fadamo said

One more thing, if Firefox is open and I start Thunderbird for the first time, a new tab opens in Friefox for the bitcoinfyi web page. Thanks,

Try this: Open Thunderbird Close Firefox after it has auto opened. 'In Thunderbird 'Menu icon' > 'Tools' > 'Clear Recent history'

A small window should open asking what to clear. Suggest: time range - everything under 'Details' select 'Browsing history', 'Cookies' and 'Cache' click on 'Clear now'

Exit Thunderbird.

Wait for background processes to complete. Start Thunderbird.

Did this work ?

Toad-Hall,

First, thank you for closing that duplicate question. I don't know how it happened, and I could not figure out to delete it.

Second, I held off opening Thunderbird until I got a response, so I opened Thunderbird and it did not happen - I suppose it's unpredictable. Whenever the issue occurs again, I will try your solution and let you know whether it has worked or not.

Third, I forgot to mention another odd occurrence in Thunderbird in my original question. After I have entered my POP password and the e-mail messages have downloaded into Thunderbird, I will open one of the messages (it doesn't matter which one) by double-clicking on it. During the one second that it takes for Thunderbird to open and display the e-mail, I see an html type page (colors are black, gray, and purple with yellow text) flash on the screen in Thunderbird. It flashes too quickly to read it or to react - I can only see it for a second then I see the e-mail message. This started a few weeks ago and may be related to the bitcoinfyi web page issue. I am not sure that downloading the message is significant to the issue. Also, this tends to only happen once per day after opening Thunderbird.

Do you know what this means?

Thanks.

Todd-Hall,

Though I didn't get the web page: bitcoinfyi.com to display when I logged in for the first time yesterday, I went ahead and tried your fix - I figured it couldn't hurt.

Today, I started Thunderbird and got the prompt to enter my POP mail password as usual. However, I waited about ten minutes before entering the password - no web page opened. Thunderbird even reported a message in the lower right portion of the screen that my pop mail server has timed out. So, I entered the POP mail password. Instantaneously, Firefox started and opened a tab with "https://www.facebook.com/tr/" in the URL and the phrase: "(GIF Image, 1 x 1 pixels)" on the tab. The web page is completely black with one white pixel in the center.

What do you think about that? I am completely flummoxed. I fear that Thunderbird has somehow been hacked, but I don't know how they did it. I am very careful. While I open all e-mail, I don't open files or click on links sent to me by unknown senders or within suspicious e-mail - I just delete it. I hope someone out there has an answer.

Thanks.

Todd-Hall,

One more thing that I forgot to mention in my last post. After entering my POP mail password and having the web page open, none of the messages on the POP server downloaded into Thunderbird. I had to hit the "Get Messages" button to get them. Usually, after entering the password, the mail downloads without having to hit the button.

Thanks again.

Suggest you start your computer in 'Safe Mode'.

Backup your TB profile name folder. C:\Users\<Windows user name>\AppData\Roaming\Thunderbird\Profiles\<Profile name>\ Suggest you copy and paste the Roaming 'Thunderbird' folder to external drive.

Then run full scan on computer.

What Anti-Virus product do you use ?

Folks,

Today, I restarted Thunderbird and opened an e-mail message (the first one that just downloaded). Immediately for about one second a mostly purple and black trimmed html-like page flashed with orange text in the center of the page (about six lines of text at approximately 14-point font). The text was underlined. It's the same screen that has been flashing seemingly randomly for several weeks. It does not seem to be related to the e-mail message opened.

I think Mozilla needs to look at this more closely because it seems someone has figured out how to hack their reader.

Thanks.

Please report back on results of restarting computer in 'safe mode'. Backing up TB profile then running scans.

Todd-Hall,

I am currently running a scan. I am using 360 Total Security, Malwarebytes, Microsoft Security Essentials, and SpyBot Search & Destroy. Do you have any suggestions?

I will reboot computer and start in safe mode. I will run another scan.

Thanks.

