[BETA] Techware Uninfector (Clean Infected areas of PC in WinPE or Windows)
#1
Posted 09 October 2015 - 04:41 PM
#2
Posted 09 October 2015 - 04:55 PM
Congratulations for the idea and the beta realisation.
I would like to help, write a plugin for WinBuilder 20xx.
But where to download uninfector.exe?
Peter
#3
Posted 09 October 2015 - 05:05 PM
Congratulations for the idea and the beta realisation.
I would like to help, write a plugin for WinBuilder 20xx.
But where to download uninfector.exe?
Peter
Sorry I put a link up there. For some reason when I attach the zip file the forum isn't adding it to the post. So I put a link directly to the exe.
Thanks! That would be great if you can make a plugin for me!
#4
Posted 09 October 2015 - 06:34 PM
Nice, BUT:
...
Currently I have been concentrating on cleaning up the registry, task scheduler, services, shortcuts on desktop and start menu, and so on. Soon I will work on file/folder removal. But for now I feel the file/folder removal can wait until I am satisfied with everything else. Currently I have not implemented any quarantine... so anything removed is permanently removed. But I have not had any issues with any computers I have run this on.
I need your help though! The more users I can have to test this the better.
I am not sure it is such a good idea to test "blindly" something for which no "way back" is provided.
And SURELY I won't run something that automagically connects to the internet to download "definitions", IMHO it would be a good idea if besides the *whatever* automagical provision you have in the executable you could publish an URL from which to download manually such "definitions".
Usually (at least here) cleaning a system is done with the PC disconnected from the internet, one could download definitions before and outside the actual "cleaning session".
As a side note (unless you did it so on purpose) the
is currently an "open directory", still IMHO not the best of the setups.
Queer behaviour about the .zip file, I zipped your .exe and attached to this post seemingly.
Wonko
P.S.: As another side-side note, at first sight the contents of _update-maint.txt seem to me like the thingy will download and install quite a few programs?
#5
Posted 09 October 2015 - 07:18 PM
The directory I uploaded Uninfector.exe to is a list of many programs I use with another program of mine that provides maintenance. update-maint.txt has nothing to do with Uninfector.exe. Uninfector.exe only downloads Uninfector.ini which is a text file with definitions. Which all antivirus programs do. Of course... you can download the Uninfector.ini manually and place it next to Uninfector.exe if you do not have internet and it should automatically use it if it does not have internet connection. But I haven't tested that feature yet. Since it is beta... I much rather need to ensure that users have the latest defs at all times. When fighting viruses it's always best to have the latest version of defs and the program itself. I hope I have at least proven in the years past with the numerous programs I have shared with everyone that I'm not gonna download anything malicious to their computer.
It is beta. So the program is not finished. But it is already very useful.
I went ahead and attached the zip to the top post. I figured out why it wasn't attaching. ;-) I was selecting my file then clicking post without clicking the attach file button first.
#6
Posted 09 October 2015 - 08:32 PM
At the request of Wonko I'm gonna work on the Quarantine functionality today. It shouldn't be very difficult to implement and it would come in handy for testing purposes. Thanks for the feedback Wonko!!
#7
Posted 10 October 2015 - 09:08 AM
I hope I have at least proven in the years past with the numerous programs I have shared with everyone that I'm not gonna download anything malicious to their computer.
Sure you have proved over the years you are a good guy .
But still that doesn't mean that is a good idea to automagically connect and download anything.
Since you managed to attach the file to your post, I will remove the copy from mine so that people won't be confused by the two downloads and you will have a chance to replace the file with updated version.
Wonko
#8
Posted 10 October 2015 - 09:29 AM
Just a technical question:
When the program is started from WINPE, which volume(s) is / are checked? Is there a startup switch to define?
Additional: Usually the drive letters WINPE sees are different from the "live" system.
I'm working on writing the plugin, but I'll not test the program working, until I'm sure that it will work ONLY on the volume I want.
Currently I have no additional drive to make a complete HDD backup.
Peter
#9
Posted 10 October 2015 - 09:29 AM
Hello,
This looks very good, but can I ask you to upload the file using the form at http://reboot.pro/in...ction=submit&c=
This way it creates a post on the downloads section here, and the same time makes your tool available through the download section where more people can discover it exists.
#10
Posted 10 October 2015 - 03:45 PM
I wrote a Uninfector plugin for WinBuilder Win7PE.
Currently Uninfector.exe from the first post is attached to the plugin, because WinBuilder cannot (yet) download from URLs like
http://reboot.pro/index.php?app=core&module=attach&section=attach&attach_id=15744
I started Win7PE in VirtualBox and ran Uninfector.
There was nothing visible, but after about a minute I saw Uninfector in the task manager with 99% CPU load.
A file Uninfector_Unknown.log was created, containing:
[Suspicious Areas]
FOUND - AppInit_DLLs=SPEHook.dll
[Unknown-> Services]
FBWF=ignore
Ramdisk=ignore
sacdrv=ignore
sacsvr=ignore
WimFsf=ignore
I could not detect a connection to the internet, and also did not find a Uninfector.ini file in the application directory.
Peter
#11
Posted 10 October 2015 - 03:47 PM
Actually it auto finds the Windows Registry files for you. First it checks if it is running in Winpe or Windows. Then it checks if there are multiple drives with hives. If it finds multiple drives it asks which drive you want to use. If it only finds one valid windows hive then it automatically uses that hive. It never scans the winpe hive except to detect if it is running in winpe.
Also... if it is launched in windows and it detects any other partitions with a windows hive it will also ask which drive you want to scan. So it will also be useful for those of us who like to pull a customer's drive out and plug it into our own workstation to scan it. ;-)
I want it to be as universal as possible.
As requested by Wonko I will also give users the capability to select if they want the Uninfector.exe to auto update itself as well as if they want to allow it to auto update its defs. ;-) Eventually I want to also have an option to auto submit suspicious areas to a database I'll build online for those who would like to help build a database for cleaning up systems.
I am almost finished implementing the quarantine system. For now Quarantine will just be restore all until I find time to build a guide to allow users to select what they want to restore. But users could also easily remove files from the Quarantine folder if they know they do not want to restore them.
#12
Posted 10 October 2015 - 03:52 PM
Peter
#13
Posted 10 October 2015 - 04:02 PM
Ok. When I finish this next version I'll go ahead and do that. ;-)
Thanks
#14
Posted 10 October 2015 - 04:08 PM
Uninfector currently runs silently and takes about a minute to scan and remove anything it finds. ;-) Once completed it creates an Uninfector.log if it removes anything and it creates an Unknown_Uninfector.log if it finds areas unknown to its database.
When it is launched it downloads Uninfector.ini into the %temp% directory and uses it there. If it has no internet connection it checks if an Uninfector.ini file exists in the same folder uninfector.exe is launched in. If it finds one it copies it to %temp% and uses it. :-)
#15
Posted 10 October 2015 - 04:12 PM
On this same computer... if you launch adwcleaner or malwarebytes within windows does it find anything to remove? If so can you post those logs for me?
Thanks for creating the WinBuilder plugin. ;-) I'll implement auto updating capabilities soon and maybe you can update the plugin so people have an option to turn those features on or off when they compile it?
#16
Posted 10 October 2015 - 04:16 PM
Thanks for the test. ;-) it gives me something to fix. Lol.
#17
Posted 10 October 2015 - 04:22 PM
#18
Posted 10 October 2015 - 05:03 PM
@Siginet:
Common reply to your last posts, w/o quoting single items.
First: Have in mind, that I tested the PE in a VM, so the PE was the only OS!
%TEMP%: Uninfector.ini was there during run of Uninfector.exe. After that it was deleted >> everything is ok with internet access, download etc.
hostInfo.ini:
[PEInfo]
System32=X:\windows\system32\
Version=6.1
HiveSystem=X:\windows\system32\config\system
HiveSoftware=X:\windows\system32\config\software
HiveUser=X:\windows\system32\config\default
[HostInfo]
HiveSystem_1=X:\Windows\System32\config\system
HiveSoftware_1=X:\Windows\System32\config\software
HiveUser_1=X:\Windows\System32\config\default
System32_1=X:\Windows\System32\
Version_1=6.1
IsSystem_1=1
hostCount=1
When running in a VM, Uninfector should not ignore WinPE. So you have an easy possibility to test: Just infect your running PE! In every case there is no danger to damage the actual PC's OS.
If you need, I have (in Delphi) a module, which lets the running app detect whether it runs live or in a VM. But I think that HostCount = 1 is sufficient.
Customisation:
WinBuilder offers a CONFIG task, where you can define some properties for the plugin:
Here download options etc can be added.
Peter
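The hive-selection rule described earlier in the thread (detect the running system, never scan its hive, prompt when several installations are found) together with the hostInfo.ini layout quoted just above, worked through as an added example; this is not Uninfector's or WinBuilder's own code, and the selection policy and both sample files are constructed for illustration (the three-host sample mirrors the PE-plus-C:-plus-E: case reported later in the thread).

```python
import configparser
from collections import namedtuple

# Constructed sample in the hostInfo.ini layout quoted in this thread: the only
# host found is the running PE itself (IsSystem_1=1), so nothing is eligible.
SAMPLE_PE_ONLY = """
[PEInfo]
System32=X:\\windows\\system32\\
Version=6.1
HiveSystem=X:\\windows\\system32\\config\\system
HiveSoftware=X:\\windows\\system32\\config\\software
HiveUser=X:\\windows\\system32\\config\\default
[HostInfo]
HiveSystem_1=X:\\Windows\\System32\\config\\system
HiveSoftware_1=X:\\Windows\\System32\\config\\software
HiveUser_1=X:\\Windows\\System32\\config\\default
System32_1=X:\\Windows\\System32\\
Version_1=6.1
IsSystem_1=1
hostCount=1
"""

# Constructed sample for the multi-drive case: the PE on X: plus offline
# installations on C: and E: (only the keys the selector needs are present).
SAMPLE_THREE_HOSTS = """
[HostInfo]
HiveSystem_1=X:\\Windows\\System32\\config\\system
HiveSoftware_1=X:\\Windows\\System32\\config\\software
HiveUser_1=X:\\Windows\\System32\\config\\default
IsSystem_1=1
HiveSystem_2=C:\\Windows\\System32\\config\\SYSTEM
HiveSoftware_2=C:\\Windows\\System32\\config\\SOFTWARE
HiveUser_2=C:\\Windows\\System32\\config\\DEFAULT
IsSystem_2=0
HiveSystem_3=E:\\Windows\\System32\\config\\SYSTEM
HiveSoftware_3=E:\\Windows\\System32\\config\\SOFTWARE
HiveUser_3=E:\\Windows\\System32\\config\\DEFAULT
IsSystem_3=0
hostCount=3
"""

Host = namedtuple("Host", "index system_hive software_hive user_hive is_running_system")

def parse_host_info(text):
    """Read the [HostInfo] section into one Host record per hostCount entry."""
    # '=' only: paths contain ':' which is otherwise also a key/value delimiter
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so HiveSystem_1 is matched verbatim
    cp.read_string(text)
    hi = cp["HostInfo"]
    return [
        Host(n, hi[f"HiveSystem_{n}"], hi[f"HiveSoftware_{n}"], hi[f"HiveUser_{n}"],
             hi.get(f"IsSystem_{n}", "0") == "1")
        for n in range(1, int(hi["hostCount"]) + 1)
    ]

def offline_candidates(hosts):
    """Hives an offline cleaner may open: never those of the running system."""
    return [h for h in hosts if not h.is_running_system]

def choose_host(hosts, chosen_index=None):
    """Pick exactly one offline installation; refuse to guess when ambiguous."""
    cands = offline_candidates(hosts)
    if not cands:
        raise LookupError("no offline Windows installation found; not falling back to the live hive")
    if len(cands) == 1:
        return cands[0]
    if chosen_index is None:
        raise ValueError(f"{len(cands)} installations found; explicit selection required")
    match = [h for h in cands if h.index == chosen_index]
    if not match:
        raise ValueError(f"host {chosen_index} is not an offline candidate")
    return match[0]
```

Feeding the parsed record into a scanner instead of re-detecting drives is one way to cross-check a tool's drive selection against %Temp%\hostInfo.ini, as suggested later in the thread.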
#19
Posted 11 October 2015 - 06:54 AM
I tried Uninfector in Win8.1SE x64 and x86 and in Win10PE SE x64 on my computer, which has two drives C: and E: with Installed Windows 10 x64.
I am able to select the hive on the E: drive that I would like to test.
But then on pressing OK, nothing seems to happen and the situation is frozen as in the attached ScreenShot.
After waiting quite some time, I tried to Cancel but still frozen, and then after Close finally the dialogue disappears ...
I guess this is then the relevant log file .....
I tried also Stinger x64 of McAfee, which works quite well in x64 PE.
It allows me to select specific drive or folder (convenient for testing) to be scanned
and I get progress information and can select either to have Repair or Report only (preferred for testing).
http://www.mcafee.co...ls/stinger.aspx
It would be nice if Uninfector would have similar kind of user interface,
so that the user can select what will occur (e.g. scan folder and report only) and can see what the program is doing (what drive\folder it is scanning with progress info).
#20
Posted 11 October 2015 - 04:05 PM
Did the uninfector task finish on its own or did you have to kill the process? I'm not sure what would have caused it to hang indefinitely if that is what happened? Currently there is no progress shown and it is run silently in the background. If it removes anything it creates Uninfector.ini and if it finds areas it does not know in its db it makes the Unknown_Uninfector.ini. I will create a simple gui window for the next beta so that it shows progress and info about the drive being scanned and so on.
When you scanned with Mcafee Stinger did it find anything on that drive that Uninfector did not see? If so please post the log to Mcafee Stinger next time. That way I can verify if there is anything I need to add to the db.
#21
Posted 11 October 2015 - 04:19 PM
I had a similar experience to Wimb's.
I booted from Win7PE CD. The host has 2 HDDs with 8 volumes, three of them containing a Windows OS: XP_32, XP_64, Win7_32.
The selection dialog appeared, showing the three systems correctly.
The dialog did not disappear, either after making a choice or after clicking the Abort button.
Taskmanager showed Uninfector running, but no change in memory, cpu load. I did not have the feeling that Uninfector did something reasonable.
After some minutes I killed Uninfector.
Peter
#22
Posted 11 October 2015 - 05:34 PM
Drive E: with installed Windows 10 was on purpose "infected" with folders UEFI_MULTI-85 and VHD_W7C-85 and VHD_W8C-85
These folders were made by running the 7-zip selfextractor of the downloads from reboot.pro forum.
Stinger x64 scans drive E: in 17 min and identifies my programs as Artemis Trojan, which is however a false positive !
Defender of Windows 10 identifies of these 5 files only VHD_W7_Compact.exe as false positive.
By using the taskmgr now I understand better how your program is working.
The OK and Cancel button in the Hive Selection Window have no function (probably not implemented in the code).
When I click the Window Close button X then the program starts running about 1 min
by creating an Uninfector_Unknown.log file as given earlier and then finishes where the Hive Selection Window closes automatically.
Your program scans only registry and no files and that explains the 30 sec scan time ....
It means however that my program folders described above were not scanned by Uninfector
and so the scan results regarding the false positive files cannot be compared yet with Stinger.
Could it be that your program scans only the registry of the running system e.g. PE since the Uninfector_Unknown log files contain services typically related to Win8.1SE PE and Win10PE being used and when my Win10 on E: drive was selected ?
Could it be that your program when used in normal OS scans the registry of the running system and cleans that registry (maybe unwanted) ?
#23
Posted 12 October 2015 - 08:31 AM
OK... it sounds like I have a flaw in the drive selection code. I'll work on fixing that. I was busy all day implementing the Quarantine code. (It was a little more difficult to implement than I originally thought it would be lol!)
Yes it only scans the registry at the moment. It does very little with files. The registry is the most important stuff. Especially from within WinPE. Once the registry items are removed the files can no longer harm the system. For now I recommend running adwcleaner or malwarebytes after my program to clean up the files left behind.
I've also made some code changes to the version I am working on that messes up some portions of the latest definition file that is online when used with the version of Uninfector.exe that is uploaded on the thread here. It has been optimized for the next version I am going to release. I was going to release the current version I have but after reading the latest bug I think I need to code on it a little more tomorrow.
The new version works fine in a running Windows OS. But unless I accidentally fixed the WinPE bug that has been found it won't be of much use in WinPE at the moment.
The new version now Quarantines things on the drive that is scanned... (X:\Uninfector\Quarantine). If anything is Quarantined Uninfector.exe copies itself to X:\Uninfector\Urestore.exe. When Urestore.exe is launched within Windows (Not WinPE) it detects if it sees the Quarantine folder next to it. If it does then it will ask if you would like to restore the Quarantined items back to the system.
Also in the new version it now has a simple GUI that is shown during the scan to show What Drive is being processed, what OS it is scanning, and what areas it is working on.
The new version tends to take about 3 minutes to fully scan.
#24
Posted 12 October 2015 - 08:41 AM
If anyone wants to test the version I wrote today you can get it here:
http://Techware.net/.../Uninfector.exe
Latest Definitions file if you are not using internet is here:
http://Techware.net/.../Uninfector.ini
This version works fine in a running Windows OS. But unless I accidentally fixed the WinPE bug that has been found it won't be of much use in WinPE at the moment.
For tests, when Uninfector is running on a PE made by one of my projects, you can compare your drive detection with %Temp%\hostInfo.ini.
Can you make sure that "always" (during beta phase) the latest uninfector is located at the above link?
Peter
#25
Posted 12 October 2015 - 09:02 AM
I updated the post with the new version. I found a flaw in my code that possibly could have fixed scanning from a WinPE. I'll have more time to test tomorrow. But if anyone gets a chance to test it again before I do that would be great.