Adware the series, part 4

Credit to Author: Pieter Arntz | Date: Wed, 31 May 2017 14:00:18 +0000

In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

[Image: adware flowchart]

Scheduled Tasks and Services

Two popular methods to deliver advertisements to your computer at regular intervals are Scheduled Tasks and Services. Both can easily be used to set a timer and show you a new advertisement at a set interval. The interval can be hours or mere minutes. For the advertiser, an interval in the range of hours has the advantage of being more inconspicuous as the user may close the advertisement and think nothing more of it. But a short interval brings in more money if you get paid by the impression (or by the number of unique views).

Scheduled Tasks

The Windows Task Scheduler is like an alarm clock that you can set to start a procedure under specified circumstances. You can set tasks to start at a certain time and repeat at a set interval, or you can set them to start on a certain occasion, most commonly when the computer boots up. Scheduled Tasks are the containers that hold the information about what has to happen and when. Since the introduction of Task Scheduler 2.0, Scheduled Tasks have the format of XML files and use the job extension.

Once you are aware that a Scheduled Task is responsible, it is pretty easy to remove it. Be aware that they tend to come in small groups (two or three tasks is what we’re used to seeing in most cases).

How to open the Task Scheduler

Windows XP and Windows 7

To open Scheduled Tasks, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.

Windows 8 and Windows 10

Use the Search option to search for “Schedule” and choose “Schedule Task” to open the Task Scheduler.

Identify and delete a Scheduled Task

In the list of Scheduled Tasks, find the ones that trigger the process associated with the advertisements. You can find the process name under the Action tab. Note that there may be switches set behind the filename, as in the example below (GoogleUpdate.exe is the file name).

[Image: task action]

Select the Scheduled Task in the overview window and use the Delete option to remove it.

[Image: delete a scheduled task]

That’s all there is to it. As you can tell from the above, identifying the culprit as a Scheduled Task is the hardest part here. Removing Scheduled Tasks is easy enough once you are sure what to get rid of.
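The review described above can be done in bulk rather than task by task. The following is an added example and not code from the original post; it uses the ScheduledTasks module that ships with Windows 8 / Server 2012 and later (on Windows 7 the equivalent is `schtasks /query /fo LIST /v`). It lists each task's executable and switches (the Action tab), summarises its triggers with their repetition interval, and marks for review any task that runs from outside the Windows and Program Files folders or repeats more often than every 30 minutes. The threshold and the trusted folders are assumptions you can adjust; "ExampleAdTask" is a placeholder name.

```powershell
# Added example, not from the original post: list every scheduled task with the
# executable it launches and how often it repeats, so the Action review can be
# done in bulk. Assumes the ScheduledTasks module (Windows 8 / Server 2012 and later).

function Get-TaskActionReport {
    param(
        # Executables under these folders are usually legitimate; others are marked for review
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\"),
        # Repetition intervals at or below this are unusually aggressive for a normal updater
        [timespan]$ShortInterval = [timespan]::FromMinutes(30)
    )

    foreach ($task in Get-ScheduledTask) {
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue

        # Summarise triggers: trigger class name plus its repetition interval (ISO 8601, e.g. PT15M)
        $shortest = $null
        $triggerText = foreach ($t in $task.Triggers) {
            $kind = $t.CimClass.CimClassName -replace '^MSFT_Task', ''
            $interval = $t.Repetition.Interval
            if ($interval) {
                $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
                if (-not $shortest -or $span -lt $shortest) { $shortest = $span }
                "$kind every $interval"
            } else { $kind }
        }

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no executable path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $trusted = $false
            foreach ($root in $TrustedRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true; break }
            }
            [PSCustomObject]@{
                Task        = $task.TaskPath + $task.TaskName
                State       = $task.State
                Executable  = $exe
                Arguments   = $action.Arguments      # the switches set behind the file name
                Triggers    = $triggerText -join '; '
                LastRunTime = $info.LastRunTime
                # Flag: runs from an unusual folder, or repeats very frequently
                Review      = (-not $trusted) -or ($shortest -and $shortest -le $ShortInterval)
            }
        }
    }
}

Get-TaskActionReport | Sort-Object Review -Descending | Format-Table -AutoSize

# Keep the task's XML definition before deleting it, then delete. "ExampleAdTask" is a placeholder.
# Export-ScheduledTask -TaskName 'ExampleAdTask' -TaskPath '\' | Out-File "$env:TEMP\ExampleAdTask.xml"
# Unregister-ScheduledTask -TaskName 'ExampleAdTask' -TaskPath '\' -Confirm:$false
```

Two caveats when reading the report: a task whose executable is a trusted system binary such as cmd.exe or rundll32.exe can still launch something else through its Arguments column, so read both columns together; and because tasks tend to come in small groups, a suspicious path or interval found in one task is a reason to look at its neighbours in the same task folder.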

Services

Windows services are programs that work in the background, and many of them are crucial for the operation of the system, so be careful when you start disabling them. Also, make a note of the order in which you disable them, since you may have to re-enable them in the reverse order. Many services depend on others and are unable to run without the ones they depend on.

How to open the Services console

To see the list of services, run services.msc from the Run prompt or from your search box.

Identify and disable a Service

If you right-click a line in the list of services and click Properties, you can see the path to the executable on the General tab.

When you have found the service that is responsible for the advertisement, you can Stop the service on that same tab and set the Startup type to Disabled.

That should stop the advertisements and prevent the service from starting again. If it does start again, there are other processes involved and you may be dealing with a rootkit. More about those later.
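The same Properties check can be scripted across all services at once. The following is an added example, not code from the original post: it reads each service's "Path to executable", checks whether that binary carries a valid Authenticode signature, and records a service's dependencies before stopping it and setting its startup type to Disabled, so the change can be reversed in the right order. It assumes PowerShell 3.0 or later for the CIM cmdlets (on Windows 7 with PowerShell 2.0, substitute `Get-WmiObject Win32_Service`) and an elevated prompt; "ExampleAdService" is a placeholder name.

```powershell
# Added example, not from the original post: list services with the executable each
# one runs (the "Path to executable" shown on the General tab), check whether that
# executable carries a valid Authenticode signature, and show what depends on a
# service before it is stopped and disabled. Run from an elevated prompt.

function Get-ServiceBinaryReport {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # PathName may be quoted and may carry switches; keep only the executable itself
        $exe = if ($svc.PathName -match '^"?(.+?\.exe)') { $Matches[1] } else { $svc.PathName }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $signer = 'file not found'
        $status = 'Unknown'
        if (Test-Path -LiteralPath $exe) {
            $sig    = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
        }

        [PSCustomObject]@{
            Name       = $svc.Name
            State      = $svc.State
            StartMode  = $svc.StartMode
            Executable = $exe
            Signature  = $status
            Signer     = $signer
            Review     = ($status -ne 'Valid')   # unsigned or tampered binaries go to the top of the list
        }
    }
}

function Show-ServiceDependencies {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name
    # Dependents stop together with this service; re-enable them last, in reverse order
    [PSCustomObject]@{
        Service         = $svc.Name
        DependsOn       = ($svc.ServicesDependedOn | ForEach-Object Name) -join ', '
        DependentOnThis = ($svc.DependentServices  | ForEach-Object Name) -join ', '
    }
}

function Disable-SuspectService {
    param([Parameter(Mandatory)][string]$Name)
    Show-ServiceDependencies -Name $Name | Format-List      # record the picture before changing it
    Stop-Service -Name $Name -Force -ErrorAction Stop        # -Force also stops dependents
    Set-Service  -Name $Name -StartupType Disabled
    Get-Service  -Name $Name | Select-Object Name, Status, StartType
}

Get-ServiceBinaryReport | Sort-Object Review -Descending | Format-Table -AutoSize
# Disable-SuspectService -Name 'ExampleAdService'   # placeholder name
```

One limitation to keep in mind: services hosted in svchost.exe all report the Windows-signed svchost binary as their executable, so the signature column says nothing about the DLL they actually load. For those, the Properties dialog's path is equally uninformative, and the DLL itself (covered under DLLs in part 5) is what needs to be inspected. If a disabled service comes back after a reboot, that is the sign described above that another process is re-creating it.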

Index

Part 1

  • Identify the process
  • Clear browser caches
  • Remove browser extensions

Part 2

  • Proxies
  • Winsock hijackers
  • DNS hijackers

Part 3

  • Type of software
  • Uninstall
  • Remove file
  • Replace file

Part 4

  • Scheduled tasks
  • Services

Up next, part 5

  • DLLs
  • Handles
  • Parent process


Pieter Arntz

The post Adware the series, part 4 appeared first on Malwarebytes Labs.
