{"id":7585,"date":"2017-05-10T08:10:01","date_gmt":"2017-05-10T16:10:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/10\/news-1370\/"},"modified":"2017-05-10T08:10:01","modified_gmt":"2017-05-10T16:10:01","slug":"news-1370","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/10\/news-1370\/","title":{"rendered":"Adware the series, part 3"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Wed, 10 May 2017 15:00:30 +0000<\/strong><\/p>\n<p>In this series of posts, we will be using the flowchart below to follow the process of determining which\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/glossary\/adware\/\" target=\"_blank\" rel=\"noopener noreferrer\">adware<\/a>\u00a0we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are\u00a0classified as\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/glossary\/pup\/\" target=\"_blank\" rel=\"noopener noreferrer\">PUPs<\/a>, you will also see the occasional\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/glossary\/trojan\/\" target=\"_blank\" rel=\"noopener noreferrer\">Trojan<\/a>\u00a0or\u00a0<a href=\"https:\/\/blog.malwarebytes.com\/glossary\/rootkit\/\" target=\"_blank\" rel=\"noopener noreferrer\">rootkit<\/a>, especially for the types\u00a0that are more difficult\u00a0to detect and remove.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-17668 size-full\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/flowchart.png\" alt=\"adware diagram\" width=\"609\" height=\"686\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/flowchart.png 609w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/flowchart-266x300.png 266w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/flowchart-533x600.png 533w\" sizes=\"auto, (max-width: 609px) 100vw, 609px\" 
\/><\/p>\n<h3>Getting rid of files<\/h3>\n<p>In this post, we will discuss several methods to remove the files responsible for showing you the offending advertisements in those cases where the identified process is not a browser.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-17866\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/removalmethods3.png\" alt=\"\" width=\"201\" height=\"286\" \/><\/p>\n<h3>Uninstall<\/h3>\n<p>With many PUPs and sometimes even more intrusive adware, uninstalling the program that is showing you the advertisements will be enough. If this works it\u2019s often the cleanest and easiest method to get rid of the advertisements. Identifying which program to uninstall from your list of installed software and features is sometimes the hardest step in this process. Here are a few tips that might help you to do so:<\/p>\n<ul>\n<li>Use your favorite search engine to look for the process name we found to be responsible for the advertisement window. Sometimes this will reveal the name of the software it belongs to and how it\u2019s listed in your list of installed programs and features.<\/li>\n<li>Sort the list of installed programs and features by date of install. Although this date can easily be spoofed, most software packages in this category won\u2019t. 
Compare that date to the date when the advertisements first started appearing.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-17864\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ListPrograms2.png\" alt=\"programs list\" width=\"1095\" height=\"226\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ListPrograms2.png 1095w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ListPrograms2-300x62.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/ListPrograms2-600x124.png 600w\" sizes=\"auto, (max-width: 1095px) 100vw, 1095px\" \/><\/p>\n<ul>\n<li>Warning: in cases where you used a <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/bundler\/\" target=\"_blank\" rel=\"noopener noreferrer\">bundler<\/a> there might be several entries with the same date.<\/li>\n<li>Use your favorite search engine to look for the entries in your list of installed programs and features that you don\u2019t recognize or remember installing.<\/li>\n<\/ul>\n<p>Once you have identified the entries you want to remove, select them by clicking on the line in the list, and click on <strong>Uninstall. <\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-17867 size-full\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/selected3.png\" alt=\"programs list uninstall\" width=\"1053\" height=\"232\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/selected3.png 1053w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/selected3-300x66.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/selected3-600x132.png 600w\" sizes=\"auto, (max-width: 1053px) 100vw, 1053px\" \/><\/p>\n<p>It may be necessary to reboot the system for the changes to take effect. If this solves the problem, great. 
If not, keep reading.<\/p>\n<h3>Delete the file<\/h3>\n<p>If the advertisements don\u2019t stop after trying the user-friendly approach outlined earlier, your next step is to delete the file which is responsible for the advertisements. This is a much less clean solution, as it might leave more clutter behind. There are several methods that can be used and I will try to list them according to stubbornness. But first, we need to find the file. Since we already <a href=\"https:\/\/blog.malwarebytes.com\/puppum\/2017\/04\/adware-the-series-part-1\/\" target=\"_blank\" rel=\"noopener noreferrer\">used Process Explorer to identify the process<\/a>, we will also use it to locate the file. Right-click on the selected process, choose <strong>Properties<\/strong> and look at the <strong>Image<\/strong> tab to see the full path to the file.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-17865\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/properties.png\" alt=\"process properties\" width=\"447\" height=\"519\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/properties.png 447w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/properties-258x300.png 258w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><\/p>\n<p>Make a note of the path as we will need that later on. Then close the properties window and right-click the selected process once more. This time use the <strong>Kill Process Tree<\/strong> option and confirm that you want to kill this process (and, if applicable, the ones under it). If the process respawns immediately or Process Explorer (running elevated) is unable to kill it, you will have to wait for other parts in this series. 
