Malwarebytes has issued a detailed report explaining the various tricks Vonteera adware uses to compromise your PC – and it makes for uncomfortable reading.
Unwanted adverts, unknown Windows services, modified shortcuts, forced installation of uninstallable Chrome extensions, even a way to prevent you running antivirus software – it’s all here.
We’ve no doubt other adware uses similar techniques, too, so reading the report may help you detect and fix other problems you’re having.
Some of Vonteera’s strategies are basic. The adware installs an IE Browser Helper Object, for instance, which you can view and modify from Tools > Manage Add-Ons.
Others are more involved, like modifying the desktop and Start Menu shortcuts for all your browsers so they launch with a custom site (c:\path\to\firefox.exe http://www.scam.com).
Vonteera’s installer then enables a Chrome setting called Policies\Chromium\ExtensionInstallForcelist, which apparently:
“Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled by the user. All permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension.”
In other words, the adware gets to add its own code to Chrome without you noticing, and even if you do notice, it’s hard to do anything about it.
But the killer blow here is that the adware drops 13 certificates into “Untrusted Certificates”, covering a host of antimalware companies: AVAST, AVG, Avira, Bitdefender, Malwarebytes and more.
Windows then prevents you running anything signed by one of those certificates.
Even if you realise what’s happened, launch Certificate Manager (certmgr.msc), go to Untrusted Certificates > Certificates and delete the certificates, it won’t help for long, because the adware puts them back.
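The three changes described above (modified browser shortcuts, the ExtensionInstallForcelist policy, and the certificates dropped into Untrusted Certificates) can be listed with a short read-only PowerShell script. This is an added example, not taken from the Malwarebytes report; the function names, the browser list and the extra Policies\Google\Chrome key are assumptions.

```powershell
# Added example: read-only audit for the three tricks described above. Changes nothing.
function Get-BrowserShortcutWithUrl {
    # Desktop and Start Menu browser shortcuts whose arguments carry a URL.
    $shell = New-Object -ComObject WScript.Shell
    $roots = 'DesktopDirectory','CommonDesktopDirectory','StartMenu','CommonStartMenu' |
        ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }
    Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            # Assumption: this browser list is illustrative; extend it as needed.
            if ($lnk.TargetPath -match '(chrome|firefox|iexplore|msedge|opera)\.exe$' -and
                $lnk.Arguments -match 'https?:|www\.') {
                [pscustomobject]@{ Shortcut = $_.FullName; Arguments = $lnk.Arguments }
            }
        }
}

function Get-ForcedExtension {
    # Policies\Chromium is the key named in the article; Policies\Google\Chrome
    # is the equivalent key for Google Chrome (added here, not from the article).
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($vendor in 'Chromium', 'Google\Chrome') {
            $key = "$hive\SOFTWARE\Policies\$vendor\ExtensionInstallForcelist"
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item -Path $key
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $item.GetValue($name) }
            }
        }
    }
}

function Get-DisallowedCertificate {
    # certmgr.msc "Untrusted Certificates" is the Disallowed store. Windows puts
    # some revoked certificates there itself, so review subjects, not just counts.
    $vendors = 'AVAST|AVG|Avira|Bitdefender|Malwarebytes'   # names listed in the article
    Get-ChildItem Cert:\LocalMachine\Disallowed, Cert:\CurrentUser\Disallowed -ErrorAction SilentlyContinue |
        Select-Object Subject, Thumbprint,
            @{ Name = 'SecurityVendor'; Expression = { $_.Subject -match $vendors } }
}

Get-BrowserShortcutWithUrl | Format-List
Get-ForcedExtension        | Format-Table -AutoSize
Get-DisallowedCertificate  | Sort-Object SecurityVendor -Descending | Format-Table -AutoSize
```

Because the adware restores deleted certificates, rerun the certificate check after cleanup to confirm the flagged entries stay gone.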
Check out the Malwarebytes report: it’s a great analysis, and may help you understand issues you’re having now.
Download a copy of Malwarebytes Antimalware, too, which has just upgraded Vonteera from “adware” to what it really is: a trojan.