Defender unable to clear viruses

[qim]

Hi

I think I know where they are: 2024

But is ther a way of scanning the folders with Eset? The Mozilla Thunderbird does not contain the emails and the closest I got to them is via AppData, but it stops short of Thunderbird

It takes a long time to do the scans and by the time it is over I get confused.... (age. I'm afraid...)

 

[ChatGPT]

Hi Qim,
Yes — there is a much easier way. You do not need to run a full ESET scan each time.
You can scan only the Thunderbird mailbox file/folder involved.

Important: do not look in “Mozilla Thunderbird”​

The folder called Mozilla Thunderbird or the Thunderbird program folder does not contain your emails.
Your mail is here:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com
And the specific Andorra mailbox is probably this file:
AndorraIN
Full path:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com\AndorraIN

Easiest way to get there​

1. Open File Explorer​

Click in the address bar at the top.

2. Paste this exact line​

%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

3. Press Enter​

That should take you directly to the right folder.

To scan only AndorraIN with ESET​

Method A — easiest​

1. Close Thunderbird.
2. Go to:

%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

1. Right-click the file:

AndorraIN

1. Choose something like:

Scan with ESET
or
Show more options > Scan with ESET
That should scan only that mailbox file, not the whole PC.

If ESET does not appear on right-click​

Use ESET itself:

1. Open ESET.
2. Go to Computer scan.
3. Choose Custom scan or Advanced scans > Custom scan.
4. Browse/paste this path:

C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

1. Select only:

AndorraIN

1. Start the scan.

Your 2024 idea is good​

If you think the bad email is in 2024, do this:

1. Open Thunderbird.
2. Go to AndorraIN.
3. Delete only the 2024 emails with attachments.
4. Empty Thunderbird Trash.
5. Run File > Compact Folders.
6. Close Thunderbird.
7. Scan only:

AndorraIN
If ESET then finds nothing, the bad item was probably in the 2024 group.

To avoid confusion​

Write a small note like this as you go:

Backup on USB: yes
Deleted: 2024 emails with attachments
Compacted: yes
Scanned: AndorraIN only
Result: clean / still detected

Very important​

Keep the USB backup unplugged while scanning, otherwise ESET may scan the backup too and confuse the result.
Short answer: yes, scan only AndorraIN using ESET right-click scan or Custom scan. That should be much faster and less confusing than scanning everything.

 

[qim]

%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

Where do I paste it? File explorer (what I think it is...) does not have where to write/paste

An attachment of what I think is FileExplorer....

 

[ChatGPT]

Yes, Qim — that is File Explorer.
You paste the path into the address bar at the top, not into the search box.

Where to paste it​

At the top of your screenshot you currently see:
Home >
That is the address bar.

Do this​

1. Click once on the word/path area near the top where it says:

Home

1. It should change into a text box.
2. Paste this:

%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

1. Press Enter.

That should take you directly to the Thunderbird mail folder.

Alternative easier method​

If clicking the address bar is awkward:

1. Press Win + R.
2. Paste this:

%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

1. Press Enter.

That will open the correct folder directly in File Explorer.

Then scan only AndorraIN​

Once you are in that folder:

1. Close Thunderbird.
2. Find the file called:

AndorraIN

1. Right-click it.
2. Choose Scan with ESET.

If you do not see it immediately, click:
Show more options
then look for ESET scan.

Important​

Do not paste the path into the box on the right that says Search Home. That is only for searching.
Use the address bar at the top, or use Win + R.

 

[qim]

Thanks. I found it, but... the only option to scan is with Defender

Defender did not find them. They were found by Eset

 

[ChatGPT]

Hi Qim,
Yes, that makes sense. If the right-click menu only shows Defender, then ESET has not added its scan option to File Explorer, or it is hidden somewhere else.
You can still scan only that Thunderbird file from inside ESET.

Use ESET Custom Scan​

1. Close Thunderbird​

1. Close Thunderbird completely.
2. Leave File Explorer open if you want.

2. Open ESET​

1. Open ESET from the Start menu or taskbar.
2. Go to Computer scan.

3. Choose Custom Scan​

Look for one of these options:
Custom scan
or
Advanced scans
or
Scan your computer > Custom scan
The wording may vary slightly depending on your ESET version.

4. Select only the Thunderbird file​

When ESET asks what to scan, browse to:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com
Then select this file:
AndorraIN
If ESET does not let you select a single file, select the folder:
pop.gmail-1.com
That is still much faster than scanning the whole PC.

