Not really a tool, just some quick code for removing "Spyware Protection" (http://www.kernelmode.info/forum/viewto ... t=60#p4712).
I've used the chiptune ripped by EP_X0 in a post (http://www.kernelmode.info/forum/viewto ... =675#p4614).
Simple ASM version — what it does:
1: Kill any running "defender.exe" process (matched by image name only)
2: Remove the startup value (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spyware Protection) if it points at %APPDATA%\defender.exe
3: Delete "defender.exe" in %APPDATA%, but only if its MD5 matches the known sample hard-coded in the source (other variants are left alone)
.386 ;Spyware Protection remover, only 17kb :þ
.MODEL FLAT, STDCALL
OPTION CASEMAP:NONE
INCLUDE WINDOWS.INC
INCLUDE USER32.INC
INCLUDE KERNEL32.INC
INCLUDE ADVAPI32.INC
INCLUDE CRYPTOHASH.INC
INCLUDELIB USER32.LIB
INCLUDELIB KERNEL32.LIB
INCLUDELIB ADVAPI32.LIB
INCLUDELIB CRYPTOHASH.LIB
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD       ; dialog procedure, defined below
.data
; --- constant strings -------------------------------------------------------
SubKey db "Software\Microsoft\Windows\CurrentVersion\Run\",0   ; persistence key under HKCU
szX db "Spyware Protection",0                                   ; name of the Run value to remove
szTarget db "defender.exe",0                                    ; image name of the dropper
szCaption db "Spyware Protection Remover",0                     ; MessageBox title
szNF db "Spyware Protection Not Found",0                        ; "nothing matched" message
szF db "Spyware Protection Found",0                             ; success-case message text
appdata db "APPDATA", 0                                         ; environment variable holding the drop directory
MD5 db "DD18BCE36B184E2901A8AD94E48C30F8",0                    ; hex MD5 of the one known sample; only a file with this digest is deleted
slash db "\",0
; Debug strings from the author's development build; the MessageBox calls that
; used them are commented out in TerminateProc.
;ProcError db "An Error has occurred!!",0
;ProcFinish db "Process Terminated successfully!",0
;errSnapshot db "CreateToolhelp32Snapshot failed.",0
;errProcFirst db "Process32First failed.",0
.data?
; --- uninitialised (zero-filled) globals ------------------------------------
hInstance dd ?                  ; module handle, set in start
hKey dd ?                       ; open registry key handle (DlgProc)
hValue dd ?                     ; in/out byte count for RegQueryValueEx
hFile dd ?                      ; handle to %APPDATA%\defender.exe
mFile dd ?                      ; file-mapping handle for hashing
sFile dd ?                      ; file size (low dword) passed to MD5Update
mapFile dd ?                    ; mapped view base passed to MD5Update
szBuffer db 512 dup(?)          ; receives the Run value's data; whoever reads into it must bound lpcbData by SIZEOF szBuffer
buffer db 512 dup(?)            ; "%APPDATA%\defender.exe", built at WM_INITDIALOG
BufferHash db 512 dup(?)        ; hex-encoded MD5 of the file (HexEncode needs 2*16+2 bytes)
StartupInfo STARTUPINFO <>      ; not referenced in this listing
ProcessInfo PROCESS_INFORMATION <>  ; not referenced in this listing
hSnapshot HANDLE ?              ; ToolHelp process snapshot (TerminateProc)
ProcEnt PROCESSENTRY32 <?>      ; current entry while walking the snapshot
.code
; Entry point: resolve our module handle, run dialog 1001 (the one-button
; "REMOVE" dialog from the resource script) modally, and exit with the value
; DialogBoxParam returns (the EndDialog result, or -1 if the dialog failed).
start:
invoke GetModuleHandle, NULL
mov hInstance,eax
invoke DialogBoxParam, hInstance, 1001, NULL, addr DlgProc, NULL
invoke ExitProcess,eax          ; eax still holds DialogBoxParam's result
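;-----------------------------------------------------------------------------
; RemoveDropper
; Opens the file whose path is in `buffer` ("%APPDATA%\defender.exe"), hashes
; it with MD5 and deletes it only if the hex digest equals the hard-coded MD5
; string.  This is an allow-list on one exact sample: a repacked/modified
; variant is never deleted, it only produces "no match".
; Returns eax != 0 when the file was deleted, 0 otherwise (cannot open, empty
; file, mapping failure, hash mismatch or DeleteFile failure).
; Every handle taken is released on every path (the original leaked the file
; and mapping handles on the mismatch path).
; Uses globals hFile, mFile, mapFile, sFile, BufferHash.  Clobbers eax/ecx/edx.
;-----------------------------------------------------------------------------
RemoveDropper proc
    LOCAL fDeleted:DWORD

    mov fDeleted, 0
    ; Share READ and DELETE only: nobody can open the file for writing while we
    ; hash it, and DeleteFile (which opens with DELETE access) still succeeds
    ; while this handle is held, so the bytes we verified are the bytes removed.
    ; A rename-and-replace by another process is still possible in principle.
    invoke CreateFile, addr buffer, GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_DELETE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
    .if eax == INVALID_HANDLE_VALUE
        xor eax, eax
        ret
    .endif
    mov hFile, eax

    invoke GetFileSize, hFile, 0
    mov sFile, eax
    ; A zero-length file cannot be mapped (CreateFileMapping rejects size 0)
    ; and can never equal the sample hash; 0FFFFFFFFh is INVALID_FILE_SIZE.
    .if eax != 0 && eax != 0FFFFFFFFh
        invoke CreateFileMapping, hFile, 0, PAGE_READONLY, 0, 0, 0
        .if eax != 0
            mov mFile, eax
            invoke MapViewOfFile, mFile, FILE_MAP_READ, 0, 0, 0
            .if eax != 0
                mov mapFile, eax
                ; Single-shot hash of the whole view; MD5Final returns a pointer
                ; to the 16-byte digest, which HexEncode turns into hex text.
                invoke MD5Init
                invoke MD5Update, mapFile, sFile
                invoke MD5Final
                invoke HexEncode, eax, MD5_DIGESTSIZE, addr BufferHash
                invoke UnmapViewOfFile, mapFile
                ; Case-insensitive: the case HexEncode emits is not known here.
                invoke lstrcmpi, addr MD5, addr BufferHash
                .if eax == 0
                    mov fDeleted, 1
                .endif
            .endif
            invoke CloseHandle, mFile
        .endif
    .endif

    .if fDeleted != 0
        ; Clear read-only/hidden/system so DeleteFile is not refused, then
        ; delete; the file disappears when our read handle below is closed.
        invoke SetFileAttributes, addr buffer, FILE_ATTRIBUTE_NORMAL
        invoke DeleteFile, addr buffer
        mov fDeleted, eax               ; 0 if DeleteFile failed
    .endif
    invoke CloseHandle, hFile
    mov eax, fDeleted
    ret
RemoveDropper endp

;-----------------------------------------------------------------------------
; DlgProc
; Dialog procedure for resource dialog 1001 (one "REMOVE" button, id 1023).
;   WM_INITDIALOG : build "%APPDATA%\defender.exe" into `buffer`, then kill any
;                   running defender.exe (TerminateProc) before the user clicks.
;   WM_COMMAND    : id 1023 -> read HKCU\...\Run\"Spyware Protection"; if it
;                   equals the built path, delete that Run value and then call
;                   RemoveDropper (hash-gated file deletion).  "Found" is shown
;                   only when the file was actually deleted; "Not Found" when
;                   the Run value is absent/different or the file did not match.
;                   IDCANCEL (Esc) closes the dialog; other ids are ignored.
;   WM_CLOSE      : EndDialog.
; Always returns 0 (message not handled) as the original did.
; Fixes vs. the original: RegQueryValueEx is bounded by SIZEOF szBuffer rather
; than by the key's largest value (which could exceed the buffer), registry and
; file handles are closed on every path, the key is reopened with KEY_SET_VALUE
; instead of KEY_ALL_ACCESS, the path compare is case-insensitive like NTFS,
; and a failed APPDATA lookup no longer yields a root-relative "\defender.exe".
;-----------------------------------------------------------------------------
DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL fMatch:DWORD

    .if uMsg == WM_INITDIALOG
        ; 256 chars for APPDATA leaves room in the 512-byte buffer for the suffix.
        invoke GetEnvironmentVariable, addr appdata, addr buffer, 256
        .if eax != 0 && eax < 256
            invoke lstrcat, addr buffer, addr slash
            invoke lstrcat, addr buffer, addr szTarget
        .else
            ; APPDATA missing or too long: keep the path empty so nothing
            ; below can match (and nothing outside %APPDATA% is ever deleted).
            mov byte ptr buffer, 0
        .endif
        call TerminateProc
    .elseif uMsg == WM_COMMAND
        mov eax, wParam
        and eax, 0FFFFh                 ; LOWORD = control id, HIWORD = notification
        .if eax == IDCANCEL
            invoke EndDialog, hWnd, 0
        .elseif eax == 1023
            ; 1. Does the Run value point at our expected dropper path?
            mov fMatch, 0
            invoke RegOpenKeyEx, HKEY_CURRENT_USER, addr SubKey, 0, KEY_READ, addr hKey
            .if eax == 0                ; ERROR_SUCCESS
                mov hValue, SIZEOF szBuffer - 1     ; last byte stays 0 as a terminator
                invoke RegQueryValueEx, hKey, addr szX, 0, 0, addr szBuffer, addr hValue
                .if eax == 0
                    invoke lstrcmpi, addr szBuffer, addr buffer
                    .if eax == 0
                        mov fMatch, 1
                    .endif
                .endif
                invoke RegCloseKey, hKey
            .endif
            .if fMatch == 0
                invoke MessageBox, NULL, addr szNF, addr szCaption, MB_OK + MB_ICONINFORMATION
            .else
                ; 2. Remove the persistence entry (KEY_SET_VALUE is all RegDeleteValue needs).
                invoke RegOpenKeyEx, HKEY_CURRENT_USER, addr SubKey, 0, KEY_SET_VALUE, addr hKey
                .if eax == 0
                    invoke RegDeleteValue, hKey, addr szX
                    invoke RegCloseKey, hKey
                .endif
                ; 3. Delete the file if, and only if, it is the known sample.
                call RemoveDropper
                .if eax != 0
                    invoke MessageBox, NULL, addr szF, addr szCaption, MB_OK + MB_ICONINFORMATION
                .else
                    invoke MessageBox, NULL, addr szNF, addr szCaption, MB_OK + MB_ICONINFORMATION
                .endif
            .endif
        .endif
    .elseif uMsg == WM_CLOSE
        invoke EndDialog, hWnd, 0
    .endif
    xor eax, eax
    ret
DlgProc endp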
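;-----------------------------------------------------------------------------
; TerminateProc
; Walks a ToolHelp process snapshot and calls TerminateProcess on every
; process whose PROCESSENTRY32.szExeFile equals szTarget ("defender.exe"),
; compared case-insensitively.
; NOTE(review): the match is by image NAME only; the image path is not
; compared against `buffer`, so an unrelated process that happens to be called
; defender.exe is killed as well.
; All failures are ignored silently (the commented-out MessageBox calls were
; the author's debug output); the caller proceeds regardless.
; Fix vs. the original: the OpenProcess handle is now closed after
; TerminateProcess instead of being leaked per matching process.
; Uses globals hSnapshot, ProcEnt, szTarget.  Clobbers eax/ecx/edx.
;-----------------------------------------------------------------------------
TerminateProc proc
    LOCAL hProc:DWORD

    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    .if eax == INVALID_HANDLE_VALUE
        ;invoke MessageBox, NULL,ADDR errSnapshot,NULL,MB_OK or MB_ICONERROR
        ret
    .endif
    mov hSnapshot, eax
    mov [ProcEnt.dwSize], SIZEOF ProcEnt        ; required before Process32First
    invoke Process32First, hSnapshot, ADDR ProcEnt
    ;.if eax == 0: invoke MessageBox, NULL,ADDR errProcFirst,NULL,MB_OK or MB_ICONERROR
    .while eax != 0
        invoke lstrcmpi, ADDR szTarget, ADDR [ProcEnt.szExeFile]
        .if eax == 0
            invoke OpenProcess, PROCESS_TERMINATE, FALSE, [ProcEnt.th32ProcessID]
            .if eax != 0
                mov hProc, eax
                invoke TerminateProcess, hProc, 0
                ;invoke MessageBox,NULL,addr ProcFinish,NULL,MB_ICONINFORMATION
                invoke CloseHandle, hProc
            .else
                ;invoke MessageBox,NULL,addr ProcError,NULL,MB_OK
            .endif
        .endif
        ; Keep walking: several instances of the same image may be running.
        invoke Process32Next, hSnapshot, ADDR ProcEnt
    .endw
    invoke CloseHandle, hSnapshot
    ret
TerminateProc endp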
end start
Next the dialog resource script, then the prototypes from drizz's cryptohash include (only the .inc is shown; search the web for the library itself):
;This Resource Script was generated by WinAsm Studio.
; Dialog 1001 is the id passed to DialogBoxParam in start; its only control,
; the "REMOVE" button, has id 1023, which is the WM_COMMAND id DlgProc acts on.
1001 DIALOGEX 0,0,219,45
CAPTION "Spyware Protection Remover"
FONT 8,"MS Sans Serif"
STYLE 0x10ca0800
EXSTYLE 0x00000000
BEGIN
CONTROL "REMOVE",1023,"Button",0x50010000,10,9,197,25,0x00020000
END
; cryptohash.inc -- MASM prototypes for drizz's cryptohash library (ciphers,
; checksums, hashes and text encoders).  Only declarations; the code lives in
; CRYPTOHASH.LIB.
; NOTE(review): the hash and cipher routines take no context/state argument,
; so state is presumably kept in library globals -- do not interleave two
; hashes or two key schedules; confirm against the library source.
; NOTE(review): MD2/MD4/MD5/SHA-0/SHA-1/RIPEMD-128 are not collision-resistant
; and DES/RC2/RC4/TEA are weak by today's standards; fine for matching a known
; sample (as this remover does), not for new designs.
comment "written by drizz <1of00@gmx.net>"
; CIPHERS
; =======
; Block ciphers: *SetKey/*Init load the key schedule, *Encrypt/*Decrypt then
; process one block (pBlockIn -> pBlockOut).  RC4 is a stream cipher and
; transforms a buffer in place; its Decrypt is the same routine.
GOSTSetKey proto pKey:ptr byte
GOSTEncrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
GOSTDecrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
CAST128SetKey proto pKey:ptr byte,dwKeylen:dword
CAST128Encrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
CAST128Decrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
MARSSetKey proto pKey:ptr byte,dwKeyLen:dword
MARSEncrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
MARSDecrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
IDEASetKeyEnc proto pKey:dword
IDEASetKeyDec proto pKey:dword
IDEAEncrypt proto pBlockIn:ptr byte,pBlockOut:ptr byte
IDEADecrypt equ IDEAEncrypt         ; same routine; direction is chosen by which SetKey was run
IDEAEncryptSSE proto pBlockIn:ptr byte,pBlockOut:ptr byte
IDEADecryptSSE equ IDEAEncryptSSE
DESSetKey PROTO pKey:PTR BYTE
DESSetKeyEnc PROTO pKey:PTR BYTE
DESSetKeyDec PROTO pKey:PTR BYTE
DESEncrypt PROTO pBlockIn:PTR BYTE,pBlockOut:PTR BYTE
DESDecrypt PROTO pBlockIn:PTR BYTE,pBlockOut:PTR BYTE
TwofishInit PROTO :DWORD,:DWORD
TwofishEncrypt PROTO :DWORD,:DWORD
TwofishDecrypt PROTO :DWORD,:DWORD
RC2Init proto pKey:DWORD,dwKeyLen:DWORD
RC2Encrypt proto pBlockIn:DWORD,pBlockOut:DWORD
RC2Decrypt proto pBlockIn:DWORD,pBlockOut:DWORD
RC4Init proto pKey:DWORD,:DWORD
RC4Encrypt proto pBlock:DWORD,dwBlockLen:DWORD
RC4Decrypt equ <RC4Encrypt>
RC5Init PROTO pKeys:DWORD
RC5Encrypt PROTO pBlockIn:DWORD,pBlockOut:DWORD
RC5Decrypt PROTO pBlockIn:DWORD,pBlockOut:DWORD
RC6Init PROTO :DWORD,:DWORD
RC6Encrypt PROTO pBlockIn:DWORD,pBlockOut:DWORD
RC6Decrypt PROTO pBlockIn:DWORD,pBlockOut:DWORD
XTEAInit proto :DWORD,:DWORD
XTEAEncrypt proto :DWORD,:DWORD
XTEADecrypt proto :DWORD,:DWORD
RijndaelInit proto :DWORD,:DWORD
RijndaelEncrypt proto :DWORD,:DWORD
RijndaelDecrypt proto :DWORD,:DWORD
ThreeWayInit proto :DWORD
ThreeWayEncrypt proto :DWORD,:DWORD
ThreeWayDecrypt proto :DWORD,:DWORD
TEAInit proto :DWORD
TEAEncrypt proto :DWORD,:DWORD
TEADecrypt proto :DWORD,:DWORD
BlowfishInit proto :DWORD,:DWORD
BlowfishEncrypt proto :DWORD,:DWORD
BlowfishDecrypt proto :DWORD,:DWORD
; CHECKSUMS
; =========
; Incremental: pass the previous result back in dwCRC/dwAdler to continue a
; checksum over several buffers; start with the INIT_* value.
INIT_CRC32 equ 0
INIT_CRC16 equ 0
INIT_ADLER32 equ 1
CRC32 proto lpBuffer:DWORD,dwBufLen:DWORD,dwCRC:DWORD; init dwCRC = 0
; for RCRC32 Data must be Readable/Writeable
; RCRC32 patches the data at dwOffset so that its CRC32 becomes dwWantCrc --
; a reminder that CRC32 is not an integrity check against a deliberate change.
RCRC32 proto pData:dword,dwDataLen:dword,dwOffset:dword,dwWantCrc:dword; reverse CRC32
CRC16 proto lpBuffer:DWORD,dwBufLen:DWORD,dwCRC:DWORD; init dwCRC = 0
Adler32 proto lpBuffer:DWORD,dwBufLen:DWORD,dwAdler:DWORD; init dwAdler = 1
; HASHES
; ======
; Digest sizes in bytes; the remover passes MD5_DIGESTSIZE to HexEncode.
MD5_DIGESTSIZE equ 128/8
MD4_DIGESTSIZE equ 128/8
MD2_DIGESTSIZE equ 128/8
RMD128_DIGESTSIZE equ 128/8
RMD160_DIGESTSIZE equ 160/8
RMD256_DIGESTSIZE equ 256/8
RMD320_DIGESTSIZE equ 320/8
SHA0_DIGESTSIZE equ 160/8
SHA1_DIGESTSIZE equ 160/8
SHA256_DIGESTSIZE equ 256/8
SHA384_DIGESTSIZE equ 384/8
SHA512_DIGESTSIZE equ 512/8
WHIRLPOOL_DIGESTSIZE equ 512/8
TIGER_DIGESTSIZE equ 192/8
; Usage: Init, then Update any number of times, then Final.  As used by the
; remover, Final returns (in eax) a pointer to the digest bytes.
MD5Init proto
MD5Update proto lpBuffer:DWORD,dwBufLen:DWORD
MD5Final proto
MD4Init proto
MD4Update proto lpBuffer:DWORD,dwBufLen:DWORD
MD4Final proto
MD2Init proto
MD2Update proto lpBuffer:DWORD,dwBufLen:DWORD
MD2Final proto
RMD128Init proto
RMD128Update proto lpBuffer:DWORD,dwBufLen:DWORD
RMD128Final proto
RMD160Init proto
RMD160Update proto lpBuffer:DWORD,dwBufLen:DWORD
RMD160Final proto
RMD256Init proto
RMD256Update proto lpBuffer:DWORD,dwBufLen:DWORD
RMD256Final proto
RMD320Init proto
RMD320Update proto lpBuffer:DWORD,dwBufLen:DWORD
RMD320Final proto
SHA0Init proto
SHA0Update proto lpBuffer:DWORD,dwBufLen:DWORD
SHA0Final proto
SHA1Init proto
SHA1Update proto lpBuffer:DWORD,dwBufLen:DWORD
SHA1Final proto
SHA256Init proto
SHA256Update proto lpBuffer:DWORD,dwBufLen:DWORD
SHA256Final proto
SHA384Init proto
SHA384Update proto lpBuffer:DWORD,dwBufLen:DWORD
SHA384Final proto
SHA512Init proto
SHA512Update proto lpBuffer:DWORD,dwBufLen:DWORD
SHA512Final proto
WhirlpoolInit proto
WhirlpoolUpdate proto lpBuffer:DWORD,dwBufLen:DWORD
WhirlpoolFinal proto
TigerInit proto
TigerUpdate proto lpBuffer:DWORD,dwBufLen:DWORD
TigerFinal proto
HavalInit proto DigestSizeBits:DWORD,Passes:DWORD ; variable digest & passes !!!
HavalUpdate proto lpBuffer:DWORD,dwBufLen:DWORD
HavalFinal proto
; TEXT UTILS
; ==========
; Output buffers are sized by the caller; the sizing rules are in the
; trailing comments -- none of these routines can check the output length.
HexEncode proto pBuff:dword,dwLen:dword,pOutBuff:dword ; sizeof pOutBuff must be (dwLen)*2+2
HexDecode proto pHexStr:dword,pOutBuffer:dword; sizeof pOutBuff must be StrLen(pHexStr)/2+1
Base64Encode proto pInputData:DWORD,dwDataLen:DWORD,pOutputStr:DWORD; returns b64 string len
Base64Decode proto pInputStr:DWORD,pOutputData:DWORD; result = length
Base2Decode proto pInputStr:dword,pOutputData:dword; result = length
Base2Encode proto pInputData:dword,dwDataLen:dword,pOutputData:dword; result = length
I've used the chiptune ripped by EP_X0 in a post (http://www.kernelmode.info/forum/viewto ... =675#p4614).