Security Tool (hijackware) remover

CodeRage
Posted: Mon Jan 11, 2010 7:15 pm    Post subject: Security Tool (hijackware) remover

There is a piece of malware floating around called Security Tool. This malicious program is designed to look like antivirus software, but it is quite the opposite. Security Tool locks down your Windows shell and prevents you from doing pretty much anything, and automatically terminates Task Manager or any known anti-spyware that is capable of removing it. Google searches turned up a lot of disappointment and sales pitches for anti-spyware that I don't want/need, so I wrote this script that does a fine job of nuking the whole program.

The top section of this code was ripped from the examples in AHK's help file.

Code:
;Example Code:
d = `n            ; separator used when building the process-name list
s := 4096         ; buffer size for EnumProcesses and GetModuleBaseName

; Enable SeDebugPrivilege on this script's own token so OpenProcess succeeds on protected processes
Process, Exist    ; with no PID given, sets ErrorLevel to this script's own PID
h := DllCall("OpenProcess", "UInt", 0x0400, "Int", false, "UInt", ErrorLevel)   ; PROCESS_QUERY_INFORMATION
DllCall("Advapi32.dll\OpenProcessToken", "UInt", h, "UInt", 32, "UIntP", t)     ; TOKEN_ADJUST_PRIVILEGES
VarSetCapacity(ti, 16, 0)      ; TOKEN_PRIVILEGES: PrivilegeCount (4) + LUID (8) + Attributes (4)
NumPut(1, ti, 0)               ; PrivilegeCount = 1
DllCall("Advapi32.dll\LookupPrivilegeValueA", "UInt", 0, "Str", "SeDebugPrivilege", "Int64P", luid)
NumPut(luid, ti, 4, "int64")   ; Luid
NumPut(2, ti, 12)              ; Attributes = SE_PRIVILEGE_ENABLED
DllCall("Advapi32.dll\AdjustTokenPrivileges", "UInt", t, "Int", false, "UInt", &ti, "UInt", 0, "UInt", 0, "UInt", 0)
DllCall("CloseHandle", "UInt", t)
DllCall("CloseHandle", "UInt", h)

; Enumerate every PID and collect the image base names into l, one per line
hModule := DllCall("LoadLibrary", "Str", "Psapi.dll")
s := VarSetCapacity(a, s)
c := 0
DllCall("Psapi.dll\EnumProcesses", "UInt", &a, "UInt", s, "UIntP", r)   ; r = number of bytes written
Loop, % r // 4
{
   id := NumGet(a, (A_Index - 1) * 4)   ; A_Index is 1-based, the DWORD PID array is 0-based
   h := DllCall("OpenProcess", "UInt", 0x0010 | 0x0400, "Int", false, "UInt", id)   ; PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
   VarSetCapacity(n, s, 0)
   e := DllCall("Psapi.dll\GetModuleBaseNameA", "UInt", h, "UInt", 0, "Str", n, "UInt", s)
   DllCall("CloseHandle", "UInt", h)
   if (n && e)
      l .= n . d, c++
}
DllCall("FreeLibrary", "UInt", hModule)


; My Code
; Security Tool runs as <digits>.exe out of %A_AppDataCommon%\<digits>\ ; kill any such process and delete its folder
Loop, parse, l, `n
{
   proc := A_LoopField
   StringReplace, proctemp, proc, .exe,, All   ; strip the extension to get the bare name
   if proctemp is integer                     ; digits-only name (note: matches any other digits-only process name too)
   {
      Process, Close, %proc%
      FileRemoveDir, %A_AppDataCommon%\%proctemp%, 1   ; recursive delete of the matching folder
      proclist := proclist proc "`n"
   }
}

MsgBox, Security Tool has been terminated`nRemove the following entries from startup:`n`n%proclist%
Fry
Posted: Mon Jan 11, 2010 9:18 pm

First off, very nice tool!

My cousin had this virus, and it took me about 30 minutes to actually find the executable.

However, I see one problem: your if statement checks if it's an integer; however, on one's computer there may be another integer-only process name, which may delete or cause some sort of malfunction.

Again, I like it!
CodeRage
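The script above matches on the digits-only process name alone, which is the false-positive case Fry raises. The following is an added example, not code from this thread: a Python triage routine that only flags a process when its image name is digits-only AND it runs from a same-named digits-only folder under the common application-data directory, the layout the script's FileRemoveDir line relies on. The process list, PIDs, paths and the application-data directory are constructed sample data; the image path is assumed to be available alongside the base name.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str   # image base name, as GetModuleBaseName returns it
    path: str   # full image path (assumed available, e.g. from GetModuleFileNameEx)


def numeric_stem(name: str) -> Optional[str]:
    """Return the digits-only stem of a '<digits>.exe' name, else None."""
    stem, ext = ntpath.splitext(name)
    if ext.lower() != ".exe" or not stem.isdigit():
        return None
    return stem


def is_candidate(proc: Proc, appdata_common: str) -> bool:
    """True only for <appdata_common>\\<digits>\\<digits>.exe, the layout the script deletes."""
    stem = numeric_stem(proc.name)
    if stem is None:
        return False
    expected_dir = ntpath.join(appdata_common, stem)
    actual_dir = ntpath.dirname(proc.path)
    # normcase lowercases and normalises separators so the comparison works off-Windows too
    return ntpath.normcase(actual_dir) == ntpath.normcase(expected_dir)


def triage(procs: List[Proc], appdata_common: str) -> Tuple[List[Proc], List[Proc]]:
    """Split digits-only-named processes into hits (matching folder) and skipped (anywhere else)."""
    hits, skipped = [], []
    for p in procs:
        if numeric_stem(p.name) is None:
            continue
        (hits if is_candidate(p, appdata_common) else skipped).append(p)
    return hits, skipped


# Constructed sample data: one legitimate process, one Security-Tool-style process, one digits-only
# name living somewhere else entirely (the case the name-only check would wrongly kill).
SAMPLE_APPDATA_COMMON = r"C:\Documents and Settings\All Users\Application Data"
SAMPLE_PROCS = [
    Proc(1204, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    Proc(2216, "39415212.exe", SAMPLE_APPDATA_COMMON + r"\39415212\39415212.exe"),
    Proc(3388, "2024.exe", r"C:\Program Files\Vendor\2024.exe"),
]

if __name__ == "__main__":
    hits, skipped = triage(SAMPLE_PROCS, SAMPLE_APPDATA_COMMON)
    print("terminate + remove folder:", [p.name for p in hits], "| left alone:", [p.name for p in skipped])
```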
Posted: Tue Jan 12, 2010 1:15 pm

Thanks for the kind word :) Indeed, I considered that the integer issue may cause some havoc, but I reasoned that those cases are rare, plus any software using numeric-only processes may be malicious as well. Even so, it would be a small price to pay to rid a system of this foul program.