DISINFECTOR
Advanced Minecraft Malware Removal Utility
Join Discord For License Key & Support
discord.gg/vqyRNWApUm
✦ Features ✦
- Malware & Stealer Removal — Detects and eliminates WeedHack / Mojanito payloads
- Persistence Cleanup — Removes scheduled tasks, autoruns, and dropped files
- Windows Defender Restore — Reverses malicious exclusions added by infected mods
- Registry & Startup Cleanup — Wipes malicious autorun entries
- Temporary Payload Removal — Clears extracted DLLs and dropped binaries
- Lightweight & Fast — Minimal footprint, rapid scanning
✦ Designed For ✦
Minecraft players, server owners, modpack users, and anyone affected by malicious mods or infected clients.
Developed by zVault
✦ How It Works ✦
1. Drop your infected mod JAR(s) into the scanner — or paste a path manually
2. Choose a clean mode:
   - Disable Only (Recommended) — Removes the malicious entrypoint from fabric.mod.json. Malware classes stay in the JAR but can never execute. The mod works perfectly and nothing breaks.
   - Stub Replace — Everything Disable mode does, PLUS inserts empty Java stubs in place of removed classes. Best for mods with deep cross-class references.
⚠ System Cleaner (Run as Administrator) ⚠
Only use this if you already ran an infected mod. This removes WeedHack's persistence — scheduled tasks, folders, Defender exclusions, registry entries.
- Delete persistence folder — Removes %APPDATA%\Microsoft\SecurityUpdater (malware JAR, VBS launcher, config, lock file)
- Remove scheduled task — Deletes JavaSecurityUpdater (the ONLOGON task that re-runs WeedHack on every login)
- Fix Windows Defender exclusion — Removes the C:\Users exclusion WeedHack added so antivirus can scan files again
- Clean registry autorun — Removes HKCU\...\Run entries pointing to SecurityUpdater or JavaSecurityUpdater
- Remove extracted native DLL — Deletes dynamiclibs.tmp (the native DLL WeedHack's JNI loader extracts at runtime)
- Remove backdoor executables — Searches and deletes hijack.exe, elevator.jar, and other dropped binaries
✦ Credential & Account Checklist ✦
WeedHack steals browser passwords, Discord tokens, Minecraft sessions, and crypto wallet keys. Tick each step.
- ☐ Changed Minecraft password & signed out all sessions
- ☐ Changed Discord password (invalidates any stolen token)
- ☐ Cleared all saved passwords in Chrome / Edge / Brave / Firefox
- ☐ Checked crypto wallets for unauthorized transactions
- ☐ Revoked browser OAuth sessions & re-logged into important accounts
- ☐ Enabled 2FA on Minecraft, Discord, and email accounts
- ☐ If premium RAT was active — considered full Windows reinstall
✦ Why The Original Mod Still Works After Cleaning ✦
WeedHack adds a separate entrypoint alongside the real one — it does NOT overwrite Sodium's, Iris's, or any legitimate mod's classes. Fabric supports multiple entrypoints; removing the malicious one leaves the original 100% untouched.
Code:
// fabric.mod.json — BEFORE (infected)
"entrypoints": {
  "client": "net.caffeiner.SodiumClientMod",   // kept
  "main": "com.example.ExampleMod"             // removed
}
// fabric.mod.json — AFTER (cleaned)
"entrypoints": {
"client": "net.caffeiner.SodiumClientMod"
}
✔ Sodium works perfectly. WeedHack has no entry — it can never start.
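The Disable Only patch described above, sketched in Python as an added example (this is not Disinfector's own code). The function names and the sample JAR are assumptions made for illustration; the package prefixes come from the detection table on this page, and the code accepts both the single-string entrypoint form shown above and Fabric's list form.

```python
import io
import json
import zipfile

# Package prefixes from the page's detection table.
BAD_PREFIXES = ("com.example.", "dev.majenito.", "dev.jvic.", "mx.mclauncher.")

def target(entry):
    # Entrypoint entries are "pkg.Class" or {"adapter": ..., "value": "pkg.Class"}.
    return entry["value"] if isinstance(entry, dict) else entry

def strip_entrypoints(manifest: dict):
    """Return (patched copy of the manifest, list of removed class names)."""
    kept, removed = {}, []
    for name, value in manifest.get("entrypoints", {}).items():
        entries = value if isinstance(value, list) else [value]
        good = [e for e in entries if not target(e).startswith(BAD_PREFIXES)]
        removed += [target(e) for e in entries if e not in good]
        if good:  # drop the key entirely when nothing legitimate is left
            kept[name] = good if isinstance(value, list) else good[0]
    return {**manifest, "entrypoints": kept}, removed

def disable_only(jar_bytes: bytes):
    """Rewrite the JAR with a patched fabric.mod.json; other entries are copied as-is."""
    out, removed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "fabric.mod.json":
                manifest, removed = strip_entrypoints(json.loads(data))
                data = json.dumps(manifest, indent=2).encode()
            dst.writestr(info.filename, data)
    return out.getvalue(), removed

def infected_sample() -> bytes:
    # Constructed sample mirroring the "BEFORE (infected)" manifest above.
    manifest = {"id": "sodium", "entrypoints": {
        "client": ["net.caffeiner.SodiumClientMod"],
        "main": ["com.example.ExampleMod"]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("fabric.mod.json", json.dumps(manifest))
        jar.writestr("com/example/ExampleMod.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    cleaned, removed = disable_only(infected_sample())
    print("removed entrypoints:", removed)
```

As in Disable Only mode, the flagged class file is still present in the rewritten JAR; only the manifest reference to it is gone.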
✦ What Each Mode Does ✦
| Disable Only Mode | Stub Replace Mode |
|---|---|
| ✔ Removes malicious entrypoint from fabric.mod.json | ✔ Everything Disable mode does, PLUS... |
| ✔ Removes fake fabric.api.json (campaign UUID) | ✔ Inserts empty Java stubs in place of removed classes |
| ✔ Removes native DLL .dat resources | ✔ Stubs have valid bytecode magic — JVM accepts them |
| ✔ All legitimate classes 100% untouched | ✔ Stubs contain only a constructor — no methods, no code |
| ✔ Zero risk of any class-not-found error | ✔ Best for mods with deep cross-class references |
| ✔ Safest choice — recommended for everyone | ✔ Tested: 0/0 assertions pass |
✦ Detection Methods ✦
| Method | What It Catches |
|---|---|
| Package prefix match | com.example, dev.majenito, dev.jvic, mx.mclauncher |
| Class name match | ExampleMod, StagingHelper, RPCHelper, Elevator, JVICLoader |
| Bytecode IOC scan | C2 domains, Ethereum selectors, Defender bypass strings |
| SHA-256 hash match | Known infected JAR hashes |
| Shannon entropy heuristic | Obfuscated/packed classes (entropy > 7.2 bits) |
| Resource path check | fabric.api.json, dev/jvic/libs/*.dat |
| Entrypoint inspection | Malicious classes in fabric.mod.json |
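Three of the methods in the table (package prefix match, resource path check, Shannon entropy heuristic) combined into one pass over a JAR, as an added example that is not taken from jar_scanner.py. The function names, the finding labels and the sample archive are assumptions; the prefixes, resource paths and the 7.2 threshold are the ones listed above.

```python
import fnmatch
import io
import math
import zipfile
from collections import Counter

# Indicators from the page's detection table, as paths inside the JAR.
BAD_PACKAGES = ("com/example/", "dev/majenito/", "dev/jvic/", "mx/mclauncher/")
BAD_RESOURCES = ("fabric.api.json", "dev/jvic/libs/*.dat")
ENTROPY_LIMIT = 7.2  # bits per byte, the page's threshold

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_jar(jar_bytes: bytes):
    """Return sorted (method, entry name) findings for one JAR."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if any(fnmatch.fnmatchcase(name, pat) for pat in BAD_RESOURCES):
                findings.add(("resource-path", name))
            if not name.endswith(".class"):
                continue
            if name.startswith(BAD_PACKAGES):
                findings.add(("package-prefix", name))
            if shannon_entropy(jar.read(name)) > ENTROPY_LIMIT:
                findings.add(("high-entropy", name))
    return sorted(findings)

def scan_sample() -> bytes:
    # Constructed sample: clean class, flagged package, packed-looking class, resources.
    plain = b"\xca\xfe\xba\xbe" + b"\x00" * 600
    files = {"net/caffeiner/SodiumClientMod.class": plain,
             "com/example/ExampleMod.class": plain,
             "a/b/C.class": bytes(range(256)) * 16,  # uniform bytes: entropy 8.0
             "dev/jvic/libs/n.dat": b"MZ",
             "fabric.api.json": b"{}"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    print(*scan_jar(scan_sample()), sep="\n")
```

Entropy is computed on the decompressed class bytes, and a file shorter than roughly 150 bytes cannot exceed 7.2 bits per byte, so the heuristic only ever fires on larger classes.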
✦ Python CLI Modules ✦
| File | Purpose |
|---|---|
| main.py | CLI — --scan, --disable, --stub, --system-clean, --dry-run, --folder |
| jar_scanner.py | Detection: package, IOC, entropy, SHA-256, risk score |
| jar_cleaner.py | Cleaning: disable, stub, fabric.mod.json patching |
| system_cleaner.py | Windows persistence removal |
| process_manager.py | Safe process killer with strict allowlist |
