cgh

Quarantined .WBT file


We have a computer that has a quarantined .wbt file labeled as a Trojan.Dropper.Gen. Would anyone happen to have more info on this? I attached a screenshot from the MBAM console.

malwarebytes-wbt.png.61fe9ad979bd99454938fc45d95a58fc.png


There are other .wbt files on the PC that haven't been quarantined. Do you want me to send them?


I tried to restore from the Management console and from the client but it wouldn't restore. It's still in the quarantine folder.


It didn't state that it was marked to delete on reboot. I rebooted it and it's still quarantined.


Give the API a try. Tool location - C:\Program Files (x86)\Malwarebytes' Anti-Malware. Tool is named MBAMAPI.exe. Open an admin elevated CMD prompt. Something like:

CD "C:\Program Files (x86)\Malwarebytes' Anti-Malware"
mbamapi /quarantine -restore file "C:\Windows\Temp\wbxtra_05312018_221755.wbt"


Formatting the command is as follows:

Restore Items from Quarantine
Usage:
mbamapi /quarantine -restore <class> [specification]

Purpose:
This command restores items which have been quarantined by Malwarebytes Anti-Malware. Please note that a reboot is usually required before a quarantined item may be restored, due to Delete On Reboot technology used by the program.

Parameters:

  • all
    • All quarantined threats
  • file
    • File "<drive>\<dir>\<file>", where string is enclosed in double quotes.
  • folder
    • Folder "<drive>\<dir>", where string is enclosed in double quotes.
  • key
    • Registry entry "<hive>\<key>", where string is enclosed in double quotes.
  • value
    • Registry value "<hive>\<key>|<value>", where string is enclosed in double quotes.

Examples:
mbamapi /quarantine -restore file "C:\Windows\file.exe"
mbamapi /quarantine -restore folder "C:\Windows\folder"
mbamapi /quarantine -restore key "HKLM\Software\key"
mbamapi /quarantine -restore value


Just tried your suggestion above and it's still in quarantine. I made sure to run the Command Prompt as Administrator. Is it possible that the program that the file is associated with still needs to be installed on the PC before it can be restored? It appears that the WBT file is part of WebEx and that program is removed from the PC.
