How can I remove Trojan.Linker.C virus from an attachment resident in my INBOX. I cannot find the infected e-mail amongst thousands of messages in there?
My installed Bitdefender internet security package found Trojan.Linker.C residing in an attachment to an e-mail in my Thunderbird INBOX. Bitdefender reports that it cannot remove this infection without possibly damaging the mail archive. I have too many messages retained in my INBOX to manually find the infected attachment. (Shame on me.) Bitdefender cannot finger the culprit; it can only state that somewhere in the INBOX there is this piece of nastiness. Does anyone know a safe and effective way to remove Trojan.Linker.C from Thunderbird's INBOX?
All Replies (9)
I'm having trouble finding information on this detection. There are some similarly named baddies mentioned by other security companies, but I don't know whether they are the same thing.
Have you had BitDefender long enough to think the problem must be in a recently received message? In that case, what do you think about creating some new folders (July, June) and moving the mail from those periods into those folders and seeing which one BitDefender flags? Then you would have a smaller universe of messages to look at, or subdivide into smaller sets.
Alternately, you could consider bulk exporting every single message in the inbox to a separate file using an extension and wait for BitDefender to get excited. Then you should be able to get an idea of which message is the problem. This is the one that comes to mind:
https://addons.mozilla.org/thunderbird/addon/importexporttools/
Hopefully someone else has a more surgical approach!
jscher2000 said
I'm having trouble finding information on this detection. There are some similarly named baddies mentioned by other security companies, but I don't know whether they are the same thing. Have you had BitDefender long enough to think the problem must be in a recently received message? In that case, what do you think about creating some new folders (July, June) and moving the mail from those periods into those folders and seeing which one BitDefender flags? Then you would have a smaller universe of messages to look at, or subdivide into smaller sets. Alternately, you could consider bulk exporting every single message in the inbox to a separate file using an extension and wait for BitDefender to get excited. Then you should be able to get an idea of which message is the problem. This is the one that comes to mind: https://addons.mozilla.org/thunderbird/addon/importexporttools/ Hopefully someone else has a more surgical approach!
July 26, 2017
Thanks for the quick and informative reply. I will give a lot of considerations to your thoughtful suggestions . MalwareBytes did not detect this infection, but Digital Care did and identified it as being of the "Archbomb" category of threat. They recommended running VIPRE in Safe Mode but cautioned that this is an extra heavy duty process and that I should back-up everything first. I don't like the idea of backing-up infected files, so I am fishing around for safer remedies. ---- I only recently switched to Bitdefender from Kaspersky, which failed to detect this threat. Again, I am grateful for yor quick and informative reply.
Kaspersky is pretty thorough, and "Archbomb" is ridiculous, so I am beginning to wonder how real this is.
Unless you can afford to lose your Inbox, making regular backups would be a good idea, infected or not.
November 17, 2017
Hello again. My motherboard on my PC died not long after we last chatted, and it took this long to get operational again. I migrated my Thunderbird to my new, home-built clone PC and ran Bitdefender again. Trojan.Linker.C is still resident in my Inbox.
I hope you are still around and still available to help out a naive user like me with an ugly persistent problem,
I did something a bit more modest than bulk exporting you had advised earlier. I SAVED all my Inbox messages to a few folders grabbing about 1/5 of the messages per folder. I then scanned each folder and, outrageously, found no occurrence of this infection. Perhaps the bulk exporting would have worked better.
Going back to Bitdefender's technical help people, I was directed to find the infected message by the message number. I had not noticed that the log file of a scan produces a message number. The log file reported
C:\Users\Papa Jim\AppData\Roaming\Thunderbird\Profiles\xzqjqn9r.default\Mail\pop.erols.com\Inbox=>(message 4674)
as the infected message. So, naive me thought I was almost home. All I need to do is find message 4674. The tech help person advised me to just do a SEARCH for message 4674. The Search feature, however, only looks at the bodies of the messages but not the message headers.
I examined the detailed header information in a few messages and could find nothing that gives a message number. Temporarily adding or subtracting messages from my Inbox does NOT alter Bitdefender's identification of the infected file as message 4674. Apparently, this identity remains fixed with the message regardless of how I might cull my Inbox of virtual junk mail (of which I have thousands).
