Jump to content

Recommended Posts

What is Adware.Adposhel?

The Malwarebytes research team has determined that Adware.Adposhel is adware. These adware applications display advertisements not originating from the sites you are browsing.
This particular one changes Chrome policies to allow their own web push notifications.

How do I know if my computer is affected by Adware.Adposhel?

You may see this warnings after install:

warning1.png
the installer runs Chrome with a new tab pointing to one of their sites

and you may see these changed settings:

warning5.png

warning6.png

with this text if you hover over one of the icons:

adminsettings.png

How did Adware.Adposhel get on my computer?

Adware applications use different methods for distributing themselves. This particular one was installed by a bundler.

How do I remove Adware.Adposhel?

Our program Malwarebytes can detect and remove this adware program.

  • Please download Malwarebytes for Windows to your desktop.
  • Double-click MBSetup.exe and follow the prompts to install the program.
  • When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  • Click on the Get started button.
  • Click Scan to start a Threat Scan.
  • When the scan is finished click Quarantine to remove the found threats.
  • Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Adware.Adposhel?

  • No, Malwarebytes removes Adware.Adposhel completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this adware.

As you can see below the full version of Malwarebytes would have protected you against the Adware.Adposhel adware. It would have blocked the installer before it became too late.
Installers of this type can be detected as Adware.Adpohel if the detection is based on file recognition:


 

protection1.png

 

or as Virus.Agent if the detection is done heuristically:
 

protection2.png

 

Technical details for experts

Possible signs in FRST logs:

 

CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

Significant changes made by the installer:

Registry details 
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
       "DefaultNotificationsSetting"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls]
       "1"="REG_SZ", "https://[*.]aclassigned.info"
       "2"="REG_SZ", "https://[*.]insupposity.info"
       "3"="REG_SZ", "https://[*.]enclosely.info"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/3/20
Scan Time: 3:59 PM
Log File: bfcb66f0-4695-11ea-bafa-00ffdcc6fdfc.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.793
Update Package Version: 1.0.18646
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 235809
Threats Detected: 6
Threats Quarantined: 6
Time Elapsed: 30 min, 44 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME, Quarantined, 7033, -1, 0.0.0, , action, 
Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\CHROME, Quarantined, 7033, -1, 0.0.0, , action, 

Registry Value: 2
Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\CHROME\NOTIFICATIONSALLOWEDFORURLS|2, Quarantined, 7033, 786861, 1.0.18646, , ame, 
Adware.ForcedNotifications.ChrPRST, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME\NOTIFICATIONSALLOWEDFORURLS|2, Quarantined, 7033, 786861, 1.0.18646, , ame, 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Adware.Adposhel, C:\USERS\{username}\DOWNLOADS\ADPOSHEL.EXE, Quarantined, 535, 508655, 1.0.18646, 1AE8D283FBBFE5398D87D6EB, dds, 00573913

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.