ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
How to recover quarantined files if you have the logs
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Reply with quote
1. Check if you have the log file with quarantine info in it.
The log files are located:
Code:
Win7 and Vista: C:\Users\All Users\.clamwin\log\ClamScanLog.txt
XP: C:\Documents and Settings\All Users\.clamwin\log\ClamScanLog.txt


If there is no quarantine info on the logs there is still a chance it would be in your TEMP folder. It should start with tmp and look like this:

Code:
XP: C:\Documents and Settings\user\Local Settings\Temp\tmp0bx8st
Win7 and Vista: C:\Users\user\AppData\Local\Temp\tmp0bx8st


If you can't locate these logs, then unfortunately the only way to restore is to copy the files manually.

2. Download and unzip http://files.clamwin.com/QRestore1.0.zip Works on Windows XP and above. DISCLAIMER - There is no warranty for this software. USE AT YOUR OWN RISK

3. Run the QRestore.exe and click File-Open and navigate to the log file

4. The program will process the log and show the quarantined files.

5. Check that there is enough space on disk to copy the contents of quarantine folder to the destination. You may highlight files you wish to restore and click File-Restore Selected. If you wish to restore all files then click File-Restore All

6. When the restore process is complete the program will open the report.

Hopefully all your required files are restored to their original locations. Once you are satisfied with the recovery result you may empty the quarantine folder.

If you need to restore files using the log from another machine then QRestore 1.1 can produce a batch file instead of copying. Follow the steps 1-5 and click File-Create Recovery Script. When you see the batch script in the Notepad, be sure to save it as ASCII or Windows will have troubles running Unicode BATCH files.

Download QRestore1.1 here:
http://files.clamwin.com/QRestore1.1.zip


Last edited by alch on Tue Nov 30, 2010 4:32 pm; edited 9 times in total
View user's profileSend private message
looks like it would have worked...
kevinowen


Joined: 19 Nov 2010
Posts: 0
Reply with quote
... but the log file is limited to 1MB and only includes details of about a third of the files which were quarantined Sad

is this the only log file or are they archived?

thanks for trying
View user's profileSend private message
Re: looks like it would have worked...
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Reply with quote
kevinowen wrote:
... but the log file is limited to 1MB and only includes details of about a third of the files which were quarantined Sad

is this the only log file or are they archived?

thanks for trying


there is still a chance it would be in your TEMP folder. It should start with tmp and look like this:

Code:
XP: C:\Documents and Settings\user\Local Settings\Temp\tmp0bx8st
Win7 and Vista: C:\Users\user\AppData\Local\Temp\tmp0bx8st
View user's profileSend private message
Administrator


Joined: 19 Nov 2010
Posts: 0
Reply with quote
It doesn't work for me. I got a message: not a valid win32 application. I'm running Windows 2000 Terminal Server.
It does run on my XP-machine. Never mind, I already restored the files...
View user's profileSend private message
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Reply with quote
Administrator wrote:
It doesn't work for me. I got a message: not a valid win32 application. I'm running Windows 2000 Terminal Server.
It does run on my XP-machine. Never mind, I already restored the files...


Yes - XP+ only
View user's profileSend private message
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Reply with quote
I need to catch some sleep (UTC +10) and will check the messages in the morning.
View user's profileSend private message
jasonw


Joined: 19 Nov 2010
Posts: 0
Location: London
Reply with quote
program works on sbs 2003 but log file was not full, so it has not restored all of the files so the system is no where near repaired.
It looks like I will have to do a repair install of sbs and try and rebuild it.

Thanks anyway

A lesson has been learnt - there should be no compromise for good security and backup software.
View user's profileSend private message
ChrisRich


Joined: 19 Nov 2010
Posts: 0
Reply with quote
Damn.. If this wasn't free all we'd have to do is get someone to make a boot image we can load onto CD/USB and it has repair scripts..

Perhaps we need to start a collections plate to get someone to program a quick fix?

I'm not even able to boot from my main machine.
View user's profileSend private message
AlexS


Joined: 19 Nov 2010
Posts: 0
Reply with quote
We need a solution where no logfiles exists!
I have 2 WebServer 2003 down!
Can somw ne share his logfile? In the hope that most of the files are installed in the same way
my config: server 2003 with IIS, Sql 2005, office 2003
Dont want to talk about other installed software.
That really sucks
View user's profileSend private message
gingda


Joined: 19 Nov 2010
Posts: 0
Reply with quote
Just to try and be a voice of encouragement. I was able to get my files restored using QRestore.exe.

My ClamScanLog.txt did not contain the files list, but I was able to locate the log (on my XP professional machine) in "C:\Documents and Settings\<username>\Local Settings\Temp\" In my case the file was named tmpo_elep and it was 4 meg. This was all in the instructions the moderators/developers had posted, but I just wanted to encourage everyone to keep looking. In my case there were 5 files in this temp folder that matched the format for the name for the log file, but the unimportant ones were only 1KB.

Regarding the QRestore.exe, it appears to copy rather than move the files during restore, and in my case I didn't have enough disk space (I had 6 gig of exe's and dll's on the quarantine folder) to have a second copy of everything.

The QRestore event log that opened up when it completed said that it had run out of space, but you need to scroll down to see that not all of the files had made it. I ended up moving the quarantine folder over to a second hard drive and using the "junction" program (http://technet.microsoft.com/en-us/sysinternals/bb896768.aspx) to create a symbolic link from the original location of the clamwin quarantine folder to the new location on the second hard drive. This freed up enough space to complete the restore.

The log file is in a pretty easy to read format, so pretty much any scripting/command language should be able to parse it. If I had ended up stuck coming in with a boot disk, I am sure that it could have been parsed from a bash script. Thankfully I am up and running again.

Anyway, it reminded me that I am too lazy about my backups. Smile I am still a big fan of Clam. I updated the software and got the new definitions file and am ready for my next nightly scan.

Thanks.
View user's profileSend private message
IceBlake


Joined: 19 Nov 2010
Posts: 0
Reply with quote
I'm happy the problem was recognized so quickly and that Alch wrote that quick program for a fix. Granted, it isn't perfect (for example, QRestore crashes in Win XP Pro when it can't find a file from the log in .quarantine instead of skipping), but my problem is mostly solved. I just had to alter some shortcuts that were autopathed to the *.infected file locations back to the original exe's.

For future releases, I hope ClamWin's .exe's are excluded from scans by default, and that something like QRestore is included for easy file recovery, such that if something crazy happens, we can restore files without downloading software, using separate computers, manual system recovery, etc.
View user's profileSend private message
beui


Joined: 19 Nov 2010
Posts: 0
Reply with quote
Is it doing something special that it needs to WinXP or above? I have Win2k with 3500 false positives.
View user's profileSend private message
happyguy


Joined: 19 Nov 2010
Posts: 0
Reply with quote
I had temp set to C:\TEMP
I found the file in c:\temp\tmp2dnbxl (no extension) and it's restoring now.
I used a USB stick to save a a copy of that and also to transfer qrestore.
I remember noting the other day when there was a false positive that it would have been nice to have a directory of where the files came from in the quarantine directory.

Thanks!
View user's profileSend private message
Clamwin went crazy
YYCSTEVE


Joined: 19 Nov 2010
Posts: 0
Reply with quote
I hope someone can help. My clamwin went crazy last night. I decided that a few thousand files on my system were infected and renamed and moved them to the quarantine directory. The is no scan log to show me why this happened. Any suggestions how to fix it?? Its particular favorites to quarantine were .exe, .dll, and .loc, amongst others. Thanks. Y.
View user's profileSend private message
Mistaken quarantine files
lcole


Joined: 19 Nov 2010
Posts: 0
Reply with quote
I have a 2003 server that just got 10,000 files quarantined. Printer drivers, SQL Server you name it. 10,000 files from a terabyte of data. I have no earthly idea where this stuff was. The log is there but there are no entries for this stuff (probably because clamwin quarantined itself)

Telling me to recover manually is ridiculous. This kind of screw up can kill the open source movement

I'm better off with a virus
View user's profileSend private message
How to recover quarantined files if you have the logs
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 3  

  
  
 Reply to topic