Adware Detection

Hi,

Does anyone have any advice on how to detect Spigot adware? I did some research on where it might reside in files and registry but this all returns false:

C:\Program Files (x86)\Common Files\Spigot
C:\Program Files\Common Files\Spigot
Display Name = YTD of uninstall registry
Display Name = IOBit of uninstall registry

Other places I am going to try, but reaching out to see if anyone has looked for this specific adware before?

C:\Program Files\IOBit Toolbar
Widgi Toolbar
Search Settings
PDF Forge Toolbar
Dealio Toolbar

Thanks in advance for any input on adware detection.

exists keys "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}" of (x64 registries;x32 registries)

Use this relevance to create a computer group; or you can put this in your action script as a conditional. Personally, I like making groups, and then just throwing whatever I need to at the entire group…

Thanks, @mel01. I appreciate your input here! I’ll give this a go.

Keep in mind that current user hives are only valid for the user the inspection runs in.

So unless that hive exists in the system hive instead of a logged in user, you won’t get the result you’re looking for.

You can look into this further by looking for the HKU hive in regedit or similar, then determining which subkeys under HKU have that value.

Thank you, @mwolff. I appreciate the advice.

@mwolff, do you have any relevance advice on how to “searchlight” for the existence of the adware setting in “HKEY_USERS”? I am testing a task that runs to gather the “HKEY_USERS” hive on a machine known to have the adware, but am ultimately looking to gather knowledge on those machines for which you don’t know the user value (you don’t know where the adware is installed)? Thanks -

1 Like

Sure. You can look through subkeys by using the “of keys” inspector.

Say you want to inspect HKEY_USERS\x\Software. Since we don’t know what X is, we can just substitute every possible value by using relevance.

exists keys "Software" of keys of keys "HKEY_USERS" of (x32 registries;x64 registries)

This is functionally the same as saying "Does the key Software exist in any of the keys underneath HKEY_USERS?", and BigFix will iterate through each subkey one by one.

For example, most standard Windows installs have the admin profile enabled, as well as possibly a guest and some other profiles. Each key value thus becomes a variable:
hku\s-1-5-18\software
hku\s-1-5-20\software
hku\whatever-the-guid-of-your-account-is\software

1 Like
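The same "walk every subkey of HKEY_USERS" check that the relevance above performs, written in PowerShell so it can be run by hand on a known-infected machine before the relevance is rolled out. This is an added example, not code from the thread or from BigFix. It uses the uninstall GUID quoted earlier in the thread as the marker to look for, checks both the native and the WOW6432Node view of the key (the equivalent of `x32 registries;x64 registries`), and also lists which profiles from ProfileList are not currently loaded, since, as noted above, HKEY_USERS only exposes hives of logged-on users and service accounts. The function names `Find-UserHiveKey` and `Get-UnloadedProfiles` are this example's own.

```powershell
# Added example (not from the thread): enumerate loaded user hives under HKEY_USERS and
# report which SIDs carry a given key, then list profiles whose hives are not loaded.

# Marker key taken from the relevance quoted earlier in the thread.
$markerKey = 'Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}'

function Resolve-Sid {
    param([string] $Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # well-known or orphaned SIDs may not translate; keep the raw SID
    }
}

function Find-UserHiveKey {
    param([Parameter(Mandatory)] [string] $RelativeKey)

    # Native view plus the 32-bit view on 64-bit Windows, mirroring (x32 registries;x64 registries).
    $views = @(
        $RelativeKey,
        ($RelativeKey -replace '^Software\\', 'Software\WOW6432Node\')
    ) | Select-Object -Unique

    $hits = @()
    # HKEY_USERS only contains hives that are currently loaded (the caveat raised above).
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |   # skip per-user Classes hives
        ForEach-Object {
            $sid = $_.PSChildName
            foreach ($view in $views) {
                $full = "Registry::HKEY_USERS\$sid\$view"
                if (Test-Path -LiteralPath $full) {
                    $props = Get-ItemProperty -LiteralPath $full -ErrorAction SilentlyContinue
                    $hits += [pscustomobject]@{
                        Sid         = $sid
                        Account     = Resolve-Sid $sid
                        Key         = $full
                        DisplayName = $props.DisplayName
                    }
                }
            }
        }
    return $hits
}

function Get-UnloadedProfiles {
    # ProfileList holds every local profile; compare it against what is loaded under HKEY_USERS.
    $loaded = (Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue).PSChildName
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        Where-Object { $loaded -notcontains $_.PSChildName } |
        ForEach-Object {
            [pscustomobject]@{
                Sid         = $_.PSChildName
                Account     = Resolve-Sid $_.PSChildName
                ProfilePath = (Get-ItemProperty -LiteralPath $_.PSPath).ProfileImagePath
            }
        }
}

# Usage: run elevated so every loaded hive is readable.
$results = Find-UserHiveKey -RelativeKey $markerKey
if ($results) {
    $results | Format-Table -AutoSize
} else {
    "No loaded user hive contains $markerKey"
}

"Profiles whose hives are NOT loaded (not inspected by the check above):"
Get-UnloadedProfiles | Format-Table -AutoSize
```

The second list is the practical point of the caveat: a machine that reports clean here can still carry the key in a profile that was not logged on at inspection time, so a relevance that only walks HKEY_USERS should be paired with knowledge of which profiles were actually loaded when it ran.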

Thanks for the swift response! I’ll give it a go!

Oh, by the way, you can do this with a property or even BigFix Query to get more immediate results compared to a Task.

I would always recommend using the Relevance Tester first, of course, to lessen the impact on your production environment. Bonus points if you have a dev environment to write relevance queries in and test it across multiple machines with BFQ.

1 Like