Search adware malware

Wednesday, December 30, 2015

Hello Guys

Here I am going to explain how adware and malware get installed on your PC without notifying you, and I am also going to explain how to avoid them and how to remove them.

Before you read this, go to this URL: Malware is not only about viruses – companies preinstall it all the time

What is adware and how does it get installed on your PC?

When you install any product on your PC as a trial or free version, that company wants you to buy the paid version of that software, or wants you to try their other software as well.
     For that purpose they attach or include some .dll files (IE add-ons), .xpi files (e.g. Firefox add-ons) or .crx files (Chrome add-ons) in the main installer.

For example, if you download any software from this website then it always contains some other software as well.
In the image below you can see that the main software is "Free PDF to Word Converter", but they are forcing you to install "Wajam" as well, which is not necessary and which you have not asked for. They push you to install it by saying "It is recommended". In this way a normal user gets infected with adware or malware.
This is one way of installing adware or malware on a PC. One good thing here is that they give you the option not to install it, and they are not installing it silently.

How softonic delivers adware:

But most adware and malware is installed silently.
When adware is installed silently it does not ask for any agreement; instead it copies the adware and malware files and adds some registry entries without the user seeing it (in the case of Windows OS).

Now I will show you how to detect whether any adware or malware is silently installed on your computer.
   Usually adware or malware targets the browsers on your PC by installing add-ons.
For example, in Internet Explorer a .dll file is registered, in Firefox .xpi files are extracted, and in Chrome .crx files are installed as adware or malware.
 To check in IE
First I am going to explain how to detect and remove an IE add-on that is adware or malware.
1. Click on Manage add-ons as shown below

2. In the image below you can see the list of add-ons installed in IE. But with only this information we cannot tell which is a genuine add-on and which is an adware (harmful) add-on. As you read this blog you will be able to identify the adware among them.

3. Now right-click on the add-on which you want to check and click on More information as shown below

Note: Fiddler is not adware or malware; I am using it only as an example.
 4. After right-clicking you will get the following dialog. In that dialog you will see its file location and folder location.

   5. Now go to that file location (note: the file location above is not shown for copyright reasons).
To check whether it is adware or not, check the publisher, or search Google for that publisher and file. If you find that the publisher or file is not trusted, close IE, cut that file and paste it somewhere else.
If after removing the file you find that it is present there again, then it is a serious issue: some updater (exe) is downloading the files and placing them there again.
In this case you should uninstall that software, and if the files are still present after uninstalling, Shift+Delete that file.

6. If after doing these things the files still keep coming back, then some hidden exe file is downloading them.
To identify that exe we need to search for suspicious exes in the following location:
         Press WinKey+R, a window will open; type "msconfig" in it, go to the Startup tab, and you will see the list of exes which start automatically every time the PC reboots.

7. Using the Class ID (see the image above) you can also search for the add-on's file location.
  For that press WinKey+R, type "regedit" in the window that opens, and the "Registry Editor" window will open. In it go to the Edit->Find menu and search for that Class ID.
For example HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{768919B3-C6AD-47D4-94E9-A4A2FBAAAAAA}
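Steps 3 to 7 above can be done in one go from PowerShell. The script below is an added example and is not from the original post: it lists every Internet Explorer Browser Helper Object (the registry key IE uses for add-ons), resolves each Class ID to its DLL through the CLSID's InprocServer32 value (the same file location the "More information" dialog shows, including the Wow6432Node branch used in the example path above), reports the Authenticode signer, and then lists the auto-start entries that msconfig's Startup tab shows. The BHO and CLSID key paths are standard Windows locations; no publisher names or file paths are assumed.

```powershell
# Added example (not from the original post): resolve the DLL behind each
# Internet Explorer Browser Helper Object, check its Authenticode signature,
# and list auto-start entries. Run from an elevated PowerShell prompt.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-ClsidServerPath {
    # The CLSID's InprocServer32 default value is the add-on DLL path (the
    # same information as the "More information" dialog). 32-bit COM classes
    # on 64-bit Windows live under Wow6432Node, as in the post's example path.
    param([string]$Clsid)
    foreach ($root in @('HKLM:\SOFTWARE\Classes\CLSID',
                        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
                        'HKCU:\SOFTWARE\Classes\CLSID')) {
        $server = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $server) {
            $path = (Get-ItemProperty -Path $server).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }
        }
    }
    return $null
}

function Get-SignerSummary {
    # Wraps Get-AuthenticodeSignature so unsigned or missing files are
    # reported as text instead of throwing.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path $Path)) { return 'file missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED/INVALID ($($sig.Status))" }
    return $sig.SignerCertificate.Subject
}

Write-Host "== Internet Explorer Browser Helper Objects =="
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in Get-ChildItem -Path $key) {
        $clsid = $entry.PSChildName        # the Class ID, e.g. {768919B3-...}
        $dll   = Get-ClsidServerPath -Clsid $clsid
        [PSCustomObject]@{
            CLSID  = $clsid
            Dll    = $dll
            Signer = Get-SignerSummary -Path $dll
        }
    }
}

Write-Host "`n== Auto-start entries (what msconfig's Startup tab shows) =="
# Win32_StartupCommand covers the Run keys and the Startup folders. Strip any
# arguments from the command line so the executable itself can be checked.
Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    $exe = ($_.Command -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    [PSCustomObject]@{
        Name     = $_.Name
        Location = $_.Location
        Command  = $_.Command
        Signer   = Get-SignerSummary -Path ([Environment]::ExpandEnvironmentVariables($exe))
    }
} | Format-Table -AutoSize
```

A BHO whose DLL is missing, unsigned, or signed by a publisher you do not recognise is the one to research before removing, exactly as step 5 describes; an auto-start entry pointing at the same folder is the "updater" that step 6 talks about.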

Now I'll show how to detect an add-on (adware) in Firefox and how to remove it.
1. As shown below, in Firefox click on Add-ons

"fip"="C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\{88d83554-2fdc-4bb9-8dcd-f2d46d175fAA}"

"{88d83554-2fdc-4bb9-8dcd-f2d46d175fAA}"="C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\{88d83554-2fdc-4bb9-8dcd-f2d46d175fAA}"

If you delete these registry entries, or the folder location given in the registry entry, then that add-on will be deleted.
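As an added example (not from the original post), the script below lists add-ons that Firefox picks up from the registry, which is where entries like the two quoted above live. The post does not name the key; the script uses the registry locations Mozilla documents for sideloading extensions (HKLM/HKCU\SOFTWARE\Mozilla\Firefox\Extensions and the Wow6432Node variant), which is an assumption about where such values are found on a given PC. For each value it shows the folder or .xpi it points at, whether that path still exists, and which add-on manifest is inside, so you can decide whether to remove the value and the folder as described above.

```powershell
# Added example (not from the original post): list Firefox add-ons that are
# loaded because of registry values such as "fip" or "{88d83554-...}" above.
# Registry locations assumed from Mozilla's sideloading documentation.

$extensionKeys = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

function Get-RegistrySideloadedExtensions {
    foreach ($key in $extensionKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Every value is "<extension id or alias>" = "<path to the add-on>"
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $target = [Environment]::ExpandEnvironmentVariables([string]$p.Value)

            # A real add-on folder carries manifest.json (WebExtension) or
            # install.rdf (legacy); a bare .xpi is the packed form of the same.
            $manifest = 'none'
            if (Test-Path (Join-Path $target 'manifest.json'))    { $manifest = 'manifest.json' }
            elseif (Test-Path (Join-Path $target 'install.rdf'))  { $manifest = 'install.rdf' }
            elseif ($target -like '*.xpi' -and (Test-Path $target)) { $manifest = 'xpi archive' }

            [PSCustomObject]@{
                Key      = $key
                Name     = $p.Name
                Target   = $target
                Exists   = Test-Path $target
                Manifest = $manifest
            }
        }
    }
}

Get-RegistrySideloadedExtensions | Format-Table -AutoSize

# Once you have confirmed an entry is unwanted, removing it is the two steps
# the post describes: delete the registry value, then the folder it points at.
#   Remove-ItemProperty -Path $key -Name $name
#   Remove-Item -Recurse -Force -LiteralPath $target
```

Entries whose target lives under the Firefox installation's distribution\bundles folder, as in the quoted values, were placed there by an installer rather than through the Add-ons manager, which is why disabling them from the manager alone does not get rid of them.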

So far we have discussed how add-ons are installed and how to remove them.

Now let's discuss how an add-on (adware or malware) can steal your information or harm your PC.
1. Adware can track your Google searches by sending the whole Google URL, and can also track your country and city location. Some bad adware also injects its own ads into your Google page, but you will not notice this just by looking at them.
2. Some adware replaces Google ads with its own ads without the user noticing.
3. Some adware reads your cookies and shows ads on websites according to those cookies.
4. Some can even steal all your passwords.

One way to identify whether information is being stolen by any software or browser add-on is by using the tool "fiddler2".
For this just install Fiddler and open it while installing any software or
while browsing any website. If the URLs caught by Fiddler are on a different domain than the URL you typed in the browser, then you are infected by adware or malware.
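The Fiddler check above is a manual one; as an added example (not from the original post) the script below applies the same rule to a constructed list of requests. The four sample lines imitate Fiddler's session list (method and full URL) and the hosts under the reserved .test domain are invented for this example. It separates requests to the site you typed from requests to other domains, and for the latter it URL-decodes the request to see whether it carries the typed Google URL or search query, which is the behaviour described in point 1 above.

```powershell
# Added example (not from the original post): flag third-party requests in a
# constructed Fiddler-style capture and detect when one of them carries the
# search you typed. Sample hosts (*.test) are made up for this example.

$typedUrl = 'https://www.google.com/search?q=my+bank+login'

$capturedRequests = @(
    'GET https://www.google.com/search?q=my+bank+login',
    'GET https://www.gstatic.com/images/branding/googlelogo.png',
    'GET http://stats.example-adware.test/collect?u=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dmy%2Bbank%2Blogin&cc=IN',
    'POST http://ads.example-adware.test/inject?page=google'
)

function Get-RegistrableDomain {
    # Crude "last two labels" rule, enough for this example; production code
    # would consult the Public Suffix List (co.uk and friends).
    param([string]$HostName)
    $labels = $HostName.Split('.')
    if ($labels.Count -le 2) { return $HostName }
    return ($labels[-2..-1] -join '.')
}

function Find-SuspiciousRequests {
    param([string]$TypedUrl, [string[]]$Requests)
    $typed      = [Uri]$TypedUrl
    $typedSite  = Get-RegistrableDomain $typed.Host
    $typedQuery = $typed.Query.TrimStart('?')        # e.g. q=my+bank+login

    foreach ($line in $Requests) {
        $method, $url = $line -split ' ', 2
        $uri = [Uri]$url
        if ((Get-RegistrableDomain $uri.Host) -eq $typedSite) { continue }   # first-party

        # Decode so a percent-encoded copy of the typed URL becomes visible
        $decoded = [Uri]::UnescapeDataString($url)
        $leaksSearch = ($decoded -like "*$($typed.Host)*") -or
                       ($typedQuery -and ($decoded -like "*$typedQuery*"))
        $reason = if ($leaksSearch) {
            'third-party host receives the typed URL/search (point 1 above)'
        } else {
            'third-party host (may be a CDN; check the publisher)'
        }
        [PSCustomObject]@{ Method = $method; Host = $uri.Host; Reason = $reason }
    }
}

Find-SuspiciousRequests -TypedUrl $typedUrl -Requests $capturedRequests | Format-Table -AutoSize
```

With the sample data the gstatic.com request is reported as a plain third-party host (Google's own static content, so a false positive of the domain rule), while the stats.example-adware.test request is reported as carrying the typed search. That distinction is the one to make when reading a live Fiddler capture: a different domain alone is common, a different domain that receives your search is the adware behaviour.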

List of adware companies and their adware
DefaultTab by Search Results by js4mt and
EasyPcCleaner  and
Adssite Toolbar
passwordboss by passwordboss
Bonzi Buddy 
Comet Cursor
Crazy Girls
drspeedypc by Ikan Media Inc(

A longer list can be found here

If you have any queries please feel free to reply.

Tuesday, June 30, 2015

How to detect and avoid keyloggers (hooking)

What is keylogging

   Keylogging is the monitoring of the keys pressed by a user, either on a physical keyboard or on a virtual keyboard.

How it works
As per my knowledge there are four ways to do it.
The base for all of them is hooking; you can find more information on hooking on the official Microsoft website: Hooking
1. Injecting a DLL globally into all processes, or into a particular process found by its window name.
     In this method the hooking process can read all messages of all processes.
2. Installing a low-level global hook using WH_KEYBOARD_LL.
      This method does not require a separate DLL; here the hooking process can read keyboard messages such as key up, key down and char messages.

Note: both of the above methods can be prevented from key logging by using an anti-keylogger.
Here is an example of a good free anti-keylogger: Zemana AntiLogger Free
 But anti-keyloggers are not capable of detecting the above two hooking methods; for that we need to use either a good antivirus or memory reading software like Mandiant Redline.

Later I will discuss how to use Mandiant Redline for detecting hooks and rootkits.
Now let's continue with the types...
3. Driver-level hooks, called rootkits. These kinds of hooks sit between kbdclass or kbdhid (for USB keyboards) / i8042prt (for PS/2 keyboards) and the low-level hook, so they are very difficult for many antivirus products to detect as well.

Follow the steps below to find out whether your PC may be infected by such a hooked keyboard driver other than kbdclass or kbdhid.
1. Press Win key + 'R'. A Run prompt will open; type "devmgmt.msc" in it and Device Manager will open.
2. Follow the steps as shown in the images below

 The dialog below will open; in it go to the Driver tab and click on the "Driver Details" button as shown below.

The dialog below will open. In this dialog first see whether there is a file present other than "kbdclass.sys, kbdhid.sys or i8042prt.sys". If there is, it can be either a keylogger or an anti-keylogger. Go to that file path and see whether it belongs to trusted or untrusted software by looking at its properties and digital signature. For that, right-click on that file, go to "Properties" and then to "Digital Signatures". If it is not signed by Microsoft, then try to find out on the internet whether it is signed by a trusted source or not.
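The Driver Details check can also be scripted. The example below is added here and is not from the original post: keyboard drivers that sit above the stock function driver (kbdhid or i8042prt) are registered as UpperFilters on the keyboard device setup class, whose GUID is {4D36E96B-E325-11CE-BFC1-08002BE10318}; kbdclass is the normal upper filter, so any extra name in that list is the "file other than kbdclass.sys, kbdhid.sys or i8042prt.sys" the post tells you to look for. The script resolves each filter to its .sys file through the service's ImagePath and reports the Authenticode status and signer, which is the "Digital Signatures" check above. It lists filters only; the function drivers themselves are not in the filter list. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): list keyboard class filter
# drivers and their signatures. Keyboard setup class GUID and the service
# ImagePath layout are standard Windows; stock driver names come from the post.

$keyboardClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$stockDrivers  = @('kbdclass', 'kbdhid', 'i8042prt')   # names from the post, without .sys

function Resolve-DriverImagePath {
    # Service ImagePath values come in several shapes:
    #   \SystemRoot\System32\drivers\x.sys, System32\drivers\x.sys, \??\C:\..., or absent
    param([string]$ServiceName)
    $svc   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $image = if (Test-Path $svc) { (Get-ItemProperty -Path $svc).ImagePath } else { $null }
    if (-not $image) { return (Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys") }
    $image = $image -replace '^\\\?\?\\', ''
    $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
    return $image
}

function Get-KeyboardFilterDrivers {
    $filters = @()
    foreach ($valueName in 'UpperFilters', 'LowerFilters') {
        $v = (Get-ItemProperty -Path $keyboardClass -ErrorAction SilentlyContinue).$valueName
        if ($v) {
            # REG_MULTI_SZ: one service name per line, load order top to bottom
            $filters += @($v | ForEach-Object { [PSCustomObject]@{ Slot = $valueName; Service = $_ } })
        }
    }
    foreach ($f in $filters) {
        $path = Resolve-DriverImagePath -ServiceName $f.Service
        $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $signer = ''
        if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [PSCustomObject]@{
            Slot    = $f.Slot
            Service = $f.Service
            Image   = $path
            Stock   = $stockDrivers -contains $f.Service.ToLower()
            Status  = if ($sig) { $sig.Status } else { 'file missing' }
            Signer  = $signer
        }
    }
}

Get-KeyboardFilterDrivers | Format-Table -AutoSize
```

On a clean machine the output is normally a single UpperFilters row for kbdclass with a valid Microsoft signature. A second row that is not in the stock list, whose file is missing, or whose signer is not Microsoft is the driver to investigate, following the same reasoning as the post: it may be an anti-keylogger you installed on purpose, otherwise it deserves a closer look.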

  Completing Soon...