Presentation is loading. Please wait.

Presentation is loading. Please wait.

Free Detection/Cleaning Tips and Techniques

Published byArkadiusz Zieliński Modified over 6 years ago

Similar presentations

Presentation on theme: "Free Detection/Cleaning Tips and Techniques"— Presentation transcript:

1 Free Detection/Cleaning Tips and Techniques
Adware & Spyware Free Detection/Cleaning Tips and Techniques François Paget McAfee AVERT Senior Virus Research Engineer November 2005

2 Who are they and what are they
20 September 2018 Adware & Spyware Summary Who are they and what are they Preliminary definitions Some dangers Installation Tools used for tracking them Finding intruders Cleaning intruders Confidential

3 Acronyms which cover 2 particular types of commercial software :
20 September 2018 Adware & Spyware Etymology Acronyms which cover 2 particular types of commercial software : Adware Ads + Ware Advertising Software Spyware Spy + Ware Spying Software These 2 categories are sometimes linked with other groups of tools of various origins (malevolent or not). Confidential

4 PUP : Potentially Unwanted Program Malware : Malevolent Program
20 September 2018 PUPs & Malware PUP : Potentially Unwanted Program Malware : Malevolent Program Adware/Spyware BHO –Browser Helper Object Browser Hijacker Dialer Joke Virus, Worms Logic bombs Trojan / Backdoors Bots Remote Administration Tools Data Hijacking Tools Resource Hijacking Tools Network Attack Tools Unwanted commercial programs, hijacked use, lack of consent… Confidential

5 Adware The adware is a “profiler” Program of a commercial origin,
20 September 2018 Adware The adware is a “profiler” Program of a commercial origin, Does not replicate itself. Binary file (EXE or DLL). Installs itself after initial agreement, Watches browsing habits, Carries out targeted advertising. Makes offers matching a particular profile, Does not collect any personal data intentionally. Confidential

6 Spyware The spyware is a “spy” Program of a commercial origin,
20 September 2018 Spyware The spyware is a “spy” Program of a commercial origin, Does not replicate itself. Binary file (EXE or DLL). Sometimes installs itself without initial agreement, Collect and transfers much personal data intentionally. COMMERCE : Can be used as a springboard by other commercial activities (marketing approach by , post or phone). INFORMATION : Provided for commendable purposes but, distorted from its original intent. Confidential

7 Online registration procedures :
20 September 2018 Adware Main introduction vectors Free or demo software : Downloading utilities, Browsing assistance, Resource sharing software (peer to peer), Screensavers, Games, Hazardous sites : Pornography, Underground world, Electronic mail : Spam, Discussion forums, Online registration procedures : Software licenses, Access to private browsing zones, Virus and Trojan Confidential

8 20 September 2018 Example Before… A clean system is used for this test. It is a minimal VMWARE W2000 temporary disk with: 1 icon on the desktop, 6 applications listed in the Add/Remove Programs facility, 30 processes in memory according to the Task Manager. Confidential

9 20 September 2018 Example During… A sniffer program recorded connections to more than 100 distinct sites. Confidential

10 Example 8 new icons, 16 new applications, 10 new processes, 2 BHO,
20 September 2018 Example After… 8 new icons, 16 new applications, 10 new processes, 2 BHO, 2 new favorites, 1177 keys added in the system registry, 1579 values added or changed in the system registry, 96 new directories in the folders tree and, 649 new files. Confidential

11 Tools used in this tutorial
20 September 2018 Tools used in this tutorial InCtrl5 ( LspFix ( ProcExp ( RegMon ( StartupRun ( Sporder.exe (from Microsoft) Confidential

12 20 September 2018 Finding intruders Applications loaded when Windows boots are visible with SartupRun Confidential

13 20 September 2018 Finding intruders Applications loaded when Windows boots are visible in the registry Run and RunOnce keys Confidential

