Topic: [BETA] Techware Uninfector (Clean Infected areas of PC in WinPE or Windows)  (Read 8624 times)


Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
This program is intended to be a universally portable Virus removal tool.
Clean up infected areas of Windows from within WinPE or in a live Windows system.

I have been working on an executable similar to ADWCleaner by Xplode.

The main difference with this program is that it is built with WinPE in mind.
I feel like there are a lot of great Virus Cleanup programs... but nothing that is actually built for WinPE. So I decided to create my own. I have gathered any virus defs I could find to begin building my definitions. I have also begun adding some of my own findings as well. Uninfector has grown into a full-blown cleanup tool, which removes infected files and PUP files.

I need your help though! The more users I can have to test this the better. Since I am only limited to what I can see and have access to. Please download the Uninfector.exe and run it on an infected system. (Preferably within WinPE). Once you have finished please upload your Uninfector.log and Unknown_Uninfector.log here in this support thread and let me know how well it seemed to have worked for you.

I still suggest running adwcleaner and malwarebytes or any other utilities you normally scan with as well afterwards. If you can upload those logs for me as well that would be great.

Thanks go to anyone who is willing to help with this project! :thumbsup:

When you use this make sure the internet is connected so it can get the latest definitions file! If it doesn't have any defs it won't be able to do much of anything.
If you do not intend to use the internet with Uninfector.exe you can manually download the Uninfector.Defs file and place it next to Uninfector.exe

The latest Uninfector.Defs can be downloaded here:
http://Techware.net/Data/Uninfector.Defs (Right click and Save As)

I further want to add that this program is digitally signed with my company: Techware Solutions, Inc.
This is something that links my company directly to this file and is a way you can determine if it is the real Uninfector.exe and will not be a malicious file.

Quote
0.1.1.6:
Improved: Services scanning is much faster! Probably saves at least 30 seconds of time.
Fixed: Uninfector.exe is compiled using a newer version of the scripting language, which fixed the odd errors that were reported and also seems to have sped up the scan process.
New: If an Uninfector.Defs file is present next to Uninfector.exe then the downloaded Uninfector.Defs file will now overwrite it so that Uninfector.Defs that users manually use are updated if they ever decide to Update through the program.
Fix: When "UpdateDefs=N" in the config file, Uninfector failed to run.  This is now fixed.
New: File Scanning is now added. Specific areas of the System drive are now checked for specific files listed in the Defs. So if an infected file is found in places like the Windows directory, System32, Drivers, Root of the drive, AppData folders, and so on... it will be removed.
New: Google Chrome Files are now processed and removed if listed in the Defs.
New: Mozilla Firefox Files are now processed and removed if listed in the Defs.

0.1.0.7:
Fixed: Bug caused by an error that crashed Uninfector while running within WinPE x64. The bug was caused by an internal Function of Autoit (_ArrayUnique). For some reason this function does not seem to work within the x64 WinPE in a x86 compiled autoit executable, although it seems to work fine within Windows x86 and x64. I have removed this Function for now. It wasn't really needed anyway.

0.1.0.4:
Fixed: Bug posted by d4vr0s which was caused by my Folder Scanning code. Thanks for reporting d4vr0s!!
0.1.0.2:
Fixed: Numerous scan optimizations. Specific areas were not scanning properly.
Change: Uninfector.ini is no longer used as the Definitions file. Now Uninfector.Defs is used.
New: Update options are now built in. You will be prompted for a choice if you want to update Definitions and the Uninfector.exe. If you select the check box "Do not show again" then a Config.ini file is created next to Uninfector.exe and every time Uninfector.exe is launched it gets the answers from the config file and no longer asks if you wish to update or not.
New: New Command Line parameter for Updates... /UpdateDefs (Will update Definitions Only) /UpdateAll (Will Update Definitions and Uninfector.exe)

0.0.9.2:
Fixed: Typo in my Unicode change in the previous version which caused the db to become corrupt. Quickly fixed.  Sorry if anyone downloaded the previous version for the 10 minutes it was online.

0.0.9.1:
Removed: Deleted Unicode items from the online database (Uninfector.ini) to keep the file size smaller. All Unicode items are kept internally inside of Uninfector.exe.

0.0.9.0:
Added: User Folder Quarantine Removal. (AppData)

0.0.8.9:
Fixed: WinPE Scanning was only scanning the HKLM64 portion of the registry on x64 Hives.
Improved: Optimized Registry scan.
Improved: Full scan is much faster! 1 minute and 15 seconds to completion on my most recent tests!!!
Added: Folder/File Quarantine/Removal.
Added: Shortcut Removal from Desktop, Start Menu and Quick Launch.

0.0.7.9:
Fixed - Quarantine Restore was restoring some Registry Key Values incorrectly.
« Last Edit: November 03, 2015, 09:39:44 AM by Siginet »
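The post above says the real Uninfector.exe can be recognised by its digital signature from Techware Solutions, Inc. The script below is an added example (not Techware's code, not part of the thread) of how a tester would actually perform that check from a Windows PowerShell prompt before running the tool: it confirms the Authenticode signature verifies and chains to a trusted root, then confirms the signer's common name is the expected publisher, because a valid signature from some other signer proves nothing. The file path and expected publisher string are assumptions taken from the post; adjust them as needed.

```powershell
# Added example: verify the Authenticode signature on a downloaded Uninfector.exe.
# Assumed values: the file sits in the current directory and the signer CN is
# exactly "Techware Solutions, Inc." as stated in the forum post.
param(
    [string]$Path = ".\Uninfector.exe",
    [string]$ExpectedPublisher = "Techware Solutions, Inc."
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# 'Valid' means the hash matches AND the certificate chains to a trusted root.
# 'NotSigned' means no signature at all; 'HashMismatch' means the file was
# altered after signing; 'UnknownError'/'NotTrusted' means the chain failed.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status for '$Path' is '$($sig.Status)': $($sig.StatusMessage)"
    exit 1
}

# Compare the signer's common name (GetNameInfo returns it without the quoting
# that a comma in the subject would otherwise add) with the expected publisher.
$cert = $sig.SignerCertificate
$signerCn = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($signerCn -ne $ExpectedPublisher) {
    Write-Warning "Signature is valid but the signer is '$signerCn', not '$ExpectedPublisher'"
    exit 2
}

# Emit the details worth recording so later downloads can be compared against them.
[pscustomobject]@{
    File        = (Resolve-Path $Path).Path
    Status      = $sig.Status
    Signer      = $cert.Subject
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
    Timestamped = [bool]$sig.TimeStamperCertificate
}
```

Run it from the folder holding the download, for example `.\Check-Uninfector.ps1` or with `-Path` pointing elsewhere. The thumbprint it prints is the value to keep: if a later Uninfector.exe is signed by a certificate with a different thumbprint, that is worth asking about in the thread before running it. Note that the check needs PowerShell, so do it on the Windows side before copying the file onto the WinPE stick.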

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7052
Currently I have not created a Plugin....
Well, you don't need to create plugin  :thumbsup:

AntiX is always a fast-moving target for a plugin,
 we already have portable plugins for such things  :thumbsup:
  and all have a ufd (usb stick)  :smile:

Good luck on your development  :cheers:

ps: even if required, it only takes 10 seconds to create a plugin with Utils\PC Packed  :wink:

:turtle:
« Last Edit: October 09, 2015, 11:30:26 AM by Lancelot »

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
Yeah at this time I'm not worried about a script or plugin.  Since it's still in beta and I'd have to make a script/plugin every time I update it. ;)

Right now I'm just wanting to get some beta testers.

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
The program doesn't start under Windows 10 (not PE). The registry folder selection dialog is displayed and it cannot be closed until I exit the script. Pressing OK and Cancel buttons in the dialog doesn't do anything.

Upd: Just tested in my Win10PE SE, the result is the same.
« Last Edit: October 13, 2015, 10:38:03 PM by Kvark »

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
By the way, why not use Panda Cloud Cleaner (http://www.pandasecurity.com/usa/homeusers/support/card?id=1680), for example? It runs perfectly under PE environment.

Oh yeah, it doesn't scan the registry of an inactive system. So, I can suggest Universal Virus Sniffer http://dsrt.dyndns.org/. It doesn't have any virus definitions, rather it's intended to disinfect your system manually. But it can scan inactive systems from the PE environment. Just select the Windows folder and go.

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
By the way, why not use Panda Cloud Cleaner (http://www.pandasecurity.com/usa/homeusers/support/card?id=1680), for example? It runs perfectly under PE environment.

Oh yeah, it doesn't scan the registry of an inactive system. So, I can suggest Universal Virus Sniffer http://dsrt.dyndns.org/. It doesn't have any virus definitions, rather it's intended to disinfect your system manually. But it can scan inactive systems from the PE environment. Just select the Windows folder and go.
  That's odd that you had this problem.  I hadn't gotten that issue.  Most of my tests are in Windows 10 x64 and Win 10 PE x86 at the moment.

But the latest version can be downloaded here:
http://Techware.net/Data/Uninfector.exe

It has a lot of fixes and better scanning built in.
I'll be updating the thread with a new zip soon.  I have one minor thing I'm gonna work on today before I update the zip file here.

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
The program doesn't start under Windows 10 (not PE). The registry folder selection dialog is displayed and it cannot be closed until I exit the script. Pressing OK and Cancel buttons in the dialog doesn't do anything.

Upd: Just tested in my Win10PE SE, the result is the same.

Oh yes this was a bug I fixed.  This bug happens when more than one Windows folder is found.  I had to fix an issue with a Global variable also being used as a local variable in a function and it's now fixed.

You can now scan slave drives within windows as well as the live OS. ;)  Plus you can select which drives to scan within WinPE.

Yes, there are a bunch of programs that let you select drives within WinPE... but most or all of them do not scan the registry.  My program does... and once it is complete it should be very powerful for WinPE. :)

Also... it scans very fast!  On my system a scan takes only 1.5 minutes.  Of course that scan time will be longer once it scans files/folders.  But it will still be very fast and powerful.

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
New version uploaded!!

I'm proud to announce that File/Folder removal is now mostly implemented! :)  Currently I have not built a database for files that should be removed from within the Windows system folders yet.  But it does remove files/folders from within Program Files directories as well as Common Files and ProgramData.  This new version is much faster too!!  It does a lot more and scans in less than half of the amount of time of the previous version.  It works very well in WinPE and on Windows. Also on Slaved Drives scanned within Windows or WinPE. ;)

Please continue to run tests for me!

Thanks!!

0.0.8.9:
Fixed: WinPE Scanning was only scanning the HKLM64 portion of the registry on x64 Hives.
Improved: Optimized Registry scan.
Improved: Full scan is much faster! 1 minute and 15 seconds to completion on my most recent tests!!!
Added: Folder/File Quarantine/Removal.
Added: Shortcut Removal from Desktop, Start Menu and Quick Launch.

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
Thank you, Siginet, for the new version.

For the moment, I have no infected systems around. But, I have run your program on my primary laptop and can now provide the logs.

Guinevere

  • Apprentice
  • *
  • Date Registered: Oct 2015
  • Posts: 9
Great work - just tested on Windows 10 Professional 64-bit

Logs attached

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
Thanks for the logs!  It looks like you both had some infections cleaned up. :)  So far so good!

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
Thanks for the logs!  It looks like you both had some infections cleaned up. :)  So far so good!

Not sure these are infections. They're more like false alerts. E.g., looking into my log, you can find the following:

DELETED - C:\Users\Vik\AppData\Roaming\pdfforge=deleted
DELETED - C:\Users\Vik\AppData\Local\pdfforge=deleted

PDFForge makes legal apps, not malware.

Further, we can see:

DELETED - HKLM64\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}|=Vivaldi
DELETED - HKLM64\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}=deleted

Vivaldi is a browser! Why has your program deleted those keys?
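The two log excerpts above show why a tester should read the Uninfector.log before trusting a cleanup: the same "DELETED - target=value" line format covers both file-system paths and registry keys, and a legitimate browser and a PDF tool were both removed. The script below is an added example (not part of the thread and not Uninfector's code) that parses that line format into structured records so the removals can be reviewed by kind and grouped by GUID. The sample lines are constructed from the entries quoted in this post; the rest of the log's format is an assumption, and the script only touches the text of the log, never the quarantine or the registry.

```powershell
# Added example: turn "DELETED - <target>=<value>" lines from an Uninfector.log
# into objects for review. Sample input is constructed from the lines quoted in
# this thread; the full log format beyond these lines is assumed.
$sampleLog = @'
DELETED - C:\Users\Vik\AppData\Roaming\pdfforge=deleted
DELETED - C:\Users\Vik\AppData\Local\pdfforge=deleted
DELETED - HKLM64\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}|=Vivaldi
DELETED - HKLM64\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}=deleted
'@

function ConvertFrom-UninfectorLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Greedy (.+) followed by a value with no '=' splits on the LAST '=',
        # so registry paths that themselves contain '=' stay intact.
        if ($line -notmatch '^DELETED - (.+)=([^=]*)$') { continue }
        $target = $Matches[1]
        $value  = $Matches[2]

        # Registry targets begin with a hive name (HKLM64 is the 64-bit view
        # the changelog mentions); a trailing '|' marks a value under the key
        # rather than the key itself.
        $isRegistry = $target -match '^(HKLM|HKLM64|HKCU|HKU|HKCR)\\'
        $kind = if (-not $isRegistry) { 'FileSystem' }
                elseif ($target.EndsWith('|')) { 'RegistryValue' }
                else { 'RegistryKey' }

        # Pull out any GUID so the key and its values can be reviewed together.
        $guid = if ($target -match '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') { $Matches[0] } else { $null }

        [pscustomobject]@{
            Kind   = $kind
            Target = $target.TrimEnd('|')
            Value  = $value
            Guid   = $guid
        }
    }
}

$entries = ConvertFrom-UninfectorLog -Lines ($sampleLog -split "`r?`n")

# Overview: how many file-system vs registry removals the run performed.
$entries | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize

# Every entry, so each removal can be checked against what is actually installed.
$entries | Format-Table Kind, Target, Value -AutoSize

# Registry entries sharing a GUID, with the human-readable value ("Vivaldi")
# that identifies what the key belonged to.
$entries | Where-Object Guid | Group-Object Guid | ForEach-Object {
    $names = ($_.Group.Value | Where-Object { $_ -ne 'deleted' } | Sort-Object -Unique) -join ', '
    "{0}: {1} registry entries, named value(s): {2}" -f $_.Name, $_.Count, $names
}
```

To run it against a real log, replace the here-string with `Get-Content .\Uninfector.log` in the `-Lines` argument. Anything in the output that names software the user knowingly installed, as happened here with pdfforge and Vivaldi, is a candidate for the uRestore.exe step mentioned later in the thread and for a definitions report back to the author.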

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
Those are both considered PUP files. They are usually programs that sneak onto your system while installing something else.  Are these programs you actually use or are they programs that snuck onto your system? Because they are usually considered unwanted. It's common practice for cleanup tools to remove PUP files. But you can restore them by launching the C:/Uninfector/uRestore.exe file. ;-)

http://www.shouldiremoveit.com/pdfforge-Toolbar-8620-program.aspx

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121721-0035-99&tabid=2
« Last Edit: October 20, 2015, 12:54:50 AM by Siginet »

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
Are these programs you actually use or are they programs that snuck onto your system? Because they are usually considered unwanted. It's common practice for cleanup tools to remove PUP files. But you can restore them by launching the C:/Uninfector/uRestore.exe file. ;-)

These are programs I actually use. 

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
I went ahead and changed the database to only remove the pdfforge Toolbar and PDFCreator Toolbar for now.  Unless it becomes a problem for others.  Although... personally I could never trust software that promotes installing their own Browser Hijacker.  CutePDF is a good PDF Creator software that does not install any hijacker.  I also removed the guid {7D2B3E1D-D096-4594-9D8F-A6667F12E0AC} as well for now. Although it looks like Vivaldi may be using the same GUID as a known file infection.  I'll keep an eye on both.

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
Thank you, Siginet.

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
Thank you, Siginet.

Thank you!  Without your tests we don't find things like this. ;)

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
It would be great to have some GUI to tweak the program.
How can I change the default location of the Quarantine folder?
And one more question: is it safe to use the program? Can it damage my system by deleting some critical files/folders and/or registry entries?
« Last Edit: October 20, 2015, 09:04:05 PM by Kvark »

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
The program is still being built.  So you will see many things added. Eventually I will implement a GUI where you will have more control.  I feel the program is safe.  But with any program there is a risk.  Even well known antiviruses have been known to mess up someone's system.  Especially when dealing with Viruses, since viruses a lot of the time intend to damage things.  Some viruses are built in a way that renders a system unusable after it is removed.  So there is always a chance.  I have not seen it happen with Uninfector and I would hope it never would.  Today I cleaned up a customer's computer which had over 2,000 infected files removed with Uninfector. Afterwards both Adwcleaner and Malwarebytes found nothing and the customer's system is working very well now.

On the upside... Uninfector can be launched within WinPE.  So if in the future a system was messed up after scanning with Uninfector they could boot into WinPE and restore the files / registry entries that broke the system. ;)  (Although WinPE restore is not functioning at the moment, I have every intention of implementing that feature soon. ;) )  We are still in beta.  But it is a very promising beta, and Uninfector was coded very quickly in terms of how long I figured it would take for me to code a program that does this much stuff. I've wanted a full-fledged virus cleanup tool I could use in WinPE for at least a decade. But I never found one that worked in WinPE just as well as in Windows.  I actually think Uninfector will function better within WinPE.  In WinPE it would have the capability to do things that can't be done (or would be very difficult to do) in Windows.  There's all kinds of possibilities. ;)

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
Great to hear all that, Siginet. However, my question about the Quarantine folder location remains unanswered.
More, yesterday I scanned a potentially infected computer (leaping ahead, it was infected by Adware) with Uninfector. This time the scan was extremely short because the program suddenly stopped working displaying Autoit error. The log is attached.
