Vonteera adware blocks AVs, can install uninstallable Chrome extensions

The Vonteera adware family has been around for quite some time, but it is now slowly starting to cross the line between unwanted, potentially malicious software to outright malware.

According to Malwarebytes researchers, the adware has a new trick in its sleeve: it adds 13 certificates to the targeted systems’ “Untrusted Certificates” list, and they all belong to companies developing popular AV and security software such as Avast, AVG, Baidu, Bitdefender, Malwarebytes, Trend Micro, and others:


The list is used by Windows’ User Account Control (UAC) to keep out untrusted software.

“The effect of this is potentially devastating since your system will refuse to run any applications signed with these certificates,” Malwarebytes researcher Pieter Arntz explained.

This means that an affected user will have trouble cleaning their systems from malware – the fact that this happens only if Vonteera has managed to infect a system without triggering AV software means that the user either doesn’t use protection or that it’s not that good.

So what can users do to get rid of it? One option is to go into Certificate Manager and delete the certificates in question, then download an AV solution – preferably one developed by the aforementioned manufacturers, as they obviously detect the adware – and run it to find and remove the offending software.

“Make sure to check back on the certificates after you have removed the adware, since they might have been re-instated in the meantime,” Arntz advised.

Another option is to temporarily disable UAC so that the needed AV can be downloaded, installed and run, or to use Task Scheduler to bypass UAC.

Another interesting thing about the Vonteera adware is that apart from doing the usual damage – creating tasks to show users advertisements on a regular basis, altering browser shortcuts so the browsers open to specific pages – it can also bring much more trouble to Chrome users.

“For Chrome, [Vonteera] has a special treat as it enables Policies\Chromium\ExtensionInstallForcelist which, and I quote, ‘Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled by the user. All permissions requested by the apps/extensions are granted implicitly, without user interaction, including any additional permissions requested by future versions of the app/extension. That is not something I would grant any app or extension even if I trust it, since it opens up a whole bunch of attack vectors for anything malicious,” Arntz pointed out.

Don't miss