14 20 September 2018 Finding intruders With InCtrl5 we can compare the registry between two distinct moments Confidential

15 20 September 2018 Finding intruders Keep an eye on the ShellServiceObjectDelayLoad registry key This location contains only 3 entries in many standards configurations: Network.ConnectionTray Systray WebCheck Confidential

16 20 September 2018 Finding intruders Look at the Internet Explorer Start & Search registry keys Confidential

17 20 September 2018 Finding intruders Look at the Internet Explorer Toolbar registry key for suspicious CLSID Look at the HKCR/CLSID branch for mapping information Confidential

18 20 September 2018 Finding intruders Look at the Advanced Tab of Internet Explorer options Also visible in the registry at : HKLM\SOFTWARE\Microsoft\ Internet Explorer\ AdvancedOptions Confidential

19 20 September 2018 Finding intruders Look at extra items in the Internet Explorer Tools menu Confidential

20 20 September 2018 Finding intruders Search possible StyleSheet hijacking in Internet Explorer Confidential

21 Finding intruders Search for a possible DLL injection
20 September 2018 Finding intruders Search for a possible DLL injection Confidential

22 Finding intruders Search for trusted site 20 September 2018
Confidential

23 Finding intruders Search for Internet Protocol Hijack
20 September 2018 Finding intruders Search for Internet Protocol Hijack Confidential

24 Finding intruders Keep an eye in your Favorites 20 September 2018
Confidential

25 Finding intruders Confirm the suspicion
20 September 2018 Finding intruders Confirm the suspicion Confidential

26 20 September 2018 Cleaning Adware Cleaning the registry and removing the files needs to boot in safe mode ! Run & RunOnce ShellServiceObjectDelayLoad IE Start & Search […] Etc… HKEY_CLASSES_ROOT HKEY_LOCAL_MACHINE\Software\Classes HKEY_CURRENT_USER\Software\Classes MAIN CLSID ENTRIES OTHER ENTRIES Restoring the default values Deleting the others upsetting values HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\ShellServiceObjectDelayLoad, {CLSID-Value} HKEY_CLASSES_ROOT\PROTOCOLS\Filter (Plugin entries) LINKED CLSID ENTRIES DLL and EXE files launched by the here above keys Whole directories when the doubt is absent FILES AND DIRECTORIES Confidential

27 20 September 2018 Cleaning Adware In order to delete the file and to deal with such « file in use » problem… CLEAN INFECTED Confidential

28 20 September 2018 Cleaning Adware In order to delete the file and to deal with such « file in use » problem, we need to eliminate the processes that got created by booting in Safe Mode. SAFE MODE Confidential

29 20 September 2018 Cleaning Adware Example : step_1) Suspicious EXE and DLL must be identified. Confidential

30 4 CLSID (in this example) must be
20 September 2018 Cleaning Adware Example : step_2) CLSID values linked to them must be searched (and deleted) in the registry (HKCR/CLSID) 4 CLSID (in this example) must be deleted Confidential

31 20 September 2018 Cleaning Adware Example : step_3) duplicated CLSID values linked to the previous one must be searched (and deleted) in the registry, step_4) Related files must be deleted. One key must be deleted (in this example) Confidential

32 Sporder can be used as a diagnostic tool
20 September 2018 Cleaning Adware LSPs Cleaning – when adware installation use Winsock 2 (L)ayered and (N)etwork (S)ervice (P)rovider implementation to redirect visits to specific sites CLEAN INFECTED Sporder can be used as a diagnostic tool Confidential

33 LspFix can be used as a cleaning tool
20 September 2018 Cleaning Adware LSPs Cleaning – when adware installation use Winsock 2 (L)ayered and (N)etwork (S)ervice (P)rovider implementation to redirect visits to specific sites LspFix can be used as a cleaning tool I know what I am doing Confidential

34 The new war will happen on the cleaning way.
20 September 2018 Adware & Spyware Conclusion It was very easy to clean most of the viruses and Trojans we encountered some years ago. But now some of the new Trojans are more complicated. And adware and spyware are incredibly complex. The new war will happen on the cleaning way. Confidential

Download ppt "Free Detection/Cleaning Tips and Techniques"

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
®® Microsoft Windows 7 for Power Users Tutorial 7 Enhancing Your Computers Security.

