There's probably no need for a program as pretty much all of the KBs to avoid are now under "recommended" instead of "important" updates (notably except one--the latest cumulative monthly rollup which includes all of the telemetry updates). I don't install anything under "recommended" except perhaps hardware drivers.
A good explanation and list of the offending KBs can be found
here.
"Never check for updates" is indeed the best choice, as otherwise it will check at least every few days (as mentioned this used 100% of one core for hours each time and I think Microsoft were slow to fix it as they wanted to
annoy people into using 10). You can manually run it every month after patch tuesday to get all of the Office, dotnet and iE updates--after manually downloading and running that month's "Security only update." Be sure to untick that month's Monthly rollup under "important" though!
Note if even one of those dastardly Monthly rollups gets installed, then you will have the entire suite of telemetry goodies installed and they will not be listed individually--only under the KB of the monthly rollup. To try to get you to just use the rollups instead, Microsoft has made the Security only updates inconveniently
not cumulative. So on a clean install you will need to download and install
every one of them back to October 2016 when they started having them.
But once this is done, Windows 7 will work just as you remember from before Microsoft started screwing it up to move people to their new advertising platform 10 (ads for OneDrive
in Windows Explorer is something even Google would've been too ashamed to do!)