/build/static/layout/Breadcrumb_cap_w.png

Using the K1000 to help manage your PUPs. Presented at Dell World User Forum 2014 - lessons from the field

Use the K1000 to help control your potentially unwanted programs. (Malware. Adware, User Installed software)

Use CIR's to gather information from the common area where the PUPs like to hide

The information gathered in the first 2 CIRS require them to run the query as the current logged in user.  CIR's run as system so that makes it difficult to create a workable CIR script.  I settled on using a Kscript that runs as the current logged in user.  (I piggybacked those couple of extra commands with my script to read the users network drives and printers).  see http://www.itninja.com/blog/view/create-cirs-to-show-current-users-mapped-drives-and-networled-printers-presented-at-dell-world-user-forum-2014-lessions-from-the-field.

Here is the user info gatherer Kscript:  I run it using a custom cron schedule 0 10,12,14,16 * * 1,2,3,4,5
7eL94K.jpeg
This runs it every couple of hours during the work day Monday thru Friday only.



ksadad.jpeg

Invisible.vbs
CreateObject("Wscript.Shell").Run "run.bat",0,True
run.bat
reg.exe query hkcu\software\microsoft\windows\currentversion\run /s > C:\ProgramData\Dell\KACE\user\hkcuRunKeys.txt && if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe query hkcu\software\wow6432node\microsoft\windows\currentversion\run /s >> C:\ProgramData\Dell\KACE\user\hkcuRunKeys.txt

reg.exe query hkcu\software\microsoft\windows\currentversion\uninstall /s /f DisplayName > C:\ProgramData\Dell\KACE\user\hkcuSoftware.txt && if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe query hkcu\software\wow6432node\microsoft\windows\currentversion\uninstall /s /f DisplayName >> C:\ProgramData\Dell\KACE\user\hkcuSoftware.txt

wmic logicaldisk where "drivetype='4'" get deviceid,providername > C:\ProgramData\Dell\KACE\user\NetworkDrives.txt

wmic printer where 'network="true"' get name, default, network > C:\ProgramData\Dell\KACE\user\NetworkPrinters.txt

exit


CIRs:

CIR - HKCU run keys

ShellCommandTextReturn(cmd /c type C:\ProgramData\Dell\KACE\user\hkcurunkeys.txt)

CIR - User Installed software
ShellCommandTextReturn(cmd /c type C:\ProgramData\Dell\KACE\user\hkcuSoftware.txt)

Other CIRS that can run a system

CIR - Running Processes from appdata
ShellCommandTextReturn(cmd /c c:\windows\system32\wbem\WMIC.exe PROCESS where (executablepath like "%%AppDat%%") get executablepath)

CIR - Running Processes from downloads
ShellCommandTextReturn(cmd /c c:\windows\system32\wbem\WMIC.exe PROCESS where (executablepath like "%%downloads%%") get executablepath)

CIR - HKLM run keys
ShellCommandTextReturn(cmd /c reg.exe query hklm\software\microsoft\windows\currentversion\run)

CIR - List jobs in task scheduler
ShellCommandTextReturn(dir c:\windows\tasks\*.job /b)

CIR - Software running from startup
ShellCommandTextReturn(cmd /c cscript /b c:\programdata\dell\kace\user\fsoftware.vbs&type c:\programdata\dell\kace\user\allsw.txt )

Use file sync to load the needed files for this CIR - this allows you to update and resync the bat file when needed.  I rewrote this one to make it more tech friendly by allowing you to document what the filters actually apply to in the batch file.
CROseT.jpeg
Create the vbs and batch file - zip the files and add the zip as a dependancy to the CIR

7cpKuy.jpeg
fsoftware.vbs
CreateObject("Wscript.Shell").Run "C:\ProgramData\Dell\KACE\user\filteredsoftware.bat",0,True
filteredsoftware.bat
for /f "tokens=* skip=1" %%g in ('WMIC.exe startup list brief') do echo %%g >> c:\programdata\dell\kace\user\tempsw.txt
for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"ECHO is" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"Public" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::THIS SECTION BUILDS THE FILTERS TO REMOVE SOFTWARE THAT IS DEEMED OK BY IT::
REM ::this line removes Windows sidebar from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"Sidebar" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Intels privacy icon from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"picon" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Realtek audio from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"RtHDVCpl" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Itunes helper from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"iTunesHelper" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Citrix receiver from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"Citrix Receiver" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Tight VNC from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"tvncontrol" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Intel Rapid store tech from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"IAStorIcon" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Apple Application Support from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"APSDaemon" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes K2000 taskengine from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"KACETaskEngine" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
as you see more OK software in the report just add it to the bottom of the batch files to filter that also
REM ::this line removes MS Office 14 sync from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"BCSSync" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q

