Thursday, December 4, 2014

Remove browser hijacker malware

For Conduit, WhiteSmoke, Babylon, anything OpenCandy (http://en.wikipedia.org/wiki/OpenCandy), and other browser hijackers I usually do the following.

1. Uninstall these, and anything else you don't recognize, from Add/Remove Programs
2. In EACH browser:
  a. remove any add-ins/extensions
  b. change the default web page/home page
  c. remove any search engines that you don't recognize, and set the default back to Google
3. Delete anything in C:\Program Files and C:\Users\[username]\AppData that appears to be from the malware
4. Run a full scan with Malwarebytes, and possibly other scanners
5. It's probably also a good idea to clear your cache and cookies

I also heard that some Trovi malware also changes browser shortcuts on the desktop, and has a scheduled task to change these shortcuts. I haven't seen this personally, but it's worth checking. Apparently AdwCleaner is good at removing this.
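A scripted version of the checks above, added here as an example rather than anything from the original post: it lists uninstall entries whose name or publisher matches the hijacker families named in this post, desktop and taskbar shortcuts whose arguments carry a URL (the Trovi shortcut trick), scheduled tasks that launch something from a user-writable folder, and the installed Chrome extensions. It assumes PowerShell 3 or later on Windows 8 or newer (for Get-ScheduledTask and ConvertFrom-Json) and Chrome's default profile location; the name list is constructed from the families mentioned here and is not exhaustive.

```powershell
# Added example, not from the original post: a triage pass over the places a browser hijacker
# leaves traces. Assumes PowerShell 3+ on Windows 8 or later and Chrome's default profile path.

# Families named in the post; constructed list, extend as needed
$knownHijackers = 'conduit|whitesmoke|babylon|opencandy|trovi'

function Get-SuspectPrograms {
    # Step 1: uninstall entries, including the 32-bit view on 64-bit Windows and per-user installs
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { "$($_.DisplayName) $($_.Publisher)" -match $knownHijackers } |
        Select-Object DisplayName, Publisher, DisplayVersion, UninstallString
}

function Get-UrlShortcuts {
    # The Trovi trick: a browser shortcut whose arguments append a URL, so the hijacked
    # start page survives a browser reset. Read .lnk files through the WScript.Shell COM object.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('CommonDesktopDirectory'),
            (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
    Get-ChildItem -Path $dirs -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.Arguments -match 'https?://') {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }
}

function Get-ProfileTasks {
    # Scheduled tasks whose action runs from a user-writable location. Per-user software such as
    # Dropbox does this legitimately, so each hit is a lead to verify, not a verdict.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\') {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

function Get-ChromeExtensions {
    # Step 2.a for Chrome: every installed extension id with the name and version from its manifest
    # (layout is Extensions\<id>\<version>\manifest.json)
    $root = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    Get-ChildItem -Path $root -Filter manifest.json -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
        [pscustomobject]@{ Id = $_.Directory.Parent.Name; Name = $m.name; Version = $m.version }
    }
}

foreach ($check in 'Get-SuspectPrograms', 'Get-UrlShortcuts', 'Get-ProfileTasks', 'Get-ChromeExtensions') {
    Write-Host "== $check =="
    & $check | Format-Table -AutoSize | Out-Host
}
```

Run it once before cleanup to get a baseline and again after a reboot; a shortcut or task that reappears points at the persistence mechanism (usually the scheduled task) that the uninstall missed.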

My rule of thumb is that if it takes longer than 30 minutes to an hour to fix, I'm going to re-install the OS. However, this isn't always practical.

Sunday, October 5, 2014

Delay dropbox startup in Windows

Dropbox was slowing down my startup after logging in, so I wanted to delay startup by a minute or so to allow my computer to be usable earlier. The normal settings only allow it to either start up immediately, or entirely manually. Below are instructions on how I got it to start after 2 minutes. I did this in Windows 7, but it should work similarly in Windows 8, 8.1, and probably Windows 10. This also works with other programs, so you could stagger startup items instead of having them all hammer the system at once.

1. Disable the normal dropbox startup.

  a. Click on the dropbox icon, click the gear icon, and click Preferences...
  b. Uncheck "Start Dropbox on system startup". Click OK

[Screenshot: 1.a. Click Preferences...]
[Screenshot: 1.b. Uncheck Start on system startup]

2. Open the task scheduler.

  a. From the Start menu, click All Programs, Accessories, System Tools, and Task Scheduler.
  This can also be found in the control panel under System & Security, Administrative Tools, or by searching in Start.

3. Create a new scheduled task.

  a. Click Create Basic Task
  b. Enter Name - Dropbox, and a description if you wish. Click Next.
  c. Trigger. Select "When I Log on". Click Next.
  d. Action. "Start a program"
  e. Start a Program - Program/script - Enter C:\Users\[username]\AppData\Roaming\Dropbox\bin\Dropbox.exe, replacing [username] with your own username.
  f. Add arguments - Enter /systemstartup
  g. On Finish check "Open the Properties dialog for this task when I click Finish". Click Finish.
  h. Click the Triggers tab and click Edit...
  i. Check "Delay task for:" and enter the number of minutes you want it delayed. Click OK in the open windows and close everything else.
  j. If this is a laptop, click the conditions tab and uncheck "Start the task only if the computer is on AC power" (if you want).
 
[Screenshot: 3.a. Task Scheduler - Create Basic Task...]
[Screenshot: 3.b. Create Basic Task - Name]
[Screenshot: 3.c. Create Basic Task - Trigger]
[Screenshot: 3.e. Create Basic Task - Start a Program]
[Screenshot: 3.i. Edit Trigger - Check "Delay task for:"]
[Screenshot: 3.j. Uncheck "Start the task only if the computer is on AC power"]

4. Test by restarting and logging back on.
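The same task built from PowerShell, as an added example that is not from the original post. It assumes the ScheduledTasks module that ships with Windows 8 and later (on Windows 7 the equivalent is schtasks.exe with /SC ONLOGON and /DELAY), the Dropbox.exe path from step 3.e, and that it runs as the user whose logon should start Dropbox. The read-back at the end is the check worth doing on any logon task that runs from AppData: confirm the exact binary and arguments the task will launch, and whether that file is signed.

```powershell
# Added example (not from the original post): register the delayed Dropbox logon task from
# PowerShell instead of the Task Scheduler GUI. Assumes the ScheduledTasks module (Windows 8 and
# later) and the Dropbox.exe path from step 3.e. Run as the user in question; no elevation needed.

$exe = Join-Path $env:APPDATA 'Dropbox\bin\Dropbox.exe'
if (-not (Test-Path -Path $exe)) { throw "Dropbox.exe not found at $exe" }

# Steps 3.d-3.f: the program to start and the /systemstartup argument the post uses
$action = New-ScheduledTaskAction -Execute $exe -Argument '/systemstartup'

# Steps 3.c and 3.i: trigger at this user's logon, delayed two minutes (ISO 8601 duration)
$trigger = New-ScheduledTaskTrigger -AtLogOn -User "$env:USERDOMAIN\$env:USERNAME"
$trigger.Delay = 'PT2M'

# Step 3.j: on a laptop, let the task start and keep running on battery power
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# Register under the current user with a limited (non-elevated) token; -Force replaces an earlier copy
Register-ScheduledTask -TaskName 'Dropbox' -Action $action -Trigger $trigger `
    -Settings $settings -RunLevel Limited -Force | Out-Null

# Step 4 without the reboot: read the task back and show exactly what will run, from where,
# and the signature status of that binary
$task = Get-ScheduledTask -TaskName 'Dropbox'
$task.Actions  | Select-Object Execute, Arguments
$task.Triggers | Select-Object Enabled, Delay
Get-AuthenticodeSignature -FilePath $exe |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Staggering other startup items is the same three lines with a different executable and delay; keep each task under its own name so the read-back stays meaningful.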

Friday, September 5, 2014

Lockdown Browser 1.0.7.02 LAB SCCM deployment

I needed to update from Respondus LockDown Browser Lab version 1.0.5.14 to version 1.0.7.02. This is how I've done it as an SCCM application. This could probably be modified to be used in some other deployment solution, but I've tested it with SCCM 2012 R2 and Windows 7 clients running 32 and 64 bit versions.

[Screenshot: after 1.0.7.02 was activated, this error shows on 1.0.5.14]

InstallShield files and installer folder

First, you'll need to create setup.iss files. Instructions can be found here: http://www.respondus.com/update/2009-11-d.shtml

Here are their instructions, for convenience:

First, be sure that Respondus LockDown Browser isn’t already installed on the computer. If it is, then un-install it before continuing.
  1. Download the full installer (LockDownSFX.exe) from the Respondus website. BE SURE to obtain the .exe via the admin login for your institution since the installer differs for each institution.
  2. Run the installer and select the "Click Here" link that appears next to the text, "Problems with the installation program?" This will allow you to extract the setup files to a folder on your local disk (such as "lockdown").
  3. Start the Windows Command Prompt (or run CMD.exe).
  4. Change directories to where the installer was extracted (i.e. the “lockdown” folder).
  5. From the command line run:

    setup /r

    This runs the regular installer but also creates c:\windows\setup.iss
  6. Copy the file c:\windows\setup.iss into the “lockdown” folder.
  7. Un-install Respondus LockDown Browser.
Now you have a silent installer that can be run using this command:
setup /s /f1"%CD%\setup.iss"


Create three .iss files using the same method (setup /r inside the expanded installer folder). You will use each of them in SCCM later: the normal silent install won't upgrade an existing version, so the second file records an upgrade, and the third one is used for uninstallation.

  1. Normal install with no other version installed - named setup.iss
  2. A re-install with version 1.0.5.14 installed - named update.iss
  3. An uninstall of 1.0.7.02 - named uninstall.iss

Put all of the iss files in the installer folder with setup.exe etc.


Install script

Create a bat file named installLDB.bat with the contents below. See the in-line comments for what it's doing. Basically it checks whether version 1.0.5 is installed and, if so, runs setup with the update iss file; otherwise it installs with the setup iss file. The last part changes the registry entry for the version, because for some reason Respondus doesn't do this in their installer. We will also use that key in SCCM for detection.



@echo off
REM installLDB.bat - SCCM runs this from the content folder, so %CD% is the installer folder.
REM The deployment type runs this as a 32-bit process; on 64-bit Windows the HKLM\SOFTWARE paths
REM below are therefore redirected to the WOW6432Node (32-bit) view, which is where the 32-bit
REM InstallShield installer writes its uninstall key.

REM Check the uninstall entry for version 1.0.5.
REM find sets ERRORLEVEL 0 when the string is present and 1 when it is not (also 1 if the key is missing).
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3DEC3ECB-D6FB-450E-8248-D05C36AD5FA4} /v DisplayVersion | find "1.0.5"
IF %ERRORLEVEL% == 1 goto newinstall
IF %ERRORLEVEL% == 0 goto update

REM Not installed as 1.0.5: run the clean install with the recorded answer file
:newinstall
setup /s /f1"%CD%\setup.iss"
goto registry

REM 1.0.5 is installed: run the re-install answer file, then fall through to fix the version string
:update
setup /s /f1"%CD%\update.iss"

:registry
REM The update leaves DisplayVersion at 1.0.5; set it to 1.0.7.02 so the SCCM detection rule sees the new version.
REM If 1.0.5 is no longer reported (clean install), there is nothing to fix.
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3DEC3ECB-D6FB-450E-8248-D05C36AD5FA4} /v DisplayVersion | find "1.0.5"
IF %ERRORLEVEL% == 1 goto end
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3DEC3ECB-D6FB-450E-8248-D05C36AD5FA4} /v DisplayVersion /t REG_SZ /d 1.0.7.02 /f

:end



You may want to verify that the registry key matches what actually shows when it is installed. Also create a bat file named uninstall.bat with the line below and copy to your installation folder.



setup /s /f1"%CD%\uninstall.iss"



Copy the folder to your network share or SCCM server.

SCCM Application

Create a new Application (not package). I'm not going to show how to create an application step by step here, but I've included the settings I used; everything else is default. This part is straightforward if you've done it before, and these details are easily viewed for verification after the application is created by going to the application properties.

Name: Respondus LockDown Browser 1.0.7.02 LAB
Administrator Comments: Will update from 1.0.5 or perform a clean install, tested on Windows 7 64 and 32 bit, might not update other versions
Publisher: Respondus
Software Version: 1.0.7.02
Localized Application Name: Respondus LockDown Browser 1.0.7.02 LAB
Localized description: Respondus LockDown Browser 1.0.7.02 for labs only
Deployment type: script

Script
   Name: Lockdown Browser 1.0.7.02
   Content location: [enter UNC path to the folder you copied]
   Installation program: "installLDB.bat"
   Uninstall program: "uninstall.bat"
   Run as 32 bit on 64: CHECKED

Detection Method
   Setting Type: Registry
   Hive: HKEY_LOCAL_MACHINE
   Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3DEC3ECB-D6FB-450E-8248-D05C36AD5FA4}
   Value: DisplayVersion
   Associated with 32-bit: CHECKED
   Data Type: String
   Operator: Equals
   Value: 1.0.7.02

Install for System
Whether or not a user is logged on
Installation visibility: Normal
Max allowed run time: 20
Estimated installation: 5


It's important to check "Run as 32 bit on 64" in the deployment type and "Associated with 32-bit" in the detection method, or you will have problems on 64-bit Windows: the installer is a 32-bit program, so its uninstall key lands under the WOW6432Node view, and a detection rule reading the 64-bit view will never find it.
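To verify the registry value before building the detection rule (the check suggested in the install-script section above) and to see the 32-bit redirection this warning is about, the following added example, which is not from the original post, reads DisplayVersion from both registry views on the client. It uses the GUID, value name and version from this post and assumes it runs after installLDB.bat has completed.

```powershell
# Added example (not from the original post): read the SCCM detection value from both registry
# views, so you can see which view the 32-bit InstallShield installer actually wrote to.
# GUID, value name and expected version are the ones used in this post.

$subKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3DEC3ECB-D6FB-450E-8248-D05C36AD5FA4}'
$expected = '1.0.7.02'

function Get-DisplayVersion {
    param([Microsoft.Win32.RegistryView]$View)
    # OpenBaseKey with an explicit view bypasses WOW64 redirection, so a 64-bit PowerShell
    # can read the 32-bit (WOW6432Node) hive and vice versa. On 32-bit Windows both views are the same.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($subKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue('DisplayVersion') } finally { $key.Close() }
    } finally {
        $base.Close()
    }
}

$results = foreach ($view in 'Registry32', 'Registry64') {
    $v = Get-DisplayVersion -View $view
    [pscustomobject]@{
        View           = $view
        DisplayVersion = $v
        # What the SCCM rule evaluates: "Associated with 32-bit" checked means it reads the Registry32 view
        MatchesRule    = ($v -eq $expected)
    }
}
$results | Format-Table -AutoSize | Out-Host

if (-not ($results | Where-Object { $_.View -eq 'Registry32' -and $_.MatchesRule })) {
    Write-Warning "Detection will fail: the 32-bit view does not hold DisplayVersion = $expected"
}
```

If the value shows up only in the Registry64 column, the installer or the REG ADD ran as a 64-bit process, and the "Run as 32 bit on 64" setting is what needs fixing, not the detection rule.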

Deploy (test first) your application and you're done.


Another solution
http://windowsmasher.wordpress.com/2012/03/17/sccm-package-respondus-lockdown-browser/

More about reg command
http://technet.microsoft.com/en-us/library/cc732643.aspx

Respondus LockDown Browser silent install - updated instructions
http://support.respondus.com/support/index.php?/Knowledgebase/Article/View/136/0/does-the-lockdown-browser-lab-edition-support-silent-or-unattended-installs-under-windows

InstallShield Parameters
http://helpnet.installshield.com/installshield18helplib/IHelpSetup_EXECmdLine.htm

Create System Center Configuration Manager Application
http://technet.microsoft.com/en-us/library/gg682159.aspx