In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.
Once you know that a Scheduled Task is responsible, removing it is pretty easy. Be aware that they tend to come in small groups (2 or 3 tasks is what we’re used to seeing in most cases).
How to open the Task Scheduler
Windows XP and Windows 7
To open Scheduled Tasks, click Start, click All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.
Windows 8 and Windows 10
Use the Search option to search for “Schedule” and choose “Schedule Task” to open the Task Scheduler.
Identify and delete a Scheduled Task
In the list of Scheduled Tasks, find the ones that trigger the process associated with the advertisements. You can find the process name under the Action tab. Note that there may be switches set after the file name, like in the example below (GoogleUpdate.exe is the file name).
Select the Scheduled Task in the overview window and use the Delete option to remove it.
That’s all there is to it. As you can tell from the above, identifying the culprit as a Scheduled Task is the hardest part here. Removing Scheduled Tasks is easy enough once you are sure what to get rid of.
Services
Windows services are programs that work in the background, and many of them are crucial for the operation of the system, so be careful when you start disabling them. Also, make a note of the order in which you disable them, since you may have to re-enable them in the reverse order. Many services depend on others and are unable to run without the ones they depend on.
How to open the Services console
To see the list of services, run services.msc in your Run prompt or from your search box.
When you have found the service that is responsible for the advertisement, you can Stop the service on that same tab and set the Startup type to Disabled.
That should stop the advertisements and prevent the service from starting again. If it does start again, there are other processes involved and you may be dealing with a rootkit. More about those later.
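The Scheduled Task and service checks described above can also be done from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes Windows 8 or later (where the ScheduledTasks cmdlets exist), and the `$Suspect` value and the function names are hypothetical placeholders.

```powershell
# Added example: find scheduled tasks and services that launch a given executable.
# $Suspect is a placeholder; set it to the process name identified in Part 1.
param([string]$Suspect = 'example-adware.exe')

function Find-TasksLaunching {
    param([string]$FileName)
    $pattern = [regex]::Escape($FileName)
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "start a program" actions have an Execute property;
            # switches set after the file name are held in Arguments.
            if ($action.Execute -and $action.Execute -match $pattern) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

function Find-ServicesLaunching {
    param([string]$FileName)
    $pattern = [regex]::Escape($FileName)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $pattern } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

$tasks    = @(Find-TasksLaunching -FileName $Suspect)
$services = @(Find-ServicesLaunching -FileName $Suspect)
$tasks    | Format-List
$services | Format-List

# Review the output first. -WhatIf only reports what would change;
# remove it to delete the tasks and stop/disable the services.
foreach ($t in ($tasks | Sort-Object TaskPath, TaskName -Unique)) {
    Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false -WhatIf
}
foreach ($s in $services) {
    # List services that depend on this one before stopping it.
    Get-Service -Name $s.Name -DependentServices | Select-Object Name, Status
    Stop-Service -Name $s.Name -WhatIf
    Set-Service -Name $s.Name -StartupType Disabled -WhatIf
}
```

Matching on the file name alone will also list legitimate tasks or services that share that name, so check the full path in the Execute and PathName columns before removing the `-WhatIf` switches.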
Index
Part 1
- Identify the process
- Clear browser caches
- Remove browser extensions
Part 2
- Proxies
- Winsock hijackers
- DNS hijackers
Part 3
- Type of software
- Uninstall
- Remove file
- Replace file
Part 4
- Scheduled tasks
- Services
Up next, part 5
- DLLs
- Handles
- Parent process
Pieter Arntz