August 2008 - Posts

sms query/report for spyware?
Monday, August 25, 2008 5:09 PM

This question seems to pop up on the list quite frequently, so to save time, here it is. It was originally posted to the list by Mark Mears, so credit goes to him; attached are the SQL and a sample of the results you may get, again from Mark Mears.

SQL

select
all RSYS.Name0 AS 'Computer',
RSYS.User_Name0 As 'Last User ID',
SF.FileName As 'File Name',
SF.FileDescription As 'File Description',
SF.FilePath As 'File Path',
SF.FileSize As 'File Size',
SF.FileVersion As 'File Version'
from
V_R_SYSTEM RSYS
-- the WHERE predicates below all test SF columns, so rows with no software-file match drop out and this behaves as an inner join
LEFT OUTER JOIN V_GS_SoftwareFile SF ON RSYS.ResourceID = SF.ResourceID
where
(
SF.FileName IN
(
'_DLL.exe', -- Troj_Bagle.AC Trojan
'ARR.exe',  -- Dial-up Hijacker - high cost toll number
'asart.exe', -- ?
'av.exe',   -- W32.Alphx.Word.A Virus
'BackWeb.exe',  -- Spyware - BackWeb Technologies
'Bargains.exe',  -- BargainBuddy - Adware/Spyware
'BELT.exe',   -- Spyware - SearchV.com
'Bling.exe',  --  W32.SDBot-OH.Worm
'BLSS.exe',  -- Spyware - CBlaster Trojan
'Bootconf.exe',  -- Spyware - Homepage Hijacker
'BonziBdy.exe',  -- Spyware
'botzor.exe',  -- W32.ZOTOB.Worm
'BPC.exe',  -- Spyware - Grokster
'Bundle.exe',  -- Adware.SAHAgent
'businessbg0002.exe',  -- Spyware - ?
'cmesys.exe',  -- Adware.W32.Claria
'crafty.exe',   -- ?
'CFD.exe',  -- Spyware - Motive Client Foundation
'csm.exe',  -- W32.ZOTOB.B Worm
'Datemanager.exe',  -- Pop-Ups via Gator
'DIVX.exe',  -- MASTAK Virus or NALDEM Trojan
'DPPS2.exe',  -- Don't Panic! Pop-up blocker - Spyware
'DSSagent.exe',  -- Adware - Broderbund - Spyware?
'eanthology.exe',   -- eAcceleration Software Station - Spyware?
'EditSRV.exe',  -- Spyware - Email_Update.exe
'email_Update.exe',  -- StopSign Email Scanner - eAcceleration Software - Spyware?
'EMSW.exe',  -- Spyware - Alset Inc.
'Gator.exe',  -- Adware.W32.Claria
'gmt.exe',  -- Adware.W32.Claria
'haha.exe',  -- Myet Trojan
'Hbinst.exe',  -- Spyware - HotBar
'HBSRV.exe',  -- Spyware - HotBar
'Hotbar.exe',  -- Spyware - HotBar
'HXDL.exe',  -- HXDL Spyware - Gator
'HXIUL.exe',  -- Adware - HelpExpress - Alset Inc.
'IDHost.exe',  -- Topicks Spyware
'IEDll.exe',  -- Homepage Hijacker
'IEDriver.exe', -- Peer-To-Peer File Sharing
'INFUS.exe',  -- Dial-up Hijacker - high cost toll number
'InfWin.exe',  -- MSView Parasite
'INTDEL.exe',  -- Adware - Pop-ups
'ISTSVC.exe',  -- Spyware - Integrated Search Technologies
'KeenValue.exe',  -- Spyware - Gator
'loader.exe',   -- Backdoor.Prorat Virus
'lol.exe',  -- W32.HLLW.Rackus Virus
'Lspmonitor.exe', -- Spyware - StopSign
'mapisvc32.exe',   -- KX Virus
'MD.exe',  -- System MD Virus
'MDie.exe',  -- Backdoor.Win32.Rbot.Gen Virus
'MemoryMeter.exe',   -- Grokster Peer-To-Peer File Sharing Suite
'MFIN32.exe',  -- Adware - MyFreeInternet Update
'MMod.exe',  -- Adware.W32.EarnBundleWare
'MOStat.exe',  -- Spyware - Wurld Media
'mousebm.exe',  -- W32.ESBot Virus
'mousemm.exe',  -- W32.ESBot.A Virus
'MSBB.exe',   -- Adware.W32.BargainBuddy - 180Solutions
'MSCache.exe',  -- Spyware - Integrated Search Technologies
'MSCMan.exe',  -- Spyware - Odysseus Marketing
'msdefr.exe',  -- Spybot Worm
'MSMACROPROTXZ.exe',  -- Spybot Worm
'MSMGT.exe',   -- Spyware - Total Velocity
'MSSVR.exe',  -- Spyware - 2020DownLoader - 2020 Internet Search Toolbar
'MSUpdater.exe',   -- TrojanDownLoader.Win32.WinShow Trojan
'MWSOEMON.exe',  -- MyWebSearch Toolbar
'mwsvm.exe',   -- Adware - Adw.ScanPortAL.A
'Nail.exe',  -- Trojan.Win32.Stervis.B Trojan
'nb32ext2.exe',  -- MyDoom.BV worm
'nbmanager.exe',   -- Spyware - eAnthology
'netbutler.exe',   -- ?
'onsrvr.exe',  -- Spyware - OnWebMedia
'PC32.exe',  --  Mastak Virus
'per.exe',  -- Worm.ZOTOB.C Virus
'PGMonitr.exe',  -- Adware.W32.DelFin
'PowerScan.exe',  -- Adware.W32.PowerScan
'PRMVR.exe',  -- Spyware - Adtomi.com
'pnpsrv.exe',   -- W32.SDBOT.Worm Virus
'Precisiontime.exe',  -- Adware.W32.ClariaPrecision
'PrizeSurfer.exe',  -- Spyware - PrizeSurfer
'Prmt.exe',  -- Spyware - OpiStat
'RAY.exe',  -- Homepage Hijacker
'RB32.exe',  --  Adware.W32.RapidBlaster
'RCSync.exe',  --  Spyware - PrizeSurfer
'Run32DLL.exe',  -- Key Recorder - Screen Capture - PAL PC Spy
'SAHAgent.exe',  -- Adware.W32.CyDoor - CyDoor Desktop Media
'savenow.exe',  -- Coupons - WhenU.com
'SBHC.exe',   -- IE Plugin - GIGATech Software
'ShowBehind.exe',  -- Adware - MicroSmarts Enterprise
'SLMSS.exe',   -- Spyware - 2nd Thought by CPM Media
'SRNG.exe',  -- Spyware - Search Hijacker
'STCLoader.exe',   --  Spyware - 2nd Thought by CPM Media
'SUSP.exe',  -- Spyware - ABetterInternet
'SVCINIT.exe',   -- Backdoor.Sinit Trojan
'svnlitup32.exe',  -- Worm.RBOT.CBJ
'syscpy.exe',   -- Backdoor.Hogle Trojan
'Systesm32.exe',  -- Spyware - Bling.exe
'thefourthcoming.exe',  -- ?
'Trickler.exe',  -- Spyware - Gator GAIN (Gator Advertising and Info Network)
'TSADBot.exe',  -- Adware
'TVMD.exe',   -- Spyware
'TVTMD.exe',  -- Spyware
'UCMWESKU.exe', -- ?
'Updates32.exe',  -- Spyware - Bling.exe
'uptodate.exe',  -- Adware - BrowserPal
'veloz.exe',   -- StopSign Email Scanner - eAcceleration Software
'velozsys.exe',   -- StopSign Email Scanner - eAcceleration Software
'Weather.exe',  -- Adware
'webcel.exe',   -- eAcceleration Software - Spyware - ?
'WebDev.exe',  -- ?
'Win32US.exe',  -- Dial-up Hijacker - high cost toll number
'WinActive.exe',  -- Homepage Hijacker
'windrg32.exe',  -- W32.ZOTOB.D Worm
'WinMain.exe',  -- Trojan.KonDeli
'WinNet.exe',  --  Adware/Spyware - CommonName I.E. Search
'winpnp.exe',  -- W32.SDBOT.Worm
'WinServN.exe',  -- Adware.W32.PurityScan - ClickSpring LLC
'WinStart.exe',  -- Homepage Hijacker - iGetNet
'WinStart001.exe',  -- Adware
'wintbp.exe',  -- W32.ZOTOB.E Worm
'wintbpx.exe',  --  W32.BOZORI.Worm.B
'WNAD.exe',  -- Spyware - TwistedHumor.com
'wpa.exe',  -- ESBOT Worm
'ygpmrgsb.exe',  -- ?
'zeus.exe',   -- Zeus:Master of Olympus game
'zmanager.exe'  -- Spyware - eAcceleration
)
)
OR
SF.FileDescription like '%doom%' OR -- DOOM Game
SF.FileDescription like '%GNUTE%' OR  --  MP3 Resources
SF.FileDescription like '%l0pht%' OR   -- Password cracker
SF.FileDescription like 'Lime%' OR   -- Peer-to-Peer file sharing
SF.FileDescription like '%nuke%' OR  -- DOOM Game
SF.FileDescription like '%orafice%' OR -- Keystroke mapper
SF.FileDescription like '%sniff%' OR -- Network sniffer
SF.FileDescription like '%unreal%' OR -- Games
SF.FileName like '%as-101%' OR
SF.FileName like '%babylon%' OR
SF.FileName like '%bearshare%' OR
SF.FileName like '%bindery%' OR
-- SF.FileName like '%bindin%' OR
SF.FileName like '%bo2k%' OR
SF.FileName like '%chknull%' OR
SF.FileName like '%Cracker%' OR -- Password cracker
SF.FileName like '%Craserv%' OR
SF.FileName like '%doom%' OR -- DOOM game
SF.FileName like '%EbatesMoeMoney%' OR -- Spyware
SF.FileName like '%expolit%' OR
SF.FileName like 'gator%' OR   -- Gator Spyware/Adware
SF.FileName like '%getadmin%' OR
SF.FileName like '%gnucleus%' OR
SF.FileName like '%GNUTE%' OR --  MP3 Resources
SF.FileName like '%GROK%' OR
SF.FileName like '%hack%' OR -- Password cracker
SF.FileName like '%hotbar%' OR -- IE Toolbar - Spyware/Adware
SF.FileName like '%kazaa%' OR   --  Peer-to-Peer file sharing
SF.FileName like 'keygen%' OR  -- Password cracker
SF.FileName like '%l0phtcrack%' OR -- Password cracker
SF.FileName like '%lc252install%' OR   -- Password cracker
SF.FileName like '%LIME%' OR   -- Peer-to-Peer file sharing
SF.FileName like '%morpheus%' OR
SF.FileName like '%Napster%' OR   -- Peer-to-Peer file sharing - MP3 Resources
SF.FileName like '%nbsvr%' OR
SF.FileName like '%nbtscan%' OR
SF.FileName like '%ndssnoop%' OR
SF.FileName like '%netbusr%' OR
SF.FileName like '%nmapNT%' OR
SF.FileName like '%nuke%' OR   -- DOOM Game
SF.FileName like '%nwpcrack%' OR
SF.FileName like '%orafice%' OR -- Keystroke mapper
SF.FileName like '%otglove%' OR
SF.FileName like '%precisiontime%' OR
SF.FileName like '%pwdump%' OR  -- Password cracker
SF.FileName like '%quake%' OR --  DOOM game
SF.FileName like '%Retina%' OR
SF.FileName like '%RFPoison%' OR
SF.FileName like '%smbdie%' OR
SF.FileName like '%smurf%' OR
SF.FileName like '%unreal%' OR
SF.FileName like '%XUPITER%' OR
SF.FileName like 'POPSRV%'

-- a GROUP BY on FileName alone would reject the other selected columns (and must precede ORDER BY anyway);
-- one row per matching file is what we want, so just sort by computer, then file name
order by
 RSYS.Name0, SF.FileName


by Rickym61 | 1 comment(s)
Capturing HKCU Settings via HINV
Sunday, August 24, 2008 2:46 PM

For those who use the SaveData application (or SMS/SCCM Companion from www.SCCMExpert.com, shameless plug): the product provides a freeware utility which lets a user defer a shutdown, so that their machine is not shut down via the automated route the product provides. The attached script will let you capture (catch out) those users who are using this functionality and find out what *stupid* defer shutdown times are being set.

With the starting point here from Sherry Kissinger (thanks again), I have managed to get it all working; hopefully this will help others who use it. We are on SMS 2003 SP3.

SaveData-HKCU-Registry-Capture.vbs

VBScript which checks the logged-on user via WMI, then looks up that user's SID under HKEY_USERS, captures the settings and imports them into HKLM. The script does not query HKCU, which is where SaveData writes in the registry; reading the user's hive under HKEY_USERS instead gets round the issue of the user not having permission to write to HKLM. Nice neat trick from one of our packagers.

SaveData-Client.mof

Creates the WMI classes to capture the new registry keys created by the script above.

SaveData-SMS_def-MOF.mof

Reporting classes for SMS_def.mof.

SaveDataSMSReport.sql

SQL to create the SMS report (sanitized to protect the guilty).

[image]

Create the advert to run on a daily basis, with the package properties set as follows.

[image: package properties]
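The capture step described above, as an added example that is not the attached SaveData-HKCU-Registry-Capture.vbs or the vendor's code: it resolves the console user to a SID via WMI, reads that user's values from their hive under HKEY_USERS and mirrors them into HKLM where hardware inventory can read them. The SaveData source key, the HKLM destination key and the CapturedUser value name are assumptions (placeholders).

```vbscript
' Added example (not the attached SaveData-HKCU-Registry-Capture.vbs). Runs under the
' SMS advert as SYSTEM, which can write HKLM; SRC_SUBKEY/DST_SUBKEY are placeholders.
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003
Const REG_SZ = 1
Const REG_DWORD = 4
Const SRC_SUBKEY = "Software\SaveData"            ' assumed key SaveData writes under HKCU
Const DST_SUBKEY = "SOFTWARE\Inventory\SaveData"  ' assumed HKLM key the MOF classes read

Dim objWMI, objReg, objItem, strUser, strDomain, strName, strSid, strSrcKey
Dim arrNames, arrTypes, i, strVal, lngVal
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv")

' 1. Console user as DOMAIN\user; Null when nobody is logged on
strUser = ""
For Each objItem In objWMI.ExecQuery("SELECT UserName FROM Win32_ComputerSystem")
    If Not IsNull(objItem.UserName) Then strUser = objItem.UserName
Next
If InStr(strUser, "\") = 0 Then WScript.Quit 0

' 2. Resolve the account to its SID, which names the user's hive under HKEY_USERS
strDomain = Left(strUser, InStr(strUser, "\") - 1)
strName = Mid(strUser, InStr(strUser, "\") + 1)
strSid = ""
For Each objItem In objWMI.ExecQuery("SELECT SID FROM Win32_UserAccount WHERE Domain='" & strDomain & "' AND Name='" & strName & "'")
    strSid = objItem.SID
Next
If strSid = "" Then WScript.Quit 1

' 3. Enumerate the values SaveData stored; none means this user never deferred a shutdown
strSrcKey = strSid & "\" & SRC_SUBKEY
If objReg.EnumValues(HKEY_USERS, strSrcKey, arrNames, arrTypes) <> 0 Then WScript.Quit 0
If IsNull(arrNames) Then WScript.Quit 0

' 4. Mirror them into HKLM, tagged with the owning user, where hardware inventory can read them
objReg.CreateKey HKEY_LOCAL_MACHINE, DST_SUBKEY
objReg.SetStringValue HKEY_LOCAL_MACHINE, DST_SUBKEY, "CapturedUser", strUser
For i = 0 To UBound(arrNames)
    Select Case arrTypes(i)
        Case REG_SZ
            objReg.GetStringValue HKEY_USERS, strSrcKey, arrNames(i), strVal
            objReg.SetStringValue HKEY_LOCAL_MACHINE, DST_SUBKEY, arrNames(i), strVal
        Case REG_DWORD
            objReg.GetDWORDValue HKEY_USERS, strSrcKey, arrNames(i), lngVal
            objReg.SetDWORDValue HKEY_LOCAL_MACHINE, DST_SUBKEY, arrNames(i), lngVal
    End Select
Next
```

A user's hive is only loaded under HKEY_USERS while that user is logged on, which is why the script keys off the console user rather than walking every SID.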

by Rickym61 | with no comments