Restoring files from Avast quarantine

Anupam · 18. Dec 2010, 10:10 AM

My friend's PC recently got infected with the Win32/Ramnit virus. It came from an infected pen drive(SIGH!), and it soon spread all over the system. It affects the HTML files by injecting some code, and also the exe and dll files. Avast caught the HTML files, and some of the exes, and quarantined them.

I had scanned the PC with Norman Malware Cleaner, and it has the ability to repair the infected files by Ramnit virus. I am actually finding Norman Malware Cleaner a very useful tool. I had used it last time too, when my cousin's PC got infected. The biggest advantage I see is that it is able to repair the files, rather than delete, or quarantine them.

I had scanned the PC with Kaspersky Rescue CD, but it quarantined the infected files, which contained exes, and dlls, of important programs. That is not of much use, because I want to be able to remove the infection, yet retain the installed programs.

So, what I want is that... I want to restore the quarantined items in Avast to their original location, and then scan the PC with Norman Malware Cleaner, so that these infected files are repaired. Although I have read on the internet, that once a PC gets infected with Ramnit, there is no solution. A format is the only way to be sure that the virus has been gotten rid of. Otherwise, there is always a chance of infection remaining. Its a dangerous virus. Still, I want to try and see, if I can remove the infection, since Norman is able to repair the files.

But, I have seen that its difficult to restore files from Avast once they have been quarantined. I have observed this in the past too, when a false positive was quarantined. When I right click file, and click on restore, the file appears in the original place, but still does not get removed from the quarantine list of Avast. And so the program does not work.

So, anyone knows how to restore files from Avast's quarantine successfully?

If I uninstall Avast, will the files in the quarantined be restored, or deleted?

MidnightCowboy · 18. Dec 2010, 10:29 AM

Whatever the situation with Avast! IMO you are about to embark on a pretty fruitless exercise.

As I understand it this virus requires some manual editing of the Windows registry before and in addition to the steps you subsequently take with a malware removal program.

I would just reformat

Anupam · 18. Dec 2010, 10:34 AM

Yes, I know reformat is the last option, and I will have to that route ultimately. But, I still want to try things, and I want to learn. Everytime I have removed infection from PCs, I have learnt something. I want to gain some positives from this too.

I wanted to know how to restore items from Avast's quarantine list anyways.

MidnightCowboy · 18. Dec 2010, 10:57 AM

I applaud your dedication and enthusiasm but suggest it's the machine owners who need to be learning more from this than you

Anupam · 18. Dec 2010, 12:17 PM

Yea, I know. I actually had vaccinated the pen drive he has with Panda USB Vaccine. If he had used that pen drive, he would have been safe. But, I learned that he had used another pen drive(don't know where it came from), to transfer stuff. And that's how the PC became infected.

I plan to teach him to use Wondershare TimeFreeze to check on USB sticks, once this is over.

Another big problem is that his new hard disk is failing too. That is creating problems with the virus removal.

bo.elam · 18. Dec 2010, 02:08 PM

Quote:

Originally Posted by Anupam

But, I have seen that its difficult to restore files from Avast once they have been quarantined. I have observed this in the past too, when a false positive was quarantined. When I right click file, and click on restore, the file appears in the original place, but still does not get removed from the quarantine list of Avast. And so the program does not work.

So, anyone knows how to restore files from Avast's quarantine successfully?

If I uninstall Avast, will the files in the quarantined be restored, or deleted?

You have already restored the file to the original location, what remains in
quarantine is a copy which can be deleted. Avast is not the only AV that
does that, Avira9 also did it. You can uninstall Avast and it wont affect that
file because you have restored it already. The program not working anymore
probably means that the virus damaged it.
Maybe you want to try this tool from Norton.
http://security.symantec.com/nbrt/np...1033&show=beta

Bo

Anupam · 20. Dec 2010, 09:38 AM

Thanks a lot Bo, for the information... it helped. I wonder why would Avast and Avira keep a copy of the files in the quarantine.