Can you help me, PLEASE.
Frustrated, Jim Price [email protected]
P. S. I do regular backups. I had been using Kaspersky for many years, and it never saw Trojan.Linker.C . Only earlier this year, 2017, did I switch to Bitdefender, which did find the infection. I have not browsed my disk-image backups to see if I have an earlier version of my Inbox that is not infected, but mail I got recently is important to me and voluminous, so I am not ready to just delete the new / newer Inboxes to be rid of this nightmare. I still hope I can find the infected message and delete it as Bitdefender advises. Many thanks for whatever help you can give me. Jim Price [email protected]
I've never seen any sign that Thunderbird uses message numbers in any way that is accessible to users. I suspect that number is something concocted by BitDefender. Hopefully I am wrong and we can make some positive use of this number.
You could open the associated mbox file in a good text editor and do a search for that number. If that fails, try again with the associated msf file. Given that your supposedly infected message is in the Inbox, you need to look at files named Inbox and Inbox.msf. The "Local Directory" box in the account settings for this account will show you which subfolder in your profile you need to visit.
If you do find this number, look around for any distinguishing text that would let you find the message in Thunderbird. If you know what you're doing, you could probably select the offending message and excise it from the mbox file. You would then need to either re-index, or delete the msf file (forcing a re-index) so that the index (aka the msf file) will be brought into line with the new state of the mbox file.
However, I believe you're worrying unnecessarily. The virus, or whatever it is, is just bytes in a file. It can't do any harm until it is allowed or made to run and it can't do that until you try to open or run the offending attachment. And at the point you do so, BitDefender should step in and stop you.
Certainly, it would irritate and annoy me to know this unwelcome thing was on my disk. But I don't think it presents any real or immediate threat.
Thanks very much for your kind and informative reply. Your last paragraph tells the story; I am irritated and a little paranoid about the persistence of this thing on my disk. You may be right about it being harmless until I do something stupid like opening an attachment to a piece of junk mail, but I would still like it to be gone.
I naively think that, if I can locate the infected message, all I would need to do is delete that message. But the trojan may be lurking in Inbox.msf instead of Inbox and therefore survive deletion, but I am not sure it would work that way.
Supposedly Microsoft's antivirus software and Sofos can find and kill this thing, so I may give them a try. I am still communicating with Bidefender. It seems to me that if it can differentiate the infected mail message from all the thousands of others, it should be able to give a user enough information to find and delete the message, especially since it advises the user to do just that.
Again, thanks for your kind and expert help. If you think about anything else I could do, please write back.
Appreciatively yours, Jim Price [email protected]
The malware won't be in the msf file. That's an index to help manage the list of files, but it may contain a clue as to the identity of the offending message, including, perhaps, that elusive message number.
The risk of using any of these third party tools is that they don't understand the mbox storage used by Thunderbird. They see an infected file and quarantine it, not recognising that in doing so they are taking out a whole folder full of messages. Ideally they would operate on the incoming message and nobble it before it was added to the message store, but that particular horse has bolted; the offending message is already in your message store.
Thanks again for hanging-in there with me !!
I got the infection while using Kaspersky Internet Security, which never detected the infection in subsequent scans with updated virus signatures. I discovered the infection after I switched to Bitdefender, which did not automatically quarantine the Inbox. It gave me that awful choice to make.
Yes, it seems that Bitdefender is ignorant of the mbox storage, but did seem to be able to identify the infected message --- "message 4674" according to the log file. This, as you pointed out, may be a concoction by Bitdefender. In any case, I have replied to a Bitdefender technical support person's suggestion to "search" for this message. I am asking for help in such a search. It may be too much to expect them to look in detail at the mbox format and upgrade their software to be useful to Thunderbird users.
I am trying Sophos antivirus program now, but it has its own issues, like scans that never terminate. Gawd, why with all the threats out in cyberland, are there not robust, properly functioning defenses?
Appreciatively,
Jim Price [email protected]