Alternative: copy the full path​

If ESET has a box where you can paste a path, paste this:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com\AndorraIN

Very important before scanning​

Before each ESET test:

1. Empty Thunderbird Trash.
2. Run File > Compact Folders in Thunderbird.
3. Close Thunderbird.
4. Unplug the USB pen drive.
5. Scan only AndorraIN.

If ESET still cannot scan just that file​

Then scan this folder instead:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com
That folder contains your AndorraIN mailbox, so ESET should still find the issue if it is there.

Short answer​

Do not worry that Defender is the only right-click option.
Open ESET itself and use Custom scan to scan either:
AndorraIN
or the folder:
pop.gmail-1.com
That should let you continue without doing a full scan every time.

 

[qim]

I had tried thaqt before but Eset does not show the folders that I need

Is it possible to add Eset to the Security Providers?

 

[ChatGPT]

Hi Qim,
Yes, I see the problem. In that ESET window you are at the C: drive level, and ESET is not making it easy to browse to:
C:\Users\open1\AppData\Roaming\Thunderbird\...
Also, in your screenshot, many boxes are ticked. Do not continue with it like that, or it may scan a lot of the drive again.

Easiest workaround​

Instead of trying to make ESET find the hidden Thunderbird folder, copy the single file you want to test into an easy folder, then scan that folder.

Do this​

1. Create a simple test folder​

1. Open File Explorer.
2. Go to C:\
3. Create a new folder called:

ESETTEST
So you will have:
C:\ESETTEST

2. Copy only AndorraIN into it​

1. Go to:

%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

1. Copy this file:

AndorraIN

1. Paste it into:

C:\ESETTEST
Do not move it. Just copy it.

3. Scan only C:\ESETTEST​

In ESET custom scan:

1. Untick This PC or C: if everything is selected.
2. Expand C:
3. Select only:

ESETTEST

1. Click Save and continue.

That should scan only the copied AndorraIN file.

Why this works​

If the infection/detection is inside AndorraIN, ESET will still detect it from the copy in:
C:\ESETTEST\AndorraIN
So you can test quickly without scanning the whole PC.

After each Thunderbird change​

Each time you delete more messages:

1. In Thunderbird, delete the messages.
2. Empty Thunderbird Trash.
3. Run File > Compact Folders.
4. Close Thunderbird.
5. Copy the updated AndorraIN file again to C:\ESETTEST, replacing the old one.
6. Scan only C:\ESETTEST.

Important​

Before each test:

1. Delete the old file in C:\ESETTEST.
2. Copy the new/current AndorraIN into C:\ESETTEST.
3. Keep the USB pen drive unplugged.

Short answer​

Yes, there is a way: use a temporary folder like:
C:\ESETTEST
and scan that. It avoids ESET’s difficulty browsing into the hidden Thunderbird profile folder.

 

[qim]

Do you mean pasting the Whole content of AndorraIN?

I created the new folder but unsure what to do next

 

[ChatGPT]

Hi Qim,
No — do not open AndorraIN and do not paste its contents.
I mean copy the whole file itself, like copying a photo or document.
AndorraIN is one large Thunderbird mailbox file. You only need to copy that file into the new test folder.

What to do next​

1. Close Thunderbird​

1. Close Thunderbird completely.
2. Leave File Explorer open.

2. Open the Thunderbird mail folder​

In File Explorer, go to:
%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com
If easier:

1. Press Win + R
2. Paste:

%APPDATA%\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

1. Press Enter

3. Copy the file called AndorraIN​

In that folder, find the file:
AndorraIN
It is the large file, about 2 GB.
Do this:

1. Right-click AndorraIN
2. Click Copy

4. Paste it into your test folder​

Go to the new folder you created, for example:
C:\ESETTEST
Then:

1. Right-click inside the empty folder
2. Click Paste

Now you should have:
C:\ESETTEST\AndorraIN

Then scan only the test folder​

In ESET:

1. Choose Custom scan
2. Untick anything large like This PC or C:
3. Select only:

C:\ESETTEST

1. Start the scan.

After each test​

If you delete more emails from Thunderbird later, repeat this:

1. Empty Thunderbird Trash
2. Run File > Compact Folders
3. Close Thunderbird
4. Delete the old C:\ESETTEST\AndorraIN
5. Copy the new/current AndorraIN into C:\ESETTEST
6. Scan C:\ESETTEST again

Short answer​

Copy the file named AndorraIN, not its contents.
Paste that file into C:\ESETTEST, then tell ESET to scan only C:\ESETTEST.

 

[qim]

Ok, I got it and scanned the file with Eset
This time it found and RESOLVED one virus

See attach, but now I have to look for the other one....

