Quarantined File Disappeared From The Manager
Berry Spitsberg
I recently went to remove a mobile device from quarantined devices, and I couldn't find this management page in the new Exchange Admin Center. I had to go to the classic Exchange Admin Center to view the mobile device quarantine. I opened a case with support, and they said the only other way this can be done is via Powershell.
I finally understand that I need to add exclusions before trying to restore. I added the folder of the file path to the exclusion list and tried to restore again.
But this doesn't work, the file is still deleted. And there is no such file in the quarantine area.
I don't know where I can retrieve my files. I am pretty sure this is not a Trojan file.
Thank you for your answer.
After the file has been deleted to the quarantine area several times, the file cannot be found in the quarantine area now. How can I retrieve my files?
Will KIS delete the file permanently after quarantining the same file multiple times?
Your answer has made me understand how to set the whitelist correctly.
But the files previously quarantined by KIS have disappeared.
The KIS log shows that the file was quarantined after the backup was created, but I did not see it in the quarantine area.
The file size is less than 500KB.
Quarantined items remain in quarantine even after uninstall. If you did a clean uninstall using the MB-Clean.exe tool then the quarantined items would have been removed/deleted. The only way a previously quarantined item gets restored is if you visit the Quarantine tab in Malwarebytes and deliberately restore the item yourself.
By the way, there was a false positive recently that has since been corrected. If the item detected was called Trojan.ServStart and the file detected was C:\WINDOWS\SYSTEM32\WERFAULT.EXE then this was a false positive and the file is actually safe so you should restore it from Quarantine if you can. If you no longer have the file in Quarantine you can download a copy of the file from this post and replace it as instructed in that post (unzip it and put it back into C:\Windows\System32).
Oh I think it might have been that file! Thank you for bringing it up! Because I did a sfc scan after that item was quarantined, and it seems my WerFault.exe file became corrupted. That's why I thought maybe my computer was not clean...
What version of Windows are you running? The file I linked you to was for Windows 7 x64 Service Pack 1 (I assume fully patched). If you're using a different version of Windows that would explain why SFC is reporting the file as being corrupt because the file info wouldn't match what it should be for your operating system.
So, I tried restarting my computer, and I noticed that startup was a bit slow. There was also a popup asking me to allow WerFault.exe to run, but it said "unknown publisher". I tried clicking on Run anyway, and while my computer did continue to load in, it froze soon after that.
So I restarted my computer again, the popup came up again, I clicked Cancel instead of Run, and now my computer did not freeze. But the WerFault.exe file is still corrupted. Should I be worried..? Is there something on my computer that is preventing the WerFault.exe file to run properly..?
Hmm, it sounds like the copy of the file you have is broken somehow. Go ahead and re-download the file from the link I posted above, save it to your desktop, extract the file from the ZIP folder to your desktop, right-click on the file and select Properties and then click the Unblock button if present then click Apply and then OK, then delete the file that is in C:\Windows\System32 and move the file you extracted from your desktop to C:\Windows\System32 and see if that fixes it or not.
So I restored my old file from the Recycle Bin, replacing the one that you told me to move into that folder. Then I restarted my computer, and the popup came up again during startup. I clicked on Cancel, and the computer still froze.
If it still isn't, then please copy the file to your desktop from C:\Windows\System32 again and right-click on it and hover your mouse over Send to and select Compressed (zipped) folder then attach the ZIP file you just created on your desktop to your next reply so that I can have a look at the file to try and determine what the problem is.
I can get into Safe Mode, but once there, all I see is a black screen with the words "Safe Mode" in the four corners of the screen. There is no Start button or anything. I wonder if this is due to an incorrect screen resolution, because the login screen looked really zoomed in, but I have no idea how to fix the screen resolution in Safe Mode. So I don't know how to open the System32 folder in Safe Mode..
OK, if you click Show processes from all users then open that Create New Task dialog window, check the box next to Create this task with administrative privileges then use the Browse button, you can browse to the locations mentioned and you should be able to at least get a copy of the file onto your desktop from System32 (be sure to click the drop-down menu on the bottom of the browse dialog where it says Programs and select All files). I don't know if you'll be able to zip the file there, but you can at least get to the file and see its properties and click that Unblock button as mentioned earlier.
I've also attached a copy of the file from my own system here (also Windows 7 x64 SP1) and perhaps it will work for you. By the way, if you have a web browser other than Internet Explorer, I'd suggesting using it as the entire reason the file ends up with that Unblock button is because its metadata gets altered by IE whenever a file is downloaded from the internet through IE. Other web browsers do not do this. I could also try emailing you the file if you believe that might be easier for you; just send me a private message here on the forums with your email address (don't post it here in public as we don't want any spambots getting it) and I can send it to you that way if you wish.
7fc3f7cf58