/// <summary>
/// Removes the OneDrive client: kills the running process, runs the bundled
/// OneDriveSetup.exe uninstaller from System32 and SysWOW64 when present, then
/// deletes the leftover OneDrive folders and the CLSID registration under HKCR
/// (plus its Wow6432Node mirror). The result of every step is handed to
/// <c>logger.output</c>.
/// </summary>
/// <remarks>
/// Destructive and unprompted: <c>rd /Q /S</c> on <c>%USERPROFILE%\OneDrive</c>
/// removes the contents of the user's OneDrive folder on disk. The only wait
/// between the uninstaller and the folder removal is a fixed
/// <c>ping 127.0.0.1 -n 5</c> pause (a few seconds), so a slow uninstaller may
/// still be running when the folders are deleted. <c>Paths.SysDir</c> appears
/// to be a drive root ending in a separator, since <c>Windows\System32\...</c>
/// is appended directly — verify against its definition. Every cmd.exe step
/// redirects its output to <c>NUL</c>, so a failing step is not reported.
/// </remarks>
internal void DeleteOneDrive()
{
    // The "wait" is a loopback ping; 5 echoes take a few seconds.
    const string PauseCmd = "/c ping 127.0.0.1 -n 5 > NUL 2>&1";

    // 1. Stop the client so the uninstaller and the folder removal are not
    //    blocked by open handles, then give it a moment to exit.
    logger.output(ProcessUtil.RunCmd("/c taskkill /f /im OneDrive.exe > NUL 2>&1"));
    logger.output(ProcessUtil.RunCmd(PauseCmd));

    // 2. Run whichever uninstaller binaries exist (System32 first, then SysWOW64).
    string[] setupBinaries =
    {
        Paths.SysDir + @"Windows\System32\OneDriveSetup.exe",
        Paths.SysDir + @"Windows\SysWOW64\OneDriveSetup.exe",
    };
    foreach (string setupExe in setupBinaries)
    {
        if (File.Exists(setupExe))
        {
            logger.output(ProcessUtil.StartProcess(setupExe, "/uninstall"));
        }
    }

    // 3. Pause again, then wipe the folders and registry keys the uninstaller
    //    leaves behind. Note the hard-coded C: for OneDriveTemp.
    logger.output(ProcessUtil.RunCmd(PauseCmd));
    string[] cleanupCommands =
    {
        "/c rd \"%USERPROFILE%\\OneDrive\" /Q /S > NUL 2>&1",
        "/c rd \"C:\\OneDriveTemp\" /Q /S > NUL 2>&1",
        "/c rd \"%LOCALAPPDATA%\\Microsoft\\OneDrive\" /Q /S > NUL 2>&1",
        "/c rd \"%PROGRAMDATA%\\Microsoft OneDrive\" /Q /S > NUL 2>&1",
        "/c REG DELETE \"HKEY_CLASSES_ROOT\\CLSID\\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\" /f > NUL 2>&1",
        "/c REG DELETE \"HKEY_CLASSES_ROOT\\Wow6432Node\\CLSID\\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\" /f > NUL 2>&1",
    };
    foreach (string command in cleanupCommands)
    {
        logger.output(ProcessUtil.RunCmd(command));
    }
}
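 /// <summary>
 /// Disables Windows diagnostic/telemetry collection: stops and disables the
 /// collector services, deletes the DiagTrack service entries, turns off the
 /// AutoLogger ETW sessions and writes the telemetry / CEIP / feedback policy
 /// values to the registry. Each step is a <c>cmd.exe</c> command run through
 /// <c>ProcessUtil.RunCmd</c>; return values are not inspected, so a failed
 /// step (for example when the process is not elevated) is not reported.
 /// </summary>
 /// <remarks>
 /// Hard to undo: <c>sc delete</c> removes the service entries rather than
 /// merely disabling them. The "keylogger" step only logs a message; no
 /// command is executed for it. Commands that appeared twice in the original
 /// list (repeated <c>net stop</c>, and the DisableUAR / CEIPEnable
 /// <c>reg add</c> lines) were dropped; the resulting machine state is the same.
 /// </remarks>
 internal void disableTelemetryAndKeylogger()
 {
     // DISABLE TELEMETRY
     logger.output("Disable telemetry...");

     // Order matters: stop the services first, then disable start-up, then delete.
     string[] telemetryCommands =
     {
         // Stop the running collectors.
         "/c net stop DiagTrack ",
         "/c net stop diagnosticshub.standardcollector.service ",
         "/c net stop dmwappushservice ",
         "/c net stop WMPNetworkSvc ",
         // Keep them from starting again.
         "/c sc config DiagTrack start=disabled ",
         "/c sc config diagnosticshub.standardcollector.service start=disabled ",
         "/c sc config dmwappushservice start=disabled ",
         "/c sc config WMPNetworkSvc start=disabled ",
         // AutoLogger ETW session off under ControlSet001 (the CurrentControlSet copy is set further down).
         "/c REG ADD HKLM\\SYSTEM\\ControlSet001\\Control\\WMI\\AutoLogger\\AutoLogger-Diagtrack-Listener /v Start /t REG_DWORD /d 0 /f",
         // Remove the service entries. NOTE(review): "dmwappushsvc" does not match the
         // name used above ("dmwappushservice"), so this line is probably a no-op — verify.
         "/c sc delete dmwappushsvc",
         "/c sc delete \"Diagnostics Tracking Service\"",
         "/c sc delete diagtrack",
         // Policy values: device metadata download, telemetry level, MRT via WU,
         // CEIP, app-compat telemetry/UAR, AutoLogger sessions, feedback (Siuf) frequency.
         "/c reg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Metadata\" /v \"PreventDeviceMetadataFromNetwork\" /t REG_DWORD /d 1 /f ",
         "/c reg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection\" /v \"AllowTelemetry\" /t REG_DWORD /d 0 /f ",
         "/c reg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MRT\" /v \"DontOfferThroughWUAU\" /t REG_DWORD /d 1 /f ",
         "/c reg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\" /v \"CEIPEnable\" /t REG_DWORD /d 0 /f ",
         "/c reg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat\" /v \"AITEnable\" /t REG_DWORD /d 0 /f ",
         "/c reg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat\" /v \"DisableUAR\" /t REG_DWORD /d 1 /f ",
         "/c reg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\" /v \"AllowTelemetry\" /t REG_DWORD /d 0 /f ",
         "/c reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\AutoLogger\\AutoLogger-Diagtrack-Listener\" /v \"Start\" /t REG_DWORD /d 0 /f ",
         "/c reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\AutoLogger\\SQMLogger\" /v \"Start\" /t REG_DWORD /d 0 /f ",
         "/c reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Siuf\\Rules\" /v \"NumberOfSIUFInPeriod\" /t REG_DWORD /d 0 /f ",
         "/c reg delete \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Siuf\\Rules\" /v \"PeriodInNanoSeconds\" /f ",
     };

     foreach (string command in telemetryCommands)
     {
         ProcessUtil.RunCmd(command);
     }

     // DELETE KEYLOGGER
     // No command is run for this step; it only reports progress.
     logger.output("Delete keylogger...");
 }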
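        /// <summary>
        /// Appends a <c>0.0.0.0</c> entry for every name in
        /// <c>HostsDomains.hostsdomains</c> that is not already mentioned in the
        /// hosts file, flushes the DNS cache, (re)creates the outbound firewall rule
        /// "MS Spynet block" for 23.96.0.0/13 and adds persistent null routes for a
        /// fixed list of addresses.
        /// </summary>
        /// <remarks>
        /// Best effort: a problem while rewriting the hosts file is logged and the
        /// firewall/route steps still run; the results of the cmd.exe steps are not
        /// checked. The firewall rule and the <c>route -p</c> entries persist across
        /// reboots and nothing here removes them. The "already present" check is a
        /// substring search over the whole file (now case-insensitive, as host names
        /// are), so a name that appears inside a comment or as part of a longer host
        /// name is skipped. A missing hosts file is treated as empty instead of
        /// crashing on <c>hosts.IndexOf</c> with a null string.
        /// </remarks>
        internal void disablehostsandaddfirewall()
        {
            try
            {
                string hostslocation = Paths.system32location + @"drivers\etc\hosts";
                string hosts = string.Empty;
                if (File.Exists(hostslocation))
                {
                    hosts = File.ReadAllText(hostslocation);
                    // Clear read-only/hidden so the rewrite below cannot fail on attributes.
                    File.SetAttributes(hostslocation, FileAttributes.Normal);
                }

                // Build the complete new content in memory and write it once, rather
                // than deleting the file, recreating it and appending one line per
                // domain through cmd.exe. This keeps the file intact if the write fails.
                string content = hosts + "\r\n";
                foreach (string domain in HostsDomains.hostsdomains)
                {
                    if (hosts.IndexOf(domain, StringComparison.OrdinalIgnoreCase) == -1)
                    {
                        content += "0.0.0.0 " + domain + "\r\n";
                        logger.output("Add to hosts - " + domain);
                    }
                }
                File.WriteAllText(hostslocation, content);
            }
            catch (Exception ex)
            {
                // Best effort: report and continue with the network-level blocks.
                logger.output("Error add HOSTS");
                logger.output(ex.Message);
            }
            ProcessUtil.RunCmd("/c ipconfig /flushdns");

            logger.output("Add hosts MS complete.");
            // Delete first so a re-run does not accumulate duplicate rules.
            ProcessUtil.RunCmd("/c netsh advfirewall firewall delete rule name=\"MS Spynet block\"");
            ProcessUtil.RunCmd("/c netsh advfirewall firewall add rule name=\"MS Spynet block\" dir=out interface=any action=block remoteip=23.96.0.0/13");
            logger.output("Add Windows Firewall rule: \"MS Spynet block\"");

            // Persistent host routes with a 0.0.0.0 gateway, intended to drop traffic to
            // these addresses locally. Whether `route` accepts that gateway depends on the
            // Windows version — verify. 23.218.212.69 was listed twice originally; once is enough.
            string[] nullRouted =
            {
                "23.218.212.69",
                "65.55.108.23",
                "65.39.117.230",
                "134.170.30.202",
                "137.116.81.24",
                "204.79.197.200",
            };
            foreach (string address in nullRouted)
            {
                ProcessUtil.RunCmd("/c route -p add " + address + " MASK 255.255.255.255 0.0.0.0");
            }
        }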
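 /// <summary>
 /// Force-deletes <paramref name="filepath"/> through <c>cmd.exe /c del /F /Q</c>
 /// (read-only files included). Failures are not surfaced: the command's result
 /// is discarded and nothing is thrown.
 /// </summary>
 /// <param name="filepath">
 /// Full path of the file to remove. It is quoted before being passed to cmd.exe,
 /// so a path containing spaces is treated as one file instead of being split into
 /// several <c>del</c> arguments. <c>del</c> still expands <c>*</c> and <c>?</c>,
 /// and a path containing a double quote would break the quoting, so pass literal
 /// file paths only.
 /// </param>
 public static void DeleteFile(string filepath)
 {
     // cmd.exe only prints a usage error for an empty argument; skip the spawn.
     if (string.IsNullOrWhiteSpace(filepath))
     {
         return;
     }
     ProcessUtil.RunCmd("/c del /F /Q \"" + filepath + "\"");
 }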