 

[ChatGPT]

Hi Qim,
Good — that is progress.
But one very important point:

ESET cleaned the copy, not necessarily the original​

If you scanned:
C:\ESETTEST\AndorraIN
then ESET probably resolved the threat inside that copied test file only.
Your real Thunderbird file is still here:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com\AndorraIN
So do not assume Thunderbird is clean yet.

What this proves​

It proves the detection is definitely inside:
AndorraIN
That is useful. It means you do not need to search the whole computer.

What I suggest now​

1. Check what ESET did to the test file​

Go to:
C:\ESETTEST
Look at AndorraIN.
Check whether it is still there.

2. If AndorraIN is still there​

That probably means ESET cleaned the mailbox copy rather than deleting the whole file.
In that case, do not copy it back yet. First:

1. Keep your USB backup safe.
2. Keep the original Thunderbird AndorraIN untouched for now.
3. Scan C:\ESETTEST again.

If the second scan of C:\ESETTEST is clean, then we know ESET successfully cleaned that copied mailbox file.

3. If AndorraIN disappeared from C:\ESETTEST​

Then ESET deleted the whole copied mailbox file. That is not useful for restoring mail, but it still proves the threat was inside AndorraIN.

Looking for the other one​

Before hunting everywhere, scan the likely files one at a time.
Copy each of these files into C:\ESETTEST, one at a time, and scan the test folder:
AndorraOUT
AndorraDRAFTS
Inbox
Sent
Use this method:

1. Delete everything currently inside C:\ESETTEST.
2. Copy only one file into it, for example AndorraOUT.
3. Run ESET scan on C:\ESETTEST.
4. Note the result.
5. Delete that test copy.
6. Try the next file.

This will tell us exactly which mailbox contains the second detection.

If ESET cleaned the copied AndorraIN​

If the cleaned C:\ESETTEST\AndorraIN still exists and scans clean, there is a possible next step:

1. Close Thunderbird.
2. Rename the original file:

AndorraIN
to:
AndorraIN.BEFORE_ESET_CLEAN

1. Copy the cleaned file from:

C:\ESETTEST\AndorraIN
back into:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

1. Open Thunderbird.
2. Check that AndorraIN opens normally.
3. If it looks OK, close Thunderbird and run ESET again.

But only do that after confirming the cleaned test file still exists and scans clean.

My recommendation right now​

Do this next:

1. Check whether C:\ESETTEST\AndorraIN still exists.
2. Scan C:\ESETTEST again.
3. Tell me whether ESET now says clean.
4. Then we decide whether to copy the cleaned file back or continue searching for the second one.

You are very close now.

 

[qim]

first part of your message:

ESTTEST is till ther and the contents also as before : see attach

I ran Eset again and it came back with a Clean response. See attach

I have to read ansd understand the rest of your message but we KNOW that both virus were in AndorraIN. I cannot understand why look at AndorraOUT, etc at this moment

I would like to keep looking at other years with the ESETTEST tool that you gave me if it is possible, by simply copying the original file from the pen to the PC and deleting the necessary years

 

[ChatGPT]

Hi Qim,
You are right — if we now know the detections were in AndorraIN, then do not worry about AndorraOUT, AndorraDRAFTS, etc. for now. That was only a suggestion in case the second detection was elsewhere. From what you’ve shown, we can concentrate on AndorraIN only.

What happened now​

ESET scanned:
C:\ESETTEST\AndorraIN
It found and resolved the threat in that test copy.
Then you scanned C:\ESETTEST again and it came back:
No threats found
That means the copy of AndorraIN in C:\ESETTEST is now clean.

Important point​

This does not automatically clean the original Thunderbird file unless you replace it.
Your real Thunderbird file is still:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com\AndorraIN
So you have two possible choices now.

Option A — simplest: use the ESET-cleaned copy​

If you are happy to let ESET remove the bad content and stop investigating the exact email:

1. Close Thunderbird.
2. Go to:

C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

1. Rename the current original file:

AndorraIN
to:
AndorraIN.BEFORE_ESET_CLEAN

1. Copy the cleaned file from:

C:\ESETTEST\AndorraIN
back into the Thunderbird folder.
5. Open Thunderbird.
6. Check that AndorraIN opens normally.
7. Close Thunderbird.
8. Scan the real Thunderbird AndorraIN again.
This is probably the quickest way to finish.

Option B — continue investigating by year​

Yes, you can continue using the C:\ESETTEST method.
But the safest workflow is this:

1. Keep your USB pen backup untouched.
2. Restore/copy the original AndorraIN from the pen drive back into Thunderbird only when you want to restart the test.
3. In Thunderbird, delete the year you want to test, for example 2024.
4. Empty Thunderbird Trash.
5. Run File > Compact Folders.
6. Close Thunderbird.
7. Delete the old file inside:

C:\ESETTEST

1. Copy the newly changed Thunderbird AndorraIN into:

C:\ESETTEST

1. Scan only:

C:\ESETTEST

How to interpret the result​

If ESET says No threats found after deleting 2024, then the bad email was probably in 2024.
If ESET still finds something, then the bad email is probably in another year, so you continue with the next year.

