Blockit Ad Remover


  1. Posts : 107
    Windows 7 Home 64bit
       #1

    Blockit Ad Remover


    Hi,

    My wife infected her W8.1 (I know this is a W7 forum) machine with Blockit Ad Remover when she opened an infected yahoo.mail. It is a Chrome extension and can be easily removed. But it comes back daily when she uses her yahoo.mail and opens her legitimate emails.

    There is no program to uninstall and no program was added recently.
    I went to Chrome privacy settings and cleared all the pop-up and plugin options.

    Scanned with:
    -malwarebytes
    -superantispyware
    -spybot
    -emsisoft
    -eset
    -adwcleaner
    -roguekiller
    -ccleaner

    It is still coming back and, according to my wife, it is related to her opening her regular emails.
    I checked her inbox and they all look OK.

    Any suggestions....?

    Thanks,
    -BBDS


  2. Posts : 10,485
    W7 Pro SP1 64bit
       #2

    For things that inexplicably come back, I direct people to an offline* scanner.

    *offline as in: the operating system is not loaded.

    WDO is one such scanner:
    What is Windows Defender Offline? - Windows Help
    I like to use it via a USB memory stick. You might prefer using a CD.

    If you don't like WDO, pick another flavor:
    https://www.raymond.cc/blog/13-antiv...t-rescue-disk/


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #3

    Did you try (and follow through with) these instructions? Remove "BlockIt Ad remover" virus (Removal Guide)


  4. Posts : 107
    Windows 7 Home 64bit
    Thread Starter
       #4

    I tried using WDO but the boot options in BIOS got so confusing that I gave up.

    I read the article suggested by Jacee and the only tool I have not tried is Hitman Pro.


    Thanks,
    -BBDS


  5. Posts : 10,485
    W7 Pro SP1 64bit
       #5

    Did you enable scanning for rootkits (via custom scan) within Malwarebytes?

    How about scanning with TDSSKiller?


  6. Posts : 107
    Windows 7 Home 64bit
    Thread Starter
       #6

    Yes, rootkit scan in Malwarebytes was enabled in settings, no need for a custom scan.
    TDSSKiller I did not run yet, but if the problem returns I will.

    I enabled Extension Developer mode in Chrome and it gave me the Path and ID.
    The Path was invalid but I was able to find the ID on my "C" Drive and deleted it.
    Because W8 search is not very good I installed "Search Everything" desktop tool to search for that Extension ID.

    So far it looks like the bad Extension is gone from Chrome.

    I will know for sure in a day or two.

    Thanks,
    -BBDS


  7. Posts : 107
    Windows 7 Home 64bit
    Thread Starter
       #7

    The extension came back, installed silently in Chrome. All stand-alone tools have failed to find the intruder.

    I went to 2 folders -
    c:users/...name.../app data/local/google/chrome/user data/default/extensions
    c:users/...name.../app data/local/google/chrome/user data/default/local storage

    ....and not just deleted the extension id from these folders, but also changed security for these 2 folders - write deny.

    Hopefully this will prevent any further unwanted extension installation, we will see.

    But I have another question - is there any free tool to monitor/expose the process/program that tries to access these folders?

    I was trying to use Windows Event Viewer but it did not help, maybe I do not know how to use it for my purpose.

    Thanks,
    -BBDS


  8. Posts : 10,485
    W7 Pro SP1 64bit
       #8

    You mentioned in your original post, "It is a Chrome extension and can be easily removed." Did you remove it via Chrome's Settings > Extensions? Or did you just delete the folders?

    You should not deny access to those two folders via NTFS permissions. Doing so will prevent Chrome from updating valid/desired extensions (assuming that you have valid/desired extensions). If you are going to modify the NTFS file permissions in an attempt to temporarily work around this issue, then you should (IMO) do so one folder level down, e.g., only deny access to the folder where this undesired extension writes. Those long folder names just below the ...\default\extensions\ folder should be unique to the extension being installed. They are not normally random folder names.


    You might be surprised how many times different apps will attempt to write to the folders that you mentioned. Process Monitor can show you what app is writing to the folder, but the app installing/restoring the extension will most likely be Chrome. You would need to figure out what is causing Chrome to add the extension. That might not be obvious in Process Monitor.

    If you opt to try Process Monitor, filter the massive amount of results via:
    Menu bar > Filter > Filter...
    Path > Contains > local\google\chrome\user data\default\extensions\<the unique folder name/id>

    You will need to let the extension come back before you will know that unique folder name/id. Or, the unique folder name/ID should be listed in the log file from AdwCleaner - if you still have that log.

    If desired, you can exclude Chrome from the results. Right click on Chrome and select Exclude 'Chrome.exe' from the context menu.


    Process Monitor is not meant to run for extended periods of time. It will consume lots of virtual memory until it crashes. You can tell Process Monitor to write its info to files via the app's Menu bar > File > Backing Files.... It will produce several log files - starting a new one each time the old one gets too big (~0.5GB).


  9. Posts : 107
    Windows 7 Home 64bit
    Thread Starter
       #9

    Of course I deleted the extension from Chrome/Tools/Extensions.

    Your post makes a lot of sense and I removed security 'deny' from both folders.

    I am pretty sure this extension is not installed by Chrome; it is very intrusive adware, it floods your screen with ads and makes browsing impossible. It also comes with different names, but seems to have the same extension ID.

    I also installed MS Process Monitor and had some dry runs with it, just to get familiar with the filters.

    But this extension does not invade my PC all the time, I cannot figure out the pattern. This morning it was there but now it is not. But like a good hunter I will wait for the next time it infects and will strike at it....!!!!!

    Thanks,
    -BBDS


  10. Posts : 10,485
    W7 Pro SP1 64bit
       #10

    You are welcome.

    I use Chrome, but only for very specific tasks and I only have one Chrome extension.

    I'm not sure what the info in this link means:

    https://sites.google.com/a/chromium....deployment-faq

    It seems to be saying that extensions come from Google's store via Chrome. If another app somehow manages to install a Chrome extension, then maybe that app can fool Chrome into thinking that the extension is to be run in the developer mode.

    Happy hunting
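    An added example, not code from any poster in this thread: the PowerShell below inventories the per-profile Extensions folder that post #8 describes (one ID folder per extension, one version sub-folder inside, each with a manifest.json) and then dumps the registry locations Chrome reads to install extensions on behalf of other programs, which is the third-party install route post #10 is asking about. It assumes the default Chrome profile path and that the script is run on the affected machine; no extension ID is hard-coded because the thread never names one.

```powershell
# Added example (not from the thread). Assumes the default Chrome profile;
# adjust $chromeProfile for a different profile folder.
$chromeProfile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$extRoot = Join-Path $chromeProfile 'Extensions'

Write-Host "== Extensions installed under $extRoot =="
Get-ChildItem -Path $extRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    # Folder name is the 32-character extension ID; it stays the same even
    # when the displayed extension name changes between reinstalls.
    $id = $_.Name
    $verDir = Get-ChildItem $_.FullName -Directory |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $name = '?'; $version = '?'
    $manifest = Join-Path $verDir.FullName 'manifest.json'
    if (Test-Path $manifest) {
        $m = Get-Content $manifest -Raw | ConvertFrom-Json
        $name = $m.name; $version = $m.version
    }
    [pscustomobject]@{
        Id        = $id
        Name      = $name
        Version   = $version
        Installed = $verDir.CreationTime   # compare with when the ads reappeared
        Path      = $verDir.FullName        # use this path in the Process Monitor filter
    }
} | Sort-Object Installed -Descending | Format-Table -AutoSize

# Registry keys that let another program tell Chrome to install an extension
# (sub-key per extension ID with update_url or path values), plus the policy
# force-list. Anything here that you did not add yourself deserves a look.
$keys = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    Write-Host "== $k =="
    # Per-extension sub-keys (external install mechanism)
    Get-ChildItem $k -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "  sub-key $($_.PSChildName)"
        $_ | Get-ItemProperty | Select-Object * -ExcludeProperty PS* | Format-List | Out-String | Write-Host
    }
    # Values directly on the key (force-list entries are "id;update_url")
    Get-ItemProperty $k | Select-Object * -ExcludeProperty PS* | Format-List | Out-String | Write-Host
}
```

    Run it once while the extension is present and again after removing it from Settings > Extensions; an ID that survives in the registry keys, or reappears in the Extensions folder with a fresh CreationTime, points at an installer outside Chrome rather than at the browser itself.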


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd