Techware Uninfector

adwcleaner registry cleanup virus malware security antivirus

89 replies to this topic

#1 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 13 October 2015 - 05:54 AM


File Name: Techware Uninfector
File Submitter: Siginet
File Submitted: 12 Oct 2015
File Updated: 03 Nov 2015
File Category: Security

This program is intended to be a universally portable virus removal tool.
Clean up infected areas of Windows from within WinPE or in a live Windows system.


I have been working on an executable similar to ADWCleaner by Xplode.

The main difference with this program is that it is built with WinPE in mind.
I feel like there are a lot of great virus cleanup programs... but nothing that is actually built for WinPE. So I decided to create my own. I have gathered any virus defs I could find to begin building my definitions. I have also begun adding some of my own findings as well. Uninfector has grown into a full-blown cleanup tool, which removes infected files and PUP files.

I need your help though! The more users I can have to test this the better, since I am limited to what I can see and have access to. Please download the Uninfector.exe and run it on an infected system (preferably within WinPE). Once you have finished, please upload your Uninfector.log and Unknown_Uninfector.log here in this support thread and let me know how well it seemed to have worked for you.

I still suggest running adwcleaner and malwarebytes or any other utilities you normally scan with as well afterwards. If you can upload those logs for me as well that would be great.

Thanks go to anyone who is willing to help with this project! :thumbsup:

When you use this make sure the internet is connected so it can get the latest definitions file! If it doesn't have any defs it won't be able to do much of anything.
If you do not intend to use the internet with Uninfector.exe you can manually download the Uninfector.Defs file and place it next to Uninfector.exe

The latest Uninfector.Defs can be downloaded here:
http://Techware.net/...Uninfector.Defs (Right click and Save As)

I further want to add that this program is digitally signed with my company: Techware Solutions, Inc.
This is something that links my company directly to this file and is a way you can determine that it is the real Uninfector.exe and not a malicious file.

List of features I will currently be working on:
*1. Quarantine Removed Items. (Added to Version 0.0.7.6)
*2. Ask if the user would like to check for program updates automatically at every launch. (Added to Version 0.1.0.2)
*3. Ask if the user would like to check for definition updates automatically at every launch. (Added to Version 0.1.0.2)
*4. Folder detection and removal. (Added to Version 0.0.8.9)
*5. File detection and removal. (Added to Version 0.0.8.9)
*6. Browser Extension Files/registry removal and cleanup. (Added to Version 0.1.1.6)
*7. GUI that shows the information being processed. (Added to Version 0.0.7.6).
*8. Move the Definitions into a defs file instead of ini. (Added to Version 0.1.0.2)
*9. Fix a bug that causes Uninfector to not scan the correct hive when running within WinPE. (fixed in Version 0.0.7.7)

Click here to download this file
  • wimb likes this
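The signature claim above is only useful if the person running the tool actually checks it. The script below is an added example, not code from the thread or from Uninfector: it verifies the Authenticode signature on a local copy of the executable, pins the signer to the publisher named in the post (the `Techware Solutions` string is an assumption taken from the post, not the exact certificate subject), and records the SHA-256 of the file that passed. The same check belongs in any scheduled script that fetches new builds automatically.

```powershell
# Added example (not part of Uninfector or this thread): refuse to run a tool
# unless it carries a valid Authenticode signature from the expected publisher.
# $ExpectedPublisher is an assumption based on the post; set it to the exact
# Subject string of the real signing certificate.
param(
    [string]$Path = '.\Uninfector.exe',
    [string]$ExpectedPublisher = 'Techware Solutions'
)

function Test-TrustedTool {
    param([string]$FilePath, [string]$Publisher)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Trusted = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath

    # Status is 'Valid' only when the file hash matches the signed hash AND the
    # certificate chain builds to a trusted root. 'NotSigned', 'HashMismatch'
    # (tampered after signing) and 'UnknownError' (chain cannot be built, which
    # a bare WinPE without a populated root store will often produce) are all
    # untrusted. Do this check on a full Windows box before copying the tool in.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $FilePath; Trusted = $false; Reason = "signature status $($sig.Status)" }
    }

    # A valid signature from *somebody* is not enough: pin the signer subject,
    # otherwise any code-signing certificate on the planet would pass.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($Publisher)) {
        return [pscustomobject]@{ Path = $FilePath; Trusted = $false; Reason = "unexpected signer: $subject" }
    }

    # Keep the hash of the exact binary that passed, so a cleanup log can be
    # tied back to the tool version that produced it.
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    return [pscustomobject]@{
        Path       = $FilePath
        Trusted    = $true
        Reason     = 'signed by expected publisher'
        Signer     = $subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Sha256     = $hash
    }
}

$result = Test-TrustedTool -FilePath $Path -Publisher $ExpectedPublisher
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning "Refusing to run $Path : $($result.Reason)"
    exit 1
}
```

Run it as `.\Check-Uninfector.ps1 -Path X:\Tools\Uninfector.exe` (script name and path are illustrative). A `HashMismatch` means the bytes changed after signing, which is exactly the case a mirror or a tampered download produces, and is the reason to check the signature rather than just trusting the file name.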

#2 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  • United Kingdom

Posted 13 October 2015 - 08:55 AM

So it works under Win XP vanilla to Win 10, 32-bit and 64-bit and all Win PE's (no dependencies)?

Does it ask user before deleting each file?


  • Siginet likes this

#3 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 13 October 2015 - 11:18 AM

So it works under Win XP vanilla to Win 10, 32-bit and 64-bit and all Win PE's (no dependencies)?

Does it ask user before deleting each file?

Yes. It is meant to work on everything from Win XP and up. Probably 2000 if that still exists somewhere in the world too! LOL! But it is in beta right now, so at the moment it will need to be tested in all versions of Windows and WinPE. Uninfector pulls any Windows paths directly from the registry... so it shouldn't really matter what version of Windows it is run in, because it should find the correct paths. I haven't tested it in XP or WinPE XPs... but I am sure it works. A lot of the WinPE code was pulled from some of my older programs that work well in every version of Windows/WinPE, like Gotcha Data Backup and DriverGrabber. At the current time it only removes items from the registry and does very little with file removal. But it will get the full treatment soon. ;) Cleaning the registry of infected items is much better than only cleaning up the files... which is what the majority of the tools we have now do in WinPE. Of course it sucks right now that it only cleans the registry... but with this tool in its current form, after cleaning up the registry in WinPE we should be able to boot back into a live Windows and not receive a bunch of file-not-found errors. Then doing a quick scan with something like adwcleaner on the live system should clean up the dormant files. Since there is nothing in the registry to launch the viruses, the files are pretty much harmless, since they are nothing but dead weight.

 

I don't really think I have a plan to have Uninfector ask if you want to remove the files... since I'm more of a fan of one click and get it done. But maybe in the future I'll think about adding that capability for those users who like to have more control. If I ever do add the capability I'd also add the capability to make it user-selectable with a config file. But in the beta it's not on my list of things to implement at this time.

There shouldn't be any dependencies needed that I can think of. Especially since there is not much GUI-wise at the moment. Any DLL files it communicates with are built into Windows. I suppose I could gather a list of the DLLs it does use so that it is known, just in case there are WinPEs out there without those DLLs built in. But I think it's only 1 or maybe 2 DLLs. It would be great if we can get some tests in a minimal WinPE.



#4 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  • United Kingdom

Posted 13 October 2015 - 11:32 AM

For Beta testing I think it is really important to tell the user what is going on and ask before deleting anything at each step.

 

e.g. OK to delete registry entry HKLM\xxxx  value=yyyyy   ?

       OK to delete file   C:\aaa\bbb\ccc ?

 

If you don't remove any files, then what is to prevent the Registry becoming infected again as soon as the user boots?

Any files in the Startup folders or run from .cmd files in \windows\system32, etc. will run and just infect everything again.

 

It would also be useful to have a 'log-only' mode, where no registry entries\files are deleted but a log file is made of what has been detected and flagged for removal. That way the same test system can be used to test new versions and at least we can see what changes would have been made before actually allowing it to make any changes.
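The two requests above, a log-only mode and visibility into what an offline registry scan would touch, can be prototyped independently of the tool. The script below is an added example, not Uninfector's code and not from this thread: it loads the SOFTWARE hive of an offline Windows installation from WinPE, walks the Run/RunOnce keys in both the native and Wow6432Node views plus AppInit_DLLs, resolves each referenced file on the offline volume, and writes a CSV of what it would flag without deleting anything. The drive letters `D:` and `X:` and the CSV name are assumptions.

```powershell
# Added example, not Uninfector's code: a log-only pass over the autorun
# locations of an OFFLINE Windows installation, the way a WinPE cleanup tool
# has to read them. Nothing is deleted; the script writes a CSV of what it
# would flag, so the same test machine can be re-scanned after every build.
# Assumptions: the target Windows volume is mounted as $WinDrive and the PE
# carries PowerShell (WinPE-PowerShell optional component).
param(
    [string]$WinDrive = 'D:',
    [string]$LogPath  = 'X:\Uninfector-dryrun.csv'
)

$hiveFile = Join-Path $WinDrive 'Windows\System32\config\SOFTWARE'
$mount    = 'HKLM\OfflineSOFTWARE'     # temporary key the offline hive is loaded under

& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hiveFile (is $WinDrive the right volume?)" }

try {
    # On an x64 install there are two views: the native keys and the
    # Wow6432Node mirror used by 32-bit software. Reading only one of them
    # misses half the Run entries.
    $runKeys = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'Microsoft\Windows NT\CurrentVersion\Windows'      # holds AppInit_DLLs
    )

    $findings = foreach ($sub in $runKeys) {
        $key = "HKLM:\OfflineSOFTWARE\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # PSPath etc. are provider metadata
            if ($sub -like '*CurrentVersion\Windows' -and $p.Name -ne 'AppInit_DLLs') { continue }
            $cmd = [string]$p.Value
            if (-not $cmd) { continue }

            # Take the first path from the command line (quoted or not) and
            # re-root its drive letter onto the offline volume. REG_EXPAND_SZ
            # values were expanded against the PE's environment, so %SystemRoot%
            # may have become X:\Windows; the re-rooting fixes that too. Bare
            # names (rundll32.exe) are assumed to live in System32.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '[\s,]+')[0] }
            $offlineExe = if ($exe -match '^[A-Za-z]:') { $exe -replace '^[A-Za-z]:', $WinDrive }
                          else { Join-Path $WinDrive "Windows\System32\$exe" }
            $exists = Test-Path -LiteralPath $offlineExe
            # Catalog-signed Windows binaries show as NotSigned when checked from
            # a PE, because the offline install's catalogs are not loaded here.
            # Treat 'unsigned' as "look at it", never as "malicious".
            $sigStatus = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $offlineExe).Status } else { 'n/a' }

            [pscustomobject]@{
                Key        = "HKLM\SOFTWARE\$sub"
                Value      = $p.Name
                Command    = $cmd
                FileExists = $exists
                Signature  = $sigStatus
                Flag       = if (-not $exists) { 'dangling' } elseif ("$sigStatus" -ne 'Valid') { 'unsigned' } else { '' }
            }
        }
    }

    if ($findings) {
        $findings | Export-Csv -Path $LogPath -NoTypeInformation -Encoding UTF8
        $findings | Where-Object Flag | Format-Table -AutoSize
    } else {
        Write-Host "No autorun values found under $hiveFile"
    }
}
finally {
    # Always unload, otherwise the hive stays open and the target OS may boot
    # with a dirty SOFTWARE hive. Drop any handles the provider holds first.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload $mount | Out-Null
}
```

Running this before and after a cleanup tool gives two CSVs to diff, which is the "log-only" workflow requested above. The `Wow6432Node` entries in the key list are the reason a scanner that reads only the 64-bit view (the bug noted later in this thread for 0.0.8.9) misses a whole class of autoruns on x64 systems.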



#5 wimb

wimb

    Platinum Member

  • Developer
  • 3756 posts
  • Interests:Boot and Install from USB
  • Netherlands

Posted 13 October 2015 - 12:11 PM

So it works under Win XP vanilla to Win 10, 32-bit and 64-bit and all Win PE's (no dependencies)?

 

 

Not all Win PEs can be used, since x64 PEs often have NO 32-bit support and Uninfector.exe is at present 32-bit software.

The 8 or 10 x64 PE of Microsoft in their Repair USB-stick have no 32-bit and no GUI support at all :suda:

Win8.1SE x64 and Win10PE SE x64 can be used when SysWOW64 support for 32-bit software is built in.

 

The most compatible PE for BIOS + UEFI is Win8.1SE x64 or Win10PE x64, which have 32-bit support and are proven to be working for Uninfector.exe

 

http://www.msfn.org/...170546-win81se/

 

I have used Uninfector.exe now also in 32-bit Portable XP VHD and in 32-bit LiveXP PE in RAMDISK and it can run in these environments as well,

but in XP you only have access to an OS on an MBR-type hard disk and not to an OS on a GPT disk.

 

Attached files: UninfectorW81SE-2015-10-13_205559.png (530.81 KB), Uninfector10PE-2015-10-13_210108.png (577.81 KB), LiveXP-Uninfector-2015-10-13_144440.jpg (196.29 KB)

 

W8.1SE x64 PE --- W10PE SE x64 --- LiveXP PE x86

 

:cheers:


  • Siginet likes this
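The WOW64 point above is easy to get wrong when assembling a rescue stick: a 32-bit EXE silently fails to start on an x64 PE that lacks SysWOW64. The script below is an added example, not code from the thread or from Uninfector: it reads the COFF `Machine` field from the PE header of a tool and compares it with the architecture of the running PE and the presence of the WOW64 subsystem, so the mismatch is caught before the stick is built. The `X:\Tools\Uninfector.exe` path is an assumption.

```powershell
# Added example (not from the thread): before copying a tool into a WinPE
# build, work out whether that PE can actually run it. A 32-bit EXE needs the
# WOW64 subsystem, which the stock Microsoft x64 recovery PE does not carry.
function Get-PeMachine {
    param([string]$Path)
    # Read only the DOS header, the e_lfanew pointer and the COFF Machine field.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { throw "$Path is not an MZ executable" }    # 'MZ'
        $fs.Seek(0x3C, 'Begin') | Out-Null
        $peOffset = $br.ReadUInt32()
        $fs.Seek($peOffset, 'Begin') | Out-Null
        if ($br.ReadUInt32() -ne 0x00004550) { throw "$Path has no PE signature" }    # 'PE\0\0'
        $machine = $br.ReadUInt16()                                                   # IMAGE_FILE_HEADER.Machine
    } finally { $fs.Dispose() }

    switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        0xAA64  { 'arm64' }
        default { 'unknown 0x{0:X4}' -f $machine }
    }
}

function Test-CanRunHere {
    param([string]$ExePath)
    $need   = Get-PeMachine $ExePath
    # Architecture of the OS we are booted into, and whether the 32-bit
    # subsystem is present. A PE built without WOW64 has no SysWOW64 folder.
    $os     = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    $hasWow = Test-Path (Join-Path $env:SystemRoot 'SysWOW64\kernel32.dll')

    $ok = switch ($need) {
        'x86'   { ($os -eq 'x86') -or $hasWow }
        'x64'   { $os -eq 'x64' }
        default { $false }                     # arm64 tools are outside this check
    }
    [pscustomobject]@{ Exe = $ExePath; ExeArch = $need; OsArch = $os; Wow64 = $hasWow; CanRun = $ok }
}

# Usage inside the booted PE (path is an assumption):
Test-CanRunHere -ExePath 'X:\Tools\Uninfector.exe' | Format-List
```

On a Win8.1SE x64 or Win10PE SE x64 build with WOW64 included the result is `ExeArch x86, OsArch x64, Wow64 True, CanRun True`; on the Microsoft recovery PE described above `Wow64` is `False` and the tool will not launch, which this check reports instead of a silent failure.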

#6 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 13 October 2015 - 03:08 PM

Win10PESE also has Wow64 support now.  It's what I have been using for testing myself. ;)



#7 wimb

wimb

    Platinum Member

  • Developer
  • 3756 posts
  • Interests:Boot and Install from USB
  • Netherlands

Posted 14 October 2015 - 07:22 AM

I have used Uninfector in Win8.1SE x64 and in Win10PE x64 and in Win10 x64 OS on C drive.

 

My two W10 x64 OS on drive E: (fresh installed by me) and C: (upgrade from Win8.1, installed by Medion)

were scanned by Uninfector in about 3 min, giving log files as in the attachment (for security, the OneDrive number was replaced by xx.x.xxxx.xxxx).

 

Attached file: UnLogW.7z (915 bytes)


  • Siginet likes this

#8 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 14 October 2015 - 07:49 AM

For Beta testing I think it is really important to tell the user what is going on and ask before deleting anything at each step.

 

e.g. OK to delete registry entry HKLM\xxxx  value=yyyyy   ?

       OK to delete file   C:\aaa\bbb\ccc ?

 

If you don't remove any files, then what is to prevent the Registry becoming infected again as soon as the user boots?

Any files in the Startup folders or run from .cmd files in \windows\system32, etc. will run and just infect everything again.

 

It would also be useful to have a 'log-only' mode, where no registry entries\files are deleted but a log file is made of what has been detected and flagged for removal. That way the same test system can be used to test new versions and at least we can see what changes would have been made before actually allowing it to make any changes.

Uninfector removes mostly things from the registry for now. But it will have file removal soon. It also removes services, tasks and startup entries. The next portion I plan to implement is startup .lnk files from the Startup folder in the start menu. Although I don't see many viruses using that feature much anymore, since it would need admin permission to do so. Since this is beta it isn't quite intended for users that do not know what they are doing yet. I would hope a tech would not allow a file to run once the computer has been booted up. ;) Uninfector also currently cleans up hijacked browser .lnk files as well, which are pesky things I have been seeing a lot lately. That was what I originally started creating the program to do... but it has now grown into much more. Hijacked browser .lnk files suck since they tend to get backed up and then placed back onto the newly reinstalled system unknowingly.
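The hijacked browser shortcut described above is a good illustration of why a file-only cleanup misses things: the browser binary is untouched, the shortcut still points at it, and only the `Arguments` field of the .lnk carries the injected URL. The script below is an added example, not Uninfector's code and not from this thread: it walks the Desktop, Start Menu and Quick Launch folders of a profile (which can be a profile on a slaved drive when run from WinPE), resolves each .lnk through the WScript.Shell COM object, and reports browser shortcuts whose arguments contain a URL or a page file. It only reports; the constructed sample shortcut it creates in `%TEMP%` is a made-up indicator so the scan can be tried offline.

```powershell
# Added example (not Uninfector's code): find browser shortcuts whose
# arguments have been hijacked, i.e. a .lnk that still points at chrome.exe,
# firefox.exe, iexplore.exe... but launches it with an injected URL.
# Reports only; removing the arguments is left to the operator.
# $Root is a parameter so the same scan works on a profile on a slaved
# drive from WinPE (e.g. D:\Users\Bob).
param([string]$Root = $env:USERPROFILE)

$browsers = 'chrome.exe', 'firefox.exe', 'iexplore.exe', 'msedge.exe', 'opera.exe'
$shortcutDirs = @(
    (Join-Path $Root 'Desktop'),
    (Join-Path $Root 'AppData\Roaming\Microsoft\Windows\Start Menu'),
    (Join-Path $Root 'AppData\Roaming\Microsoft\Internet Explorer\Quick Launch')   # includes User Pinned\TaskBar via -Recurse
)

function Get-HijackedBrowserShortcuts {
    param([string[]]$Dirs, [string[]]$BrowserExes)
    $shell = New-Object -ComObject WScript.Shell
    try {
        foreach ($dir in $Dirs) {
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue) {
                try { $sc = $shell.CreateShortcut($lnk.FullName) } catch { continue }   # corrupt .lnk: skip
                $exe = [System.IO.Path]::GetFileName([string]$sc.TargetPath).ToLowerInvariant()
                if ($BrowserExes -notcontains $exe) { continue }
                # A stock browser shortcut has no arguments (or only profile
                # switches). A URL, or a .url/.html file, in Arguments is the
                # classic homepage hijack that survives a reinstall via backups.
                if ($sc.Arguments -match '(?i)https?://|www\.|\.url\b|\.html?\b') {
                    [pscustomobject]@{
                        Shortcut  = $lnk.FullName
                        Target    = $sc.TargetPath
                        Arguments = $sc.Arguments
                    }
                }
            }
        }
    } finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

# Constructed sample so the script can be tried offline: a hijacked Chrome
# shortcut written to a temp folder, scanned alongside the real folders, then removed.
$demo = Join-Path $env:TEMP 'lnkdemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$ws  = New-Object -ComObject WScript.Shell
$bad = $ws.CreateShortcut((Join-Path $demo 'Google Chrome.lnk'))
$bad.TargetPath = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
$bad.Arguments  = 'http://example.invalid/?hijack'     # constructed, not a real indicator
$bad.Save()

Get-HijackedBrowserShortcuts -Dirs ($shortcutDirs + $demo) -BrowserExes $browsers | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

The constructed shortcut is reported with its `Arguments` field; a clean profile produces no other output. To neutralise a real hit, set `Arguments` to an empty string and call `Save()` on the same object, which keeps the shortcut and its icon but drops the injected URL.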



#9 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  • United Kingdom

Posted 14 October 2015 - 08:47 AM

If you are going to do a file scan, it would be really cool if you could use the SwiftSearch algorithm on NTFS volumes because that is so much faster than the normal directory search algorithms. https://sourceforge....ts/swiftsearch/

e.g. You can find all .exe files on a 1TB volume in about a second !


  • Siginet likes this

#10 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 18 October 2015 - 10:25 PM

New version uploaded!!

 

I'm proud to announce that File/Folder removal is now mostly implemented! :)  Currently I have not built a database for files that should be removed from within the Windows system folders yet.  But it does remove files/folders from within Program Files directories as well as Common Files and ProgramData.  This new version is much faster too!!  It does a lot more and scans in less than half of the amount of time of the previous version.  It works very well in WinPE and on Windows. Also on Slaved Drives scanned within Windows or WinPE. ;)

 

Please continue to run tests for me!

 

Thanks!!

 

  • 0.0.8.9:
  • Fixed: WinPE Scanning was only scanning the HKLM64 portion of the registry on x64 Hives.
  • Improved: Optimized Registry scan.
  • Improved: Full scan is much faster! 1 minute and 15 seconds to completion on my most recent tests!!!
  • Added: Folder/File Quarantine/Removal.
  • Added: Shortcut Removal from Desktop, Start Menu and Quick Launch.

  • saddlejib likes this

#11 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 19 October 2015 - 05:20 AM

Sorry for anyone who may have downloaded v0.0.9.1.  I screwed up the db in that one so the scans with it fail and end quickly.  Please grab v0.0.9.2.  It's fixed now. 0.0.9.2 was only online for 10 minutes... so hopefully not many people got that one. :(



#12 wimb

wimb

    Platinum Member

  • Developer
  • 3756 posts
  • Interests:Boot and Install from USB
  • Netherlands

Posted 19 October 2015 - 08:42 AM

Version 0.0.9.2 was used in Win8.1SE PE for scanning my two Win 10 drives E and C.

It is indeed very fast - scanning in about 1 min

 

Attached file: UnLog-92.7z (849 bytes)

 

:cheers:

 


  • Siginet likes this

#13 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  • European Union

Posted 20 October 2015 - 08:55 AM

When booting Win7PE ISO in VirtualBox, Uninfector 9.2 scans the PE.

When booting from WIN7PE CD on real hardware, Uninfector correctly shows the three systems XP-32, XP-64 and Win7-32.

It scans any choice without remarkable issues.

 

Peter



#14 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 20 October 2015 - 10:31 AM

It was never intended to scan the winpe. But I suppose if it finds no other windows then it just scans the WinPE. It's good to know that it is recognizing every version of windows correctly. ;-) I had not even thought to test it on XP 64. That's a pretty good test.

In the next version of Uninfector I am getting rid of the Uninfector.ini file as the Defs file and will be using an Uninfector.Defs file instead. I think I will also start phasing out the Uninfector_Unknown.log file as well. I don't think there is much need for it anymore. Scanning for unknown areas of the system only slows down the scan anyway. I want to see how fast I can get this program to go. ;-)

I'll also put a zipped up sample quarantine file for beta testers to use soon. So you guys can test it in multiple systems within winpe and in windows.

#15 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  • European Union

Posted 20 October 2015 - 03:31 PM

May I make a suggestion:

Put the virus handling definitions into Uninfector.def, as scheduled.

Maybe (or surely) there are different startup options for Uninfector:

  • Load/ignore latest Uninfector.exe
  • Load/ignore latest Uninfector.def
  • Delete/quarantine suspicious contents
  • etc.

Handling these options with startup switches can be a lot of work for the script writer, because all the different shortcuts with the different startup switches must be provided.

 

It would be good to have an Uninfector.xml file passing all the user options to Uninfector.exe. Creating the xml is no problem for WinBuilder (Not only 2015.??.??, but also for versions below the still used 80 / 82 / 8?)

 

Peter



#16 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 20 October 2015 - 03:36 PM

A plain, normal .ini is too simple and you need a .xml for that? :dubbio:

 

:duff:

Wonko



#17 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 20 October 2015 - 03:48 PM

May I make a suggestion:

Put the virus handling definitions into Uninfector.def, as scheduled.

Maybe (or surely) there are different startup options for Uninfector:

  • Load/ignore latest Uninfector.exe
  • Load/ignore latest Uninfector.def
  • Delete/quarantine suspicious contents
  • etc.

Handling these options with startup switches can be a lot of work for the script writer, because all the different shortcuts with the different startup switches must be provided.

 

It would be good to have an Uninfector.xml file passing all the user options to Uninfector.exe. Creating the xml is no problem for WinBuilder (Not only 2015.??.??, but also for versions below the still used 80 / 82 / 8?)

 

Peter

I will keep those in mind.  I was planning to ask the user at launch if they wish to Auto Update the Uninfector program and Definitions. With a check box for never ask again.  If the never ask again box is checked then a config file is written beside Uninfector.exe with the selected options.  I think this would make it simple to add these options in Winbuilder as well since it would just import a config file based on the users selection in Winbuilder.  Also I feel command line switches are great and I do plan on implementing them soon. At the time I'm concentrating on implementing all of the cleanup areas though. I plan to have switches for Only updating the program with no scan and so on as well.



#18 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 20 October 2015 - 03:51 PM

A plain, normal .ini is too simple and you need a .xml for that? :dubbio:

 

:duff:

Wonko

Why? I don't understand.  What would be the benefit of an xml file over a simple ini?



#19 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  • European Union

Posted 20 October 2015 - 04:01 PM

A plain, normal .ini is too simple and you need a .xml for that? :dubbio:

 

:duff:

Wonko

Among us dinosaurs:

 

INI is DOS time, xml is state of the art.

I do not see advantages.

 

Peter :wheelchair:



#20 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 20 October 2015 - 04:38 PM

Among us dinosaurs:

 

INI is DOS time, xml is state of the art.

I do not see advantages.

 

Peter :wheelchair:

Neither do I.

With xml you have a more complex (and larger) file without any added value (for this simple use).

Why not use a Registry hive then? It's even more "state of the art"; if you perceive "state of the art" as "what people in the leading worldwide OS firm use", it might also do nicely.

And BTW you can still map a .ini to Registry, if you want to make it even more complex.

 

Come on guys :), a .ini is more than enough for this scope, there is no need to add a library dependency (or whatever) to parse the .xml format, .ini is plain text, it is easy to parse and extremely easy to read by human eyes and more than enough for the scope at hand.

 

:duff:

Wonko 



#21 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 20 October 2015 - 08:21 PM

Yes, I do not really think an xml is the way to go at this time.

I actually am going away from ini for the Defs file as well, since there are limitations with ini files and arrays. But xml isn't my choice. I actually have changed the Defs file to use an ini-like structure... but without the array limitations and no more key=data. I don't have a need for the =data portion. ;-) But for configuration settings I do think the ini file would be best in this case. Maybe that will change in the future. I don't think I'll need to add anything to the registry either. I'd like to avoid adding anything to the registry if I can. Since it's intended to be portable I'd like to stay away from leaving stuff behind in the user's registry.

But please keep the requests coming! :-) I appreciate any input.

Today I did find a bug with x86 scanning on an x86 computer that I am working on fixing now. But other then that it seems to be functioning very well! I have so many plans to improve on this program and I think it will become very useful. :-D

#22 d4vr0s

d4vr0s

    Member

  • Advanced user
  • 38 posts
  • Location:The greatest computer in the universe of time and space, designed by Deep Thought
  • United States

Posted 25 October 2015 - 03:03 PM

So far all the versions I've tried since 0.9.2 have given me this error while the progress window shows 'Scanning: AppInit_DLLs':

 

AutoIt Error

Line 875 (File "X:\Tools\unifector.exe"):

Error: Variable must be of type "Object".

 

 

Any ideas?

 



#23 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 25 October 2015 - 03:14 PM

So far all the versions I've tried since 0.9.2 have given me this error while the progress window shows 'Scanning: AppInit_DLLs':
 
AutoIt Error
Line 875 (File "X:\Tools\unifector.exe"):
Error: Variable must be of type "Object".
 
 
Any ideas?


That's odd. I haven't seen that at all. Have you tried this version:
http://Techware.net/.../Uninfector.exe

I'll look into the code for that area.

#24 d4vr0s

d4vr0s

    Member

  • Advanced user
  • 38 posts
  • Location:The greatest computer in the universe of time and space, designed by Deep Thought
  • United States

Posted 25 October 2015 - 03:38 PM

That's odd. I haven't seen that at all. Have you tried this version:
http://Techware.net/.../Uninfector.exe

I'll look into the code for that area.

 

Yes, I have a scheduled script that checks for new versions of the utilities I use and downloads accordingly on an hourly basis.

 

I'm running a pretty vanilla WinPE 8 (6.3.9600) if that helps any.



#25 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  • United States

Posted 25 October 2015 - 03:47 PM

In the newer builds there is no longer use for Uninfector.ini.  The Defs is now Uninfector.Defs.  Do you have Uninfector.Defs downloaded next to Uninfector.exe?  Because if you do not have internet in your WinPE you will need to have the defs file there.