The key is part of the line to change is what is after the  /c:"  this is what tells the for-do loop to filter out.
To figure out what text to add to that area use the report you are going to create later.  the items underlined in red are the names you need to use
if5LiN.jpeg


So what do all these CIRs get me, lots of data!
 sample reports:
AVbtPD.jpeg4OlNMv.jpeg

cVbs4K.jpegBRtZmJ.jpeg

now that you got this info create kscripts to get rid of the startup commands
I run all by cleanup scripts using a vb script to call a batch file invisibly to the user.

http://www.itninja.com/blog/view/how-to-hide-running-a-batch-file-from-a-kscript-with-version-5-5

I run them on a cron schedule so they run monday thru friday at staggered intervals.
as example:
7gqXt9.jpeg
the common batch files I run:
cleanuphklm this runs as system
echo off
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v lync /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v lync /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v swg /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v swg /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v "QuickTime Task" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v "QuickTime Task" /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v "Google Update" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v "Google Update" /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v OfficeSyncProcess /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v OfficeSyncProcess /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v searchprotect /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v searchprotect /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v isuspm /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v isuspm /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v "Novell Messenger" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v "Novell Messenger" /f

cleanuphkcu this runs as all logged on users
echo off
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v lync /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v lync /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v swg /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v swg /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v "QuickTime Task" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v "QuickTime Task" /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v "Google Update" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v "Google Update" /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v OfficeSyncProcess /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v OfficeSyncProcess /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v searchprotect /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v searchprotect /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v isuspm /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v isuspm /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v "Novell Messenger" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v "Novell Messenger" /f

kill unwanted jobs this runs as system
del "c:\windows\tasks\Google Software*.job" /q
del "c:\windows\tasks\GoogleUpdateTaskUser*.job" /q
del "c:\windows\tasks\Digital Sites.job" /q
del "c:\windows\tasks\DigitalSite.job" /q
del "c:\windows\tasks\MySearchDial.job" /q
del "c:\windows\tasks\G2MUpdate*.job" /q
del "c:\windows\tasks\Adobe Flash Player Updater.job" /q
del "c:\windows\tasks\HP Photo Creations Communicator.job" /q
del "c:\windows\tasks\Security Center Update*.job" /q
del "c:\windows\tasks\FacebookUpdateTaskUser*.job" /q
del "c:\windows\tasks\DriverUpdate Startup.job" /q
del "c:\windows\tasks\AVG-Secure-Search-Update*.job" /q
del "c:\windows\tasks\DSite.job" /q
del "c:\windows\tasks\pc-dis-upd.job" /q
del "c:\windows\tasks\SystemToolsDailyTest.job" /q
del "c:\windows\tasks\PCDoctorBackgroundMonitorTask.job" /q
del "c:\windows\tasks\OpenCandy Download Manager.job" /q
del "c:\windows\tasks\Regwork.job" /q
del "c:\windows\tasks\Plus-HD-1.6*.job" /q
del "c:\windows\tasks\Plus-HD-1.2*.job" /q
del "c:\windows\tasks\Reclaimer*.job" /q
del "c:\windows\tasks\MediaPlayerEnhance*.job" /q
del "c:\windows\tasks\SuperLyrics*.job" /q
del "c:\windows\tasks\weDownload Manager*.job" /q
del "c:\windows\tasks\FileCure*.job" /q
del "c:\windows\tasks\ParetoLogic*.job" /q

Comments

  • File sync (FS) with CIR of type FileExistsWithMD5 is a fantastic solution when you're working with vbscript or batch files. This provides an immediate indicator that the code hasn't been modified (as compared to other methods for version/source control when you're looking at the file itself). In actuality, a FS & MI are both in script 6. A FS is essentially (with a few minor differences) an MI without the install command. :)

    Example:
    FileExistsWithMD5(C:\windows\kace\custinv\<yourfile>.vbs,<geneated MD5 hash>)

    A variety of tools exist to generate the hash. I use:
    * MD5Summer
    * kdeploy.exe -hash=<yourfile> - blaise_gregory 10 years ago
  • This is great, thanks for sharing SMal. - SDNBTP 10 years ago
  • update on this CIR - List jobs in task scheduler, the malware has also found a way to get into the system32 task, to add this area to the CIR change the shellcommand to read ShellCommandTextReturn(dir c:\windows\tasks\*.job /b|dir c:\windows\system32\tasks\ /b /a:a) - SMal.tmcc 9 years ago
This post is locked

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