In this post, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.
Reroute and intercept
We will discuss a few methods to reroute, intercept, and change your internet traffic. They are:
- Proxies, using a third party server between the machine and the internet.
- LSP hijacks, inserting a third party file into the winsock.
- DNS hijacks, connecting to another site by altering the Domain Name System results.
If a system-wide proxy on a Windows computer is set, you will almost always find it in the Microsoft browser. In Internet Explorer, you can find it under Menu (gear icon) > Internet Options > on the Connections tab click the LAN settings button:
Remove the tick under Proxy server to remediate the problem.
In Edge, in the Menu (three dots) select Settings > View Advanced Settings > Open proxy settings > Turn Use a proxy server to Off to disable the proxy.
Browser specific proxies are rare, but I wanted to list the options to change the proxy in your favorite browser anyway.
Chrome:
- Click the menu icon
- Choose Settings (alternatively paste chrome://settings/ into your address bar)
- Click on Show advanced settings…
- In the “Network” section, click Change Proxy Settings. This will open the Internet Properties window, where you can access the LAN Settings as shown above.
Firefox:
- Click the menu icon
- Choose Options
- Select the Advanced tab (alternatively paste about:preferences#advanced into your address bar)
- Select the Network tab
- Under Connection click on Settings and you will see the proxy configuration options
Opera:
- Open the menu
- Choose Settings
- Open the Browser tab
- Under Network click the Change proxy settings… button
- This will open the Internet Properties window, where you can access the LAN Settings as shown earlier.
If you notice that the proxy is running through a port on your localhost (127.0.0.1), there is a way to find out which process is responsible. Running the command netstat -ab in a command prompt (elevated as an Administrator) lists every listening port together with the executable that opened it, so you can see which process is listening on the proxy port (8003 in our example below).
BetterAds adware having control over port 8003
A Layered Service Provider (LSP) is a file (usually a DLL) that uses the Winsock API to insert itself into the TCP/IP stack. There it can intercept, filter, and modify all the traffic between the internet and a system’s applications. LSPs are stacked parts of the Windows Sockets API (Winsock 2), and the layering order of all providers is kept in the Winsock Catalog. As a consequence, an LSP has to be uninstalled properly, so that its catalog entry is removed as well. Just ripping out the file that acts as the LSP could leave a dangling catalog entry and result in a broken internet connection. If Malwarebytes removes an LSP hijacker from your system it will require a reboot to prevent this disconnection from happening.
(a) DNS cache poisoning
By feeding your DNS resolving process false data (in this case, the wrong IP for a certain domain), the system will at some point no longer query the DNS server for the IP but use the wrong data it has in its cache.
Remediation: To clear the Windows DNS cache use the command ipconfig /flushdns in an elevated command prompt.
(b) Hosts file hijacks
The hosts file is a special file located in %windir%\System32\drivers\etc that can be used to store IP addresses that you want to associate with certain domains. This can be used to block advertisements and malicious sites or to map out a local intranet. Adware sometimes uses a hosts file of its own making to replace the one on the victim’s system and hijack traffic.
Remediation: You can edit the hosts file in notepad (elevated). Even though it has no extension it is a text file.
(c) DNS server settings
The DNS server settings are normally stored under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters in the NameServer value, which should hold two comma-separated IP addresses that represent the DNS servers for the internet connection that is currently in use.
Remediation: Change the DNS servers for the active internet connection by looking at the properties of the connection in the “Network and Sharing Center”.
For most ISPs this is the recommended setting. If yours are different you may find the necessary information on the provider’s site.
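The checks described above (system-wide proxy and the local process behind it, hosts file entries, NameServer values, and Winsock catalog providers) can be collected in one read-only triage pass. The script below is an added example, not code from the original post or from Malwarebytes; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and reads the per-interface Interfaces\{GUID} keys in addition to the global NameServer value the post mentions.

```powershell
# Added triage example (not from the original post): read-only checks for the
# reroute mechanisms discussed above. Assumes an elevated PowerShell session.
$findings = @()

# 1. System-wide proxy: the same value Internet Explorer/Edge show in LAN settings.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    $findings += "Proxy enabled: $($inet.ProxyServer)"
    # A proxy on localhost means a local process sits in the traffic path; name it.
    if ($inet.ProxyServer -match '^(?:http=)?127\.0\.0\.1:(\d+)') {
        $port = [int]$Matches[1]
        Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
            ForEach-Object {
                $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                $findings += "Port $port owned by PID $($_.OwningProcess) ($($p.ProcessName)) $($p.Path)"
            }
    }
}

# 2. Hosts file: every live mapping except the standard localhost entries.
$hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' } |
    ForEach-Object { $findings += "Hosts entry: $($_.Trim())" }

# 3. DNS servers: the global NameServer value, plus the per-interface values
#    under Interfaces\{GUID}, where a static override normally lands.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$global = (Get-ItemProperty $tcpip).NameServer
if ($global) { $findings += "Global NameServer: $global" }
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    $ns = (Get-ItemProperty $_.PSPath).NameServer
    if ($ns) { $findings += "Static DNS on $($_.PSChildName): $ns" }
}

# 4. Winsock catalog: provider DLLs that do not live in the Windows directory.
netsh winsock show catalog | Where-Object { $_ -match 'Service Provider Path' } |
    ForEach-Object { ($_ -split ':\s*', 2)[1] } |
    Where-Object { $_ -and ($_ -notlike "$env:windir\*") -and ($_ -notlike '%SystemRoot%*') } |
    ForEach-Object { $findings += "Non-Windows LSP: $_" }

if ($findings) { $findings } else { 'No reroute indicators found.' }
```

Each line it prints is a lead to investigate, not a verdict: a corporate proxy, an intranet hosts entry or a deliberately chosen DNS server will show up here just like an adware one, so compare the output against what you expect for the machine.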
- Identify the process
- Clear browser caches
- Remove browser extensions
- Winsock hijackers
- DNS hijackers
Up next, part 3
- Type of software
- Remove file
- Replace file