Topic: [BETA] Techware Uninfector (Clean Infected areas of PC in WinPE or Windows)  (Read 6904 times)


Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
The error message was as follows:

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
For now you cannot choose where the quarantine folder goes, but that is just for the time being; it will be changed in the future.  As for the error, I have already fixed this issue in v0.0.9.6, which is online at http://Techware.net/Data/Uninfector.exe

I just haven't updated the zip file here yet.  I plan to update the zip file once I finish implementing the auto update options into Uninfector. 0.0.9.6 has some bug fixes in the scanning.  It also uses the new Uninfector.Defs file instead of Uninfector.ini.  It no longer creates the Uninfector_Unknown.log file either.

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
Great, the new version is welcome :).
By the way, where do you get data for your virus definitions?

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
New logs, this time from my home computer. The program still creates the Uninfector_Unknown.log file.
As per the Uninfector.log, the program has deleted the Mail.ru Cloud software:

Code:
DELETED - C:\Program Files\Mail.Ru\Cloud\1e12-6569-80ae-eac5=deleted
DELETED - C:\Program Files\Mail.Ru\Cloud\Cloud.exe=deleted
DELETED - C:\Program Files\Mail.Ru\Cloud\Cloud.exe.old=deleted
DELETED - C:\Program Files\Mail.Ru\Cloud\splash.bmp=deleted
DELETED - C:\Program Files\Mail.Ru\Cloud\unins000.dat=deleted
DELETED - C:\Program Files\Mail.Ru\Cloud\unins000.exe=deleted
DELETED - C:\Users\Kvark\AppData\LocalLow\Mail.Ru\GoMailRu.ico=deleted

This is cloud storage, definitely legitimate software. This is obviously a bug! Your program shouldn't have deleted it.

I tried to use Urestore.exe. It only offers to restore all deleted items, but doesn't allow selecting what should be restored. This is a feature I'd like to see on your "To do" list.
« Last Edit: October 22, 2015, 08:30:57 AM by Kvark »
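A small added example, not part of the thread or of Uninfector itself, that parses log lines in the layout quoted above and groups the deleted paths by vendor folder, so a technician can review one vendor (here Mail.Ru) as a unit before deciding whether a bulk restore is warranted. The VENDOR_ROOTS list and the eighth, ExampleVendor log line are constructed for the example:

```python
import re
import sys
from collections import defaultdict
from pathlib import PureWindowsPath

# One Uninfector.log entry, in the layout the post shows:
#   DELETED - C:\Program Files\Mail.Ru\Cloud\Cloud.exe=deleted
LOG_LINE = re.compile(r"^(?P<action>[A-Z]+) - (?P<path>.+?)=(?P<result>\w+)$")

# Roots under which the next path component is the vendor/product folder.
# This list is an assumption made for the example; "*" matches any user name.
VENDOR_ROOTS = (
    ("program files",),
    ("program files (x86)",),
    ("users", "*", "appdata", "local"),
    ("users", "*", "appdata", "locallow"),
    ("users", "*", "appdata", "roaming"),
)

# The first seven lines are copied from the post; the eighth is a constructed
# entry for a second vendor so that the grouping has something to separate.
SAMPLE_LOG = [
    r"DELETED - C:\Program Files\Mail.Ru\Cloud\1e12-6569-80ae-eac5=deleted",
    r"DELETED - C:\Program Files\Mail.Ru\Cloud\Cloud.exe=deleted",
    r"DELETED - C:\Program Files\Mail.Ru\Cloud\Cloud.exe.old=deleted",
    r"DELETED - C:\Program Files\Mail.Ru\Cloud\splash.bmp=deleted",
    r"DELETED - C:\Program Files\Mail.Ru\Cloud\unins000.dat=deleted",
    r"DELETED - C:\Program Files\Mail.Ru\Cloud\unins000.exe=deleted",
    r"DELETED - C:\Users\Kvark\AppData\LocalLow\Mail.Ru\GoMailRu.ico=deleted",
    r"DELETED - C:\Program Files (x86)\ExampleVendor\tool.exe=deleted",  # constructed
]


def parse_log_line(line):
    """Return (action, path, result) for a log entry, or None for any other line."""
    m = LOG_LINE.match(line.strip())
    return m.group("action", "path", "result") if m else None


def vendor_of(path):
    """Map a path to the vendor folder it lived under (case-insensitive match),
    falling back to the first component after the drive."""
    parts = PureWindowsPath(path).parts[1:]          # drop the drive ('C:\\')
    lowered = [p.lower() for p in parts]
    for root in VENDOR_ROOTS:
        n = len(root)
        if len(lowered) > n and all(r in ("*", p) for r, p in zip(root, lowered)):
            return parts[n]
    return parts[0] if parts else path


def group_deleted_by_vendor(lines):
    """Group every DELETED path by vendor folder so each vendor is judged as a unit."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed and parsed[0] == "DELETED":
            groups[vendor_of(parsed[1])].append(parsed[1])
    return dict(groups)


def report(groups):
    """Human-readable summary: vendor, number of items, then the paths."""
    out = []
    for vendor, paths in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        out.append(f"{vendor}: {len(paths)} item(s) deleted")
        out.extend(f"    {p}" for p in paths)
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    print(report(group_deleted_by_vendor(lines)))
```

Run it with the path to an Uninfector.log as the only argument; with no argument it uses the embedded sample. A vendor whose every item was removed, as Mail.Ru was here, stands out immediately, which is the review a per-item restore option would need anyway.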

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
Quote
New logs, this time from my home computer. The program still creates the Uninfector_Unknown.log file.
As per the Uninfector.log, the program has deleted the Mail.ru Cloud software:

Code:
DELETED - C:\Program Files\Mail.Ru\Cloud\1e12-6569-80ae-eac5=deleted
DELETED - C:\Program Files\Mail.Ru\Cloud\Cloud.exe=deleted
DELETED - C:\Program Files\Mail.Ru\Cloud\Cloud.exe.old=deleted
DELETED - C:\Program Files\Mail.Ru\Cloud\splash.bmp=deleted
DELETED - C:\Program Files\Mail.Ru\Cloud\unins000.dat=deleted
DELETED - C:\Program Files\Mail.Ru\Cloud\unins000.exe=deleted
DELETED - C:\Users\Kvark\AppData\LocalLow\Mail.Ru\GoMailRu.ico=deleted

This is cloud storage, definitely legitimate software. This is obviously a bug! Your program shouldn't have deleted it.

I tried to use Urestore.exe. It only offers to restore all deleted items, but doesn't allow selecting what should be restored. This is a feature I'd like to see on your "To do" list.

I build my Definitions using many different programs and viewing the logs they create. 

Unfortunately, as noted in the thread, Restore only allows the restore-all option, since it is still in beta.  Choosing what to restore will be added eventually.

As for Mail.ru... this is another company that has many bad practices, so unfortunately it is easy for their programs to be placed into cleanup programs to be removed, although they may have some software that is good.  They use bad marketing by creating a browser hijacker that gets installed with some of their software, which causes people to seek out ways to remove it, which in turn places their software into virus definitions. I wish I could just change the definitions to only remove the toolbar... but I can't find enough info online to validate whatever subfolders could possibly be in the mail.ru folder to know what is good and what is bad.  Unfortunately at this time I have to leave mail.ru in the definitions, since most info I find about it is bad.  I'm not seeing much good that comes from it at all.  I don't mean to pry... but why do you choose to use software that has such a bad reputation?  When most people are seeking ways to remove it, why would you trust a company with such a poor reputation?  Once I can find the info I need to be able to differentiate what is good and what is bad that is made by this company, then I will update the definitions. But at this time I'm afraid it will have to stay.

Sorry

P.S. You are correct about the Unknown.log.  I forgot that there are still a couple of areas where I kept the possibility to create the Unknown.log.  But it usually isn't created, and in most cases it is created for good reason.  If it was created in your scan, please take a look at the file and ensure there is nothing suspicious.  If it is an IFEO, it is more than likely bad.  If it is in TCPIP, then it could be legitimate, but please double check it.
« Last Edit: October 22, 2015, 04:23:17 PM by Siginet »

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69

Quote
As for Mail.ru... this is another company that has many bad practices, so unfortunately it is easy for their programs to be placed into cleanup programs to be removed, although they may have some software that is good.  They use bad marketing by creating a browser hijacker that gets installed with some of their software, which causes people to seek out ways to remove it, which in turn places their software into virus definitions. I wish I could just change the definitions to only remove the toolbar... but I can't find enough info online to validate whatever subfolders could possibly be in the mail.ru folder to know what is good and what is bad.  Unfortunately at this time I have to leave mail.ru in the definitions, since most info I find about it is bad.  I'm not seeing much good that comes from it at all.  I don't mean to pry... but why do you choose to use software that has such a bad reputation?  When most people are seeking ways to remove it, why would you trust a company with such a poor reputation?  Once I can find the info I need to be able to differentiate what is good and what is bad that is made by this company, then I will update the definitions. But at this time I'm afraid it will have to stay.

I agree with you about the Mail.ru software and their dirty marketing. But Mail.ru Cloud is a program that contains no browser hijackers or other potentially unwanted stuff. Moreover, it offers 1 Tb (!) of free cloud space.
Strange or not, I don't use it in my everyday life, preferring Yandex.Disk. But I see no reason to treat Mail.ru Cloud as malware. Yes, the vendor's reputation is not so good, though that doesn't mean that all its programs should be automatically removed from the end user's computer.

By the way, Virustotal found no malware or PUP in the latest Mail.Ru Cloud installation package.

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
I know what you mean.  I have every intention to remove it from the definitions.  But I have to be able to find enough info to know what I can put in the definitions to ensure what is bad is removed and what is good is kept.  At this time I don't have that info.  But I will be on the lookout for it. ;)

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7010
hi Siginet,

I wonder, is there a definition for hiderun.exe in your database?

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
No. Currently the db only searches for folders. Not individual files. So the only way hiderun.exe would be removed is if it is in the folder which is flagged for removal.

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
Latest version attached to the top of this thread. v0.1.0.2  :great:

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7010
Quote
No. Currently the db only searches for folders. Not individual files. So the only way hiderun.exe would be removed is if it is in the folder which is flagged for removal.

Thanks for the info...

I tested the latest and got:
AutoIT Error
Line 3775....
Error: Variable used without being declared...

and here is a virus as a present to you;
 it recently infected my mother's PC.
   Reason: using a USB flash disk on a public PC  :wink:

to me, only an "Annoying" kind of virus ;), like many on the internet that target non-PC-tech people ...

https://www.dropbox.com/s/7xydikl5j9j7j2n/MusaLLaT_Virus_PW_asdf.7z?dl=0
it seems to be the Newfolder.exe virus
http://www.wikihow.com/Remove-Newfolder.Exe-Virus

it copies itself to all folders accessed by Explorer by renaming itself to the folder name,
and it changes a lot of registry settings (Task Manager, cmd.exe permissions.....)

It is the usual annoying, very sticky virus ;) so be careful, only test in an emulator

Have fun
:turtle:
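An added detection example, not from the thread or from Uninfector, for the behaviour Lancelot describes: a file named after a folder and sitting beside it, plus the Task Manager / cmd.exe lockout policies. The folder-mimic check is a heuristic that also fires on some legitimate layouts, so every hit is only a candidate for review; the sample tree is constructed, and the registry value names are the documented Windows policy names:

```python
import os
import sys
import tempfile


def find_folder_mimic_executables(root):
    """Walk `root` and return every file named <Name>.exe that sits beside a
    sub-folder called <Name>. This is the pattern the post describes; it is a
    heuristic, so each hit still needs a hash/signature check before removal."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        folder_names = {d.lower() for d in dirnames}
        for f in filenames:
            stem, ext = os.path.splitext(f)
            if ext.lower() == ".exe" and stem.lower() in folder_names:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def relative_hits(root):
    """Hits as path tuples relative to `root`, convenient for reporting and tests."""
    return [tuple(os.path.relpath(h, root).split(os.sep))
            for h in find_folder_mimic_executables(root)]


# Policy values that disable Task Manager and cmd.exe for the current user.
# Key paths and value names are the documented Windows policy locations (HKCU).
POLICY_CHECKS = (
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD"),
)


def check_lockout_policies(read_value):
    """`read_value(subkey, name)` returns the DWORD or None when absent.
    Returns the policy names that are set to a restricting (non-zero) value."""
    return [name for subkey, name in POLICY_CHECKS if (read_value(subkey, name) or 0) != 0]


def winreg_reader(subkey, name):
    """Reader for a live Windows session; returns None on other platforms or
    when the value is absent. (An offline hive in WinPE would need loading first.)"""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def build_demo_tree():
    """Constructed sample tree: a mimic Photos.exe beside Photos\\, a mimic
    2015.exe inside Photos\\ beside 2015\\, and an unrelated Setup.exe."""
    root = tempfile.mkdtemp(prefix="mimic_demo_")
    os.makedirs(os.path.join(root, "Photos", "2015"))
    os.makedirs(os.path.join(root, "Docs"))
    for rel in ("Photos.exe", os.path.join("Photos", "2015.exe"),
                "Setup.exe", os.path.join("Docs", "notes.txt")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"MZ placeholder, not a real executable")
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for hit in find_folder_mimic_executables(root):
        print("review:", hit)
    for name in check_lockout_policies(winreg_reader):
        print("policy set:", name)
```

Pass a drive root (or a mounted offline volume in WinPE) as the argument to scan it; with no argument it scans the constructed sample tree, where Photos.exe and Photos\2015.exe are reported and Setup.exe is not. The policy check is injected with a reader function so it can be exercised off-Windows and, on a live system, swapped for the winreg reader.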

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
Thanks for testing.  I think I got it fixed now.  Please allow Uninfector.exe to update itself and test it again. Thanks!

I'll take a look at that virus and see if it is something I can add to Uninfector. I'm pretty sure it can't remove it at this time.  Since Uninfector does not remove files within the Windows directory just yet. But it's one of the next steps I will be adding.

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7010
Quote
Please allow Uninfector.exe to update itself and test it again. Thanks!
Yes, I did not allow it when testing....
ps: I avoid using the network when using PE  :wink:

After a while I will test again....  :great:

*
I don't know how you prepare the database; I see it's not replied to yet.
 Anyway, avoid false positives when you add file checks ;)

+
Annoying virus never ends  :wink:
 The one above I removed manually; I still need to search all disks for that file (with different names) and delete it...  :lol:
   not a serious virus, only annoying  :smile:

:turtle:
« Last Edit: October 25, 2015, 11:33:04 PM by Lancelot »

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
Currently I build my database by running scans after my program runs and looking up things on the web.  So it is a lot of work. But it pays off.  I'm sure I will get an easier system in the future. I maintain a lot of computers across the country. So I have access to many computers that my company does virus scans on. Which helps a lot.

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7010
Quote
So it is a lot of work.
Sure,
It is always better to do things custom,
 but not everybody has such time  :wink:

Good luck
:turtle:

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
v0.1.0.7 is now attached.  Fixed a bug caused in x64 WinPE which caused Uninfector to crash.

Re: [BETA] Techware Uninfector (Clean Infected areas of PC in WinPE or Windows)
« Reply #36 on: November 03, 2015, 09:38:49 AM »

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
v0.1.1.6 is now attached.  Many new features added.

Quote
0.1.1.6:
Improved: Services scanning is much faster! Probably saves at least 30 seconds of time.
Fixed: Uninfector.exe is compiled using a newer version of the scripting language, which fixed the odd errors that were reported and also seems to have sped up the scan process.
New: If an Uninfector.Defs file is present next to Uninfector.exe then the downloaded Uninfector.Defs file will now overwrite it so that Uninfector.Defs that users manually use are updated if they ever decide to Update through the program.
Fix: When "UpdateDefs=N" in the config file, Uninfector failed to run.  This is now fixed.
New: File Scanning is now added. Specific areas of the System drive are now checked for specific files listed in the Defs. So if an infected file is found in places like the Windows directory, System32, Drivers, Root of the drive, AppData folders, and so on... they will be removed.
New: Google Chrome Files are now processed and removed if listed in the Defs.
New: Mozilla Firefox Files are now processed and removed if listed in the Defs.

0.1.0.7:
Fixed: Bug caused by an error that crashed Uninfector while running within WinPE x64. The bug was caused by an internal function of AutoIt (_ArrayUnique). For some reason this function does not seem to work within the x64 WinPE in an x86-compiled AutoIt executable, although it works fine within Windows x86 and x64. I have removed this function for now. It wasn't really needed anyway.

0.1.0.4:
Fixed: Bug posted by d4vr0s which was caused by my Folder Scanning code. Thanks for reporting d4vr0s!!
0.1.0.2:
Fixed: Numerous scan optimizations. Specific areas were not scanning properly.
Change: Uninfector.ini is no longer used as the Definitions file. Now Uninfector.Defs is used.
New: Update options are now built in. You will be prompted for a choice if you want to update Definitions and the Uninfector.exe. If you select the check box "Do not show again" then a Config.ini file is created next to Uninfector.exe and every time Uninfector.exe is launched it gets the answers from the config file and no longer asks if you wish to update or not.
New: New Command Line parameter for Updates... /UpdateDefs (Will update Definitions Only) /UpdateAll (Will Update Definitions and Uninfector.exe)

0.0.9.2:
Fixed: Typo in my Unicode change in the previous version which caused the db to become corrupt. Quickly fixed.  Sorry if anyone downloaded the previous version for the 10 minutes it was online.

0.0.9.1:
Removed: Deleted Unicode items from the online database (Uninfector.ini) to keep the file size smaller. All Unicode items are kept internally inside of Uninfector.exe.

0.0.9.0:
Added: User Folder Quarantine Removal. (AppData)

0.0.8.9:
Fixed: WinPE Scanning was only scanning the HKLM64 portion of the registry on x64 Hives.
Improved: Optimized Registry scan.
Improved: Full scan is much faster! 1 minute and 15 seconds to completion on my most recent tests!!!
Added: Folder/File Quarantine/Removal.
Added: Shortcut Removal from Desktop, Start Menu and Quick Launch.

0.0.7.9:
Fixed - Quarantine Restore was restoring some Registry Key Values incorrectly.

Re: [BETA] Techware Uninfector (Clean Infected areas of PC in WinPE or Windows)
« Reply #37 on: December 13, 2015, 10:38:27 PM »

Kvark

  • Jr. Chef
  • **
  • Date Registered: Sep 2015
  • Posts: 69
Thanks for your job, Siginet. Your utility is really helpful.
After a recent malware infection I scanned my system with Techware Uninfector. See the log attached.
However, using HiJackThis revealed some other infection traces missed by Techware Uninfector. Three services were found; they were definitely created by the malware. Here they are:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zizusyju
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\doxuvihu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rizyqibe

All services were pointing to malware files located in the C:\Program Files (x86)\4C4C4544-1449815407-4A10-8053-B3C04F315131\ directory.
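An added triage example, not part of the thread or of Uninfector, that applies the two signals visible in Kvark's finding (a GUID-like directory under Program Files and short, random-looking service names) to a list of service name/ImagePath pairs. The signal threshold, the USER_WRITABLE_MARKERS list, the placeholder file name MALWARE_FILE.exe (the post does not give the file names) and the other sample services are assumptions constructed for the example:

```python
import re
from pathlib import PureWindowsPath

# Directory names made of hex digits and dashes only (GUID-like), as in the
# 4C4C4544-1449815407-4A10-8053-B3C04F315131 folder from the post. Heuristic.
HEXISH_DIR = re.compile(r"^[0-9a-f-]{16,}$", re.I)

# Short, all-lowercase, letters-only names such as zizusyju. Weak on its own
# (some built-in services look like this too), so it only counts together with
# a second signal.
RANDOM_NAME = re.compile(r"^[a-z]{6,10}$")

# Locations a standard user can write to; service binaries rarely belong there.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample in the shape of HKLM\SYSTEM\CurrentControlSet\Services
# (name, ImagePath). The three lowercase names and the GUID-like folder come
# from the post; MALWARE_FILE.exe is a placeholder; the rest is made up.
GUID_DIR = r"C:\Program Files (x86)\4C4C4544-1449815407-4A10-8053-B3C04F315131"
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("ExampleUpdater", r'"C:\Program Files (x86)\Example Corp\updater.exe" /svc'),
    ("zizusyju", GUID_DIR + r"\MALWARE_FILE.exe"),
    ("doxuvihu", GUID_DIR + r"\MALWARE_FILE.exe"),
    ("rizyqibe", GUID_DIR + r"\MALWARE_FILE.exe"),
    ("abcdefgh", r"C:\Users\demo\AppData\Roaming\svc.exe"),
]


def image_path_executable(image_path):
    """Strip quoting and arguments from a service ImagePath and return the binary."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|sys))(?:\s|$)", p, re.I)
    return m.group(1) if m else p


def triage_service(name, image_path):
    """Return the list of signals that make this service worth a closer look."""
    signals = []
    exe = image_path_executable(image_path)
    parts = PureWindowsPath(exe).parts
    if any(HEXISH_DIR.match(p) for p in parts[1:-1]):   # skip drive and file name
        signals.append("hex/GUID-like directory in ImagePath")
    if any(mark in exe.lower() for mark in USER_WRITABLE_MARKERS):
        signals.append("binary in a user-writable location")
    if RANDOM_NAME.match(name):
        signals.append("random-looking service name")
    return signals


def flagged_services(services, threshold=2):
    """Keep services with at least `threshold` signals to limit false positives."""
    flagged = {}
    for name, path in services:
        signals = triage_service(name, path)
        if len(signals) >= threshold:
            flagged[name] = signals
    return flagged


def collect_services_from_registry():
    """Live Windows only: enumerate services and their ImagePath values.
    Returns [] elsewhere. An offline hive in WinPE would need to be loaded first."""
    try:
        import winreg
    except ImportError:
        return []
    services = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as sub:
                    services.append((name, winreg.QueryValueEx(sub, "ImagePath")[0]))
            except OSError:      # no ImagePath (e.g. a driver group) or access denied
                continue
    return services


if __name__ == "__main__":
    services = collect_services_from_registry() or SAMPLE_SERVICES
    for name, signals in flagged_services(services).items():
        print(f"{name}: {'; '.join(signals)}")
```

With the sample data the three services from the post and the constructed AppData one are flagged, while wuauserv, which trips only the weak name check, is not; that is why the threshold is two signals. On a live system the registry collector replaces the sample, and each flagged ImagePath is then a candidate for hashing and lookup, not an automatic deletion.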

josywong

  • Apprentice
  • *
  • Date Registered: Mar 2017
  • Posts: 4
I'm getting

Line 9247 (File "[drivepath]\Techware\Uninfector.exe):

Error: Variable must be type "Object".

uninfector v0.2.3.6 in win10pese

Siginet

  • Jr. Chef
  • **
  • Date Registered: Aug 2015
  • Posts: 76
Quote
I'm getting

Line 9247 (File "[drivepath]\Techware\Uninfector.exe):

Error: Variable must be type "Object".

uninfector v0.2.3.6 in win10pese

Sorry about that.  I think you may have downloaded v0.2.3.6 when I temporarily uploaded a bad copy of it. Since then I have also uploaded v0.2.3.7.  Please try it and let me know if it works okay for you.

There have been so many changes since I posted this onto this forum.  The program is a full-blown malware/PUP file cleanup tool now.  It's extremely fast... if not the fastest cleanup tool on the planet.  Works well on a live system... as well as on slaved drives and offline in the WinPE environment.  The virus definitions database is coming together nicely and seems to remove most of the infections people tend to have on their computers nowadays.

The area I am working on now is the Restore functionality, so users will be able to choose what items can be restored back to their computer.  I'm also working on the website... which will be able to communicate with the program, if the user wishes to submit info to help improve the malware database.

I also plan to be implementing a help desk function to it.  So technicians can create a Technician account on the site which will have a landing page for their company.  When a user goes to the technician's landing page and downloads Uninfector they are given the option to create a Client account, which will force the program to communicate with that Technician's account for branding of that company as well as support for the client scanning their computer.

Once I get all of these features implemented I plan on a new public release of it and I'm sure every Technician will love it! :D  I'm utilizing many ideas from other virus cleanup programs, plus implementing my own new features to make this program a truly one-of-a-kind experience for Technicians and Users alike. ;)  I hope you all will enjoy it.  I have spent many countless hours on it.
