There is a piece of malware floating around called Security Tool. This malicious program is designed to look like antivirus software, but it is quite the opposite. Security Tool locks down the Windows shell and prevents you from doing pretty much anything, and it automatically terminates Task Manager or any known anti-spyware that is capable of removing it. Google searches turned up a lot of disappointment and sales pitches for anti-spyware that I don't want/need, so I wrote this script, which does a fine job of nuking the whole program: it identifies the rogue by its tell-tale all-digit executable name (e.g. 20493748.exe), kills that process, and removes the matching folder under the common Application Data directory. Run the script as Administrator, otherwise it may not be able to enable the debug privilege it needs to kill a process running under another account.
The top section of this code (enabling SeDebugPrivilege and enumerating the running processes) was adapted from the DllCall examples in AHK's help file.
Code:
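;Example Code:
; Enable SeDebugPrivilege in this script's own token so that OpenProcess /
; Process, Close can reach processes that belong to another account.
; Adapted from the AHK help-file DllCall example.
; NOTE: the "UInt" handle/pointer types are only correct for 32-bit AutoHotkey;
; a 64-bit build would need "Ptr".  Enabling the privilege only succeeds when
; the script itself runs elevated (as Administrator).
d = `n
s := 4096
Process, Exist                                   ; this script's own PID -> ErrorLevel
; PROCESS_QUERY_INFORMATION = 0x0400
h := DllCall("OpenProcess", "UInt", 0x0400, "Int", false, "UInt", ErrorLevel)
t := 0
privOK := 0
if (h)
{
    ; TOKEN_ADJUST_PRIVILEGES = 0x20 (32)
    if (DllCall("Advapi32.dll\OpenProcessToken", "UInt", h, "UInt", 32, "UIntP", t))
    {
        ; TOKEN_PRIVILEGES: PrivilegeCount (4) + LUID (8) + Attributes (4) = 16 bytes
        VarSetCapacity(ti, 16, 0)
        NumPut(1, ti, 0)                         ; PrivilegeCount = 1
        if (DllCall("Advapi32.dll\LookupPrivilegeValueA", "UInt", 0, "Str", "SeDebugPrivilege", "Int64P", luid))
        {
            NumPut(luid, ti, 4, "int64")         ; Privileges[0].Luid
            NumPut(2, ti, 12)                    ; Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
            ; AdjustTokenPrivileges returns nonzero even when the privilege was NOT
            ; granted; ERROR_NOT_ALL_ASSIGNED (1300) in A_LastError is the real verdict.
            if (DllCall("Advapi32.dll\AdjustTokenPrivileges", "UInt", t, "Int", false, "UInt", &ti, "UInt", 0, "UInt", 0, "UInt", 0))
                privOK := (A_LastError != 1300)
        }
        DllCall("CloseHandle", "UInt", t)        ; the original never closed the token handle
    }
    DllCall("CloseHandle", "UInt", h)
}
if (!privOK)
    MsgBox, 48, Security Tool remover, Could not enable SeDebugPrivilege (run this script as Administrator).`nTerminating the malware process may fail.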
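; Build `l`, a newline-separated list of the base executable name of every
; process this script is able to open (adapted from the AHK help-file example).
; NOTE(review): from a 32-bit AutoHotkey, GetModuleBaseName fails for 64-bit
; processes, so those never appear in `l` -- confirm the malware is 32-bit.
hModule := DllCall("LoadLibrary", "Str", "Psapi.dll")
; EnumProcesses fills `a` with DWORD PIDs and reports the bytes written in r.
; Its only "buffer too small" signal is r == size, so grow the buffer and retry.
Loop
{
    s := VarSetCapacity(a, s)
    if (!DllCall("Psapi.dll\EnumProcesses", "UInt", &a, "UInt", s, "UIntP", r))
    {
        r := 0
        break
    }
    if (r < s)
        break
    s *= 2
}
c := 0
l := ""
Loop, % r // 4
{
    ; PIDs start at offset 0.  The original used A_Index * 4, which skipped the
    ; first entry and read one DWORD past the data EnumProcesses returned.
    id := NumGet(a, (A_Index - 1) * 4)
    ; PROCESS_VM_READ (0x0010) | PROCESS_QUERY_INFORMATION (0x0400)
    h := DllCall("OpenProcess", "UInt", 0x0010 | 0x0400, "Int", false, "UInt", id)
    if (!h)
        continue                                 ; protected or foreign process: cannot be listed
    VarSetCapacity(n, 260, 0)                    ; MAX_PATH is plenty for a base name
    e := DllCall("Psapi.dll\GetModuleBaseNameA", "UInt", h, "UInt", 0, "Str", n, "UInt", 260)
    DllCall("CloseHandle", "UInt", h)
    if (n && e)
        l .= n . d, c++
}
DllCall("FreeLibrary", "UInt", hModule)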
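; My Code
; Security Tool names its executable with digits only (e.g. 20493748.exe) and
; keeps its files in %A_AppDataCommon%\<those digits>.  Every process whose
; base name matches that pattern is killed and its folder removed.
; CAUTION: this is a heuristic, not a signature -- any legitimately all-digit
; process name would be hit too, so read the summary before trusting it.
proclist := ""
failed := ""
Loop, parse, l, `n
{
    proc := A_LoopField
    ; Digits followed by exactly one trailing ".exe" (case-insensitive).  The
    ; original stripped every ".exe" and then used "is integer", which also
    ; accepted hex (0x..), a leading sign and surrounding whitespace.
    if (!RegExMatch(proc, "i)^(\d+)\.exe$", digits))
        continue
    proctemp := digits1
    Process, Close, %proc%
    if (ErrorLevel = 0)
    {
        ; 0 = the process is already gone, or access was denied (script not elevated)
        failed := failed proc " (could not be terminated)`n"
        continue
    }
    proclist := proclist proc "`n"
    dir := A_AppDataCommon "\" proctemp
    ; Only delete a folder that actually exists and is a directory.
    if (InStr(FileExist(dir), "D"))
    {
        FileRemoveDir, %dir%, 1
        if (ErrorLevel)
            failed := failed dir " (could not be deleted)`n"
    }
}
summary := ""
if (proclist != "")
    summary .= "Security Tool has been terminated`nRemove the following entries from startup:`n`n" proclist "`n"
if (failed != "")
    summary .= "NOT cleaned up (re-run as Administrator):`n" failed
if (summary = "")
    MsgBox, 48, Security Tool remover, No process with an all-digit name (e.g. 12345678.exe) was found.`nSecurity Tool may not be running`, or its naming pattern has changed.
else
    MsgBox, 64, Security Tool remover, %summary%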