Kaseya Community

Spybot 1.4 script does not cleaning spyware fix

  • We are using the sample Spybot script with version 1.4 and it installs Spybot and runs a scan no problem, but it does not actually clean any spyware. Even though the /autofix parameter is there spybot just ends after it is done scanning. The logs show all the various malware it found with "no action taken" next to each of them. As an experiment I removed the /hidetaskbar and /autoclose options and scheduled it again. Spybot ran interactively and then stopped at the screen where it asks if you want to clean the stuff or not.

    Step 2 is working great and writing all the spyware that it found to the script log.

    Any ideas on how to make the /autofix switch functional?

    Thanks for any input!

    Script file used (still minus the autoclose and hide switches)

    Script Name: FC Run Spybot Step 1
    Script Description: Run Spybot /taskbarhide /autoupdate /autocheck /autofix /autoclose /immunize
    Update the script to update deff files if you need to. Step 2 Add /Autoupdate and Step 5

    IF Test File
    Parameter 1 : C:\Program Files\Spybot - Search & Destroy\spybotsd.exe
    Exists :
    THEN
    Write File
    Parameter 1 : C:\Program Files\Spybot - Search & Destroy\Default configuration.ini
    Parameter 2 : VSASharedFiles.Default configuration.ini
    OS Type : 1
    Execute File
    Parameter 1 : C:\Program Files\Spybot - Search & Destroy\spybotsd.exe
    Parameter 2 : /autocheck /autofix /onlyspyware /autoupdate
    Parameter 3 : 3
    OS Type : 1
    Write Script Log Entry
    Parameter 1 : Spybot Run Successfully on XP
    OS Type : 1
    Execute Script - (Continue on Fail)
    Parameter 1 : FC Run Spybot Step 2 (NOTE: Script reference is NOT imported. Correct manually in script editor.
    Parameter 2 :
    Parameter 3 : 0
    OS Type : 1
    ELSE
    Get Variable
    Parameter 1 : 4
    Parameter 2 :
    Parameter 3 : agentDrv
    OS Type : 1
    Write File
    Parameter 1 : #agentDrv#temp\spybotsd.exe
    Parameter 2 : VSASharedFiles.spybotsd14.exe
    OS Type : 1
    Execute File
    Parameter 1 : #agentDrv#temp\spybotsd.exe
    Parameter 2 : /verysilent /nocancel /noicons /components="main"
    Parameter 3 : 3
    OS Type : 1
    Write File
    Parameter 1 : C:\Program Files\Spybot - Search & Destroy\Default configuration.ini
    Parameter 2 : VSASharedFiles.Default configuration.ini
    OS Type : 1
    Write Script Log Entry
    Parameter 1 : Spybot Installed Successfully on XP
    OS Type : 1
    Execute Script
    Parameter 1 : FC Run Spybot Step 2 (NOTE: Script reference is NOT imported. Correct manually in script editor.
    Parameter 2 :
    Parameter 3 : 0
    OS Type : 1

    Script Name: FC Run Spybot Step 2
    Script Description: Second part of the Run Spybot Step 1. This checks to see if Fixes.txt exist and then uploads them to the script log for reporting.

    IF Test File
    Parameter 1 : C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\logs\fixes.txt
    Exists :
    THEN
    Get Variable
    Parameter 1 : 1
    Parameter 2 : C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\logs\fixes.txt
    Parameter 3 : fixes
    OS Type : 0
    Get File
    Parameter 1 : C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\logs\fixes.txt
    Parameter 2 : Spybot-fixes.txt
    Parameter 3 : 1
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : #fixes#
    OS Type : 0
    ELSE
    Write Script Log Entry
    Parameter 1 : No Spyware/Adware found.
    OS Type : 0




    Legacy Forum Name: Spybot 1.4 script does not cleaning spyware fix,
    Legacy Posted By Username: trebligb2
  • Depending on what it finds, the /onlyspyware option keeps it from cleaning it because it dosent consider it "spyware".. Post your results text file and let me see what it finds to see if this is it.

    God Bless,

    Marty




    Legacy Forum Name: Spyware Scripts,
    Legacy Posted By Username: MissingLink
  • Thanks Marty,

    I am pretty sure that is not the case. I hooked up a fresh loaded Windows XP PC with no security software of any kind outside the firewall on the backup DSL connection and had a service tech try to find free screen savers and "warez" versions of Microsoft office. The only rule was he had to accept every pop-up and dialog. It took him less than 30 seconds to have some good stuff happening. Spybot found all kinds of interesting stuff that I recognize as spyware (hotbar, spysheriff, webhancer,and etc). After I was done testing Kaseya he did me a "favor" and cleaned it with spybot manually.

