Trojans Threat Alerts when Thunderbird is Opened
I started having a problem yesterday where if I have Thunderbird open, I continue to get numerous 'Threat Found' notifications from Windows Defender regarding 2 Trojan viruses.
- Trojan:Script/Wacatac.B!ml
- TrojanDownloader:Win32/Nemucod!ml
Below I've included the file paths for 'Affected Files'.
If I uninstall Thunderbird completely, run the virus scans / clean laptop and then re-install Thunderbird, will that help the situation? What about my actual email service? I've already changed my password but I don't how these files arrived (I don't know from which email) and so looking at header for IP to block isn't a useful setup (yet). Given the file paths (see below), are these coming in via email and how do I stop it if I don't know which emails they are coming in on, specifically the part1788:Package.zip files.
Here's what I've noticed: 1. Once I close Thunderbird and finish running removal and scans with Windows defenders, the Threat notifications stop. As soon as I open Thunderbird, the notifications start up again.
2. Yesterday, emails I sent late in the day had attachments such as part2.YaqiOQSc.bq3wtLf4 . Does this mean that I am now passing on infected files?! See uploaded image for an example of these attachments.
Help please!!
Affected items: file: C:\Users\[name]\AppData\Roaming\Thunderbird\Profiles\r4uh2f0v.default-release\ImapMail\secure.emailsrvr.com\INBOX->(part5063:Your-Generated-Divi-child-theme-template-by-DiviCake.zip)
file: C:\Users\[name]\AppData\Roaming\Thunderbird\Profiles\r4uh2f0v.default-release\ImapMail\secure.emailsrvr.com\INBOX->(part8412:cf7-lasso-v1.2.zip)
file: C:\Users\[name]\AppData\Roaming\Thunderbird\Profiles\r4uh2f0v.default-release\ImapMail\secure.emailsrvr.com\INBOX->(part1788:Package.zip)
file: C:\Users\[name]\AppData\Roaming\Thunderbird\Profiles\r4uh2f0v.default-release\ImapMail\secure.emailsrvr.com\INBOX->(part1793:FP.zip)
Opaite Mbohovái (1)
The path C:\Users\[name]\AppData\Roaming\Thunderbird\Profiles\r4uh2f0v.default-release is for your Thunderbird profile folder. See Profiles - Where Thunderbird stores your messages and other user data
As for the infected items, why don't you search for them in Thunderbird using their file names then delete? You've got: Your-Generated-Divi-child-theme-template-by-DiviCake.zip cf7-lasso-v1.2.zip Package.zip FP.zip
Use Thunderbird's (global) search. You should add the profile folder to Defender's exclusions to avoid conflict. You can't have Thunderbird and Defender fighting for control over files that are used for Thunderbird's normal functioning.