
[BETA] Techware Uninfector (Clean Infected areas of PC in WinPE or Windows)


41 replies to this topic

#1 Siginet

Siginet

    Frequent Member

  • .script developer
  • 173 posts
  •  
    United States

Posted 09 October 2015 - 04:41 PM

I have been working on an executable similar to ADWCleaner by Xplode.  
 
The main difference with this program is that it is built with WinPE in mind.
I feel like there are a lot of great virus cleanup programs... but nothing that is actually built for WinPE. So I decided to create my own. I have gathered any virus defs I could find to begin building my definitions. I have also begun adding some of my own findings as well. Currently I have been concentrating on cleaning up the registry, task scheduler, services, shortcuts on desktop and start menu, and so on. Soon I will work on file/folder removal. But for now I feel the file/folder removal can wait until I am satisfied with everything else. Currently I have not implemented any quarantine... so anything removed is permanently removed. But I have not had any issues with any computers I have run this on.
 
I need your help though! The more users I can have to test this the better, since I am limited to what I can see and have access to. Please download the Uninfector.exe and run it on an infected system (preferably within WinPE). Once you have finished please upload your Uninfector.log and Unknown_Uninfector.log here in this thread and let me know how well it seemed to have worked for you.
 
I still suggest running adwcleaner and malwarebytes or any other utilities you normally scan with as well afterwards.  If you can upload those logs for me as well that would be great.
 
Thanks go to anyone who is willing to help with this project!    :thumbsup:
 
When you use this make sure the internet is connected so it can get the latest definitions file! If it doesn't have any defs it won't be able to do much of anything.
If you do not intend to use the internet with Uninfector.exe you can manually download the Uninfector.ini file and place it next to Uninfector.exe
 
The latest Uninfector.ini can be downloaded here:
http://Techware.net/.../Uninfector.ini  (Right click and Save As)
 
I further want to add that this program is digitally signed by my company, Techware Solutions, Inc.
This links my company directly to this file and is a way you can determine that it is the real Uninfector.exe and not a malicious file.
 
List of features I will currently be working on:
*1. Quarantine Removed Items (Added to Version 0.0.7.6).
2. Ask if the user would like to check for program updates automatically at every launch.
3. Ask if the user would like to check for definition updates automatically at every launch.
4. Folder detection and removal.
5. File detection and removal.
6. Browser Extension Files/registry removal and cleanup.
*7. GUI that shows the information being processed. (Added to Version 0.0.7.6).
8. Move the Definitions into a defs file instead of ini.
*9. Fix a bug that causes Uninfector to not scan the correct hive when running within WinPE. (fixed in Version 0.0.7.7)
*10. RegKeys that only had the (Default) Value in it were not being deleted. (Fixed in 0.0.7.8)
 
For Complete Changelog go to the download page.
 
 
Currently I have not created a Plugin or Script file for your WinBuilder Projects. But the Uninfector.exe can simply just be launched within WinPE. It is fully portable.

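The first post says the binary is signed by Techware Solutions, Inc. and that the signature is how to tell the real Uninfector.exe from an impostor. The script below is an added example, not part of Uninfector or this thread, of actually performing that check before launching the file: it validates the Authenticode chain and then compares the signer's subject, since a "Valid" status alone only says that some trusted CA signed it. The subject string "Techware Solutions" is an assumption; the thread does not show the certificate's exact CN, so confirm it once against a known-good copy and pin that string (or, better, the thumbprint).

```powershell
# Added example (not Uninfector's own code): refuse to run Uninfector.exe unless its
# Authenticode signature is valid AND the signer matches the company named in the thread.
# Assumptions: the expected subject contains "Techware Solutions" (exact CN not shown on
# the page); the script runs on a full Windows workstation with a normal certificate store.

$ExePath        = '.\Uninfector.exe'
$ExpectedSigner = 'Techware Solutions'   # assumption, see above; pin the real CN once verified

function Test-UninfectorSignature {
    param([string]$Path, [string]$Signer)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' = file hash matches the signature and the chain builds to a trusted root.
    # 'NotSigned', 'HashMismatch' (tampered) or 'UnknownError' (untrusted chain) all fail here.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is $($sig.Status): $($sig.StatusMessage)"
        return $false
    }

    # A valid chain proves only that *someone* with a CA-issued code-signing cert signed
    # the file; the subject check ties it to the publisher the author claims.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($Signer)) {
        Write-Warning "Signed, but by '$subject', not the expected signer."
        return $false
    }

    # Record exactly which build was run so that uploaded logs can be tied to it.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Write-Host "OK: $Path signed by '$subject'"
    Write-Host "    thumbprint $($sig.SignerCertificate.Thumbprint), SHA256 $hash"
    return $true
}

if (Test-UninfectorSignature -Path $ExePath -Signer $ExpectedSigner) {
    & $ExePath
} else {
    Write-Error "Refusing to run $ExePath"
}
```

Run this on the technician workstation before copying the binary into the PE image rather than inside WinPE: the PE carries a reduced certificate store and usually has no network to fetch intermediates, so chain validation there can fail for a perfectly good signature. A valid signature proves who built the file, not that it is safe, and it says nothing about the plain-text Uninfector.ini that the program downloads at run time; Wonko's request for a manual download URL (and an offline copy next to the exe) is the practical answer to that.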

#2 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 09 October 2015 - 04:55 PM

Congratulations for the idea and the beta realisation.

I would like to help, write a plugin for WinBuilder 20xx.

 

But where to download uninfector.exe?

 

Peter



#3 Siginet

Posted 09 October 2015 - 05:05 PM

Sorry I put a link up there.  For some reason when I attach the zip file the forum isn't adding it to the post.  So I put a link directly to the exe.

 

Thanks!  That would be great if you can make a plugin for me! :D



#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 09 October 2015 - 06:34 PM

Nice. :thumbsup:, BUT:

...

Currently I have been concentrating on cleaning up the registry, task scheduler, services, shortcuts on desktop and start menu, and so on.  Soon I will work on file/folder removal.  But for now I feel the file/folder removal can wait until I am satisfied with everything else.  Currently I have not implemented  any quarantine... so anything removed is permanently removed. But I have not had any issues with any computers I have ran this on.

I need your help though!  The more users I can have to test this the better.  

 

I am not sure :unsure: it is such a good idea to test "blindly" something for which no "way back" is provided.

 

And SURELY I won't run something that automagically connects to the internet to download "definitions", IMHO it would be a good idea if besides the *whatever* automagical provision you have in the executable you could publish an URL from which to download manually such "definitions".

Usually (at least here) cleaning a system is done with the PC disconnected from the internet, one could download definitions before and outside the actual "cleaning session".

 

As a side note (unless you did it so on purpose) the

http://techware.net/Data/

is currently an "open directory", still IMHO not the best of the setups.

 

Queer behaviour about the .zip file: I zipped your .exe and attached it to this post, seemingly. :dubbio:

 

:duff:

Wonko

 

P.S.: As another side-side note, at first sight the contents of _update-maint.txt seem to me like the thingy will download and install quite a few programs? :w00t: :ph34r:



#5 Siginet

Posted 09 October 2015 - 07:18 PM

The directory I uploaded Uninfector.exe to is a list of many programs I use with another program of mine that provides maintenance. update-maint.txt has nothing to do with Uninfector.exe. Uninfector.exe only downloads Uninfector.ini, which is a text file with definitions, which all antivirus programs do. ;) Of course... you can download the Uninfector.ini manually and place it next to Uninfector.exe if you do not have internet, and it should automatically use it if it does not have an internet connection. But I haven't tested that feature yet. Since it is beta... I much rather need to ensure that users have the latest defs at all times. When fighting viruses it's always best to have the latest version of the defs and the program itself. I hope I have at least proven in the years past, with the numerous programs I have shared with everyone, that I'm not gonna download anything malicious to their computer.

 

It is beta.  So the program is not finished. But it is already very useful.

 

I went ahead and attached the zip to the top post.  I figured out why it wasn't attaching. ;-)  I was selecting my file then clicking post without clicking the attach file button first.



#6 Siginet

Posted 09 October 2015 - 08:32 PM

At the request of Wonko I'm gonna work on the Quarantine functionality today. ;)  It shouldn't be very difficult to implement and it would come in handy for testing purposes.  Thanks for the feedback Wonko!!



#7 Wonko the Sane

Posted 10 October 2015 - 09:08 AM

I hope I have at least proven in the years past with the numerous programs I have shared with everyone that I'm not gonna download anything malicious to their computer. 

 

Sure you have proved over the years you are a good guy :).

But still that doesn't mean that is a good idea to automagically connect and download anything.

 

Since you managed to attach the file to your post, I will remove the copy from mine so that people won't be confused by the two downloads and you will have a chance to replace the file with updated version.

 

:duff:

Wonko



#8 pscEx

Posted 10 October 2015 - 09:29 AM

Just a technical question:

 

When the program is started from WINPE, which volume(s) is/are checked? Is there a startup switch to define it?

Additional: usually the drive letters WINPE sees are different from the "live" system.

 

I'm working on writing the plugin, but I'll not test the program working, until I'm sure that it will work ONLY on the volume I want.
Currently I have no additional drive to make a complete HDDs backup.

 

Peter



#9 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 10 October 2015 - 09:29 AM

Hello,

 

This looks very good, but can I ask you to upload the file using the form at http://reboot.pro/in...ction=submit&c=

 

This way it creates a post on the downloads section here, and the same time makes your tool available through the download section where more people can discover it exists.

 

:cheers:



#10 pscEx

Posted 10 October 2015 - 03:45 PM

I wrote a Uninfector plugin for WinBuilder Win7PE.

Currently Uninfector.exe from the first post is attached to the plugin, because WinBuilder cannot (yet) download from URLs like

http://reboot.pro/index.php?app=core&module=attach&section=attach&attach_id=15744

I started Win7PE in VirtualBox and run Uninfector.

 

There was nothing visible, but for about a minute I saw Uninfector in the task manager with 99% CPU load.

 

A file Uninfector_Unknown.log was created, containing:

 

 

[Suspicious Areas]
FOUND - AppInit_DLLs=SPEHook.dll

[Unknown-> Services]
FBWF=ignore
Ramdisk=ignore
sacdrv=ignore
sacsvr=ignore
WimFsf=ignore

 

I could not detect a connection to the internet, and also did not find a Uninfector.ini file in the application directory.

 

Peter



#11 Siginet

Posted 10 October 2015 - 03:47 PM

Actually it auto-finds the Windows registry files for you. First it checks if it is running in WinPE or Windows. Then it checks if there are multiple drives with hives. If it finds multiple drives it asks which drive you want to use. If it only finds one valid Windows hive then it automatically uses that hive. It never scans the WinPE hive except to detect if it is running in WinPE.

Also... if it is launched in windows and it detects any other partitions with a windows hive it will also ask which drive you want to scan. So it will also be useful for those of us who like to pull a customers drive out and plug it into our own workstation to scan it. ;-)

I want it to be as universal as possible.

As requested by Wonko I will also give users the capability to select whether they want Uninfector.exe to auto-update itself, as well as whether they want to allow it to auto-update its defs. ;-) Eventually I also want to have an option to auto-submit suspicious areas to a database I'll build online, for those who would like to help build a database for cleaning up systems.

I am almost finished implementing the quarantine system. For now Quarantine will just be restore all until I find time to build a guide to allow users to select what they want to restore. But users could also easily remove files from the Quarantine folder if they know they do not want to restore them.
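Peter's question is which volume gets scanned, and the answer above is that the tool locates the Windows hives itself and only ever touches the WinPE hive to detect that it is running in PE. The script below is an added PowerShell example of that procedure, not Uninfector's code: detect WinPE, enumerate the volumes that hold an offline SOFTWARE hive, skip the OS you booted from, load the chosen hive under a temporary key and read AppInit_DLLs from it. It assumes the PE includes the WinPE-PowerShell optional component and that it runs with the backup/restore privileges reg.exe load needs (SYSTEM in WinPE, an elevated shell on a workstation); the mount name Offline_SOFTWARE is the example's own.

```powershell
# Added example, not Uninfector's implementation: scan the OFFLINE hive of a chosen
# Windows installation instead of the hive of the OS that is currently running.
# Assumptions: WinPE-PowerShell is present; reg.exe load may be run (admin/SYSTEM);
# the mount point 'Offline_SOFTWARE' is free.

function Test-IsWinPE {
    # WinPE marks itself with this key; a regular Windows installation does not have it.
    return (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNT')
}

function Find-WindowsInstalls {
    # X: when booted into WinPE, normally C: on a technician workstation. Either way it
    # is the OS we are running from and must not be scanned (Peter's "ONLY the volume I want").
    $self = $env:SystemDrive
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $root     = "$($d.Name):"
        $software = Join-Path $root 'Windows\System32\config\SOFTWARE'
        if ($root -ne $self -and (Test-Path -LiteralPath $software)) {
            [pscustomobject]@{
                Drive        = $root
                SoftwareHive = $software
                SystemHive   = Join-Path $root 'Windows\System32\config\SYSTEM'
            }
        }
    }
}

function Get-OfflineAppInitDlls {
    param([Parameter(Mandatory)][string]$SoftwareHive)

    $mount = 'HKLM\Offline_SOFTWARE'
    & reg.exe load $mount $SoftwareHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $SoftwareHive" }

    try {
        # On 64-bit Windows the loader reads both the native key and the WOW64 view.
        $views = @(
            'Microsoft\Windows NT\CurrentVersion\Windows',
            'Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
        )
        foreach ($view in $views) {
            # Every read goes through the mount point, never through HKLM:\SOFTWARE
            # (which would be the live PE hive: the bug behind SPEHook.dll in Peter's log).
            $key = "HKLM:\Offline_SOFTWARE\$view"
            if (Test-Path -LiteralPath $key) {
                $p = Get-ItemProperty -LiteralPath $key
                [pscustomobject]@{
                    View             = $view
                    AppInit_DLLs     = $p.AppInit_DLLs
                    # 0 = loader ignores the list; Windows 8+ also disables AppInit_DLLs
                    # entirely when Secure Boot is on, so an entry is not proof of execution.
                    LoadAppInit_DLLs = $p.LoadAppInit_DLLs
                }
            }
        }
    } finally {
        # Release handles held by the provider first, or reg unload fails with access denied.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload $mount | Out-Null
    }
}

# --- usage ---
"Running in WinPE: $(Test-IsWinPE)"
$installs = @(Find-WindowsInstalls)
if ($installs.Count -eq 0) { throw 'No offline Windows installation found.' }

$target = $installs[0]
if ($installs.Count -gt 1) {
    for ($i = 0; $i -lt $installs.Count; $i++) { "[$i] $($installs[$i].Drive)" }
    $target = $installs[[int](Read-Host 'Select the installation to scan')]
}

"Scanning $($target.Drive)"
Get-OfflineAppInitDlls -SoftwareHive $target.SoftwareHive | Format-Table -AutoSize
```

The same pattern (load under a temporary name, read only through that name, unload in a finally block) applies to the SYSTEM hive for services and to each NTUSER.DAT for per-user Run keys. Two caveats for testing: a hive from a machine that was hibernated or shut down with fast startup may not match what Windows sees on resume, so have the box shut down fully before booting the PE; and when only the PE itself is present, as in Peter's VM test, Find-WindowsInstalls correctly returns nothing, which is why testing against the PE's own hive needs an explicit override rather than a fallback to X:.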

#12 pscEx

Posted 10 October 2015 - 03:52 PM

:thumbsup:

 

Peter



#13 Siginet

Posted 10 October 2015 - 04:02 PM

Ok. When I finish this next version I'll go ahead and do that. ;-)

Thanks

#14 Siginet

Posted 10 October 2015 - 04:08 PM

Uninfector currently runs silently and takes about a minute to scan and remove anything it finds. ;-) once completed it creates an Uninfector.log if it removes anything and it creates an Unknown_Uninfector.log if it finds areas unknown to its database.

When it is launched it downloads Uninfector.ini into the %temp% directory and uses it there. If it has no internet connection it checks if an Uninfector.ini file exists in the same folder Uninfector.exe is launched from. If it finds one it copies it to %temp% and uses it. :-)

#15 Siginet

Posted 10 October 2015 - 04:12 PM

On this same computer... if you launch adwcleaner or malwarebytes within windows does it find anything to remove? If so can you post those logs for me?

Thanks for creating the WinBuilder plugin. ;-) I'll implement auto updating capabilities soon and maybe you can update the plugin so people have an option to turn those features on or off when they compile it?

#16 Siginet

Posted 10 October 2015 - 04:16 PM

I think my code for AppInit checking is accidentally checking your winpe hive. I'll fix that in the next release. It's possible my auto detection of the windows drive is flawed too. Because it looks like the services it is showing are winpe services too.

Thanks for the test. ;-) it gives me something to fix. Lol.

#17 Siginet

Posted 10 October 2015 - 04:22 PM

I need to find a good source for purposely infecting my computer so I can test it better in WinPE. I have plenty of computers I can test remotely in regular Windows systems, since I remotely work on a bunch of computers. But currently I don't have physical access to PCs I can boot into WinPE to test on. So the more people here who are willing to test and post logs, the quicker I can get this program working perfectly. ;-)

#18 pscEx

Posted 10 October 2015 - 05:03 PM

@Siginet:

 

Common reply to your last posts, w/o quoting single items.

 

First: Have in mind, that I tested the PE in a VM, so the PE was the only OS!

 

%TEMP%: Uninfector.ini was there during run of Uninfector.exe. After that it was deleted >> everything is ok with internet access, download etc.

hostInfo.ini:

[PEInfo]
System32=X:\windows\system32\
Version=6.1
HiveSystem=X:\windows\system32\config\system
HiveSoftware=X:\windows\system32\config\software
HiveUser=X:\windows\system32\config\default

[HostInfo]
HiveSystem_1=X:\Windows\System32\config\system
HiveSoftware_1=X:\Windows\System32\config\software
HiveUser_1=X:\Windows\System32\config\default
System32_1=X:\Windows\System32\
Version_1=6.1
IsSystem_1=1
hostCount=1

When running in a VM, Uninfector should not ignore WinPE. So you have an easy possibility to test: Just infect your running PE! In every case there is no danger to damage the actual PC's OS.

 

If you need, I have (in Delphi) a module, which lets the running app detect whether it runs live or in a VM. But I think that HostCount = 1 is sufficient.

 

Customisation:

WinBuilder offers a CONFIG task, where you can define some properties for the plugin:

Attached File  Uninfect.gif   15.57KB   0 downloads

Here download options etc can be added.

 

Peter



#19 wimb

wimb

    Platinum Member

  • Developer
  • 3756 posts
  • Interests:Boot and Install from USB
  •  
    Netherlands

Posted 11 October 2015 - 06:54 AM

Attached File  Uninfector2015-10-11_083153.png   526.11KB   0 downloads

 

I tried Uninfector in Win8.1SE x64 and x86 and in Win10PE SE x64 on my computer, which has two drives C: and E: with installed Windows 10 x64.

I am able to select the hive on the E: drive that I would like to test.

But then on pressing OK, nothing seems to happen and the situation is frozen as in the attached screenshot.

After waiting quite some time, I tried to Cancel but it was still frozen, and then after Close the dialogue finally disappears ...

I guess this is then the relevant log file .....

 

Attached File  Uninfector_Unknown.7z   300bytes   6 downloads

 

I tried also Stinger x64 of McAfee, which works quite well in x64 PE.

It allows me to select specific drive or folder (convenient for testing) to be scanned

and I get progress information and can select either to have Repair or Report only (preferred for testing).

http://www.mcafee.co...ls/stinger.aspx

 

It would be nice if Uninfector would have similar kind of user interface,

so that the user can select what will occur (e.g. scan folder and report only) and can see what the program is doing (what drive\folder it is scanning with progress info).



#20 Siginet

Posted 11 October 2015 - 04:05 PM

Did the Uninfector task finish on its own or did you have to kill the process? I'm not sure what would have caused it to hang indefinitely, if that is what happened. Currently there is no progress shown and it is run silently in the background. If it removes anything it creates Uninfector.ini and if it finds areas it does not know in its db it makes the Unknown_Uninfector.ini. I will create a simple GUI window for the next beta so that it shows progress and info about the drive being scanned and so on.

 

When you scanned with Mcafee Stinger did it find anything on that drive that Uninfector did not see? If so please post the log to Mcafee Stinger next time. That way I can verify if there is anything I need to add to the db.



#21 pscEx

Posted 11 October 2015 - 04:19 PM

I had a similar experience to wimb's.

 

I booted from Win7PE CD. The host has 2 HDDs with 8 volumes, three of them containing a Windows OS: XP_32, XP_64, Win7_32.

 

The selection dialog appeared, showing the three systems correctly.

 

The dialog did not disappear neither after making a choice, nor after clicking the Abort button.

 

Taskmanager showed Uninfector running, but no change in memory, cpu load. I did not have the feeling that Uninfector did something reasonable.

 

After some minutes I killed Uninfector.

 

Peter



#22 wimb

Posted 11 October 2015 - 05:34 PM

Attached File  Stinger_x64-2015-10-11_190212.png   518.46KB   1 downloads

 

Attached File  Stinger_11102015_183749.html   1.33KB   3 downloads

 

Drive E: with installed Windows 10 was on purpose "infected" with folders UEFI_MULTI-85 and VHD_W7C-85 and VHD_W8C-85

These folders were made by running the 7-zip selfextractor of the downloads from reboot.pro forum.

Stinger x64 scans drive E: in 17 min and identifies my programs as Artemis Trojan, which is however a false positive !

Defender on Windows 10 identifies only VHD_W7_Compact.exe of these 5 files as a false positive.

 

By using the taskmgr now I understand better how your program is working.

The OK and Cancel buttons in the Hive Selection Window have no function (probably not implemented in the code).

When I click the window Close button X, the program starts running for about 1 min,

creating an Uninfector_Unknown.log file as given earlier, and then finishes, at which point the Hive Selection Window closes automatically.

 

Your program scans only registry and no files and that explains the 30 sec scantime ....

It means however that my program folders described above were not scanned by Uninfector

and so the scan results regarding the false positive files cannot be compared yet with Stinger.

 

Could it be that your program scans only the registry of the running system, e.g. the PE, since the Uninfector_Unknown log files contain services typically related to the Win8.1SE PE and Win10PE being used, even when my Win10 on the E: drive was selected?

Attached File  Uninfector_UnknownLog.7z   425bytes   3 downloads

 

Could it be that your program when used in normal OS scans the registry of the running system and cleans that registry (maybe unwanted) ?

 

:cheers:



#23 Siginet

Posted 12 October 2015 - 08:31 AM

OK... it sounds like I have a flaw in the drive selection code. I'll work on fixing that. I was busy all day implementing the Quarantine code. (It was a little more difficult to implement than I originally thought it would be, lol!)

 

Yes it only scans the registry at the moment.  It does very little with files.  The registry is the most important stuff. Especially from within WinPE. Once the registry items are removed the files can no longer harm the system.  For now I recommend running adwcleaner or malwarebytes after my program to clean up the files left behind.  

 

I've also made some code changes to the version I am working on that messes up some portions of the latest definition file that is online when used with the version of Uninfector.exe that is uploaded on the thread here. It has been optimized for the next version I am going to release.  I was going to release the current version I have but after reading the latest bug I think I need to code on it a little more tomorrow.

 

The new version works fine in a running Windows OS. But unless I accidentally fixed the WinPE bug that has been found it won't be of much use in WinPE at the moment. ;)

 

The new version now quarantines things on the drive that is scanned... (X:\Uninfector\Quarantine). If anything is quarantined, Uninfector.exe copies itself to X:\Uninfector\Urestore.exe. When Urestore.exe is launched within Windows (not WinPE) it detects if it sees the Quarantine folder next to it. If it does then it will ask if you would like to restore the quarantined items back to the system.

 

Also in the new version it now has a simple GUI that is shown during the scan to show What Drive is being processed, what OS it is scanning, and what areas it is working on.

 

The new version tends to take about 3 minutes to fully scan.
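The post above describes quarantine as copying removed items into a Quarantine folder on the scanned drive and restoring them later from a booted Windows through Urestore.exe. The functions below are an added example of one way to do that for registry values, not Uninfector's implementation: each value is written to a JSON record before it is deleted, with the key path rewritten from the offline mount point to where the same key lives in a running system, and restore replays the records. The mount name Offline_SOFTWARE, the record layout and the function names are this example's assumptions; the folder location follows the post.

```powershell
# Added example, not Uninfector's own quarantine code: write a registry value to a
# quarantine record BEFORE deleting it, and restore it from that record later.
# Assumptions: the offline SOFTWARE hive is mounted at HKLM:\Offline_SOFTWARE while
# scanning; restore runs inside the booted Windows, where that key is HKLM:\SOFTWARE.

function Backup-RegistryValue {
    param(
        [Parameter(Mandatory)][string]$KeyPath,       # e.g. HKLM:\Offline_SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][string]$QuarantineDir, # e.g. E:\Uninfector\Quarantine (on the scanned drive)
        [string]$MountPrefix = 'HKLM:\Offline_SOFTWARE',
        [string]$LivePrefix  = 'HKLM:\SOFTWARE'
    )
    $key  = Get-Item -LiteralPath $KeyPath
    $kind = $key.GetValueKind($ValueName).ToString()
    # Keep %VAR% literal in REG_EXPAND_SZ so the restored value is byte-for-byte the original.
    $raw  = $key.GetValue($ValueName, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    $data = switch ($kind) {
        'Binary'      { [Convert]::ToBase64String([byte[]]$raw) }   # JSON cannot carry raw bytes
        'MultiString' { [string[]]$raw }
        default       { $raw }                                       # String, ExpandString, DWord, QWord
    }
    $record = [pscustomobject]@{
        LiveKey   = $KeyPath -replace [regex]::Escape($MountPrefix), $LivePrefix
        ValueName = $ValueName
        Kind      = $kind
        Data      = $data
        Removed   = (Get-Date).ToString('o')
    }
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    $file = Join-Path $QuarantineDir ('{0:yyyyMMdd-HHmmss}-{1}.json' -f (Get-Date), [guid]::NewGuid())
    $record | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $file -Encoding UTF8
    # Only now, with the record safely on disk, remove the value (the "way back" Wonko asked for).
    Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName
    return $file
}

function Restore-QuarantinedValues {
    param([Parameter(Mandatory)][string]$QuarantineDir)
    Get-ChildItem -LiteralPath $QuarantineDir -Filter '*.json' | ForEach-Object {
        $r = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json
        $value = switch ($r.Kind) {
            'Binary'      { [Convert]::FromBase64String($r.Data) }
            'MultiString' { [string[]]$r.Data }
            default       { $r.Data }
        }
        if (-not (Test-Path -LiteralPath $r.LiveKey)) { New-Item -Path $r.LiveKey -Force | Out-Null }
        New-ItemProperty -LiteralPath $r.LiveKey -Name $r.ValueName -PropertyType $r.Kind -Value $value -Force | Out-Null
        # Mark the record consumed rather than deleting it, so a restore is itself reversible.
        Rename-Item -LiteralPath $_.FullName -NewName ($_.Name + '.restored')
        "$($r.LiveKey)\$($r.ValueName) restored"
    }
}

# --- usage (scan phase, offline hive mounted; target key and value are illustrative) ---
# Backup-RegistryValue -KeyPath 'HKLM:\Offline_SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
#                      -ValueName 'SuspiciousEntry' -QuarantineDir 'E:\Uninfector\Quarantine'
# --- usage (restore phase, from the booted Windows, as the author intends for Urestore.exe) ---
# Restore-QuarantinedValues -QuarantineDir 'C:\Uninfector\Quarantine'
```

When scanning a live system rather than a mounted hive, pass the same string for -MountPrefix and -LivePrefix so the path is left unchanged. A record per value is enough for Run entries and AppInit_DLLs, but whole keys (a service's key and its subkeys, with their ACLs) are better saved with reg.exe export into the same folder before deletion; the JSON layout here deliberately does not try to capture subkeys.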



#24 pscEx

Posted 12 October 2015 - 08:41 AM

OK... it sounds like I have a flaw in the drive selection code. I'll work on fixing that tomorrow. I was busy all day implementing the Quarantine code. (It was a little more difficult to implement than I originally thought it would be, lol!)
 
Yes it only scans the registry at the moment.  It does very little with files.  The registry is the most important stuff. Especially from within WinPE. Once the registry items are removed the files can no longer harm the system.  For now I recommend running adwcleaner or malwarebytes after my program to clean up the files left behind.  
 
I've also made some code changes to the version I am working on that messes up some portions of the latest definition file that is online when used with the version of Uninfector.exe that is uploaded on the thread here. It has been optimized for the next version I am going to release.  I was going to release the current version I have but after reading the latest bug I think I need to code on it a little more tomorrow.
 
If anyone wants to test the version I wrote today you can get it here:
http://Techware.net/.../Uninfector.exe
 
Latest Definitions file if you are not using internet is here:
http://Techware.net/.../Uninfector.ini
 
This version works fine in a running Windows OS. But unless I accidentally fixed the WinPE bug that has been found it won't be of much use in WinPE at the moment. ;)

For tests, when Uninfector is running on a PE made by one of my projects, you can compare your drive detection with %Temp%\hostInfo.ini.
 


 
Can you make sure that "always" (during beta phase) the latest uninfector is located at the above link?
 
Peter



#25 Siginet

Posted 12 October 2015 - 09:02 AM


I updated the post with the new version.  I found a flaw in my code that possibly could have fixed scanning from a WinPE.  I'll have more time to test tomorrow.  But if anyone gets a chance to test it again before I do that would be great. :D