My recommendation​

Since ESET has already cleaned the test copy and the second scan is clean, I would probably choose Option A unless you really want to identify the exact email.
But if you want to finish your investigation, then yes — continue with AndorraIN only using the C:\ESETTEST method.

Short answer​

Yes, you can continue.
No need to look at AndorraOUT right now.
Use only:
AndorraIN
and test it through:
C:\ESETTEST

 

[qim]

Thank you. I will do that:

C:\ESETTEST\AndorraIN
back into the Thunderbird folder.
5. Open Thunderbird.
6. Check that AndorraIN opens normally.
7. Close Thunderbird.
8. Scan the real Thunderbird AndorraIN again.
This is probably the quickest way to finish.

But the full original AndorraIN is in the pen drive, At the moment, I deleted ALL emails with attachments except for those of 2024

The nest step would be to move the original file back into Thunderbird, but that will messe up with your renaming instructions.

Shall I rename the original AndorraIN folder in the pen sdrive?

 

[ChatGPT]

Hi Qim,
No — do not rename the original AndorraIN on the pen drive.
Leave the pen drive copy exactly as it is. That is your master backup / safety copy.
Also, small correction: AndorraIN is a file, not a folder.

Very important​

If you copy the full original AndorraIN from the pen drive back into Thunderbird now, you will probably bring the detections back again.
So there are two different choices:

Choice 1 — quickest way to finish​

Use the ESET-cleaned copy from:
C:\ESETTEST\AndorraIN
This should make Thunderbird use the cleaned mailbox.

Do this​

1. Close Thunderbird completely.
2. Go to:

C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

1. Rename the current file:

AndorraIN
to:
AndorraIN.BEFORE_CLEAN_COPY

1. Also rename:

AndorraIN.msf
to:
AndorraIN.msf.BEFORE_CLEAN_COPY

1. Go to:

C:\ESETTEST

1. Copy the cleaned file:

AndorraIN

1. Paste it into:

C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

1. Open Thunderbird.
2. Check that the AndorraIN folder opens normally.
3. Close Thunderbird.
4. Scan the real Thunderbird file again with ESET.

Choice 2 — continue investigating the exact year​

If you still want to find exactly where the bad email was, then do not use the cleaned ESET copy yet.
Instead:

1. Keep the pen drive original untouched.
2. Copy the original AndorraIN from the pen drive back into Thunderbird.
3. Delete one year at a time in Thunderbird.
4. Empty Trash.
5. Compact folders.
6. Copy the changed AndorraIN to C:\ESETTEST.
7. Scan C:\ESETTEST.

But this is slower.

My recommendation​

Since ESET has already cleaned the test copy and the test copy now scans clean, I would choose Choice 1.
Just remember: the cleaned file may no longer contain some of the emails you deleted during testing. But your full original remains safe on the pen drive if you ever need it.

Short answer​

Do not rename the pen drive original.
Leave it untouched.
Rename only the AndorraIN file on C: before copying the cleaned C:\ESETTEST\AndorraIN back into Thunderbird.

 

[qim]

Thank you but there is a problem....

The file which is at the moment in Thunderbird and in the ESTTEST is missing all the years from 2016 to 2025 with exception of 2024....

That was the way I was trying to isolate the viruses- My idea what to find the year, then the month, then the day until I found the culprit

In order to continue looking at other years I have to copy the original back into Thunderbird

At least now we know where one virus is and that Thunderbird can clean it

Could I import the 2024 virus back into the Pc, continue looking for the other one with the help pf your ESTTEST tool and clean both viruses at the end and renaming files as you suggest?

 

[ChatGPT]

Hi Qim,
Yes — I understand the problem now.
The current AndorraIN in Thunderbird and in C:\ESETTEST is not the full mailbox. It is your reduced test version, where you deleted all years except 2024.
So yes, if you want to continue finding the other bad email, you need to work again from the full original AndorraIN from the pen drive.
But I would change the wording slightly:
Do not think of it as “importing the virus back.”
Think of it as restoring a controlled test copy of the old mailbox so you can identify and clean it.

Important correction​

ESET cleaned the copy in:
C:\ESETTEST\AndorraIN
It did not prove Thunderbird cleaned it. ESET cleaned the copied mailbox file.
That is still useful.

