Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Could you tell me which :section of the script gets executed for uninstalling? #41

Open
pandaxyz291 opened this issue Oct 20, 2022 · 3 comments
Open

Could you tell me which :section of the script gets executed for uninstalling? #41

pandaxyz291 opened this issue Oct 20, 2022 · 3 comments

Comments

@pandaxyz291
Copy link

Hello,
I am really sorry for bothering you.
Could you tell me which :sections of the script gets executed for the option 3 uninstall?
I'm tryna evade an AV detection which I can't disable and would like to try to run just the uninstall part.

Thank you.
@abbodi1406
Copy link
Owner

:RemoveHook + :cCache
but the sections alone will not work, because it depend on previously set variables and detection

you can use this script alone from the traditional pack, and run from command prompt:
AutoRenewal-Setup.cmd /R

or save the following in a script and run (or paste in command prompt directly):

spoiler 
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionPath="%SystemRoot%\System32\SppExtComObjHook.dll" Force=True 2>nul
del /f /q "%SystemRoot%\System32\SppExtComObjHook.dll" 2>nul
del /f /q "%SystemRoot%\SysWOW64\SppExtComObjHook.dll" 2>nul
schtasks /delete /f /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcTrigger" 2>nul
set "_wApp=55c92734-d682-4d71-983e-d6ec3f16059f"
set "_oApp=0ff1ce15-a989-479d-af46-f275c6370663"
set "_oA14=59a52881-a989-479d-af46-f275c6370663"
set "IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
set "OPPk=SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform"
set "SPPk=SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"
2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /f 2>nul
2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoAcquireGT /f 2>nul
2>nul reg delete "%IFEO%\SppExtComObj.exe" /f
2>nul reg delete "%IFEO%\sppsvc.exe" /f
2>nul reg delete "%IFEO%\osppsvc.exe" /f
2>nul reg delete "HKLM\%SPPk%" /f /v KeyManagementServiceName
2>nul reg delete "HKLM\%SPPk%" /f /v KeyManagementServicePort
2>nul reg delete "HKLM\%SPPk%" /f /v DisableDnsPublishing
2>nul reg delete "HKLM\%SPPk%" /f /v DisableKeyManagementServiceHostCaching
2>nul reg delete "HKLM\%SPPk%\%_wApp%" /f
2>nul reg delete "HKLM\%SPPk%" /f /v KeyManagementServiceName /reg:32
2>nul reg delete "HKLM\%SPPk%" /f /v KeyManagementServicePort /reg:32
2>nul reg delete "HKLM\%SPPk%\%_oApp%" /f /reg:32
2>nul reg delete "HKLM\%SPPk%\%_oApp%" /f
2>nul reg delete "HKU\S-1-5-20\%SPPk%\%_wApp%" /f
2>nul reg delete "HKU\S-1-5-20\%SPPk%\%_oApp%" /f
2>nul reg delete "HKLM\%OPPk%" /f /v KeyManagementServiceName
2>nul reg delete "HKLM\%OPPk%" /f /v KeyManagementServicePort
2>nul reg delete "HKLM\%OPPk%" /f /v DisableDnsPublishing
2>nul reg delete "HKLM\%OPPk%" /f /v DisableKeyManagementServiceHostCaching
2>nul reg delete "HKLM\%OPPk%\%_oA14%" /f
2>nul reg delete "HKLM\%OPPk%\%_oApp%" /f

@pandaxyz291
Copy link
Author

Many thanks for the help and dedication!

@Macleykun
Copy link

Many thanks for the help and dedication!

can you close the issue, given your question got answered? :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Macleykun @abbodi1406 @pandaxyz291