{"id":7453,"date":"2017-04-26T08:10:32","date_gmt":"2017-04-26T16:10:32","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/26\/news-1244\/"},"modified":"2017-04-26T08:10:32","modified_gmt":"2017-04-26T16:10:32","slug":"news-1244","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/04\/26\/news-1244\/","title":{"rendered":"Adware the series, part 1"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Wed, 26 Apr 2017 15:00:50 +0000<\/strong><\/p>\n

In this series, we will be using the flowchart below to follow the process of determining which adware<\/a> we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most adware will be classified as PUPs<\/a>, you will also see the occasional Trojan<\/a> or rootkit<\/a>, especially in the types of adware that are harder to detect and remove.<\/p>\n

\"\"<\/p>\n

Advertisements<\/h3>\n

It all starts with advertising.<\/p>\n

To give you an idea how much money goes around in this industry, the US online ad spending for 2016 was estimated at $ 62 Billion<\/a>. Anyone that is able to grab a chunk of that will be very happy to do so, even if the methods are considered iffy. Some will not shy away from criminal behavior when that kind of money is involved. Two of the fraudulent methods to grab some of that money are called ad fraud<\/a> and adware. If you want to learn the difference between these two please read my blog post, Adware vs Ad fraud<\/a>. In this post, we will concentrate on adware, which basically boils down to some program on your computer showing you advertisements that do not come from the websites you are visiting.<\/p>\n

Identify the source<\/h3>\n

We will use Process Explorer<\/a> to identify the process that is behind an advertisement. Usually, this will be a browser and you will recognize it as such. But sometimes, these advertisements pop up as windows without title bars. In cases like these, you can use the cross-hairs in the Process Explorer menu, as shown below:<\/p>\n

\"\"<\/p>\n

Drag and drop the cross-hairs on the window you are curious about and in the Process Explorer list of running processes the process responsible for the window will be selected (showing in blue).<\/p>\n

\"process<\/p>\n

You now have the name of the process and, in case there are more instances of that process, the Process Identification (PID) associated with it.<\/p>\n

Check where the process is connecting to<\/h3>\n

This is optional since it almost never provides any information that is useful in the removal process. Extra research, however, could tell us what family the adware belongs to and what characteristics you may expect as a result.<\/p>\n

So, if you like, you can use the Windows built-in (after XP) tool Resource Monitor (resmon). To start Resource Monitor, you can use Windows Key + \u201cR\u201d, type \u201cresmon\u201d in the \u201cRun\u201d box and click OK.<\/p>\n

\"resmon\"<\/p>\n

Under the Network tab > Network activity, you will find the most specific information for any connected process.<\/p>\n

If one process has several open connections you can click the \u201cImage\u201d column header to sort the processes alphabetically, which provides a better overview of what a given process might be doing. Also, check if the PID listed in Process Explorer matches the one in Resource Monitor. This should be done to make sure that you are looking at the process that is showing the advertisement.<\/p>\n

Browsers first<\/h3>\n

As this will be the most common case, let\u2019s deal with it first. The window showing the advertisement is a window or new tab of your default browser. Some adware authors find it easier or more effective to open the Microsoft browser that came with the OS<\/a>, so they will open Edge for Windows 10 and Internet Explorer (IE) for earlier versions.<\/p>\n

Clear your browser’s cache<\/h4>\n

In Edge, the procedure is:<\/p>\n

    \n
  1. Click the Hub icon, click \u201cClear History\u201d<\/li>\n
  2. Select the appropriate options. Note that clearing the \u201cCookies and saved website data\u201d will result in you having to login at every site again.<\/li>\n
  3. Click the \u201cClear\u201d button.<\/li>\n<\/ol>\n

    \"edge\"<\/p>\n

     <\/p>\n

    For Internet Explorer:<\/p>\n