Best next plan​

Since we know one bad item was probably in 2024, do this:

1. Keep the pen drive original untouched​

Do not rename it.
Do not edit it.
That remains your master backup.

2. Save your current reduced Thunderbird file​

Close Thunderbird.
Go to:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com
Rename the current file:
AndorraIN
to something like:
AndorraIN.2024_TEST_CLEANED
Also rename:
AndorraIN.msf
to:
AndorraIN.msf.2024_TEST_CLEANED
This preserves the cleaned 2024 test version.

3. Copy the full original back from the pen drive​

Copy the original full:
AndorraIN
from the pen drive back into:
C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com
Then open Thunderbird.
Thunderbird should recreate the .msf index if needed.

Then continue testing​

Because 2024 already produced a detection, I would now do this:

4. Delete 2024 first​

In Thunderbird:

1. Open AndorraIN.
2. Delete 2024 emails with attachments.
3. Empty Thunderbird Trash.
4. Run File > Compact Folders.
5. Close Thunderbird.

5. Test with ESETTEST​

1. Empty C:\ESETTEST.
2. Copy the current Thunderbird AndorraIN into C:\ESETTEST.
3. Scan only C:\ESETTEST with ESET.

How to read the result​

If ESET says clean​

Then both detections were probably in 2024.

If ESET still finds one​

Then one bad item was in 2024, and the other is in another year.
Then continue year by year:

1. Restore full original again if needed.
2. Delete 2024 first.
3. Delete 2023.
4. Compact.
5. Scan C:\ESETTEST.
6. If still detected, continue with 2022, 2021, etc.

My recommendation​

Yes, you can continue your investigation, but do it like this:

1. Do not change the pen drive original.
2. Use the Thunderbird copy on C: as the working copy.
3. Use C:\ESETTEST only for scanning.
4. Let ESET clean only the C:\ESETTEST copy, not your master backup.
5. At the end, when you have removed the bad year/messages, keep the cleaned Thunderbird file.

Safety note​

This is still not behaving like an active Windows infection. It is stored inside a Thunderbird mailbox file. Just keep doing what you are doing:
Do not open the suspicious attachments.
Short answer: Yes, restore the full original AndorraIN from the pen drive to Thunderbird, but keep the pen drive original unchanged, and use C:\ESETTEST for the scans.

 

[qim]

In fact, with the ESETTEST tool I can do the whole file in one go and hopefully get ESet to clean it as it did with the 2024 one

 

[ChatGPT]

Yes, Qim — exactly. That is probably the simplest way now.
You can use the C:\ESETTEST method on the whole original AndorraIN file and let ESET try to clean it.

Safest way to do it​

1. Keep the pen drive original untouched​

Do not rename or edit the AndorraIN file on the pen drive.
That remains your master backup.

2. Empty C:\ESETTEST​

1. Open:

C:\ESETTEST

1. Delete the current AndorraIN inside it.

3. Copy the full original from the pen drive​

Copy the full original:
AndorraIN
from the pen drive into:
C:\ESETTEST
So you have:
C:\ESETTEST\AndorraIN

4. Unplug the pen drive​

This avoids ESET also scanning the backup and confusing the result.

5. Scan only C:\ESETTEST​

Run ESET against:
C:\ESETTEST
If ESET finds and resolves the threats, good.

6. Scan C:\ESETTEST again​

Run ESET on C:\ESETTEST a second time.
If it says:
No threats found
then the cleaned C:\ESETTEST\AndorraIN is probably usable.

Then put the cleaned file back into Thunderbird​

Only after the second ESET scan is clean:

1. Close Thunderbird​

Close it completely.

2. Go to the Thunderbird folder​

C:\Users\open1\AppData\Roaming\Thunderbird\Profiles\cricit3s.default\Mail\pop.gmail-1.com

3. Rename the current working file​

Rename:
AndorraIN
to:
AndorraIN.BEFORE_ESET_FULL_CLEAN
Also rename:
AndorraIN.msf
to:
AndorraIN.msf.BEFORE_ESET_FULL_CLEAN

4. Copy the cleaned file back​

Copy:
C:\ESETTEST\AndorraIN
into the Thunderbird folder.

5. Open Thunderbird​

Open Thunderbird and check that AndorraIN opens normally.
Thunderbird should recreate the .msf index file if needed.

Important warning​

If ESET deletes the whole AndorraIN file instead of cleaning it, do not use that result. In that case, keep your pen drive backup and we continue with the year/month method.

My recommendation​

Yes — try the whole-file clean through C:\ESETTEST.
It is quicker than continuing year by year, and you still have the untouched original on the pen drive if anything goes wrong.