
[BETA] Techware Uninfector (Clean Infected areas of PC in WinPE or Windows)


41 replies to this topic

#26 wimb

wimb

    Gold Member

  • Developer
  • 2281 posts
  •  
    Netherlands

Posted 12 October 2015 - 01:05 PM

I tried version 0.0.7.6 in 10 x64 PE and in 8 x64 PE and in 8 x86 PE and in 10 x64 OS but without success  :ph34r:

 

The Hive Selection Window appears, but the OK button does not work .... :( and a log file is NOT made ....

Now the Cancel and Close X button work and Exit the program, so that is an improvement ....

 

If you have PE in mind for your app, then it should certainly be 64-bits whereas now it is 32-bits  :huh:

The most compatible PE for BIOS + UEFI is Win8.1SE x64, which has limited 32-bit support.

 

The 8 or 10 x64 PE of Microsoft have no 32-bits and no GUI support at all  :suda:



#27 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 12 October 2015 - 04:01 PM

I tried version 0.0.7.6 in 10 x64 PE and in 8 x64 PE and in 8 x86 PE and in 10 x64 OS but without success  :ph34r:

 

The Hive Selection Window appears, but the OK button does not work .... :( and a log file is NOT made ....

Now the Cancel and Close X button work and Exit the program, so that is an improvement ....

 

If you have PE in mind for your app, then it should certainly be 64-bits whereas now it is 32-bits  :huh:

The most compatible PE for BIOS + UEFI is Win8.1SE x64, which has limited 32-bit support.

 

The 8 or 10 x64 PE of Microsoft have no 32-bits and no GUI support at all  :suda:

Yeah I do plan on making a 64bit version of it.  But for now I plan to stick with 32 bit. Once I finish the 32 bit version I plan to start beta testing a 64 bit version.   I don't think it will be very difficult since the program doesn't actually do very much in the WinPE registry anyways and concentrates more on the offline os.  So it should be pretty simple.  I have a feeling it may be a pain to port a 64bit version over for windows though. So if it is a pain... I will only release a 64 bit version for WinPE.

 

Thanks for confirming the WinPE test for me.  I'll be working on fixing the issue today.



#28 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 12 October 2015 - 07:23 PM

OK... My first WinPE test for the day went smooth.  I tested with booting up into WinPE on my laptop and scanning my OS.  I also had my code open in WinPE so I could see that it was scanning the correct Registry Hives.  It was scanning the correct drive and Registry.  So there is no issue when scanning a system in WinPE when there is only 1 drive with a Windows OS on it.  Uninfector.exe will auto recognize the 1 Windows System and load it for you. You do not have to select it.

 

For my next test I am going to grab a hard drive out of one of my old laptops and connect it with an external usb so that I will have 2 visible Windows Systems.  This will force Uninfector.exe to show me the selection screen which sounds like the issue Wimb has talked about.  Visually in the code I don't see where there would be an issue.  But once I boot up with 2 windows systems I should easily be able to find the problem.  I'm sure it's something very simple, since having 1 windows os worked very smoothly. ;)

 

On a side note... during the IFEO scanning portion it is normal to see filenames you recognize.  Since this is an area you do not want valid apps to be found.  IFEO is an area Viruses like to use to take over for valid executables.  So when you see ZoneAlarm in the progress window and you have zonealarm installed in your WinPE... do not be alarmed because it is not scanning the WinPE registry at this time... it is showing files listed in the Defs file.
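
An added example, not part of the original post and not Uninfector's own code: the IFEO check described above, run over a `.reg` export of an offline SOFTWARE hive, flagging every subkey that sets a `Debugger` value and noting whether the image name appears in a definitions list. The mount name `OFFLINE_SW`, the `DEFS` set and all sample paths are constructed assumptions; the real Uninfector.ini format is not shown in this thread.

```python
import re

IFEO = r"\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
DEFS = {"zonealarm.exe", "avp.exe"}  # constructed stand-in for a definitions list

# Constructed sample: .reg export of an offline SOFTWARE hive loaded under the
# hypothetical mount name HKLM\OFFLINE_SW (paths and values are made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe]
"Debugger"="C:\\Users\\Public\\placeholder.exe"

[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp.exe\""

[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

def unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[unescape(m[1])] = m[2]
    return keys

def ifeo_findings(text, defs=DEFS):
    """List (image, debugger, in_defs) for IFEO subkeys that set a Debugger."""
    findings = []
    for key, values in parse_reg(text).items():
        parent, _, image = key.rpartition("\\")
        if not parent.lower().endswith(IFEO.lower()):  # also matches Wow6432Node
            continue
        for name, raw in values.items():
            if name.lower() == "debugger" and raw.startswith('"'):
                findings.append((image, unescape(raw[1:-1]), image.lower() in defs))
    return findings

if __name__ == "__main__":
    for image, debugger, known in ifeo_findings(SAMPLE_REG):
        print(f"{image}: Debugger={debugger} in_defs={known}")
```

A `Debugger` value is not always hostile (the `taskmgr.exe` entry in the sample mimics a task manager replacement), so findings outside the definitions list need review before anything is quarantined.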



#29 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 12 October 2015 - 07:34 PM

OK... it sounds like I have a flaw in the drive selection code.  I'll work on fixing that.  I was busy all day implementing the Quarantine code.  (It was a little more difficult to implement than I originally thought it would be lol!)  

 

Yes it only scans the registry at the moment.  It does very little with files.  The registry is the most important stuff. Especially from within WinPE. Once the registry items are removed the files can no longer harm the system.  For now I recommend running adwcleaner or malwarebytes after my program to clean up the files left behind.  

 

I've also made some code changes to the version I am working on that messes up some portions of the latest definition file that is online when used with the version of Uninfector.exe that is uploaded on the thread here. It has been optimized for the next version I am going to release.  I was going to release the current version I have but after reading the latest bug I think I need to code on it a little more tomorrow.

 

The new version works fine in a running Windows OS. But unless I accidentally fixed the WinPE bug that has been found it won't be of much use in WinPE at the moment. ;)

 

The new version now Quarantines things on the drive that is scanned... (X:\Uninfector\Quarantine). If anything is Quarantined Uninfector.exe copies itself to X:\Uninfector\Urestore.exe.  When Urestore.exe is launched within Windows (Not WinPE) it detects if it sees the Quarantine folder next to it.  If it does then it will ask if you would like to restore the Quarantined items back to the system.

 

Also in the new version it now has a simple GUI that is shown during the scan to show What Drive is being processed, what OS it is scanning, and what areas it is working on.

 

The new version tends to take about 3 minutes to fully scan.

Does McAfee Stinger only scan for files?  Or does it load registry hives?  Cause the log you posted for stinger is only showing False Positives on files.  I'm not seeing anything found in the registry.

 

I suggest that you get a Digital Signature for your executables.  It will help with avoiding most false positives. ;)  Tucows has the best price I have found for them.  They only tend to charge about $75 per year which is pretty good.

https://author.tucow...36&software_id=



#30 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 12 October 2015 - 08:04 PM

Haha!  I found the culprit that was causing the selection OK button not to function when multiple windows OS's are found.

 

All it was was that I had a Variable setup as a Global variable... but in the Function for the OK button I also had that variable setup as a Local variable.  Of course the Local variable took over and caused the global variable to fail.  Which meant the OK button never updated the variable to tell it to close the selection window and never begin the scan. ;)

 

I'll upload the fixed version in a few minutes.

 

Thanks a lot for testing guys!!  Now we can really start testing in WinPE. ;)


  • wimb likes this

#31 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 12 October 2015 - 08:15 PM

Latest Version attached. ;)



#32 wimb

wimb

    Gold Member

  • Developer
  • 2281 posts
  •  
    Netherlands

Posted 13 October 2015 - 05:11 AM

Ok, Uninfector is working now !  :cheerleader:

 

After booting with 10 x64 PE then my two W10 OS on drive E:(fresh installed by me) and C:(Upgrade from Win8.1 installed by Medion)

were scanned by Uninfector giving Log files as in attachment. (for security OneDrive number was replaced by xx.x.xxxx.xxxx).

 

Attached File  UnLogWimb.7z   718bytes   1 downloads

 

I need a simple and harmless way to "infect" my registry. Maybe you have some .reg file that I can use for testing.

 

According to Settings, Stinger scans for Processes, Registry and BootSectors.

 

:cheers:



#33 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 13 October 2015 - 05:14 AM

Hello,

 

This looks very good, but can I ask you to upload the file using the form at http://reboot.pro/in...ction=submit&c=

 

This way it creates a post on the downloads section here, and the same time makes your tool available through the download section where more people can discover it exists.

 

:cheers:

I had to use a different link to submit. For some reason that link I created was only visible to me. But the link wimb sent me worked.  ;)

 

Is it possible to merge the relevant info from this thread into the support topic for that download?

http://reboot.pro/to...are-uninfector/

 

Thanks!



#34 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 13 October 2015 - 05:37 AM

Ok, Uninfector is working now !  :cheerleader:

 

After booting with 10 x64 PE then my two W10 OS on drive E:(fresh installed by me) and C:(Upgrade from Win8.1 installed by Medion)

were scanned by Uninfector giving Log files as in attachment. (for security OneDrive number was replaced by xx.x.xxxx.xxxx).

 

Attached File  UnLogWimb.7z

 

I need a simple and harmless way to "infect" my registry. Maybe you have some .reg file that I can use for testing.

 

According to Settings, Stinger scans for Processes, Registry and BootSectors.

 

:cheers:

Thanks for verifying Wimb!  I'm glad we got that fixed. :)

 

I'll put together a harmless reg file I can share.  That's a great idea!  

 

I'm curious.... you say Stinger scans for Processes... but Processes would not be running within WinPE.  I haven't found any info that it actually scans the remote registry in WinPE yet.  I see that it says it can run in winpe... but does it actually load the registry hives of the offline system?  If so it's definitely a tool I will start recommending users to scan with in winpe after Uninfector to see what its log finds that Uninfector does not so that I can add items to my database as well. :)  

 

I hope to learn how to scan for rootkits as well so I can have Uninfector scan for them someday. ;)  I'm pretty impressed with the registry cleanup of Uninfector at this time.  It seems to work very well. I hope to begin adding File/Folder cleanup soon.


  • wimb likes this

#35 wimb

wimb

    Gold Member

  • Developer
  • 2281 posts
  •  
    Netherlands

Posted 13 October 2015 - 05:37 AM

I submitted the latest version at the link you gave me and Updated this thread with a link to there for download. ;)

 

 

Link is giving Error.

 

Use procedure as for your DriverGrabber.

Go to http://reboot.pro/fi...tegory/2-tools/ and use Upload File button.

After Upload then Support topic is auto made in section Groups > Project forge



#36 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 13 October 2015 - 05:47 AM

Link is giving Error.

 

Use procedure as for your DriverGrabber.

Go to http://reboot.pro/fi...tegory/2-tools/ and use Upload File button.

After Upload then Support topic is auto made in section Groups > Project forge

That's odd.  For some reason the link Nuno sent me I can only find my Download if I am logged in.  

I'll try using the link you sent as well. Then we can delete the non working one.

 

Update: The new link should be working:

http://reboot.pro/fi...are-uninfector/

 

I'm not sure what was different.



#37 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 13 October 2015 - 06:10 AM

I wrote a Uninfector plugin for WinBuilder Win7PE.

Currently Uninfector.exe from the first post is attached to the plugin, because WinBuilder cannot (yet) download from URLs like

http://reboot.pro/index.php?app=core&module=attach&section=attach&attach_id=15744

I started Win7PE in VirtualBox and ran Uninfector.

 

There was nothing visible, but for about a minute I saw Uninfector in the task manager with 99% CPU load.

 

A file Uninfector_Unknown.log was created, containing:

 

 

I could not detect a connection to the internet, and also did not find a Uninfector.ini file in the application directory.

 

Peter

What type of links can Winbuilder download the latest version from?  I have my own hosting.  So I can go ahead and make sure it's uploaded at a working link for the plugin. ;)

 

The latest version can always be downloaded here for the time being:

http://Techware.net/.../Uninfector.exe

 

And Definitions:

http://Techware.net/.../Uninfector.ini



#38 wimb

wimb

    Gold Member

  • Developer
  • 2281 posts
  •  
    Netherlands

Posted 13 October 2015 - 06:34 AM

Update: The new link should be working:

http://reboot.pro/fi...are-uninfector/

 

 

Download Link is working now OK and Support Topic for Techware Uninfector is created in Groups > Security  :thumbsup:

 

I have no indication that Stinger is actually loading hives to scan registry, although it claims scanning registry according to Settings.

 

Your program is a very nice and fast way to clean the registry   :thumbsup:

Test Infections of the registry can help to compare the different cleaners for their capacity to detect and clean infections.



#39 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12686 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 13 October 2015 - 07:54 AM

What type of links can Winbuilder download the latest version from?  I have my own hosting.  So I can go ahead and make sure it's uploaded at a working link for the plugin. ;)

 

The latest version can always be downloaded here for the time being:

http://Techware.net/.../Uninfector.exe

 

And Definitions:

http://Techware.net/.../Uninfector.ini

The external link is ok. But I have some timing issues. The .exe is not yet completely downloaded when winbuilder is starting to copy it. Can you offer uninfector.zip?

 

Peter



#40 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 13 October 2015 - 08:35 AM

How about this:

http://techware.net/...eUninfector.zip

 

I'll upload the same zip file I submit on the forums to this location specifically for the plugin. ;)



#41 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12686 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 13 October 2015 - 09:06 AM

How about this:

http://techware.net/...eUninfector.zip

 

I'll upload the same zip file I submit on the forums to this location specifically for the plugin. ;)

This double work is no longer necessary.

I managed to download from reboot.pro from inside the plugin.

 

Peter



#42 Siginet

Siginet

    Frequent Member

  • .script developer
  • 154 posts
  •  
    United States

Posted 13 October 2015 - 11:04 AM

This double work is no longer necessary.

I managed to download from reboot.pro from inside the plugin.

 

Peter

Awesome that sounds great! Thanks Peter!!  :good:





