Winapp2.ini additions

[Andavari]

New addition:

[Roadkil's Unstoppable Copier*]
LangSecRef=3024
Detect=HKCU\Software\Roadkil
Default=False
RegKey1=HKCU\Software\Roadkil|Source_Unstp
RegKey2=HKCU\Software\Roadkil|Target_Unstp

 

Updated addition, someone else also needs to test this first before it's put into the winapp2.ini file! I used the pre-release SAS v5.0 when making this.

[sUPERAntiSpyware (Logs)*]
; Supports v4 and v5
LangSecRef=3024
Detect=HKCU\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware
Detect2=HKLM\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware
DetectFile=%ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe
Default=False
FileKey1=%CommonAppData%\!SASCORE\AppLogs|*.dmp
FileKey2=%CommonAppData%\!SASCORE\AppLogs|*.SDB
FileKey3=%AppData%\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs|*.dmp
FileKey4=%AppData%\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs|*.SDB
FileKey5=%AppData%\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs|*.log

[Andavari]

Original:

[*Avidemux 2.5 log]

LangSecRef=3023

DetectFile=%ProgramFiles%\Avidemux 2.5\avidemux2.exe

Default=False

FileKey1=%AppData%\avidemux|admlog.txt

Thank you for that original cleaning routine, I didn't realize that admlog.txt would be so huge! Unfortunately getting rid of the version numbers won't work if doing a standard installation using the recommended settings from the setup file, also it wouldn't make any difference because even the registry settings use the version number so no way to change those at all.

 

Updated, now includes the registry key location as detection as well

...and to answer Winapp2.ini I've tested it on Windows XP and it works:

[Avidemux 2.5 (Log)*]
LangSecRef=3023
Detect=HKLM\Software\Avidemux 2.5
DetectFile=%ProgramFiles%\Avidemux 2.5\avidemux2.exe
Default=False
FileKey1=%AppData%\avidemux|admlog.txt

[Winapp2.ini]

Thank you

[paperino]

Hello,

I moved the cache of firefox to another location.

I can not find how to change the winapp2 to allow cleaning.

Can anyone help me.

Thanks

[Miroku4444]

Hello,

I moved the cache of firefox to another location.

I can not find how to change the winapp2 to allow cleaning.

Can anyone help me.

Thanks

Go to options and select include. Click on add and use the drive or folder option. Hit browse and find your new location of the cache folder and select it. Where it says options select "include files and subfolders". Then hit ok. If you haven't done so already check mark "custom files and folders" in the advanced section.

[surrounder]

Removing all the RecentMovie that was used in the Flashplayer.

I don't know how to only remove RecentMovie1,2,3,4 and so on inside the register.

But it works to clear the whole FlashPlayer registry too.

 

[Macromedia Flashplayer*]
LangSecRef=3023
Detect=HKCU\Software\Macromedia\FlashPlayer
Default=False
RegKey1=HKCU\Software\Macromedia\FlashPlayer

 

Tested with Windows 7. Should work in other Windows versions i guess.

[Winapp2.ini]

Try

 

[Macromedia Flashplayer*]
LangSecRef=3023
Detect=HKCU\Software\Macromedia\FlashPlayer
Default=False
RegKey1=HKCU\Software\Macromedia\FlashPlayer|RecentMovie1
RegKey2=HKCU\Software\Macromedia\FlashPlayer|RecentMovie2
RegKey3=HKCU\Software\Macromedia\FlashPlayer|RecentMovie3
RegKey4=HKCU\Software\Macromedia\FlashPlayer|RecentMovie4 

[back_track]

[Toshiba BluetoothStack*]

LangSecRef=3024

Detect=HKLM\SOFTWARE\Toshiba\BluetoothStack

Default=False

FileKey1=C:\Users\Admin\AppData\Local\Toshiba\BluetoothStack\V1.0\tosOBEX\Temp|*.*

 

 

 

I know that the filekey is to long but i can't shorten it. xD

 

 

wow you are fast xD

[Winapp2.ini]

[Toshiba BluetoothStack*]
LangSecRef=3024
Detect=HKLM\SOFTWARE\Toshiba\BluetoothStack
Default=False
FileKey1=%LocalAppData%\Toshiba\BluetoothStack\V1.0\tosOBEX\Temp|*.*

 

fixed

[back_track]

[Downloaded Installations*]
LangSecRef=3025
DetectFile=C:\Users\Admin\AppData\Local\Downloaded Installations
Default=False
FileKey1=C:\Users\Admin\AppData\Local\Downloaded Installations|*.*|REMOVESELF


[samsung Kies*]
LangSecRef=3023
Detect=HKCU\Software\Samsung\Kies2.0
Default=False
FileKey1=C:\Users\Admin\AppData\Roaming\Samsung\Kies\UpdateLog.txt

 

 

Would it be better with |*.txt ?

[Winapp2.ini]

[Downloaded Installations*]
LangSecRef=3025
DetectFile=%LocalAppData%\Downloaded Installations
Default=False
FileKey1=%LocalAppData%\Downloaded Installations|*.*|REMOVESELF

fixed

 

[samsung Kies*]
LangSecRef=3023
Detect=HKCU\Software\Samsung\Kies2.0
Default=False
FileKey1=%AppData%\Samsung\Kies|UpdateLog.txt

 

Will work fine if UpdateLog.txt is the only text file that needs to be deleted.

[siliconman01]

[PDF-XChange Viewer*]
LangSecRef=3021
Detect=HKCU\Software\Tracker Software\PDFViewer
Default=False
RegKey1=HKCU\Software\Tracker Software\PDFViewer\Documents\LastOpened
RegKey2=HKCU\Software\Tracker Software\PDFViewer\Documents\LatestView\Bars
RegKey3=HKCU\Software\Tracker Software\PDFViewer\Documents\LatestView\Panes
FileKey1=%LocalAppData%\Tracker Software\LiveUpdate\Updates\|*.*

 

Found old downloaded update in Updates folder, thus the addition of FileKey1 is needed.

[Andavari]

New entries, fully tested and works on Windows XP.

 

[Freemake Video Converter (Logs)*]
LangSecRef=3023
Detect=HKCU\Software\Freemake\FreemakeVideoConverter
Detect2=HKLM\Software\Freemake\FreemakeVideoConverter
DetectFile=%ProgramFiles%\Freemake\Freemake Video Converter\FreemakeVideoConverter.exe
Default=False
FileKey1=%CommonAppData%\Freemake\FreemakeVideoConverter|*.txt

 

[Freemake Video Downloader (Logs)*]
LangSecRef=3023
Detect=HKCU\Software\Freemake\FreemakeVideoDownloader
Detect2=HKLM\Software\Freemake\FreemakeVideoDownloader
DetectFile=%ProgramFiles%\Freemake\FreemakeVideoDownloader\FreemakeVideoDownloader.exe
Default=False
FileKey1=%CommonAppData%\Freemake\FreemakeVideoDownloader|*.txt

[surrounder]

Try

 

[Macromedia Flashplayer*]
LangSecRef=3023
Detect=HKCU\Software\Macromedia\FlashPlayer
Default=False
RegKey1=HKCU\Software\Macromedia\FlashPlayer|RecentMovie1
RegKey2=HKCU\Software\Macromedia\FlashPlayer|RecentMovie2
RegKey3=HKCU\Software\Macromedia\FlashPlayer|RecentMovie3
RegKey4=HKCU\Software\Macromedia\FlashPlayer|RecentMovie4 

 

It's more then 4, i had 12 last time. I don't know how many RecentMovie you can have inside that registry.

Thats why i added the whole folder. Doesn't RecentMovie* work?

[MVE]

Add this please

[Microsoft Security Essentials*]
LangSecRef=3024
DetectFile=%ProgramData%\Microsoft\Microsoft Antimalware
Default=False
FileKey1=%ProgramData%\Microsoft\Microsoft Antimalware\LocalCopy|*.*|RECURSE

[Nergal]

Add this please

[Microsoft Security Essentials*]
LangSecRef=3024
DetectFile=%ProgramData%\Microsoft\Microsoft Antimalware
Default=False
FileKey1=%ProgramData%\Microsoft\Microsoft Antimalware\LocalCopy|*.*|RECURSE

what exactly is removed in this?

[Andavari]

Add this please

[Microsoft Security Essentials*]
LangSecRef=3024
DetectFile=%ProgramData%\Microsoft\Microsoft Antimalware
Default=False
FileKey1=%ProgramData%\Microsoft\Microsoft Antimalware\LocalCopy|*.*|RECURSE

 

You should probably PM the official Piriform bug fixer MrT with this addition since Microsoft AntiMalware is already included in CCleaner by default and can be updated if he deems it safe.

 

Also that location to clean in WinXP would need this added as a FileKey2 path (albeit that LocalCopy folder is empty on my system and I haven't a clue what it's for):

%CommonAppData%\Microsoft\Microsoft Antimalware\LocalCopy

[MVE]

In that folder located malware detected by MSE. I think only malware for transferring into Microsoft Malware Protection Center, cuz quarantine is located in %ProgramData%\Microsoft\Microsoft Antimalware\Quarantine. It's safe to delete.

[ricktendo64]

CCleaner v3.09
   * Added wildcard support to folders.

[Nergal]

Here is what Local copy is

http://answers.microsoft.com/en-us/protect/forum/protect_scanning/what-are-the-contents-of-this-folder-of-mse/e3836026-ac4d-464a-a886-fae1544598af

The LocalCopy directory is a working directory that holds a local copy of detected threats. For instance when I downloaded the eicar.com test file, the detailed information for the detection specified:

 

 

 

file:C:\Documents and Settings\Greg\Desktop\eicar.com

 

filelocalcopy:C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\<GUID>-eicar.com

 

webfile:C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\<GUID>-eicar.com|http://www.eicar.org/download/eicar.com

 

webfile:C:\Documents and Settings\Greg\Desktop\eicar.com|http://www.eicar.org/download/eicar.com

 

 

 

The file specified as the local copy was present in the LocalCopy folder after the detection, but was removed upon cleaning the eicar.com file on the desktop. To test whether the local copy was an active copy of the file, I saved it in another folder, and then scanned it after the desktop file had been cleaned. The local copy was detected as eicar.com. So in this case it looks like some glitch or bug prevented the local copies from being removed along with the originals as they should have been.

 

 

 

I have several other files in this directory that I suspect might be local copies of heuristic detections that were saved for submission to the Dynamic Signature Service, but that?s only speculation on my part. The only detection I?ve had in this folder was by the Kaspersky Online Scanner, when I did some double-checking for things that Security Essentials might have missed. That detection would also tend to confirm that the local copies are active.

[Winapp2.ini]

I will update the file today to include all of the above!

 

I am incredibly excited for the wildcard folder support.

[CSGalloway]

re : ; Application Cleaning files

; Version: v1.0.110727

 

[secunia PSI*]

LangSecRef=3021

DetectFile=%ProgramFiles%\Secunia\PSIsua.exe

Detect=HKCU\Software\Secunia\PSI

Default=False

FileKey1=%ProgramFiles%SecuniaPSI|sualog.txt

FileKey2=%ProgramFiles%SecuniaPSI|psialog.txt

FileKey3=%ProgramFiles%\Secunia\PSI|psialog.txt2

 

should be:

 

[secunia PSI*]

LangSecRef=3021

DetectFile=%ProgramFiles%\Secunia\PSIsua.exe

Detect=HKCU\Software\Secunia\PSI

Default=False

FileKey1=%ProgramFiles%\Secunia\PSI|sualog.txt

FileKey2=%ProgramFiles%\Secunia\PSI|psialog.txt

FileKey3=%ProgramFiles%\Secunia\PSI|psialog.txt2

 

leaving out the "\" in the FileKeys...

 

Also what happens if the DetectFile= is false and the Detect= is true = will the File and Reg Keys be executed?

[Winapp2.ini]

It looks for either / or so if one is true the entry shows

[CSGalloway]

I use Windows XP and recently tried to remove Windows Live Essentials. The uninstall EXE could not be found. I usually run CCleaner with [Windows Live Messenger More*] selected. I looked in the registry and saw the pertinent files for the uninstall are in:

 

%ProgramFiles%\Common Files\Windows Live\.cache|*.*

%LocalLowAppData%\Microsoft\Windows Live\Setup|*.*

 

folders. Can a warning be added to he entry warning that if selected the user will no longer be able top remove any Windows Live Essential product? Or if not delete the two entries in the Winapp2.ini please?

 

Also can the revised file be posted soon - at least for4 the Secunia PSI modification I posted a few hours earlier? Thank you.

[CSGalloway]

Add the following line to: [Windows Live Messenger More*]

 

ExcludeKey1=FILE|%ProgramFiles%\Common Files\Windows Live\.cache|*.msi|RECURSE

 

to correct the problem I was having and posted about a little while ago.