Windows Defender reports recurring Thunderbird profile Trojan:HTML/Phish!pz threat
I am a longtime Thunderbird user, currently running 115.6.0 (32-bit). Very recently, Windows Defender has been detecting malware it identifies as Trojan:HTML/Phish!pz. Defender is unable to quarantine or eliminate the threat.
The specific file is appearing in Volume Shadow Copy data when I am running backup: file: \Device\HarddiskVolumeShadowCopy55\Users\fhanz\AppData\Local\Thunderbird\Profiles\sootdszw.default-release\cache2\entries\342F92977A0BA0715CB8880A9289BC8F8827262C
I've attempted several times to remove the offending file(s), but the problem returns.
What is the best method to determine the source of this malware and effectively prevent it from returning?
If it matters, I use Chrome as my default browser.
All replies (20)
The problem will probably keep coming back until you delete the email containing the item. You can, however, clear the startup cache; that might help. Open Troubleshooting Information on the Help menu and use the button.
Thanks for the suggestion, Matt. I've tried clearing the startup cache several times per your suggestion, but it didn't seem to have any impact on the appearance of the Trojan:HTML/Phish!pz threat in the shadow copy file. The threat just keeps propagating in later shadow copy files.
This has infected both of my laptops. Affected items over two days of working on this:
file: \Device\HarddiskVolumeShadowCopy37\Users\gregm\AppData\Local\Thunderbird\Profiles\qn1ojojd.default\cache2\entries\01688F16C7818B8CE29E306551A5B53AD9D210CE
file: \Device\HarddiskVolumeShadowCopy42\Users\gregm\AppData\Local\Thunderbird\Profiles\qn1ojojd.default\cache2\entries\01688F16C7818B8CE29E306551A5B53AD9D210CE
file: \Device\HarddiskVolumeShadowCopy39\Users\gregm\AppData\Local\Mozilla\Firefox\Profiles\xyd3i48c.default-release-1\cache2\entries\0627DD6B23F932EF2D09C793EAFEFEABB8EF5C6F
file: \Device\HarddiskVolumeShadowCopy36\Users\gregm\AppData\Local\Mozilla\Firefox\Profiles\xyd3i48c.default-release-1\cache2\entries\0627DD6B23F932EF2D09C793EAFEFEABB8EF5C6F
I see no option to remove it. I have turned off Firefox Sync to prevent reinfection through that route. MalwareBytes does not see it. This being a currently active issue for some of us, can we look forward to a solution from either Mozilla or Microsoft? I am variously frustrated/scared/confused/depressed by the failure of Windows Security to do its job.
I believe I was able to eliminate the original problem, but I'm not certain it won't come back. What I did:
> Based on information from Windows Defender, it appeared that the offending file in my Thunderbird profile cache corresponded to an email received on 12/21/2023 at 6:45 am. There were a fair number of such file entries in the cache, but only one was identified as a threat. The cache file names kept changing, but the date and time of the threat file remained the same since Defender alerted me to the threat.
> Clearing the Thunderbird cache was the right idea, but that command didn't seem to permanently clear it. That is, I could "Clear the startup cache..." from Thunderbird's Troubleshooting Information page, and restart Thunderbird, but all the prior cache entries re-appeared in the cache directory after restart, including all the entries for 12/21/23, 6:45 am.
> I next deleted all cache entries for 12/21, 6:45 am from the profile cache directory.
> I then renamed the original cache directory (to set it aside) and replaced it with an empty one with the name of the original.
> Upon restarting Thunderbird, there were only cache entries for the current day created, so the offending threat cache file entry was not re-created. By watching the profile directory, I could see that Thunderbird was creating a transitory "startup incomplete" file entry in that directory, but that file would then disappear.
> Meanwhile, everything in Thunderbird seems to be operating as usual. I was also successful in creating a System Image backup without Windows Defender complaining that it couldn't be completed because it contained a threat (how I stumbled upon the original Phishing threat problem).
I will be monitoring this for a time until it's clear the problem is permanently gone (I have to run Backup and create system image backups in order for Defender to identify a threat in Thunderbird profile files).
In the meantime, someone from the Thunderbird team should review the behavior of the "Clear the startup cache..." troubleshooting button and consider whether it's as helpful as it should be. The current behavior suggests that it simply clears the existing cache and enables it to be re-populated on the next startup. That didn't prove helpful in this case, since the offending cache entry would just be restored to the cache on the next startup.
Thanks for the detailed narrative. Right now dealing with two laptops, same problem, I've unplugged the SanDisk SSD backup drives from them, on the theory that backup to them failed because they were infected. Ran full scan and offline scan on the MECH-17 (WIN 10), and it's clean at this time. I will wait for the scans to finish on the Compal NBLB3 (WIN 7). If that's also clean, I'll format the SSDs to sterilize, and see if I can do Backup to them without getting the error report again. I'm struggling here, beyond my limits of competence. I appreciate your help, really.
If you're in exactly the same situation I was in, Windows Defender may not detect the threat file in its normal scanning process (!). Sometime during my own troubleshooting, I attempted to do Windows Defender "quick" as well as "full" scans that found nothing. I even did the offline Microsoft Defender Antivirus scan (reboot involved).
Not sure why Windows Defender wasn't identifying the threat file in these scan usage scenarios, but in my case:
> They were identified during Backup(s) while attempting to save a System Image File.
> The Backup software refused to complete creating or saving an image file due to the threat file discovered in that process.
> It was in that scenario that Backup failed and Windows Defender reported the presence of the threat file. From the Windows Defender reporting, I would see that the problem file was part of a "volume shadow copy" which was being made/used to produce the System Image File during backup. One could also see that the threat file originated in Thunderbird's profile area. Took me a while to locate that area using File Explorer, show hidden files, and begin to do what I did.
Good luck Mr. Greg!
Yes, it looks exactly the same for both of us. Maybe for a few thousand others as well?
I wonder if just trying to "Create a System Image" would trigger the problem, without starting/running a full scan?? Save some time troubleshooting?
Here are some Recent Items from Protection History, all "Remediation Incomplete":
file: \Device\HarddiskVolumeShadowCopy37\Users\gregm\AppData\Local\Thunderbird\Profiles\qn1ojojd.default\cache2\entries\01688F16C7818B8CE29E306551A5B53AD9D210CE
file: \Device\HarddiskVolumeShadowCopy42\Users\gregm\AppData\Local\Thunderbird\Profiles\qn1ojojd.default\cache2\entries\01688F16C7818B8CE29E306551A5B53AD9D210CE
file: \Device\HarddiskVolumeShadowCopy39\Users\gregm\AppData\Local\Mozilla\Firefox\Profiles\xyd3i48c.default-release-1\cache2\entries\0627DD6B23F932EF2D09C793EAFEFEABB8EF5C6F
file: \Device\HarddiskVolumeShadowCopy36\Users\gregm\AppData\Local\Mozilla\Firefox\Profiles\xyd3i48c.default-release-1\cache2\entries\0627DD6B23F932EF2D09C793EAFEFEABB8EF5C6F
Both Thunderbird and Firefox are involved, it seems.
What do you suppose the backup SSDs have to do with the problem? Innocent bystanders?
I've read through your solution, and it scares me somewhat to work on the cache profiles. Maybe if I study it some more... I'd hate to wreck something I don't understand. How to rename a cache directory? Yikes.
Thanks for being there. greg
I use Chrome as my default browser, and I haven't seen any issues there -- I have seen references to Firefox in other posts relating to phishing threats.
I have a tech background and even so tried to move as cautiously as I could. A couple of things in our favor:
1. We're not twiddling with Windows (the OS), rather just an app (Thunderbird).
2. What's the worst that could happen?
a. Thunderbird won't start (ok: reverse the changes and resume)
b. Fallback: uninstall and re-install Thunderbird [I began down this path, but didn't like the prospect of having to configure a completely fresh profile -- I've been using T-bird for more than 10 years!]
c. The Trojan threat file keeps showing up (I was in this plight for days, and did not like being stuck either).
As for techniques:
> Navigate to the corresponding Profile location in your file tree using File Explorer.
> If you right-click on items in the Profile directory, most likely you don't have the option to Delete or Rename them; these are, however, available in the right-click menu under Show More Options.
> Be conservative; preserve the entire existing Cache2 folder by simply changing its name (I renamed mine Cache2-ORIG). You can always reverse the rename. After doing this I simply created a new folder with the name Cache2. Of course, I was making these changes while Thunderbird was not running.
It occurred to me in retrospect that I could have been more surgical/precise than I was, and that I might have done something to preserve the threat file causing my problems in case some researcher wanted to inspect it.
> Precision: use the file names showing up in your Defender notifications to locate the specific threat file in the cache2 directory. Note its date and time stamps, and compare to other entries in the cache (easier if you click the Date Modified column in Explorer to sort entries by date rather than Name); in my case, there were numerous entries that had the same time and date stamps, so I deleted all of them to ensure I nailed the threat file. This might have been overkill.
> Preserve: If you want to preserve a version of the threat file, try copying that specific file to a different location before deleting the original in the cache location. If you choose not to mess with it, just delete the original.
In my case, restarting Thunderbird worked fine, seemed to preserve all my settings, and did no harm.
More info to share:
> I realized that my threat data file was preserved in my Recycle Bin since I had simply deleted it from the Profile/cache2/entries folder.
> I shut down Thunderbird and had Recycle Bin "restore" the threat file to its original Profile folder. I then made a copy of the threat file to my desktop, so I have that, if it's of interest to someone.
> Using Windows Security, I then did a Custom Scan pointing it directly at the Profiles directory so that the scan would take seconds (not minutes, or hours). Sure enough, Windows Security did not detect or complain about this threat file in the Thunderbird Profile.
I infer from this that: a) System Image Backup and Windows Defender are doing different styles of checks on file content; and b) Windows Defender is not capable of detecting this type of threat file on its own. (Nor was CCleaner, MalwareBytes, or F-Secure, all tools I tried in vain).
Needless to say, before restarting Thunderbird, I again deleted the threat file from the Profile directory.
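The manual steps described in the two posts above (close Thunderbird, find the flagged cache2 entry by its Defender-reported name and timestamp, keep a copy for inspection, set the whole cache2 folder aside under a new name and give Thunderbird an empty one, then run a quick custom Defender scan of just the profile) can be done in one PowerShell script. This is an added example, not code from the thread or from Mozilla or Microsoft; the profile folder name and the 40-character entry name are placeholders to be replaced with the values from your own Protection History entry, and the Start-MpScan / Get-MpThreatDetection cmdlets are the standard Defender module ones.

```powershell
# Added example (not from this thread): set aside a Thunderbird profile cache2 folder
# that Defender flags during System Image backup, preserving the flagged entry first.
# Assumptions: $ProfileDir and $FlaggedEntry are placeholders; copy the real values
# from the "file:" line in Windows Security > Protection History.
param(
    [string]$ProfileDir   = "$env:LOCALAPPDATA\Thunderbird\Profiles\xxxxxxxx.default-release", # placeholder
    [string]$FlaggedEntry = "0000000000000000000000000000000000000000",                         # placeholder name
    [string]$Preserve     = "$env:USERPROFILE\Desktop\tb-flagged-cache"
)

$ErrorActionPreference = 'Stop'

# 1. Thunderbird must not be running while its profile is edited.
if (Get-Process -Name thunderbird -ErrorAction SilentlyContinue) {
    throw "Close Thunderbird before modifying the profile."
}

$cache2  = Join-Path $ProfileDir 'cache2'
$entries = Join-Path $cache2 'entries'
if (-not (Test-Path $entries)) { throw "No cache2\entries folder under $ProfileDir" }

# 2. Locate the flagged entry and list every entry written in the same minute,
#    sorted by LastWriteTime (the same view as Explorer's "Date Modified" column).
$flagged  = Get-Item (Join-Path $entries $FlaggedEntry)
$stamp    = $flagged.LastWriteTime.ToString('yyyy-MM-dd HH:mm')
$siblings = Get-ChildItem -Path $entries -File |
    Where-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm') -eq $stamp } |
    Sort-Object LastWriteTime
"Flagged entry {0} written {1}; {2} entries share that minute:" -f $flagged.Name, $stamp, $siblings.Count
$siblings | Format-Table Name, Length, LastWriteTime -AutoSize

# 3. Preserve a copy of the flagged file for anyone who wants to inspect it,
#    with a neutral extension so nothing treats it as live cache, and record its hash.
New-Item -ItemType Directory -Path $Preserve -Force | Out-Null
$kept = Join-Path $Preserve ($flagged.Name + '.cache2-entry.bin')
Copy-Item -Path $flagged.FullName -Destination $kept
Get-FileHash -Path $kept -Algorithm SHA256 | Format-List Path, Hash

# 4. Set the whole cache2 folder aside (reversible) and give Thunderbird an empty one.
$setAsideName = "cache2-ORIG-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Rename-Item -Path $cache2 -NewName $setAsideName
New-Item -ItemType Directory -Path $cache2 | Out-Null
"cache2 renamed to $setAsideName and an empty cache2 created. Restart Thunderbird, then re-run the backup."

# 5. Custom Defender scan of the profile only (seconds rather than hours).
#    The thread reports that this scan may report nothing even though backup fails,
#    so a clean result here is informational, not proof that the entry is harmless.
Start-MpScan -ScanType CustomScan -ScanPath $ProfileDir
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*$FlaggedEntry*" } |
    Format-List ThreatID, InitialDetectionTime, Resources
```

Run it from an elevated PowerShell prompt after closing Thunderbird. Reversing the change is just deleting the new empty cache2 and renaming the cache2-ORIG-* folder back; the preserved copy on the desktop is what you would hand to someone who wants to look at the flagged message content.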
Windows 10 running Firefox 120.0 (64-bit) and Backup & restore (Windows 7).
Got a solution that worked for me. Noticed that every file called out as causing the backup to fail was some variation on C:\Users\UserName\AppData\Local\Mozilla\Firefox\Profiles\<user>.default\cache2\*
Set Firefox to automatically delete the cache upon logout for all users on the PC (https://support.mozilla.org/en-US/kb/how-clear-firefox-cache#w_automatically-clear-the-cache), which deletes cache2.
Deleted the Windows shadow copy (https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html) and backup runs just fine.
This does require that Firefox not be running when backup is run.
Jackb.luddite, this thread is in the Thunderbird support forum section and not Firefox.
However, yes, you are not infected if this was only found in the Cache folder, as it is harmless there if left alone. It will either get overwritten over time as the Cache gets used, or deleted if you clear the Cache.
This old KB article was more for Firefox in mind.
https://support.mozilla.org/en-US/kb/Firefox%20cache%20file%20was%20infected%20with%20a%20virus
Last night I tried the easier cache delete/shadow copy delete fix on both laptops. Both failed in the next attempt at Backup: file: \Device\HarddiskVolumeShadowCopy38\Users\gregm\AppData\Local\Thunderbird\Profiles\qn1ojojd.default\cache2\entries\01688F16C7818B8CE29E306551A5B53AD9D210CE
This morning I was doing my update and scan routine on the MECH-17. Downloaded MSERT V 1.403.1266.0, which has updated the "Trojan:HTML/Phish!pz" threat detection.
Ran it. No new entries came up in the "Remediation Incomplete" list. I have some more checking to see if the backup problem is corrected.
Could it be that Microsoft has responded to a few thousand complaints? Stay tuned.
Replying to self here... 1:10 PM 12/28/2023 Formatted SanDisk, then ran backup. Failed again with error 0x800700E1 and:
file: \Device\HarddiskVolumeShadowCopy4\Users\gregm\AppData\Local\Thunderbird\Profiles\qn1ojojd.default\cache2\entries\01688F16C7818B8CE29E306551A5B53AD9D210CE
12/28/2023, 7:00pm. Ran another backup try, and failed. file: \Device\HarddiskVolumeShadowCopy8\Users\gregm\AppData\Local\Mozilla\Firefox\Profiles\xyd3i48c.default-release-1\cache2\entries\0D925849F02F3177AEAAB6072092C2141B93D6F7
So, new threat defs did not help. Microsoft fails us again? I don't know enough to decide. Have to get brave/smart and try fhanzel's solution.
Hello Mr. Greg,
I think backup will fail until cache2 is removed, and the easy way to remove that is to change the settings in Firefox, for every user on the PC, so that the cache2 is erased when Firefox closes. (Settings - Privacy and Security - History - Use Custom Settings - and set History to clear when Firefox is closed)
The history clearing setting you advise has been my default setting since I started using Firefox over a decade ago. I must be missing something here....
There is a Bugzilla entry that just came up a little while ago.
https://bugzilla.mozilla.org/show_bug.cgi?id=1872395
This looks interesting.
After setting Thunderbird to "Clear cache on shutdown"... as Firefox was already set to do, I shut down both of them, did a quick Format of my Backup SanDisk 2TB drive, and ran Backup.
IT WORKED!!
Is this a real solution, or another red herring?
greg
Mr Greg said
After setting Thunderbird to "Clear cache on shutdown"... as Firefox was already set to do, I shut down both of them, did a quick Format of my Backup SanDisk 2TB drive, and ran Backup. IT WORKED!! Is this a real solution, or another red herring? greg
Another red herring. Clearly the code Defender is reacting to is in an email that keeps getting downloaded to the cache, or your original clearing of the cache would have cured the error. So by clearing the cache on shutdown you increase the use of bandwidth to fetch everything anew every time you start the application, and you make it run slower by removing the cache, whose sole purpose is to make local copies that can be accessed faster. It might clear the backup error, something I would have ignored as not relevant to me because it is in a cache; I would not even back such a thing up. A complete waste of backup space.
Why are you wasting backup space and time backing up a cache? By its very definition it is not something that needs to be backed up. You have spent a considerable amount of time here trying to fix a backup of something that seriously should not be backed up.
Clearly you have no concern with the fact the code is on your system as the solution you have found is to delete it so your backup runs without error. Not identify the source and eliminate it from the server.
Re: Is Thunderbird "Clear cache on shutdown..." a real solution.
This sounds more like a work-around rather than an actual solution.
1. Restart Thunderbird with the "Clear cache on shutdown" enabled.
2. Run your backup.
a. If the Phish issue reappears, it's not a workaround rather than a complete solution (user must remember to shut down Thunderbird before running backup).
b. If Backup runs successfully, you have a real solution.
It sounds like an effective workaround until there is a real solution found.