Anyways, I think my strategy worked. I booted the PC in Safe Mode, and I restored all files from Avast quarantine. Then, I scanned the PC with Norman Malware Cleaner. It deleted the infected HTML files that it found, and repaired the dll, and the exe files. So, I think it has been able to repair and remove the infection. I am very impressed by Norman Malware Cleaner I must say.

I then scanned the PC with other scanners, like Dr. Web Live CD. It found some infected HTML files, which I think Norman missed. I deleted those files.

I scanned the PC with MBAM, and SAS, and they both found nothing.

I repeated the scan with Norman Malware Cleaner 2-3 times, just to make sure the infection was not returning. It did not find anything in these scans.

I scanned the PC with Microsoft Malware Remover, and it did not find anything.

Currently scanning the PC with Kaspersky Rescue CD, and I think it will come up clean too.

So, I think I have succeeded in my plan in dealing with the virus. Although, one installed program does not work, and has to be reinstalled, but the rest looks OK. The PC is not connected to the internet, and so its not going to be a problem if the infection is still remaining. If anything surfaces again, I will format the PC.

I would suggest anyone with an infected PC to first give Norman Malware Cleaner a try. I am very impressed with it... particularly because it can repair the infection, a thing which I find lacking in other antimalware software.

torres-no-tan-magnifico · 20. Dec 2010, 11:55 AM

Hi Anupam,

Just visited the Norman site: http://www.norman.com/products/en

However, I couldn't see Norman Malware Cleaner listed on the site; is the aforemantioned the correct name?

Anupam · 20. Dec 2010, 12:35 PM

You can find it here :

http://www.norman.com/support/suppor...lware_cleaner/

It is also available on other download sites like MajorGeeks.

jim · 20. Dec 2010, 01:19 PM

I downloaded and tried it today. Took just over an hour to check my main C drive (650gb). Beware though, it deleted a couple of files without asking me. They were very old ones that I had forgotten about and didn't need so it doesn't matter but I don't think they were infected as it thought.

18. Dec 2010, 10:10 AM	#1 (permalink)
Anupam Moderator Join Date: Jul 2008 Location: India Posts: 9,484	Restoring files from Avast quarantine My friend's PC recently got infected with the Win32/Ramnit virus. It came from an infected pen drive(SIGH!), and it soon spread all over the system. It affects the HTML files by injecting some code, and also the exe and dll files. Avast caught the HTML files, and some of the exes, and quarantined them. I had scanned the PC with Norman Malware Cleaner, and it has the ability to repair the infected files by Ramnit virus. I am actually finding Norman Malware Cleaner a very useful tool. I had used it last time too, when my cousin's PC got infected. The biggest advantage I see is that it is able to repair the files, rather than delete, or quarantine them. I had scanned the PC with Kaspersky Rescue CD, but it quarantined the infected files, which contained exes, and dlls, of important programs. That is not of much use, because I want to be able to remove the infection, yet retain the installed programs. So, what I want is that... I want to restore the quarantined items in Avast to their original location, and then scan the PC with Norman Malware Cleaner, so that these infected files are repaired. Although I have read on the internet, that once a PC gets infected with Ramnit, there is no solution. A format is the only way to be sure that the virus has been gotten rid of. Otherwise, there is always a chance of infection remaining. Its a dangerous virus. Still, I want to try and see, if I can remove the infection, since Norman is able to repair the files. But, I have seen that its difficult to restore files from Avast once they have been quarantined. I have observed this in the past too, when a false positive was quarantined. When I right click file, and click on restore, the file appears in the original place, but still does not get removed from the quarantine list of Avast. And so the program does not work. So, anyone knows how to restore files from Avast's quarantine successfully? If I uninstall Avast, will the files in the quarantined be restored, or deleted? __________________ Anupam

18. Dec 2010, 10:29 AM	#2 (permalink)
MidnightCowboy Site Manager Join Date: Aug 2008 Location: South American Banana Republic, third bunch from the left Posts: 9,250	Whatever the situation with Avast! IMO you are about to embark on a pretty fruitless exercise. As I understand it this virus requires some manual editing of the Windows registry before and in addition to the steps you subsequently take with a malware removal program. I would just reformat __________________ Knows nothing and cares even less

