1. Check if you have the log file with quarantine info in it.
The log files are located:


If there is no quarantine info on the logs there is still a chance it would be in your TEMP folder. It should start with tmp and look like this:



If you can't locate these logs, then unfortunately the only way to restore is to copy the files manually.

2. Download and unzip http://files.clamwin.com/QRestore1.0.zip Works on Windows XP and above. DISCLAIMER - There is no warranty for this software. USE AT YOUR OWN RISK

3. Run the QRestore.exe and click File-Open and navigate to the log file

4. The program will process the log and show the quarantined files.

5. Check that there is enough space on disk to copy the contents of quarantine folder to the destination. You may highlight files you wish to restore and click File-Restore Selected. If you wish to restore all files then click File-Restore All

6. When the restore process is complete the program will open the report.

Hopefully all your required files are restored to their original locations. Once you are satisfied with the recovery result you may empty the quarantine folder.

If you need to restore files using the log from another machine then QRestore 1.1 can produce a batch file instead of copying. Follow the steps 1-5 and click File-Create Recovery Script. When you see the batch script in the Notepad, be sure to save it as ASCII or Windows will have troubles running Unicode BATCH files.

Download QRestore1.1 here:
http://files.clamwin.com/QRestore1.1.zip

... but the log file is limited to 1MB and only includes details of about a third of the files which were quarantined

is this the only log file or are they archived?

thanks for trying

there is still a chance it would be in your TEMP folder. It should start with tmp and look like this:

Code:
XP: C:\Documents and Settings\user\Local Settings\Temp\tmp0bx8st
Win7 and Vista: C:\Users\user\AppData\Local\Temp\tmp0bx8st

It doesn't work for me. I got a message: not a valid win32 application. I'm running Windows 2000 Terminal Server.
It does run on my XP-machine. Never mind, I already restored the files...

Yes - XP+ only

I need to catch some sleep (UTC +10) and will check the messages in the morning.

program works on sbs 2003 but log file was not full, so it has not restored all of the files so the system is no where near repaired.
It looks like I will have to do a repair install of sbs and try and rebuild it.

Thanks anyway

A lesson has been learnt - there should be no compromise for good security and backup software.

Damn.. If this wasn't free all we'd have to do is get someone to make a boot image we can load onto CD/USB and it has repair scripts..

Perhaps we need to start a collections plate to get someone to program a quick fix?

I'm not even able to boot from my main machine.

We need a solution where no logfiles exists!
I have 2 WebServer 2003 down!
Can somw ne share his logfile? In the hope that most of the files are installed in the same way
my config: server 2003 with IIS, Sql 2005, office 2003
Dont want to talk about other installed software.
That really sucks

Just to try and be a voice of encouragement. I was able to get my files restored using QRestore.exe.

My ClamScanLog.txt did not contain the files list, but I was able to locate the log (on my XP professional machine) in "C:\Documents and Settings\<username>\Local Settings\Temp\" In my case the file was named tmpo_elep and it was 4 meg. This was all in the instructions the moderators/developers had posted, but I just wanted to encourage everyone to keep looking. In my case there were 5 files in this temp folder that matched the format for the name for the log file, but the unimportant ones were only 1KB.

Regarding the QRestore.exe, it appears to copy rather than move the files during restore, and in my case I didn't have enough disk space (I had 6 gig of exe's and dll's on the quarantine folder) to have a second copy of everything.

The QRestore event log that opened up when it completed said that it had run out of space, but you need to scroll down to see that not all of the files had made it. I ended up moving the quarantine folder over to a second hard drive and using the "junction" program (http://technet.microsoft.com/en-us/sysinternals/bb896768.aspx) to create a symbolic link from the original location of the clamwin quarantine folder to the new location on the second hard drive. This freed up enough space to complete the restore.

The log file is in a pretty easy to read format, so pretty much any scripting/command language should be able to parse it. If I had ended up stuck coming in with a boot disk, I am sure that it could have been parsed from a bash script. Thankfully I am up and running again.

Anyway, it reminded me that I am too lazy about my backups. I am still a big fan of Clam. I updated the software and got the new definitions file and am ready for my next nightly scan.

Thanks.

I'm happy the problem was recognized so quickly and that Alch wrote that quick program for a fix. Granted, it isn't perfect (for example, QRestore crashes in Win XP Pro when it can't find a file from the log in .quarantine instead of skipping), but my problem is mostly solved. I just had to alter some shortcuts that were autopathed to the *.infected file locations back to the original exe's.

For future releases, I hope ClamWin's .exe's are excluded from scans by default, and that something like QRestore is included for easy file recovery, such that if something crazy happens, we can restore files without downloading software, using separate computers, manual system recovery, etc.

Is it doing something special that it needs to WinXP or above? I have Win2k with 3500 false positives.

I had temp set to C:\TEMP
I found the file in c:\temp\tmp2dnbxl (no extension) and it's restoring now.
I used a USB stick to save a a copy of that and also to transfer qrestore.
I remember noting the other day when there was a false positive that it would have been nice to have a directory of where the files came from in the quarantine directory.

Thanks!

I hope someone can help. My clamwin went crazy last night. I decided that a few thousand files on my system were infected and renamed and moved them to the quarantine directory. The is no scan log to show me why this happened. Any suggestions how to fix it?? Its particular favorites to quarantine were .exe, .dll, and .loc, amongst others. Thanks. Y.

I have a 2003 server that just got 10,000 files quarantined. Printer drivers, SQL Server you name it. 10,000 files from a terabyte of data. I have no earthly idea where this stuff was. The log is there but there are no entries for this stuff (probably because clamwin quarantined itself)

Telling me to recover manually is ridiculous. This kind of screw up can kill the open source movement

I'm better off with a virus