Todd-Hall,

I noticed in Control Panel->Programs and Features that Mozilla Thunderbird has an Installed On date of 5/22/2018. I installed Thunderbird many years ago. However, was there a recent update issued by Mozilla because I think that I have my options set to automatically update the software?

I am currently running the virus scan in safe mode.

Thank you.

Todd-Hall,

I ran several scans in safe mode. The 360 Total Security scan did not find anything. The Malwarebytes scan did not find anything. However, the SpyBot scan found some things that may have significance. I have the log file from the scan, but I am leary about uploading it to this public forum.

What's next?

Make sure both the Firefox browser and thunderbird is also cleared of cookies, just in case something is connecting to either. Firefox and Thunderbird do have some code that is similar although separate for each program.

Do you only have the one email address/mail account? Do you always choose to logon each time or do you usually have thunderbird remember the password?

The first times this occurred you said it started upon starting Thunderbird program. If you had passwords saved then Thunderbird would auto connect to server to check for mail. So, did you have saved password which TB used on startup or did you logon manually almost immediately, so this could have occurred not when TB started but each time you logged on to server?

Later, after removing history.cookies etc, this stopped occurring when Thunderbird started, but did occcur when you used Thunderbird to connect to server over internet by entering password.

Do you have any passwords stored in the Firefox profile?

Whilst in Safe Mode, run Thunderbird.

• 'Menu icon' > 'Options' > 'Options' >'Privacy'

Mail Content

• uncheck - do not select - 'allow remote content'
• click on 'Exceptions'
• remove everthing in the list
• click on 'Save changes'
• click on 'OK'

Todd-Hall,

I have been using a screen recorder for the past few days. The problem has not appeared for the past few days - I thought that it was resolved. However today, I opened Thunderbird and before entering my POP password, the browser (Firefox) opened automatically and attempted to display this web page: https://www.zenhealthy.com/how-to-achieve-the-perfect-makeup-look?utm_source=mgid////////////////////. This is a different web page (the previous page was the bit coin fyi page - see previous post). Firefox was not able to display the new page, however, because it "detected that the server is redirecting the request for this address in a way that will never complete. This problem can sometimes be caused by disabling or refusing to accept cookies."

So, I believe this is a serious malware/hacking problem that Mozilla should investigate. I would like to open a case and work with the software developers to help them resolve this issue.

Incidentally, I started recording the screen to capture the flashing page in Thunderbird that I reported a few days ago - this issue has not re-surfaced. However, I believe that it will re-occur, and when it does, I will have it captured for review.

With respect to your questions, I have more than one account identified in accounts, but I am only receiving mail from one of them.

I choose to login every time - I never let Thunderbird remember my password.

So far, the web page appears in the browser as soon as Thunderbird displays the screen showing my inbox and simultaneously with the window prompting me to enter my password. In fact, I see the window prompt to enter password for about one second, then, before I am able to enter a password, the browser appears. With regard to the other issue, I have only seen that when I open an e-mail message. So far, I have been entering my password, getting the messages, then opening an e-mail before it appears. I have to test whether or not entry of the password is a factor (i.e. I must cancel the prompt and just open an e-mail without logging in).

No stored passwords.

Thanks

I entered the POP mail password. Instantaneously, Firefox started and opened a tab with "https://www.facebook.com/tr/" in the URL and the phrase: "(GIF Image, 1 x 1 pixels)" on the tab.

I don't think this is uncommon. Web content from messages shown in Thunderbird can trigger to open a new browser window or a new tab.

Do you have the message pane enabled? If so, press F8 to turn it off.

Other things you can do:

View (Alt-V) - Message Body As - Simple HTML

Install an adblocker like Adblock Plus, and subscribe to the filter lists of your choice. https://addons.mozilla.org/en-US/android/addon/adblock-plus/

Note, you'd need to follow the 'See all versions' link and find the last version before Adblock Plus has been converted to a Webextension. Version 2.9.1 should do.

https://adblockplus.org/en/subscriptions

Could you check what setting you have for 'Remote Content'.

