{"id":7793,"date":"2017-05-31T07:10:18","date_gmt":"2017-05-31T15:10:18","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/31\/news-1578\/"},"modified":"2017-05-31T07:10:18","modified_gmt":"2017-05-31T15:10:18","slug":"news-1578","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/05\/31\/news-1578\/","title":{"rendered":"Adware the series, part 4"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Wed, 31 May 2017 14:00:18 +0000<\/strong><\/p>\n

In this series of posts, we will be using the flowchart below to follow the process of determining which\u00a0adware<\/a>\u00a0we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are\u00a0classified as\u00a0PUPs<\/a>, you will also see the occasional\u00a0Trojan<\/a>\u00a0or\u00a0rootkit<\/a>, especially for the types\u00a0that are more difficult\u00a0to detect and remove.<\/p>\n

\"flowchart<\/p>\n

Scheduled Tasks and Services<\/h3>\n

Two popular methods to deliver advertisements to your computer at regular intervals are Scheduled Tasks and Services. Both can easily be used to set a timer and show you a new advertisement at a set interval. The interval can be hours or mere minutes. For the advertiser, an interval in the range of hours has the advantage of being more inconspicuous as the user may close the advertisement and think nothing more of it. But a short interval brings in more money if you get paid by the impression (or by the\u00a0number of unique views).<\/p>\n

Scheduled Tasks<\/h3>\n

The Windows Task Scheduler is like an alarm clock that you can set, to start a procedure under specified circumstances. You can set them to start at a certain time, and repeat at a set interval, or you can set them to start at a certain occasion, most commonly when the computer boots up. Scheduled Tasks are the containers, that hold the information about what has to happen and when. Since the introduction of Task Scheduler 2.0, Scheduled Tasks have the format of XML files and the job extension.<\/p>\n

\"\"<\/p>\n

Once you are aware of the fact that a Scheduled Task is responsible, it is pretty easy to remove them. Be aware that they tend to come in small groups (2 or 3 tasks is what we\u2019re used to seeing in most cases).<\/p>\n

How to open the Task Scheduler<\/h3>\n

Windows XP and Windows 7<\/strong><\/h4>\n

To open Scheduled Tasks, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.<\/p>\n

Windows 8 and Windows 10<\/strong><\/h4>\n

Use the Search option to search for \u201cSchedule\u201d and choose \u201cSchedule Task\u201d to open the Task Scheduler.<\/p>\n

Identify and delete a Scheduled Task<\/h3>\n

In the list of Scheduled Tasks find the ones that trigger the process associated with the advertisements. You can find the process name under the Action<\/strong> tab. Note that there may be switches set behind the filename like in the example below (GoogleUpdate.exe<\/em> is the file name).<\/p>\n

\"Task<\/p>\n

Select the Scheduled Task in the overview window and use the Delete<\/strong> option to remove it.<\/p>\n

\"delete<\/p>\n

That\u2019s all there is to it. As you can tell from the above, identifying the culprit as a Scheduled Task is the hardest part here. Removing Scheduled Tasks is easy enough once you are sure what to get rid of.<\/p>\n

Services<\/h3>\n

Windows services are programs that work in the background and many of them are crucial for the operation of the system, so be careful when you start disabling them. Also, make note of the following order since you may have to re-enable them in the reverse order. Many services depend on others and are unable to run without the ones they depend on.<\/p>\n

How to open the Services console<\/h4>\n

To see the list of services run services.msc<\/strong> in your Run prompt or from your search box.<\/p>\n

\"\"<\/p>\n

Identify and disable a Service<\/h4>\n

If you right-click a line in the list of services and click Properties<\/strong>, you can see the path to the executable on the General <\/strong>tab.<\/p>\n

\"\"<\/p>\n

When you have found the service that is responsible for the advertisement, you can Stop <\/strong>the service on that same tab and set the Startup type to Disabled<\/strong>.<\/p>\n

\"\"<\/p>\n

That should stop the advertisements and prevent the service from starting again. If it does start again, there are other processes involved and you may be dealing with a rootkit. More about those later.<\/p>\n

Index<\/h3>\n

Part 1<\/a><\/h4>\n