    I am in the process of reinfecting the PC and will put up the results of it after a kaseya scan.

    Bill


    Legacy Forum Name: Spyware Scripts,
    Legacy Posted By Username: trebligb2
  • Yes, you need two execute it twice and add some more options.



    Execute File
    Parameter 1 : C:\Program Files\Spybot - Search & Destroy\spybotsd.exe
    Parameter 2 : /taskbarhide /autoupdate /autoclose
    Parameter 3 : 1
    OS Type : 1
    Execute File
    Parameter 1 : C:\Program Files\Spybot - Search & Destroy\spybotsd.exe
    Parameter 2 : /taskbarhide /autoimmunize /autoclose /autocheck /autofix
    Parameter 3 : 3
    OS Type : 1



    I've been running it this way for over a year and it works just fine.


    Legacy Forum Name: Spyware Scripts,
    Legacy Posted By Username: bpenland
  • Basically /autoupdate and /autofix cannot be run at the same time.


    Legacy Forum Name: Spyware Scripts,
    Legacy Posted By Username: bpenland
  • Thanks! Spliting it into two parts worked great.



    It might be a good idea for Kaseya to edit the sample script in the next update...


    Legacy Forum Name: Spyware Scripts,
    Legacy Posted By Username: trebligb2
  • I'm having a similar problem in that when I run Spybot with the GUI, it finds issues (14 cookies), but when I run Spybot frommy Kaseya script, it doesn't see any issues (says its clean).

    Here's what Iran for my scans and the results:

    (1)From GUI - found 14 entries.

    (2) From Kscript (Update & Scan) -Step1 = /taskbarhide /autoupdate /autoclose, Step2 =/autocheck /autofix /autoclose (no /taskbarhide). Found 0 entries.

    (3) From Kscript (Scan only) -Step1= /taskbarhide /autocheck /autoclose. Found 0 entries.

    (4) From cmd prompt (Scan only) - ran with /autocheck /autoclose. Found 14 entries.

    (5) From Kscriptwith Exec as User/Wait (instead of System/Wait) - Step1 = /autocheck /autoclose. Found 14 entries.

    (6) From Kscript with Exec as User/Wait and machine logged off(Update & Scan) -Step1 = /taskbarhide /autoupdate /autoclose, Step2 =/autocheck /autofix /autoclose (no /taskbarhide). Found 0 entries.

    (7) From Kscript with Exec as User/Wait and machine logged on(Update & Scan) -Step1 = /taskbarhide /autoupdate /autoclose, Step2 =/autocheck /autofix /autoclose (no /taskbarhide). Found and Fixed 14 entries.

    Anyone else had any issues like this? Any suggestions?

    Thanks!




    Legacy Forum Name: Spyware Scripts,
    Legacy Posted By Username: billmccl
  • Hi Bill,

    have you got the output of the scan? What were those 14 entries? Perhaps they are things that only exsist in the user profile, when that user is logged in?

    If you got the same result from the command line as from the Kaseya script, at least it has ruled out any issue with Kaseya, in fact there is no issue at all really - this is obviously just how Spybot works; when you are running it manually from the command line, it's running as whomever you are logged in as - the user, same with the GUI. In the script if you use System, it's running using the System User. I bet if you do a 'run as' from the command line and use the system account you will also get 0 entries found.

    It looks as if whatever method you are using to run spybot only works when the user is logged in, so just set up a 'test' IF at the start of the script to make sure a user is logged in, if they aren't then the Else sectioncan be used toreschedule the script for 1 hour later and tries again...it will keep going until a user is logged in.




    Legacy Forum Name: Spyware Scripts,
    Legacy Posted By Username: raybarber
  • Are you manually creating the spybot/log folder?

    When I run it on a clean machine the agent log says it completed but it never creates the dir or the fixes.txt Possilby because there are no fixes?

    It finishes in 20 seconds, which makes me think it's not running correctly. Any ideas how to verify?


    Legacy Forum Name: Spyware Scripts,
    Legacy Posted By Username: nvelocity
  • Oops, double post. Sad


    Legacy Forum Name: Spyware Scripts,
    Legacy Posted By Username: nvelocity