• 'Menu icon' > 'Options' > 'Options' > 'Privacy'

Mail content

• uncheck 'Allow remote content in messages'
• click on 'Exceptions'
• Remove everything listed.
• click on 'Save changes'
• click on OK

Toad-Hall,

I have finally captured the flashing purple and black screen that shows up randomly for a millisecond whenever I open any e-mail message - see previous posts. I have attached the image. It is something from thunderbrowse.com. I believe this is the culprit.

I apologize for addressing you as "Todd-Hall" in previous posts. I didn't catch the mistake until recently.

So, how do I remove this insidious creature infecting Thunderbird?

Thanks

If you do have the Thunderbrowse add-on installed, remove it.

christ1 said

I entered the POP mail password. Instantaneously, Firefox started and opened a tab with "https://www.facebook.com/tr/" in the URL and the phrase: "(GIF Image, 1 x 1 pixels)" on the tab.

I don't think this is uncommon. Web content from messages shown in Thunderbird can trigger to open a new browser window or a new tab.

Do you have the message pane enabled? If so, press F8 to turn it off.

Other things you can do:

View (Alt-V) - Message Body As - Simple HTML

Install an adblocker like Adblock Plus, and subscribe to the filter lists of your choice. https://addons.mozilla.org/en-US/android/addon/adblock-plus/

Note, you'd need to follow the 'See all versions' link and find the last version before Adblock Plus has been converted to a Webextension. Version 2.9.1 should do.

https://adblockplus.org/en/subscriptions

Christ1,

I appreciate your response.

I do not have the pane enabled. In fact, I think the pane is a pain and it's the first thing I disable after installing because I recall that it is on by default. You are correct, the pane causes the user to open potentially nefarious e-mail that would have likely been deleted without opening, which is the reason I have it off.

Message body is already set to simple HTML. I also have Thunderbird set to ask me whether or not to display content in HTML messages.

I have AdBlock Plus version 2.9.1 installed as an extension. It's been installed and kept updated for a long time (years).

Finally, I disagree with your characterization of the issue being common. I think this could be a serious hack of the Thunderbird e-mail reader that needs to be addressed and fixed by Mozilla. If this were a common issue, then a search of the support data base would have yielded more hits, but I didn't find any issues reported similar to this one. I find it very suspicious whenever a web browser opens automatically onto random, mysterious web pages.

Incidentally, I reported the spam to the ISPs that purportedly are hosting the web pages that have opened mysteriously thus far. Amazon (via GoDaddy) reported after its initial investigation that "it appears that this content is not being hosted on the AWS network" regarding zenhealthy.com. With respect to bitcoinfyi.com, Name.com reported: "It appears that the link you provided is no longer resolving to a malicious site at this time." When I used the "Contact" link at zenhealthy.com, I received a Failure Notice - "unable to deliver the message." Bitcoinfyi.com does not have a contact link. Facebook responded by thanking me for reporting the issue, but did not comment one way or the other.

I respect your opinion, but at this time it doesn't sound like a "common" problem. It's seems like it may be a malware issue.

Thanks.

Toad-Hall said

Could you check what setting you have for 'Remote Content'.

• 'Menu icon' > 'Options' > 'Options' > 'Privacy'

Mail content

• uncheck 'Allow remote content in messages'
• click on 'Exceptions'
• Remove everything listed.
• click on 'Save changes'
• click on OK

Toad-Hall,

I already did this. It didn't help and it disabled Google Calendar. If you can figure out how to disable and keep Google Calendar working, then please post it in your response.

I would appreciate this issue being picked up by the Mozilla developers and looked at. You have the flashing purple and black web page for review as a starting point. This is not a coincidence - it is related to the issue in some way.

Thanks,

After posting about thunderbrowse.com, I learned that thunderbrowse is a Thunderbird add-on. As it happens, I had it installed, though it was disabled. I have since removed it.

I used VirusTotal to scan thunderbrowse.com. One site reported it to be malicious. I also found this article on WOT: https://review.easycounter.com/reputation-Thunder-Browse-safe, which indicated that it was safe.

I am still skeptical - maybe it has become more insidious of late.

Thanks.