined: November 18th, 2002, 6:44 pm
- Location: Somewhere in SE USA
- Contact:
Re: Virus causing blank e-mails
What follows assumes this account is set up to retrieve mails using the POP3 email protocol.
TBird stores the header data in a summary or index file, with a .msf (Mozilla Summary File) filename extension, separate from the Inbox file for the actual full messages. It is data from this index file that is shown in your message list, as accessing this is much quicker than wading through the actual message file for everything. When you click on the message, TBird then retrieves the full message from the long single Inbox (with no filename extension) message file.
Each message is just a part of one long continuous Inbox file. It sounds to me that when Kaspersky removed the suspect message it considered the whole Inbox file to be contaminated and removed the whole thing. TBird would find the Inbox file missing the next time it started and would replace it with a new empty one. Kaspersky left the Inbox.msf file behind, which is the one TBird uses to display the message list, so you still saw all your messages listed, but when you clicked a message to view it, the message cannot be found because the new Inbox file doesn't contain the old messages.
When you then repaired the Inbox it built a new Inbox.msf index file from the contents of the current Inbox file. Since the new empty Inbox file contained no messages, the rebuilt index file now shows no messages either.
If Kaspersky is set to quarantine rather than delete suspect files, you should be able to recover the lost messages.
If you find your Inbox (with no filename extension) file in Kaspersky's quarantine area, write back and we can walk you through the recovery process.
TBird stores the header data in a summary or index file, with a .msf (Mozilla Summary File) filename extension, separate from the Inbox file for the actual full messages. It is data from this index file that is shown in your message list, as accessing this is much quicker than wading through the actual message file for everything. When you click on the message, TBird then retrieves the full message from the long single Inbox (with no filename extension) message file.
Each message is just a part of one long continuous Inbox file. It sounds to me that when Kaspersky removed the suspect message it considered the whole Inbox file to be contaminated and removed the whole thing. TBird would find the Inbox file missing the next time it started and would replace it with a new empty one. Kaspersky left the Inbox.msf file behind, which is the one TBird uses to display the message list, so you still saw all your messages listed, but when you clicked a message to view it, the message cannot be found because the new Inbox file doesn't contain the old messages.
When you then repaired the Inbox it built a new Inbox.msf index file from the contents of the current Inbox file. Since the new empty Inbox file contained no messages, the rebuilt index file now shows no messages either.
If Kaspersky is set to quarantine rather than delete suspect files, you should be able to recover the lost messages.
If you find your Inbox (with no filename extension) file in Kaspersky's quarantine area, write back and we can walk you through the recovery process.
Doug Wilson
Win10 64bit: FF 124.0.2 64bit, TB 102.12.0 32-bit ║ Android 13/10: FF 124.2.0/115.9.0 ║ No TB for Android available, dammit!
What a fool believes he sees, no wise man has the power to reason away - Doobie Brothers
Win10 64bit: FF 124.0.2 64bit, TB 102.12.0 32-bit ║ Android 13/10: FF 124.2.0/115.9.0 ║ No TB for Android available, dammit!
What a fool believes he sees, no wise man has the power to reason away - Doobie Brothers
-
Demon_114
- Posts: 25
- Joined: May 8th, 2013, 8:19 am
Re: Virus causing blank e-mails
Thank you both for the prompt reply and thank you Doug for the detailed and clear explanation.
Unfortunately, I almost certainly deleted the Trojan Virus and, since it was over a month ago, Kaspersky has not stored the report. I have checked Quarantine and there are no files there.
I really should have backed up those e-mails. A lesson for the future.
Do you have any tips just in case this happens again? Should I quarantine rather than delete viruses?
What annoys me is that I get an anti-virus to protect my system and it ends up deleting my TBird e-mails! There wasn't even a warning message that it might affect my e-mails!
Any advice for the future would be appreciated!
Many thanks!
Unfortunately, I almost certainly deleted the Trojan Virus and, since it was over a month ago, Kaspersky has not stored the report. I have checked Quarantine and there are no files there.
I really should have backed up those e-mails. A lesson for the future.
Do you have any tips just in case this happens again? Should I quarantine rather than delete viruses?
What annoys me is that I get an anti-virus to protect my system and it ends up deleting my TBird e-mails! There wasn't even a warning message that it might affect my e-mails!
Any advice for the future would be appreciated!
Many thanks!
-
DanRaisch
- Moderator
- Posts: 127240
- Joined: September 23rd, 2004, 8:57 pm
- Location: Somewhere on the right coast
Re: Virus causing blank e-mails
The best advice on this is to have frequent backups -- http://kb.mozillazine.org/Profile_backup
-
tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Re: Virus causing blank e-mails
Using a IMAP account would make you less vulnerable as the messages would still be stored on the server. All it might delete are the optional offline folders and the search index used by global search/indexing.
Anti-virus scanners are prone to returning false positives. Ideally you'd like the opportunity to have a second opinion by uploading the suspect file to a service such as https://virusscan.jotti.org/ which runs multiple anti-virus scanners against the file before you decide to let your anti-virus scanner quarantine or delete the file.
Anti-virus scanners are prone to returning false positives. Ideally you'd like the opportunity to have a second opinion by uploading the suspect file to a service such as https://virusscan.jotti.org/ which runs multiple anti-virus scanners against the file before you decide to let your anti-virus scanner quarantine or delete the file.
-
Demon_114
- Posts: 25
- Joined: May 8th, 2013, 8:19 am
Re: Virus causing blank e-mails
Thank you both for the helpful advice/links!
This forum is incredible!
This forum is incredible!