If the process dies you can proceed with the deletion methods below.<\/p>\n<ul>\n<li>Easy: navigate to the file path you made a note of earlier, right-click the file and choose <strong>Delete<\/strong>.<\/li>\n<li>If that doesn\u2019t work, there is always <a href=\"https:\/\/www.malwarebytes.com\/fileassassin\/\" target=\"_blank\" rel=\"noopener noreferrer\">FileASSASSIN<\/a>, but you will have to be 100% sure about the file you are going to remove.\n<ul>\n<li>Download and install FileASSASSIN following the prompts.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Browse to the file you want to delete, check all the upper boxes as shown below and click <strong>Execute<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-17863\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/assassin.png\" alt=\"\" width=\"423\" height=\"389\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/assassin.png 423w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/assassin-300x276.png 300w\" sizes=\"auto, (max-width: 423px) 100vw, 423px\" \/><\/p>\n<ul>\n<li>You will see a prompt telling you whether the deletion was successful or not.<\/li>\n<li>If this method does not work, give the <strong>Use delete on Windows reboot functions<\/strong>\u00a0option of FileASSASSIN a try.<\/li>\n<li>The last method we will discuss here involves <a href=\"https:\/\/www.lifewire.com\/how-to-start-windows-in-safe-mode-using-system-configuration-2626115\" target=\"_blank\" rel=\"noopener noreferrer\">rebooting your computer in <strong>Safe Mode<\/strong><\/a><strong> with Command Prompt<\/strong>. Doing so will cause Windows to run only the bare necessities, which lessens the chance that you will be unable to delete the file. 
In the Command Prompt use this command structure: <strong>DEL \/F \/S \/Q \/A &#8220;{full path to the file, including the extension}&#8221;<\/strong>.<\/li>\n<li>Sometimes deleting such a file can cause errors, which can be avoided by replacing the file with another (legitimate) one. Again you will want to boot into <strong>Safe Mode with Command Prompt<\/strong> and use this command structure: <strong>COPY \/V \/Y \u201c{full path to the legitimate file, including the extension}\u201d \u201c{location of the file to be replaced}\u201d<\/strong>.<\/li>\n<\/ul>\n<p>Note that the last argument is just the destination folder; there is no need to specify the filename and extension again.<\/p>\n<p>If all of the above do not work for you, you may have to wait for the post that deals with rootkits. See you later. And stay safe out there.<\/p>\n<h3>Index<\/h3>\n<h4><a href=\"https:\/\/blog.malwarebytes.com\/puppum\/2017\/04\/adware-the-series-part-1\/\" target=\"_blank\" rel=\"noopener noreferrer\">Part 1<\/a><\/h4>\n<ul>\n<li>Identify the process<\/li>\n<li>Clear browser caches<\/li>\n<li>Remove browser extensions<\/li>\n<\/ul>\n<h4><a href=\"https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-2\/\" target=\"_blank\" rel=\"noopener noreferrer\">Part 2<\/a><\/h4>\n<ul>\n<li>Proxies<\/li>\n<li>Winsock hijackers<\/li>\n<li>DNS hijackers<\/li>\n<\/ul>\n<h4>Part 3<\/h4>\n<ul>\n<li>Type of software<\/li>\n<li>Uninstall<\/li>\n<li>Remove file<\/li>\n<li>Replace file<\/li>\n<\/ul>\n<h4>Up next, part 4<\/h4>\n<ul>\n<li>Scheduled tasks<\/li>\n<li>Services<\/li>\n<\/ul>\n<p><em>Pieter Arntz<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-3\/\">Adware the series, part 3<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a 
href=\"https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-3\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Wed, 10 May 2017 15:00:30 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-3\/' title='Adware the series, part 3'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/05\/shutterstock_63438517.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Part 3 in this series deals with removing programs and files responsible for the unsolicited advertisements.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/puppum\/\" rel=\"category tag\">PUP<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/adware\/\" rel=\"tag\">adware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/delete\/\" rel=\"tag\">delete<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pieter-arntz\/\" rel=\"tag\">Pieter Arntz<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/process-explorer\/\" rel=\"tag\">process explorer<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pup\/\" rel=\"tag\">PUP<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rootkit\/\" rel=\"tag\">rootkit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/trojan\/\" rel=\"tag\">trojan<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/uninstall\/\" rel=\"tag\">uninstall<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/windows\/\" rel=\"tag\">windows<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-3\/' title='Adware the series, part 3'>Read 
more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/puppum\/2017\/05\/adware-the-series-part-3\/\">Adware the series, part 3<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10468,12215,10523,12216,10566,11002,10833,12217,10525],"class_list":["post-7585","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-adware","tag-delete","tag-pieter-arntz","tag-process-explorer","tag-pup","tag-rootkit","tag-trojan","tag-uninstall","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7585","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7585"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7585\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7585"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7585"}],"curies":[{"name":"wp","href":"https:\/\/a
pi.w.org\/{rel}","templated":true}]}}