Defender unable to clear viruses

qim

I ran Defender Quick Scan and it worked fine.
Then I ran Full Scan. It found a number of problems (see attachment).
But it kept stopping during the process of cleaning and asking to restart (not sure if it meant Defender or the PC).
It did this several times.

I investigated online and I found a similar problem related to MalwareBytes. I had it and uninstalled it a few days ago.


Windows Defender não abre ("Windows Defender does not open")



Could you help, please?

The 3rd attachment does not seem to be related but I do not know how to delete it....
 

Solution
Yes, Qim — that is the correct next step.
You have now confirmed the bad item is in:
AndorraIN
and ESET identifies it as:
PDF/TrojanDownloader.Agent.BRZ trojan
in the test copy:
C:\ESETTEST\AndorraIN
Since you have narrowed it to 8 August 2024, the clean fix is now to remove that exact email from Thunderbird.

Do this now

1. Delete the Desktop copy if it still exists

  • Do not open the .eml file again.
  • Delete the Desktop copy.
  • Empty the Recycle Bin.

2. Restore/open the full original in Thunderbird

If Thunderbird does not currently show the full AndorraIN, yes — copy the original AndorraIN from the pen drive back into...
Hi
Very sorry but had to go out last night and have been busy so far today.

Steps 2 & 3 did not find anything related to pintotours

Regarding this file: C:\Users\open1\Documents\Documents\user pintotours.doc

I went as far as \Documents\Documents but cannot understand \user pintotours.doc...

There is nothing about pintotours in the Documents and a search for the file did not show it anywhere

I compacted all folders

The Quick Scan did not find any threats (seems the 7 from last scan, have gone...)


As for: "If you want, I can give you the safest way to clean the Yahoo Thunderbird detections next without searching through thousands of emails."

Yes, please!!!
 

Hi qim,
No problem at all — and this is good progress.
Your latest screenshot shows:
  • No current threats
  • Quick Scan found 0 threats
  • You already compacted all folders
So the immediate danger appears to be gone.

About the strange user pintotours.doc path

If:
  • you cannot find it in the folder
  • Windows search no longer finds it
then it was most likely a stale search result or it has already been removed.
I would not chase that any further unless Defender detects it again.

Safest Yahoo cleanup without checking thousands of emails

Because the Yahoo detections were inside Thunderbird’s local mail store, the safest approach now is:

Option A: Since Defender is now clean, do the minimum safe cleanup

  1. Open Thunderbird.
  2. Go to the Yahoo account.
  3. Empty Trash and Junk.
  4. If you have a folder for old attachments, spam, or archived suspicious mail, empty that too.
  5. Run File > Compact Folders again.
  6. Run another Quick Scan.
If Quick Scan stays clean, I would consider that good enough for now.

Option B: Safer targeted Yahoo check without searching everything

You do not need to read thousands of emails.

In Thunderbird:

  1. Click the Yahoo Inbox only.
  2. Press Ctrl + Shift + F for Search Messages.
  3. Search in that folder only.
  4. Try these searches one at a time:
    • Document2.zip
    • KRT2018564006.js
    • 22102015160213-0001.doc
  5. If Thunderbird finds a matching message, delete it.
  6. Empty Trash.
  7. Compact folders again.
That is much better than manually checking all messages.

Option C: Most aggressive cleanup, but only if you are comfortable

If you use Yahoo webmail and do not care about old local POP mail in Thunderbird, you can remove the local Yahoo Inbox cache and let Thunderbird rebuild.
Only do this if you understand it may remove old locally stored messages.
  1. Close Thunderbird.
  2. Back up this folder first:
%APPDATA%\Thunderbird\Profiles\cricit3s.default
  3. Then go to:
%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.mail.yahoo.com
  4. Rename these files if they exist:
Code:
Inbox
Inbox.msf
to something like:
Code:
Inbox.old
Inbox.msf.old
  5. Reopen Thunderbird.
But again: I would not do Option C yet, because your system is now showing 0 current threats.

What I recommend now

Since Defender is clean, the best next step is:
  1. Use Thunderbird Search Messages in Yahoo Inbox only
  2. Search for:
    • Document2.zip
    • KRT2018564006.js
  3. Delete anything found
  4. Empty Trash/Junk
  5. Compact folders
  6. Run one more Quick Scan

My honest view

At this point, if:
  • Quick Scan stays clean
  • and Protection History shows the 7 items handled
then the problem is likely resolved.
If you want, the next thing you can post is a screenshot of Protection History showing those 7 entries, and I’ll confirm whether everything looks fully cleaned up.
 

In Option B, "Press Ctrl + Shift + F for Search Messages" does not do anything...

I searched in "Body" and none of these appeared

  1. Search for:
    • Document2.zip
    • KRT2018564006.js


Quick Scan still clean


Thank you very much for your help, but I have another issue with Defender that may be related,

I have Defender showing in the Taskbar but when I open it it starts by asking to sign in and if I continue, asks for money....

I thought that Defender is part of Windows, ....
 

Hi qim,
That is actually reassuring.
If:
  • Quick Scan now shows 0 threats
  • Thunderbird search is not finding those names
  • you already compacted folders
then the most likely explanation is:
  • Defender already removed/quarantined the bad items
  • and the old Thunderbird mailbox data was cleaned up enough that the files are no longer present

Important point

Searching Body would usually not find attachment filenames, so that part is normal.

What to do next

1. Check Protection History

  1. Open Windows Security.
  2. Go to Virus & threat protection.
  3. Click Protection history.
  4. Look at those 7 detections.
What we want to see is:
  • Quarantined
  • Removed
  • or any wording that shows the action completed
What we do not want to see is:
  • Active
  • Remediation incomplete

2. If Thunderbird shortcut does not work

Use the menu instead:
  1. Open Thunderbird.
  2. Try Edit > Find > Search Messages.
  3. If that is not available, use the menu button and look for Search Messages or Find.
But honestly, if Defender is now clean, this step is optional.

3. Do one more confirmation scan

  1. Run Quick Scan again later today.
  2. If still clean, run one Full Scan when convenient.
  3. If that Full Scan also comes back clean, I would consider the problem resolved.

4. If you want one extra safe Thunderbird cleanup

  1. Empty Trash
  2. Empty Junk
  3. Compact folders again
That is enough. I would not dig through thousands of messages now unless Defender detects something again.

My recommendation

At this stage, I would not chase missing files anymore.
The right next check is simply:
  1. Protection History
  2. Another Quick Scan
  3. Later, one final Full Scan
If you can, please post a screenshot of Protection History for those detections. That will tell us whether everything finished properly.
 

Ok, the history shows that all have been resolved or quarantined except. See attached. Did you see what I added to my last post?
 

Yes — I did see what you added to your last post.
You said:
  • Ctrl + Shift + F did nothing
  • searching in Body did not find Document2.zip or KRT2018564006.js
That was useful, and it is not a problem now.

The remaining issue

Your screenshot shows only one item still not fully handled:
  • Trojan:HTML/Phish.HNEW!MTB
  • Status: Quarantine failed
  • Location is inside Thunderbird
  • Specifically in:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.mail.yahoo-3.com\Trash
So this is not a Windows system infection. It is a bad message/item still sitting in the Yahoo Trash folder in Thunderbird.

What to do now

Option 1 — easiest

Empty the Yahoo Trash folder in Thunderbird

  1. Open Thunderbird.
  2. Go to the Yahoo account that matches pop.mail.yahoo-3.com.
  3. Right-click its Trash folder.
  4. Click Empty Trash.
  5. Then go to File > Compact Folders.
  6. Close Thunderbird.
  7. Run Quick Scan again.

Option 2 — if the item still remains

If Defender still finds the same item after Option 1, remove the local Trash mailbox file directly.

First back up your Thunderbird profile

  1. Close Thunderbird.
  2. Press Win + R
  3. Paste:
%APPDATA%\Thunderbird\Profiles\
  4. Press Enter
  5. Copy the folder cricit3s.default somewhere safe

Then remove the Yahoo Trash mailbox files

  1. Still with Thunderbird closed, press Win + R
  2. Paste:
%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.mail.yahoo-3.com
  3. Press Enter
  4. In that folder, look for:
Code:
Trash
Trash.msf
  5. Rename them to:
Code:
Trash.old
Trash.msf.old
If rename works, that is better than delete.
  6. Open Thunderbird again
  7. It should recreate a fresh Trash folder
  8. Run Quick Scan again

Why this should fix it

The detection path clearly shows the bad content is inside:
  • Yahoo Trash
  • in Thunderbird’s local mailbox file
Defender often struggles to quarantine these when Thunderbird mailbox files are in use or packed in a way it cannot clean neatly. Emptying/rebuilding the Trash folder usually resolves it.

My recommendation

Do this order:
  1. Empty Yahoo Trash in Thunderbird
  2. Compact Folders
  3. Close Thunderbird
  4. Run Quick Scan
If the same one item still appears, do Option 2 and rename Trash and Trash.msf.
If you want, after that, post the new Protection History result and I’ll tell you if you are fully done.
 

Option 1. The Trash folder has been cleared and has nothing in it and I have compacted it again

I ran again a Quick Scan and a Full Scan. There are no threats, but the threat with "Remediation incomplete" remains.

What should I do?


Did you see my post at 1.17 pm?


Thank you very much for your help, but I have another issue with Defender that may be related,

I have Defender showing in the Taskbar but when I open it it starts by asking to sign in and if I continue, asks for money....

I thought that Defender is part of Windows, ....


There are 3 attachments
 

Hi qim,
Yes — I did see your 1:17 pm post.
The two important things now are:
  • your Quick Scan and Full Scan both show no threats
  • the only thing left is an old “Remediation incomplete” history entry
That usually means the threat is gone, but the history record remains.

1. What to do about the remaining “Remediation incomplete”

Since:
  1. the bad item was in Thunderbird Trash
  2. Trash has been emptied
  3. folders were compacted
  4. Quick Scan = clean
  5. Full Scan = clean
I would treat the malware problem as resolved, unless the same detection comes back as a new active threat.

So for now:

  1. Restart Windows once more.
  2. Run one more Quick Scan tomorrow or later today.
  3. If it still shows 0 threats found, you can ignore that old history item.

Important distinction

  • Protection History can show an old failed remediation record
  • that does not always mean there is still an active infection
If it bothers you, I can give you the steps to clear the stale Defender history entry, but I would only do that after we confirm everything stays clean.

2. About Defender asking you to sign in and then asking for money

That is almost certainly not the built-in Windows antivirus.
There are two different things:

A. Built-in free protection

This is:
  • Windows Security
  • Microsoft Defender Antivirus
It is included with Windows and does not require payment.

B. Separate Microsoft Defender app

This is a subscription-style app tied to Microsoft 365 / Defender services and may ask you to:
  • sign in
  • subscribe
  • pay
So if you click the wrong icon, it can look like “Defender wants money,” even though the actual built-in antivirus is free.

3. What you should use

Use Windows Security, not the paid/subscription Defender app.

Open the correct one

  1. Press Start
  2. Type:
Windows Security
  3. Open that
  4. It should show things like:
    • Virus & threat protection
    • Firewall & network protection
    • Protection history
That is the correct built-in Windows tool.

4. Fix the taskbar confusion

If the taskbar icon opens the paid app, do this:

Pin the correct app

  1. Open Start
  2. Search for Windows Security
  3. Right-click it
  4. Click Pin to taskbar

Remove the wrong one

  1. Right-click the confusing taskbar icon
  2. Click Unpin from taskbar

5. If you do not want the paid Defender app at all

You can remove it if it is installed separately.
  1. Go to Settings > Apps > Installed apps
  2. Look for Microsoft Defender
  3. If it is there as a separate app, you can uninstall it
Do not uninstall Windows Security.
Only uninstall the separate Microsoft Defender app if that is what is asking for payment.

6. My recommendation now

Do this in order:
  1. Restart Windows
  2. Open Windows Security from Start search
  3. Confirm it shows no current threats
  4. Unpin the paid/subscription Defender icon from the taskbar
  5. Pin Windows Security instead
  6. Ignore the old Remediation incomplete entry unless the threat becomes active again

7. If you want, next reply with:

  1. a screenshot of the app that asks for money
  2. or the exact name shown at the top of that window
Then I can tell you exactly whether it is:
  • Windows Security
    or
  • the separate Microsoft Defender subscription app.
 

Regarding the incomplete removal of the threat
 

Hi qim,
That screenshot is very helpful.

What it shows

In the Thunderbird folder you opened, both:
  • Inbox
  • Trash
are 0 KB
and the .msf files are only mail index files, not the actual message content.

What that means

This strongly suggests the malicious message content is gone from that local Thunderbird mailbox.
So the remaining “Remediation incomplete” entry is now most likely just a stale history record, not an active infection.

In plain English

At this point:
  • Quick Scan = clean
  • Full Scan = clean
  • Thunderbird mailbox file shown = empty
So I would say the threat itself is gone.

What I recommend now

1. Do not do any more aggressive cleanup

You do not need to delete those files now.
Because:
  • Inbox and Trash are empty
  • .msf files are harmless index files

2. Restart the PC once

  1. Restart Windows normally.
  2. Open Windows Security again.

3. Run one more Quick Scan later today or tomorrow

If it still shows:
  • 0 threats found
then I would consider the malware issue resolved.

4. Ignore the old history item for now

That Remediation incomplete entry can remain in Protection History even after the source is gone.
It is annoying, but it does not automatically mean the PC is still infected.

My conclusion

Based on everything you have shown:
  • Defender is now working
  • scans are clean
  • the bad Thunderbird content appears removed
  • the remaining incomplete entry is probably historical only

So the best answer right now is:

You do not need to do anything more about that threat unless it becomes active again or a new scan detects it again.

Very important

If any future scan shows:
  • Current threats
  • a new Active item
  • or the same threat being detected again
then post again and we continue.
Otherwise, I would treat this as cleaned up.
If you want, I can next help you sort out the Defender icon that asks for money, because that is almost certainly just the wrong Microsoft app pinned to the taskbar.
 

Many thanks for your help...

I sleep better tonight!

Qim
 

You’re very welcome, Qim — and that is great to hear.

Where things stand

From everything you showed, the situation now looks under control:
  1. DISM completed successfully
  2. SFC found no integrity violations
  3. Defender Quick Scan is clean
  4. Defender Full Scan is clean
  5. The Thunderbird mailbox files involved are now effectively empty
  6. The remaining “Remediation incomplete” entry looks like a stale history record, not an active threat

What I’d do from here

  1. Leave it alone for now.
  2. Run a Quick Scan again tomorrow or in a day or two.
  3. Keep Windows Update and Defender protection updates current.
  4. If a new active threat appears again, come back and we’ll continue from there.

One last note

If you still want, I can help you fix the wrong Defender/taskbar icon so it opens the built-in Windows Security instead of the app asking for payment.
Glad we got this to a much better place — and yes, hopefully you sleep much better tonight.
Best,
ChatGPT
 

Many thanks

I restarted PC, did Quick Scan and all well

...but the wrong Defender/taskbar icon reappeared. If I right click on it I get 2 options Restore or Exit. I chose exit and it went, but on restart it's back
 

Hi Qim,
Good — that confirms the malware issue appears resolved.
The icon problem is almost certainly a separate Microsoft Defender app, not the built-in Windows Security antivirus.

Why I think that

The menu options “Restore” and “Exit” sound like a normal app running in the tray.
The built-in Windows Security icon usually does not behave like that.

What to do

1. Remove the wrong app from startup

  1. Press Ctrl + Shift + Esc to open Task Manager.
  2. Click Startup apps.
  3. Look for anything named:
    • Microsoft Defender
    • Defender
    • Microsoft 365
  4. Right-click it and choose Disable.
  5. Restart the PC.

2. Uninstall the separate Defender app if you do not want it

  1. Open Settings > Apps > Installed apps.
  2. Search for Defender.
  3. If you see a separate app called Microsoft Defender, uninstall it.
Do not uninstall Windows Security.
That is the built-in free protection.

3. Pin the correct app instead

  1. Press Start.
  2. Type Windows Security.
  3. Right-click it.
  4. Choose Pin to taskbar.
Then use that icon going forward.

4. If the wrong icon still comes back

Check the system tray hidden icons area and:
  1. Right-click the icon.
  2. Choose Exit.
  3. Then go back to Startup apps and make sure its startup entry is disabled.

What you should keep

You want to keep:
  • Windows Security
  • Microsoft Defender Antivirus
Those are part of Windows and free.

What you likely do not need

You likely do not need the separate Microsoft Defender app that asks for sign-in/payment.

If you want a final confirmation

Reply with either:
  • a screenshot of the icon/window asking for money, or
  • the exact app name shown in Installed apps
and I’ll tell you exactly which entry is safe to disable or uninstall.
 

Magic! It's gone..

Uninstalled the app but Defender is still active!

Many thanks for your help
 

Excellent, Qim — that screenshot confirms it.

Final status

  • Microsoft Defender Antivirus is turned on
  • The wrong paid app is gone
  • Your built-in Windows protection is still active
  • Recent scans are clean
So you are now back to the normal Windows setup.

I’d suggest just 3 simple things from here

  1. Run a Quick Scan every now and then.
  2. Keep Windows Update current.
  3. Keep being cautious with unexpected email attachments.
You handled this very well.
Glad we got it sorted.
 

Hi Al

Sorry to come back to this problem

Out of curiosity I did a Full Scan with Eset and it came up with two problems similar to yours in the Thunderbird files (attached)

Should I ignore them?
 

Hi Qim,
No — I would not just ignore them.
But the good news is: these do not look like an active Windows infection. They look like malicious emails/attachments still stored inside Thunderbird mailbox files.
Your ESET screenshot shows detections in:
  • ...\Thunderbird\Profiles\cricit3s.default\Mail\correu.andorra-1.ad\Inbox
  • ...\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com\AndorralN
That means the problem is most likely old mail content still saved in Thunderbird, not malware currently running on the PC.

What I recommend

Option 1: Best if you do not need those old emails

  1. Close Thunderbird completely.
  2. Back up this folder first:
%APPDATA%\Thunderbird\Profiles\cricit3s.default
  3. Then go to these folders and rename the mailbox files:
Code:
%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\correu.andorra-1.ad
%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com
  4. In the first folder, rename:
Code:
Inbox
Inbox.msf
to:
Code:
Inbox.old
Inbox.msf.old
  5. In the second folder, rename:
Code:
AndorralN
AndorralN.msf
to:
Code:
AndorralN.old
AndorralN.msf.old
  6. Open Thunderbird again.
  7. Run File > Compact Folders.
  8. Run ESET or Defender again.

Option 2: If you need those emails

  1. Open Thunderbird.
  2. Go to the exact affected folders:
    • correu.andorra-1.ad > Inbox
    • pop.gmail-1.com > AndorralN
  3. Delete suspicious old messages/attachments.
  4. Empty Trash.
  5. Run File > Compact Folders.
  6. Scan again.

My short answer

  • Do not panic
  • Do not ignore them completely
  • They are most likely stored malicious email attachments
  • The clean fix is to remove or rename those Thunderbird mailbox files/folders

Important

Do not open any suspicious PDF, DOC, ZIP, or JS attachment from those folders.
If you want, I can give you the exact safest step-by-step for renaming those two mailbox files.
 

I have already looked in the andorra, but there are hundreds of files with attachments and do not know how to find those with .pdf attachments

Unfortunately the Correu.andorra account gave me two weeks notice that they were going to change the platform and I had to rely on a new gmail account. I do need the files,

I am not sure where I read that the problems were in pdf files...
 

Hi Qim,
Because you need the files, I would not delete the whole Inbox.
Also, what ESET is flagging is not a separate PDF file in Explorer. In Thunderbird, the attachment is often stored inside the mailbox file such as:
  • Inbox
  • Trash
  • AndorralN
That is why you cannot just browse to a .pdf and delete it.

Safest way forward

1. Back up the mailbox files first

  1. Close Thunderbird completely.
  2. Copy these files to a safe folder on your Desktop:
    • ...\correu.andorra-1.ad\Inbox
    • ...\pop.gmail-1.com\AndorralN
  3. Do not work on the originals first.

2. Search inside the copied mailbox file

The copied Inbox file is really a big text mailbox.
  1. Right-click the copied Inbox file.
  2. Open it with Notepad.
  3. Use Find and search for these one at a time:
    • .pdf
    • filename=
    • Content-Type: application/pdf
    • Agent.BRZ
  4. When you find one, look a little above that section for lines like:
    • Subject:
    • From:
    • Date:
That should help you identify which email message contains the bad PDF.

3. Delete only that message in Thunderbird

  1. Open Thunderbird.
  2. Go to the matching folder:
    • correu.andorra-1.ad > Inbox
    • pop.gmail-1.com > AndorralN
  3. Find the message by sender, subject, or date from step 2.
  4. Delete that message.
  5. Empty Trash.
  6. Run File > Compact Folders.

4. Scan again

  1. Run Quick Scan in Defender.
  2. If clean, run ESET again only if you want confirmation.

Why this is the best method

  • You keep your wanted mail
  • You only remove the specific infected message
  • You avoid wiping the whole mailbox

If Notepad is too awkward

Because your Inbox file is only about 1.7 MB, Notepad should be manageable for that one.
If you want, I can guide you through exactly what to search for inside the copied Inbox file, step by step, starting with the correu.andorra mailbox.
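
Added example, not part of the thread or written by any participant: a Python version of the search described in the last reply (and of the earlier attachment-filename search), meant to be run against a copy of a Thunderbird mailbox file. It reads headers only and also reports Thunderbird's X-Mozilla-Status expunged flag, which marks a message that was deleted but is still in the file until Compact Folders runs; the suffix list, function names and sample messages are assumptions constructed for illustration.

```python
import mailbox
import os
import tempfile
from email.header import decode_header, make_header
from email.message import EmailMessage

# Assumed defaults: the attachment types named in this thread.
SUSPECT_SUFFIXES = (".pdf", ".zip", ".js", ".doc")
EXPUNGED = 0x0008  # X-Mozilla-Status bit: deleted in Thunderbird, not yet compacted


def _text(value):
    """Decode an RFC 2047 header value; empty string when the header is absent."""
    if not value:
        return ""
    try:
        return str(make_header(decode_header(str(value))))
    except (LookupError, UnicodeError, ValueError):
        return str(value)


def find_attachments(mbox_path, suffixes=SUSPECT_SUFFIXES):
    """List attachments whose filename ends in one of `suffixes`.
    Only headers are read: no attachment body is decoded or written to disk."""
    suffixes = tuple(s.lower() for s in suffixes)
    hits = []
    box = mailbox.mbox(mbox_path, create=False)  # raises if the file is missing
    try:
        for msg in box:
            try:
                status = int(str(msg.get("X-Mozilla-Status", "0")), 16)
            except ValueError:
                status = 0
            for part in msg.walk():
                if part.is_multipart():
                    continue  # containers carry no attachment of their own
                name = _text(part.get_filename())
                is_pdf = ".pdf" in suffixes and part.get_content_type() == "application/pdf"
                if name.lower().endswith(suffixes) or is_pdf:
                    hits.append({
                        "date": _text(msg["Date"]), "from": _text(msg["From"]),
                        "subject": _text(msg["Subject"]), "filename": name,
                        "deleted_not_compacted": bool(status & EXPUNGED),
                    })
    finally:
        box.close()
    return hits


def demo():
    """Scan a constructed two-message mailbox (placeholder bytes, not a real PDF)."""
    flagged = EmailMessage()
    flagged["From"] = "billing@example.net"
    flagged["Subject"] = "Invoice attached"
    flagged["Date"] = "Thu, 08 Aug 2024 10:15:00 +0000"
    flagged["X-Mozilla-Status"] = "0009"  # read + expunged
    flagged.set_content("Please see attached.")
    flagged.add_attachment(b"placeholder", maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    plain = EmailMessage()
    plain["Subject"] = "Lunch"
    plain.set_content("See you at noon.")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox")
        with open(path, "wb") as fh:
            for m in (plain, flagged):
                fh.write(b"From - Thu Aug 08 10:15:00 2024\n" + m.as_bytes() + b"\n")
        return find_attachments(path)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Call `find_attachments` on the Desktop copy of the mailbox file with Thunderbird closed, then delete the reported messages inside Thunderbird and compact folders as described in the reply.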
 
