{"id":8385,"date":"2017-07-19T08:10:12","date_gmt":"2017-07-19T16:10:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/19\/news-2159\/"},"modified":"2017-07-19T08:10:12","modified_gmt":"2017-07-19T16:10:12","slug":"news-2159","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/07\/19\/news-2159\/","title":{"rendered":"Adware the series, the final: Tools section"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Wed, 19 Jul 2017 15:00:46 +0000<\/strong><\/p>\n

So far in this series, we have handed you some methods to recognize and remediate adware. We used this diagram as a guideline.<\/p>\n

 <\/p>\n

\"flowchart\"<\/p>\n

During this journey, we have touched upon several free tools that we used to get some insight on what type of infection we were dealing with and where the adware could be hiding. Our objective has been to give you an idea of how many different types of adware are around for Windows systems. Though most are\u00a0classified as\u00a0PUPs<\/a>, you will also see the occasional\u00a0Trojan<\/a>\u00a0or\u00a0rootkit<\/a>.<\/p>\n

This, the final part of the series, will provide you with download-locations and a description of the tools. One word of warning: even though all the tools are free for personal use, that doesn’t make them less powerful. If you want to use these tools to remediate a problem, make sure you know what you are doing or have some kind of backup at hand, in case anything goes terribly wrong. If you want to learn more about removing malware, there are several online schools<\/a> that offer free malware removal training.<\/p>\n

The tools<\/h3>\n

Process Explorer (Microsoft\/Sysinternals)<\/h4>\n

Site:\u00a0 https:\/\/technet.microsoft.com\/en-us\/sysinternals\/processexplorer.aspx<\/a><\/p>\n

We used Process Explorer to identify the process that belongs to a window<\/a> and to identify parent\/child processes and look at DLLs and handles<\/a>. An introduction to Process Explorer<\/a> and some more advanced information<\/a> can be found on our blog.<\/p>\n

Resource Monitor (Microsoft)<\/h4>\n

Built into Windows since Windows 7.<\/p>\n

We explained how to use Resource Monitor to check which processes are connecting where<\/a>.<\/p>\n

FileASSASSIN (Malwarebytes)<\/h4>\n

Site: https:\/\/www.malwarebytes.com\/fileassassin\/<\/a><\/p>\n

FileAssassin is a tool to delete any type of locked file<\/a>.<\/p>\n

Malwarebytes anti-rootkit BETA (Malwarebytes)<\/h4>\n

Site: https:\/\/www.malwarebytes.com\/antirootkit\/<\/a><\/p>\n

Malwarebytes anti-rootkit BETA is the tool of choice when you are dealing with difficult to remove and even invisible infections<\/a>.<\/p>\n

FRST (Farbar)<\/h4>\n

Site: https:\/\/www.bleepingcomputer.com\/download\/farbar-recovery-scan-tool\/<\/a><\/p>\n

There is a 32-bit and 64-bit version. Make sure you download the correct one for your system.<\/p>\n

The Farbar Recovery Scan Tool (FRST) is a very useful diagnostic tool. It can also be used as a manual remediation tool, but I want to focus on reading the scan output it produces and which sections to focus on when we are looking for adware. So unless you have cured the problem using Process Explorer, MBAM, MBAR or FileAssassin we are now going to have a look at FRST. FRST works equally well in normal or safe mode and when a machine has boot up problems it will even work in the Windows Recovery Environment.<\/p>\n

\"Farbar<\/p>\n

The output of the FRST scans is nicely formatted in a way that makes it easy to check most of the problem areas that we have pointed out during the course of this series.<\/p>\n

Browser sections<\/strong><\/h3>\n

These are divided per installed browser and there is a general section.<\/p>\n

==================== Internet (Whitelisted) ====================<\/p>\n

This section contains information like DNS servers that are in use in the format:<\/p>\n

TcpipParameters: [DhcpNameServer] {IP address 1} {IP address 2}<\/code><\/p>\n

Tcpip..Interfaces{CLSID}: [DhcpNameServer] {IP address 1} {IP address 2}<\/code><\/p>\n

Internet Explorer:<\/p>\n

==================<\/p>\n

This section has the add-ons for Internet Explorer listed in the format:<\/p>\n

BHO: {name} -> {CLSID} -> {path + filename} [{date of install}] [{signed-by-company-name}]<\/code><\/p>\n

It also list other items like Startpage, Searchscopes, Handlers, Toolbars, Filters and ActiveX objects<\/p>\n

FireFox:<\/p>\n

========<\/p>\n

This section holds the extensions for Firefox in the format:<\/p>\n

FF Extension: {name} \u2013 {folder to the extension} [{date of install}] [{signed-by-company-name}]<\/code><\/p>\n

And the Plugins in these format types:<\/p>\n

FF Plugin: @{company}\/{name} -> {path + filename} [{date of install}] ({signed-by-company-name})<\/code><\/p>\n

FF Plugin ProgramFiles\/Appdata: {path + filename} [date of install}] ({signed-by-company-name})<\/p>\n

It also list other information about Firefox like Homepage, Default search engine and the presence of user.js files.<\/p>\n

Chrome:<\/p>\n

=======<\/p>\n

This section holds the extensions for each Chrome profile in these formats:<\/p>\n

CHR Extension: ({name}) \u2013 {path to the extension folder} [{date of install}]<\/code><\/p>\n

CHR HKLM...ChromeExtension: [{extension identifier string}] \u2013 [{update_url}]<\/code><\/p>\n

It also lists information about the Homepage and policies that may be active.<\/p>\n

Opera:<\/p>\n

=======<\/p>\n

This section holds the extensions for Opera in the format:<\/p>\n

OPR Extension: ({name}) \u2013 {path to the extension folder} [{date of install}]<\/code><\/p>\n

It also shows StartupUrls and StartMenuInternet where applicable.<\/p>\n

Loaded modules<\/strong><\/h3>\n

You can find some information about loaded modules in the section:<\/p>\n

==================== Loaded Modules (Whitelisted) ==============<\/p>\n

In the format:<\/p>\n

{Date\/time on system} \u2013 {Date\/time created} \u00a0- {filesize} {permissions} () {path to file}{filename + extension}<\/code><\/p>\n

Note: it lists only unsigned files. Even if the files are signed by known malware publishers, they will not be listed.<\/p>\n

Scheduled Tasks<\/strong><\/h3>\n

Scheduled Tasks are flagged in the Addition log of FRST in the following format:<\/p>\n

Task: {CLSID} - System32 or WindowsTasks{jobname} => {path to the file}{filename} [date] (signature)<\/code><\/p>\n

Services<\/strong><\/h3>\n

Services are reported along with their startup method and whether they are running or not.

R=Running<\/code><\/p>\n

S=Stopped<\/code><\/p>\n

U=Unknown<\/code><\/p>\n

The startup type numbers are:

0=Boot<\/code><\/p>\n

1=System<\/code><\/p>\n

2=Auto<\/code><\/p>\n

3=Demand<\/code><\/p>\n

4=Disabled<\/code><\/p>\n

5=Unknown<\/code><\/p>\n

In the format:<\/p>\n

{Letter}{number}{name of the service};{path to the file}{byte-size creation-date}{signed by}<\/code><\/p>\n

LSP hijackers<\/strong><\/h3>\n

As the order of the LSP layers is stored in the Winsock Service Provider you will find LSP entries listed in the Winsock section of a FRST log.<\/p>\n

Example:<\/p>\n

Winsock: Catalog5 000000000001\\LibraryPath => restored successfully (%SystemRoot%system32NLAapi.dll)<\/code><\/p>\n

The catalog numbers are important to keep in mind. Whenever you want to remove a Winsock:Catalog9 entry, it is recommended to use “netsh winsock reset”. This is to avoid the user ending up with a broken internet connection. You may have to repeat this after a reboot.<\/p>\n

DNS hijackers and proxies<\/strong><\/h3>\n

\u00a0<\/strong>On the victim’s computer there are a few options for DNS hijacks:<\/p>\n