Quick scan shows a threat, full and offline scans do not?

Hi D9999_037

Thank you for posting in Microsoft Community.

It seems like the Trojan threat was detected during the quick scan but not during the full and offline scans. Since the quarantine failed, the threat may not have been completely remediated.

To address this issue, you can take the following steps:

>Manually Locate & Delete the File

Since the detected file is in Firefox’s storage folder, try deleting it manually:

Open File Explorer and navigate to:

C:\Users\anes1\AppData\Roaming\Mozilla\Firefox\Profiles\l05f4g6l.default-release\storage\default\

Locate the moz-extension+++43e6cbab-5589-48db-88d5-6de15d0eb29d folder.

Delete the entire folder (or at least the idb subfolder).

Restart your PC and run another scan.

> Clear Browser Cache & Extensions

Since the threat is linked to a Firefox extension, clearing cache and removing suspicious extensions can help:

Open Firefox and go to Settings > Privacy & Security.

Scroll down to Cookies and Site Data and click Clear Data.

Go to Add-ons & Extensions (Ctrl + Shift + A) and remove any unknown or suspicious extensions.

> Run Windows Defender in Safe Mode

If the malware is actively running, it may evade detection during normal scans:

Restart your PC while holding Shift.

Go to Troubleshoot > Advanced Options > Startup Settings.

Select Safe Mode with Networking.

Run a full scan in Windows Defender.

> Use Microsoft Safety Scanner

Microsoft offers a deep-scan tool that can detect hidden threats:

Download Microsoft Safety Scanner.

Run a full scan and remove any detected threats.

> Reset Windows Defender Detection History

Sometimes, Windows Defender keeps showing past threats even after removal:

Open File Explorer and navigate to:

C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service

Delete the DetectionHistory folder.

Restart your PC.

> Perform Repair in-place upgrade: This will reinstall your Operating System and will keep your files and apps. This will take some time depending on the computer performance and internet speed. You can follow the steps from this link: How to perform repair upgrade in Windows 11 - Microsoft Community

Please let me know if this helps.

Best Regards,

Lonex P.

Microsoft Moderator

Hi D9999_037

Thank you for your reply.

However, if a Trojan was previously detected—even a slightly different variant—it’s worth taking a few extra precautions to ensure your system is fully secure:

Run a Full Scan: Open Windows Security → Virus & Threat Protection → Full Scan (not just Quick Scan). This ensures deeper analysis.

Perform a Microsoft Defender Offline Scan: This scan runs before Windows boots and can detect hidden threats. Find it in the same Windows Security settings under Scan options.

Check for Unusual Activity:

Open Task Manager (Ctrl + Shift + Esc) and check for unknown processes consuming CPU or memory.

Review startup programs (Win + R, type msconfig, and check the Startup tab).

Inspect Your Network Traffic:

Open Command Prompt (Win + R, type cmd) and run netstat -ano to look for suspicious external connections.

If unfamiliar IPs are present, you may want to investigate further.

Update Everything:

Ensure Windows Updates and all drivers are current (Settings > Windows Update).

If you use browsers or third-party apps, update them to patch any vulnerabilities.

It is also best to perform the Repair in-place upgrade.

Best Regards,

Lonex P.

Microsoft Moderator

Thank you for your help again :)

I have not done a repair in place.

On 5/2 Windows defender was able to block and remove a very slightly different issue (Trojan:Win32/Nibtse.c!tsk) the "." between s and c is new compared to the old issue but all my current scans show no issues. Would you still recommend taking additional action?

Thank you

Hi D9999_037

Thank you for your reply.

May I know if you have performed the Repair in-place upgrade?

When Windows Security isn’t accessible in safe mode and shows that message, it’s typically because some components of Windows Defender are intentionally disabled or limited in that mode. Safe mode loads a minimal set of services, and the Windows Security app (a UWP application) may not have full functionality or access to all telemetry it normally uses when Windows is running normally. This is a known limitation—even though it’s not ideal for troubleshooting malware issues.

What This Means for You:

The error "Your IT administrator has limited access to some areas of this app…" is most likely a consequence of safe mode’s limited environment rather than an actual policy or external restriction.

If you’re unable to access Windows Security’s GUI, that doesn’t necessarily mean the underlying Windows Defender engine isn’t working at all; it’s just not exposing the full interface in safe mode.

Workarounds and Next Steps:

> Use PowerShell to Trigger a Scan: You can try running Windows Defender’s scanning engine directly from an elevated PowerShell prompt in safe mode, bypassing the app’s UI. For example:

powershell

Start-MpScan -ScanType FullScan

This command should initiate a full scan even if the Windows Security app isn’t displaying its interface. After the scan, you can review the results through the command line or check the Defender logs.

> Scan in Normal Mode: Although you have issues with the screen during normal mode, if possible you might try to initiate a scan remotely or use another method (for example, remote management tools) to trigger Windows Defender scanning. Alternatively, if you can use one of your test accounts (assuming it boots normally through remote access or similar), that might let you run the Windows Security app properly.

>Temporarily Ignore the Safe Mode Scan Limitation: If none of the above workarounds are viable and you’re confident that your full and offline scans (run from normal mode or advanced boot options) have come up clean, you can consider moving forward without a safe mode scan. However, remain cautious if the initial quick scan did indeed find a threat.

In short, the inability to access the Windows Security interface in safe mode is a limitation of the safe mode environment—not necessarily an indication that the threat is unresolved. I’d recommend either using PowerShell’s command-line scan or a reputable third-party scanner in safe mode for verification, or, if feasible, perform your scan outside of safe mode when the system is less restricted.

Please let me know if this works

Best Regards,

Lonex P.

Microsoft Moderator

Thanks so much!

I've gone through mostly in order of the steps you suggested. I'm at the 'run in safe mode' step.

Beyond some difficulty getting my computer to run in safe mode (the screen went back to the brand loading screen and I had to type in my bitlocker access code without really being able to see it) when I tried to open windows security the computer said

"

Page not available

Your IT administrator has limited access to some areas of this app, and the item you tried to access is not available. Contact IT helpdesk for more information.

"

Do you know a workaround or should I just ignore the safemode step?

Thanks again