NoEscape.exe is a piece of malware created by @Endermanch.
Don't really bother with this unless you have to.
This "tool" does not repair bootloader damage. Please use TestDisk, Bootdata or another recovery tool to restore your partitions.
| import os | |
| import winreg | |
| import time | |
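# Banner: says up front that the tool cannot repair the bootloader and that
# registry edits carry risk.
print("""
NoEscape.exe Removal Tool
Created by @techguy16
https://github.com/techguy16
-------------------------------------------
=================IMPORTANT=================
DO NOT COUNT ON THIS TOOL TO FIX EVERYTHING.
IT CANNOT, AND WILL NOT EVER RESTORE YOUR
BOOTLOADER.
MODIFYING REGISTRY ENTRIES MAY ALSO BREAK
YOUR COMPUTER. PROCEED AT YOUR OWN RISK.
""")
time.sleep(3)  # pause, presumably so the warning can be read
print("\n=================STARTING=================\n")
time.sleep(2)

print("Removing malicious file 'winnt32.exe'.")
# Delete the dropped executable. The file is matched by its fixed path only;
# no hash or signature is checked before it is removed.
try:
    os.remove(r"C:\Windows\winnt32.exe")
except FileNotFoundError:
    print("File not found")
except OSError as exc:
    # PermissionError (no write access to C:\Windows, or the file is still in
    # use) is an OSError. Report it and carry on, so that the registry repair
    # further down still runs instead of the script dying here.
    print(f"Could not remove file: {exc}")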
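# Function to modify registry values
def modify_registry(path, name, value, type=winreg.REG_SZ):
    """Write one value under HKEY_LOCAL_MACHINE and report whether it worked.

    Args:
        path: Sub-key path below HKEY_LOCAL_MACHINE. The key must already
            exist; OpenKey does not create it.
        name: Value name; the empty string addresses the key's default value.
        value: Data to store.
        type: winreg value type constant (defaults to REG_SZ).

    Returns:
        True if the value was written, False on any OSError. A missing key and
        an access-denied error both come back as False, so callers that need
        to know the repair happened must check the result.
    """
    # KEY_WOW64_64KEY asks for the 64-bit registry view, so a 32-bit
    # interpreter on 64-bit Windows is not redirected to WOW6432Node.
    access = winreg.KEY_WRITE | winreg.KEY_WOW64_64KEY
    try:
        # The context manager closes the handle even when SetValueEx raises.
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as registry_key:
            winreg.SetValueEx(registry_key, name, 0, type, value)
    except OSError:
        return False
    return True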
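# Function to delete registry values
def delete_registry(path, name):
    """Delete one value under HKEY_LOCAL_MACHINE and report whether it worked.

    Args:
        path: Sub-key path below HKEY_LOCAL_MACHINE.
        name: Name of the value to delete.

    Returns:
        True if the value was deleted, False on any OSError. False therefore
        covers "value or key not present" as well as "access denied"; this
        function only ever looks at HKEY_LOCAL_MACHINE, so a per-user path
        (one that lives under HKEY_CURRENT_USER) also ends up as False.
    """
    # KEY_WOW64_64KEY asks for the 64-bit registry view, so a 32-bit
    # interpreter on 64-bit Windows is not redirected to WOW6432Node.
    access = winreg.KEY_WRITE | winreg.KEY_WOW64_64KEY
    try:
        # The context manager closes the handle even when DeleteValue raises.
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as registry_key:
            winreg.DeleteValue(registry_key, name)
    except OSError:
        return False
    return True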
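# Modify/Delete registry values
print("Removing bad registry values...")


def _delete_current_user_value(path, name):
    """Delete one value under HKEY_CURRENT_USER; True on success, else False."""
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path, 0, winreg.KEY_WRITE) as key:
            winreg.DeleteValue(key, name)
    except OSError:
        return False
    return True


WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES_SYSTEM = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Values that are written back to a known-good setting (HKEY_LOCAL_MACHINE).
HKLM_RESTORES = (
    (r"SOFTWARE\Classes\exefile\shell\open\command", "", '"%1" %*', winreg.REG_SZ),
    (r"SOFTWARE\Classes\exefile\shell\runas\command", "", '"%1" %*', winreg.REG_SZ),
    (WINLOGON, "Userinit", "C:\\Windows\\system32\\userinit.exe", winreg.REG_SZ),
    (POLICIES_SYSTEM, "EnableLUA", 1, winreg.REG_DWORD),
)

# Values that are simply deleted from HKEY_LOCAL_MACHINE.
HKLM_DELETES = (
    (r"SYSTEM\CurrentControlSet\Control\Keyboard Layout", "Scancode Map"),
    (WINLOGON, "AutoAdminLogon"),
    (WINLOGON, "AutoRestartShell"),
    (WINLOGON, "DisableCAD"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "UseDefaultTile"),
    (POLICIES_SYSTEM, "shutdownwithoutlogon"),
    (r"SOFTWARE\Policies\Microsoft\Windows\System", "DisableLogonBackgroundImage"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD"),
)

# Per-user values. "Control Panel\..." exists only under HKEY_CURRENT_USER, so
# deleting it through delete_registry (which opens HKEY_LOCAL_MACHINE) can
# never succeed. The two policy values are tried in both hives.
# NOTE(review): which hive the malware writes DisableRegistryTools/DisableCMD
# to is not stated on this page - confirm against an infected machine.
# NOTE: HKEY_CURRENT_USER is the hive of the account running this tool. If it
# is started elevated under a different account than the affected user, that
# user's values are not touched.
HKCU_DELETES = (
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD"),
    (r"Control Panel\Desktop", "AutoColorization"),
    (r"Control Panel\Mouse", "SwapMouseButtons"),
)

restore_failures = []
for path, name, value, kind in HKLM_RESTORES:
    if not modify_registry(path, name, value, kind):
        restore_failures.append(f"HKLM\\{path} [{name or '(Default)'}]")

not_removed = []
for path, name in HKLM_DELETES:
    if not delete_registry(path, name):
        not_removed.append(f"HKLM\\{path} [{name}]")
for path, name in HKCU_DELETES:
    if not _delete_current_user_value(path, name):
        not_removed.append(f"HKCU\\{path} [{name}]")

# The helpers return False instead of raising, so without this report a run
# that changed nothing (for example one without write access to HKLM) would
# look exactly like a successful one.
if restore_failures:
    print("WARNING: these values could NOT be restored:")
    for item in restore_failures:
        print("  " + item)
    print("Check that the tool is running as Administrator and that the keys exist.")
if not_removed:
    print("Not removed (already absent, or access was denied):")
    for item in not_removed:
        print("  " + item)

print("All done (hopefully!)")
print("Restart Windows so the restored settings take effect.")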