®® Microsoft Windows 7 for Power Users Tutorial 7 Enhancing Your Computers Security.
Wichita Public Library Rex Cornelius Electronic Resources Webliography online at:

Wichita Public Library Rex Cornelius Electronic Resources Webliography online at:
Putting It All Together 1.  Maintaining a Hard Drive Ch 4 Lab  Hardware cleaning tips ▪ Microsoft Tips Microsoft Tips ▪ Computer Hope Tips Computer.

Putting It All Together 1.  Maintaining a Hard Drive Ch 4 Lab  Hardware cleaning tips ▪ Microsoft Tips Microsoft Tips ▪ Computer Hope Tips Computer.
Internet Safety Topic 2 Malware This presentation by Tim Fraser Malware is short for malicious software VirusesViruses SpywareSpyware AdwareAdware other.

Internet Safety Topic 2 Malware This presentation by Tim Fraser Malware is short for malicious software VirusesViruses SpywareSpyware AdwareAdware other.
1 of 4 Malicious software, also known as “malware,” is often only a nuisance, but increasingly, malicious software can damage data, computers, and computer.

1 of 4 Malicious software, also known as “malware,” is often only a nuisance, but increasingly, malicious software can damage data, computers, and computer.
Spyware & It’s Remedies CS 526 Research Project Spring 2008 Presented By - Ankur Chattopadhyay Erica Kirkbride University Of Colorado At Colorado Springs.

Spyware & It’s Remedies CS 526 Research Project Spring 2008 Presented By - Ankur Chattopadhyay Erica Kirkbride University Of Colorado At Colorado Springs.
Configuring Windows Vista Security Lesson 8. Skills Matrix Technology SkillObjective DomainObjective # Setting Up Users Configure and troubleshoot parental.

Configuring Windows Vista Security Lesson 8. Skills Matrix Technology SkillObjective DomainObjective # Setting Up Users Configure and troubleshoot parental.
Computer Referbishment The Demonstration. To Do… Virus Protection Schedule A Full System Scan Install Service Pack 3 Clean Up Tools Drive Formatting Install.

Computer Referbishment The Demonstration. To Do… Virus Protection Schedule A Full System Scan Install Service Pack 3 Clean Up Tools Drive Formatting Install.
What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.

What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
1 of 4 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 4 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
MS System Setup Securing A System. Use Automatic Updates For a workstation or server, schedule the updates to occur regularly. –Control panel click on.

MS System Setup Securing A System. Use Automatic Updates For a workstation or server, schedule the updates to occur regularly. –Control panel click on.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.
HijackThis - A general Homepage Hijacker Detector and Removal Tool By: Tahira Farid 60-564 Project 1 Fall 2004.

HijackThis - A general Homepage Hijacker Detector and Removal Tool By: Tahira Farid Project 1 Fall 2004.
Malware Spyware & Viruses Overview  What does it look like?  What is it?  How can you prevent it?  What can you do about it when you get it?

Malware Spyware & Viruses Overview  What does it look like?  What is it?  How can you prevent it?  What can you do about it when you get it?
With Microsoft Windows 7© 2012 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Windows 7.

With Microsoft Windows 7© 2012 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Windows 7.
Security for Seniors SeniorNet Help Desk 631.629.5426

Security for Seniors SeniorNet Help Desk
Adware, Spyware, and Malware Anand Dedhia Bharath Raj ECE 4112 Project 28 April 2005.

Adware, Spyware, and Malware Anand Dedhia Bharath Raj ECE 4112 Project 28 April 2005.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Similar presentations

Ads by Google