18. Dec 2010, 10:34 AM	#3 (permalink)
Anupam Moderator Join Date: Jul 2008 Location: India Posts: 9,484	Yes, I know reformat is the last option, and I will have to that route ultimately. But, I still want to try things, and I want to learn. Everytime I have removed infection from PCs, I have learnt something. I want to gain some positives from this too. I wanted to know how to restore items from Avast's quarantine list anyways. __________________ Anupam

18. Dec 2010, 10:57 AM	#4 (permalink)
MidnightCowboy Site Manager Join Date: Aug 2008 Location: South American Banana Republic, third bunch from the left Posts: 9,250	I applaud your dedication and enthusiasm but suggest it's the machine owners who need to be learning more from this than you __________________ Knows nothing and cares even less

18. Dec 2010, 12:17 PM	#5 (permalink)
Anupam Moderator Join Date: Jul 2008 Location: India Posts: 9,484	Yea, I know. I actually had vaccinated the pen drive he has with Panda USB Vaccine. If he had used that pen drive, he would have been safe. But, I learned that he had used another pen drive(don't know where it came from), to transfer stuff. And that's how the PC became infected. I plan to teach him to use Wondershare TimeFreeze to check on USB sticks, once this is over. Another big problem is that his new hard disk is failing too. That is creating problems with the virus removal. __________________ Anupam

20. Dec 2010, 09:38 AM	#7 (permalink)
Anupam Moderator Join Date: Jul 2008 Location: India Posts: 9,484	Thanks a lot Bo, for the information... it helped. I wonder why would Avast and Avira keep a copy of the files in the quarantine. Anyways, I think my strategy worked. I booted the PC in Safe Mode, and I restored all files from Avast quarantine. Then, I scanned the PC with Norman Malware Cleaner. It deleted the infected HTML files that it found, and repaired the dll, and the exe files. So, I think it has been able to repair and remove the infection. I am very impressed by Norman Malware Cleaner I must say. I then scanned the PC with other scanners, like Dr. Web Live CD. It found some infected HTML files, which I think Norman missed. I deleted those files. I scanned the PC with MBAM, and SAS, and they both found nothing. I repeated the scan with Norman Malware Cleaner 2-3 times, just to make sure the infection was not returning. It did not find anything in these scans. I scanned the PC with Microsoft Malware Remover, and it did not find anything. Currently scanning the PC with Kaspersky Rescue CD, and I think it will come up clean too. So, I think I have succeeded in my plan in dealing with the virus. Although, one installed program does not work, and has to be reinstalled, but the rest looks OK. The PC is not connected to the internet, and so its not going to be a problem if the infection is still remaining. If anything surfaces again, I will format the PC. I would suggest anyone with an infected PC to first give Norman Malware Cleaner a try. I am very impressed with it... particularly because it can repair the infection, a thing which I find lacking in other antimalware software. __________________ Anupam

20. Dec 2010, 11:55 AM	#8 (permalink)
torres-no-tan-magnifico Copy Editor Join Date: Sep 2009 Posts: 622	Hi Anupam, Just visited the Norman site: http://www.norman.com/products/en However, I couldn't see Norman Malware Cleaner listed on the site; is the aforemantioned the correct name? __________________ Torres-no-tan-magnifico

20. Dec 2010, 12:35 PM	#9 (permalink)
Anupam Moderator Join Date: Jul 2008 Location: India Posts: 9,484	You can find it here : http://www.norman.com/support/suppor...lware_cleaner/ It is also available on other download sites like MajorGeeks. __________________ Anupam

20. Dec 2010, 01:19 PM	#10 (permalink)
jim Moderator Join Date: Apr 2008 Location: near Ashford Kent England Posts: 304	I downloaded and tried it today. Took just over an hour to check my main C drive (650gb). Beware though, it deleted a couple of files without asking me. They were very old ones that I had forgotten about and didn't need so it doesn't matter but I don't think they were infected as it thought.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode