What does Adware.Adposhel change?
The adware uses Chrome policies to ensure that notification prompts will be shown and add some of their own domains to the list of sites that are allowed to push web notifications. So far not very new. The recent twist however is that it enforces these settings as an administrator. This is done so the regular Chrome user will not be able to change the settings in the Notifications menu.
It seems they have now decided to fully
deploy this tactic as we are seeing complaints about it emerging on computer
forums and Reddit.
Victims will complain about being unable to remove domains from the list of domains that are allowed to show web push notifications and being unable to change the setting that controls whether websites can ask you to allow notifications.
Disabling that setting would stop a user from seeing prompts like these:
If I were to click Allow on that
prompt this domain would be added to my allow list of URLs, but with the
understanding that I would be able to remove it manually in the Notifications
Adware.Adposhel uses the NotificationsAllowedForUrls policy to block users from removing their entries from the Allow list.
Where you would normally see the three dots (ellipsis) menu icon representing the settings menu.
For the entries submitted to a policy by Adware.Adposhel you will see the icon that tells you the setting is enforced by an administrator. And the accompanying text if you hover over the icon.
How do I undo the changes made by Adware.Adposhel?
This does not mean that you can change that setting just because you are the administrator of the system you are working on by the way. But if you are the system administrator you can fix the notifications changes made by the Adposhel installer by applying a simple registry fix:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] "DefaultNotificationsSetting"=dword:00000001 [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls]
This is safe to do unless there were
legitimate URLs in the list of URLs that are allowed to show notifications by
policy, which I doubt. But we always advise to create a backup of the registry
before making any changes.
Backing up Registry with ERUNT
Modifying the registry may create unforeseen results, so we always recommend creating a backup prior to doing that!
Please download ERUNT and save the file to the desktop.
Install ERUNT by following the
prompts, but say No to the portion
that asks you to add ERUNT to the startup folder.
- Right-click on the
icon and select
Run as Administrator to start the tool.
- Leave the default location (C:\WINDOWS\ERDNT)
as a place for your backup.
- Make sure that System registry and Current user registry are ticked.
- The third option Other open users registries is optional.
- Press OK to backup and
then press YES to create the folder.
This tool won’t generate any report.
You may uninstall it after we’re done with the cleaning.
Protection and detection
Malwarebytes detects the installers as Adware.Adposhel.
The URLs enforced by this Adpohel induced Chrome policy are detected as Adware.ForcedNotifications.ChrPRST.
aclassigned.info chainthorn.com cityskyscraper.com concreasun.info dimlitroom.com durington.info efishedo.info enclosely.info insupposity.info nineteducer.info oncreasun.info parliery.info qareaste.info stilysee.info suggedin.info
Stay safe everyone!
The post Adware.Adposhel takes over your web push notifications administration appeared first on Malwarebytes Labs.
* This article was originally published here