Viola

What happens to quarantined items after uninstall?

I recently uninstalled Malwarebytes 3, but a few days before that, I did a Threat Scan and it found a threat (called Trojan-something...) so I quarantined it.

Then I forgot about it, and uninstalled Malwarebytes 3, and re-installed it. I did another Threat Scan and no threats were detected.

So my question is, what happened to that quarantined threat when I uninstalled Malwarebytes?

Did it get un-quarantined? Is it now hiding somewhere deep in my computer?

Or was it safely removed along with my previous installation of Malwarebytes?

Is my computer really clean now?

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Farbar Recovery Scan Tool (FRST)
    1. Download FRST and save it to your desktop
      Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
    3. Press the "Scan" button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
  • MB-Check
    1. Download MB-Check and save to your desktop
    2. Double-click to run MB-Check and within a few seconds the command window will open, press "Enter" to accept the EULA then click "OK"
    3. This will produce one log file on your desktop: mb-check-results.zip
      • This file will include the FRST logs generated from the previous set of instructions
      • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Quarantined items remain in quarantine even after uninstall.  If you did a clean uninstall using the MB-Clean.exe tool then the quarantined items would have been removed/deleted.  The only way a previously quarantined item gets restored is if you visit the Quarantine tab in Malwarebytes and deliberately restore the item yourself.

2 minutes ago, exile360 said:

Quarantined items remain in quarantine even after uninstall.  If you did a clean uninstall using the MB-Clean.exe tool then the quarantined items would have been removed/deleted.  The only way a previously quarantined item gets restored is if you visit the Quarantine tab in Malwarebytes and deliberately restore the item yourself.

I understand. Thank you for your fast reply!

You're welcome :)

By the way, there was a false positive recently that has since been corrected.  If the item detected was called Trojan.ServStart and the file detected was C:\WINDOWS\SYSTEM32\WERFAULT.EXE then this was a false positive and the file is actually safe so you should restore it from Quarantine if you can.  If you no longer have the file in Quarantine you can download a copy of the file from this post and replace it as instructed in that post (unzip it and put it back into C:\Windows\System32).

On 3/15/2018 at 6:58 PM, exile360 said:

You're welcome :)

By the way, there was a false positive recently that has since been corrected.  If the item detected was called Trojan.ServStart and the file detected was C:\WINDOWS\SYSTEM32\WERFAULT.EXE then this was a false positive and the file is actually safe so you should restore it from Quarantine if you can.  If you no longer have the file in Quarantine you can download a copy of the file from this post and replace it as instructed in that post (unzip it and put it back into C:\Windows\System32).

Oh I think it might have been that file! Thank you for bringing it up! Because I did a sfc scan after that item was quarantined, and it seems my WerFault.exe file became corrupted. That's why I thought maybe my computer was not clean...

But even after I extracted the file from the post you linked to that folder, and I did another sfc scan, that file was still not repaired. Would you happen to know what I might be doing wrong?

What version of Windows are you running?  The file I linked you to was for Windows 7 x64 Service Pack 1 (I assume fully patched).  If you're using a different version of Windows that would explain why SFC is reporting the file as being corrupt because the file info wouldn't match what it should be for your operating system.

23 hours ago, exile360 said:

What version of Windows are you running?  The file I linked you to was for Windows 7 x64 Service Pack 1 (I assume fully patched).  If you're using a different version of Windows that would explain why SFC is reporting the file as being corrupt because the file info wouldn't match what it should be for your operating system.

I am running Windows 7 x64 SP1, with the most current Windows updates.

So, I tried restarting my computer, and I noticed that startup was a bit slow. There was also a popup asking me to allow WerFault.exe to run, but it said "unknown publisher". I tried clicking on Run anyway, and while my computer did continue to load in, it froze soon after that.

So I restarted my computer again, the popup came up again, I clicked Cancel instead of Run, and now my computer did not freeze. But the WerFault.exe file is still corrupted. Should I be worried..? Is there something on my computer that is preventing the WerFault.exe file to run properly..?

Hmm, it sounds like the copy of the file you have is broken somehow.  Go ahead and re-download the file from the link I posted above, save it to your desktop, extract the file from the ZIP folder to your desktop, right-click on the file and select Properties and then click the Unblock button if present then click Apply and then OK, then delete the file that is in C:\Windows\System32 and move the file you extracted from your desktop to C:\Windows\System32 and see if that fixes it or not.

On 3/15/2018 at 6:58 PM, exile360 said:

You're welcome :)

By the way, there was a false positive recently that has since been corrected.  If the item detected was called Trojan.ServStart and the file detected was C:\WINDOWS\SYSTEM32\WERFAULT.EXE then this was a false positive and the file is actually safe so you should restore it from Quarantine if you can.  If you no longer have the file in Quarantine you can download a copy of the file from this post and replace it as instructed in that post (unzip it and put it back into C:\Windows\System32).

Thanks exile360 for this information because my Mom got hit with the FP and I told her to leave it quarantined until I had a chance to get over and check it out. Saves me a whole lot of time.

Regards,

Hardhead

19 hours ago, exile360 said:

Hmm, it sounds like the copy of the file you have is broken somehow.  Go ahead and re-download the file from the link I posted above, save it to your desktop, extract the file from the ZIP folder to your desktop, right-click on the file and select Properties and then click the Unblock button if present then click Apply and then OK, then delete the file that is in C:\Windows\System32 and move the file you extracted from your desktop to C:\Windows\System32 and see if that fixes it or not.

Ok, I followed your instructions step-by-step, but that did not fix it. After I unblocked it and restarted my computer, my computer froze again.

So I restored my old file from the Recycle Bin, replacing the one that you told me to move into that folder. Then I restarted my computer, and the popup came up again during startup. I clicked on Cancel, and the computer still froze.

I feel lucky that I am finally able to reply back to you... ; - ;

Yikes, yeah, that's not good, but I'm sure that we can fix it.

Please do the following:

You should either print or save these instructions because in Safe Mode you don't have internet access.

Boot into Safe Mode:

  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with the Windows Advanced Boot Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

You should then be presented with the Windows Login screen.  Log in to Windows.  Close the help file that is displayed onscreen after logon.

Next, open C:\Windows\System32 and right-click on the werfault.exe file and choose Copy then right-click on the desktop and click Paste, then right-click on the file you just pasted onto the desktop and select Properties and if there is once again an Unblock button present at the bottom, click it, then click Apply then OK. Once that is done, delete the copy that remains in C:\Windows\System32 and place the file on the desktop into C:\Windows\System32 then restart the system and allow it to start normally, and hopefully this time the issue will be fixed.

If it still isn't, then please copy the file to your desktop from C:\Windows\System32 again and right-click on it and hover your mouse over Send to and select Compressed (zipped) folder then attach the ZIP file you just created on your desktop to your next reply so that I can have a look at the file to try and determine what the problem is.

Thanks

16 hours ago, exile360 said:

Yikes, yeah, that's not good, but I'm sure that we can fix it.

Please do the following:

I can get into Safe Mode, but once there, all I see is a black screen with the words "Safe Mode" in the four corners of the screen. There is no Start button or anything. I wonder if this is due to an incorrect screen resolution, because the login screen looked really zoomed in, but I have no idea how to fix the screen resolution in Safe Mode. So I don't know how to open the System32 folder in Safe Mode..

EDIT:  There is also no reaction when right-clicking on the black screen.

Edited by Viola
To add info

Try pressing CTRL+SHIFT+ESC on your keyboard.  That should bring up Task Manager, and from there you should be able to click File>New Task (Run)... and then enter explorer in the Create New Task dialog and click OK or press Enter and that should bring up the taskbar and START menu for you.

25 minutes ago, exile360 said:

Try pressing CTRL+SHIFT+ESC on your keyboard.  That should bring up Task Manager, and from there you should be able to click File>New Task (Run)... and then enter explorer in the Create New Task dialog and click OK or press Enter and that should bring up the taskbar and START menu for you.

Thank you for getting back to me. I entered explorer, clicked OK, but nothing happened.

I tried checking the option to Create new task with administrator privileges, and explorer.exe appeared in the list of Processes, but still no taskbar..

OK, if you click Show processes from all users then open that Create New Task dialog window, check the box next to Create this task with administrative privileges then use the Browse button, you can browse to the locations mentioned and you should be able to at least get a copy of the file onto your desktop from System32 (be sure to click the drop-down menu on the bottom of the browse dialog where it says Programs and select All files).  I don't know if you'll be able to zip the file there, but you can at least get to the file and see its properties and click that Unblock button as mentioned earlier.

I've also attached a copy of the file from my own system here (also Windows 7 x64 SP1) and perhaps it will work for you.  By the way, if you have a web browser other than Internet Explorer, I'd suggest using it as the entire reason the file ends up with that Unblock button is because its metadata gets altered by IE whenever a file is downloaded from the internet through IE.  Other web browsers do not do this.  I could also try emailing you the file if you believe that might be easier for you; just send me a private message here on the forums with your email address (don't post it here in public as we don't want any spambots getting it) and I can send it to you that way if you wish.

50 minutes ago, exile360 said:

OK, if you click Show processes from all users then open that Create New Task dialog window, check the box next to Create this task with administrative privileges then use the Browse button, you can browse to the locations mentioned and you should be able to at least get a copy of the file onto your desktop from System32 (be sure to click the drop-down menu on the bottom of the browse dialog where it says Programs and select All files).  I don't know if you'll be able to zip the file there, but you can at least get to the file and see its properties and click that Unblock button as mentioned earlier.

I've also attached a copy of the file from my own system here (also Windows 7 x64 SP1) and perhaps it will work for you.  By the way, if you have a web browser other than Internet Explorer, I'd suggest using it as the entire reason the file ends up with that Unblock button is because its metadata gets altered by IE whenever a file is downloaded from the internet through IE.  Other web browsers do not do this.  I could also try emailing you the file if you believe that might be easier for you; just send me a private message here on the forums with your email address (don't post it here in public as we don't want any spambots getting it) and I can send it to you that way if you wish.

So, I found werfault.exe in the browse dialog and clicked Unblock, Apply and OK. Then I closed the Task Manager, started typing into the Command Prompt to restart my computer, then suddenly, the taskbar appeared, along with the rest of my desktop. (Hooray!)

So I closed the Command Prompt, and restarted my computer through the Start button. Startup was a bit slow, but no popup this time, and no freezing, so far.

But I did another SFC scan, and the file still shows as corrupted. So, I am going to send you a private message.

But just to let you know, I have not been using IE. I actually use Chrome in incognito mode most of the time, including when I downloaded the file from Malwarebytes, but what you shared is very interesting information, so thank you ^_^

Well, unfortunately my email client wouldn't let me send the file because it's an executable and they tend to frown on that sort of thing.  If you have WinRAR installed I might be able to send it in a password protected RAR archive, but ZIP isn't going to work and that's the only format of compressed file Windows natively supports without any third party software.

I went ahead and uploaded a copy of my file here.  You can try downloading and using that one.  Just save it to your desktop and extract it, right-click the extracted copy on your desktop and make sure it is Unblocked, then place it in your System32 folder as you did the previous one and hopefully it resolves the issue.

50 minutes ago, exile360 said:

Well, unfortunately my email client wouldn't let me send the file because it's an executable and they tend to frown on that sort of thing.  If you have WinRAR installed I might be able to send it in a password protected RAR archive, but ZIP isn't going to work and that's the only format of compressed file Windows natively supports without any third party software.

I went ahead and uploaded a copy of my file here.  You can try downloading and using that one.  Just save it to your desktop and extract it, right-click the extracted copy on your desktop and make sure it is Unblocked, then place it in your System32 folder as you did the previous one and hopefully it resolves the issue.

Thanks for uploading it, and I made sure that the file was unblocked before moving it to System32, checked it again after it was moved and it was still unblocked. But after another sfc scan, it still shows as corrupted, or more precisely, it still says "hash mismatch". Thanks for trying to help anyway.

OK, can you run Windows Update, check for updates and install any that might be available, then reboot if prompted to do so to complete the installation, then see what happens?  I'm thinking we must have different versions of the file if there's a hash mismatch.

By the way, do you have your Windows installation disc handy?  It may exist as a recovery partition on your hard drive if your system didn't come with a Windows disc.  I'm just asking because we might be able to replace the file from your installation media using SFC and that should resolve the problem.
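
The facts this thread keeps returning to (whether a copy of WerFault.exe still carries the Unblock flag, which version it is, and what SFC recorded about it) can be collected from an elevated 64-bit PowerShell prompt. This is an added example, not code posted by any participant in the thread; it assumes PowerShell 4.0 or later, and the function names and the desktop path are hypothetical.

```powershell
# Added example: gather provenance facts about a replacement system file and
# the SFC findings for it. Assumes PowerShell 4.0+ (Get-FileHash) in an
# elevated 64-bit session; a 32-bit session is redirected from System32 to
# SysWOW64 and would inspect the wrong file.

function Get-FileProvenance {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # The Unblock button in Properties is shown when the file carries a
    # Zone.Identifier alternate data stream. Unblock-File deletes that stream.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier `
                        -ErrorAction SilentlyContinue

    # Authenticode status exactly as this PowerShell version reports it.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path        = $item.FullName
        Length      = $item.Length
        FileVersion = $item.VersionInfo.FileVersion
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Blocked     = ($null -ne $zone)
        ZoneInfo    = ($zone -join '; ')
        Signature   = $sig.Status
    }
}

function Get-SfcFinding {              # hypothetical helper name
    param(
        [string]$FileName = 'werfault.exe',
        [string]$LogPath  = "$env:windir\Logs\CBS\CBS.log"
    )
    # SFC writes its results into CBS.log and tags its own lines with [SR].
    # Keep only the [SR] lines that name the file in question.
    Select-String -LiteralPath $LogPath -Pattern '[SR]' -SimpleMatch |
        Where-Object { $_.Line -match [regex]::Escape($FileName) } |
        Select-Object -ExpandProperty Line
}

# Hypothetical location of the downloaded copy, next to the installed file.
$candidate = Join-Path $env:USERPROFILE 'Desktop\WerFault.exe'
$installed = Join-Path $env:windir 'System32\WerFault.exe'

# Side by side: differing FileVersion or SHA256 values mean the two copies
# are not the same build of the file.
$candidate, $installed |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-FileProvenance -Path $_ } |
    Format-List

# Most recent SFC entries for the file (run "sfc /scannow" first).
Get-SfcFinding | Select-Object -Last 5
```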
