Windows 7 Forums



Windows 7: Blockit Ad Remover

03 Jul 2015   #1
boyboyds

Windows 7 Home 64bit
 
 
Blockit Ad Remover

Hi,

My wife infected her W8.1 (I know this is W7 forum) machine with Blockit Ad Remover when she opened an infected yahoo.mail. It is a Chrome extension and can be easily removed. But it comes back daily when she uses her yahoo.mail and opens her legitimate emails.

There is no program to uninstall and no program was added recently.
I went to Chrome privacy settings and cleared all the pop-up and plugin options.

Scanned with:
-malwarebytes
-superantispyware
-spybot
-emsisoft
-eset
-adwcleaner
-roguekiller
-ccleaner

It is still coming back and according to my wife is related to her opening her regular emails.
I checked her inbox and they all look OK.

Any suggestions....?

Thanks,
-BBDS


03 Jul 2015   #2
UsernameIssues

W7 Pro SP1 64bit
 
 

For things that inexplicably come back, I direct people to an offline* scanner.

*offline as in: the operating system is not loaded.

WDO is one such scanner:
What is Windows Defender Offline? - Windows Help
I like to use it via a USB memory stick. You might prefer using a CD.

If you don't like WDO, pick another flavor:
https://www.raymond.cc/blog/13-antiv...t-rescue-disk/
03 Jul 2015   #3
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Did you try (and follow through) with these instructions? Remove "BlockIt Ad remover" virus (Removal Guide)

04 Jul 2015   #4
boyboyds

Windows 7 Home 64bit
 
 

I tried using WDO but the boot options in BIOS got so confusing that I gave up.

I read the article suggested by Jacee and the only tool I have not tried is Hitman Pro.


Thanks,
-BBDS
04 Jul 2015   #5
UsernameIssues

W7 Pro SP1 64bit
 
 

Did you enable scanning for rootkits (via custom scan) within Malwarebytes?

How about scanning with TDSSKiller?
04 Jul 2015   #6
boyboyds

Windows 7 Home 64bit
 
 

Yes, rootkit scan in Malwarebytes was enabled in settings, no need for custom scan.
TDSSKiller I did not run yet, but if the problem returns I will.

I enabled Extension Developer mode in Chrome and it gave me the Path and ID.
The Path was invalid but I was able to find the ID on my "C" Drive and deleted it.
Because W8 search is not very good I installed "Search Everything" desktop tool to search for that Extension ID.

So far it looks like the bad Extension is gone from Chrome.

I will know for sure in a day or two.

Thanks,
-BBDS
11 Jul 2015   #7
boyboyds

Windows 7 Home 64bit
 
 

The extension came back, installed silently in Chrome. All standalone tools have failed to find the intruder.

I went to 2 folders -
c:users/...name.../app data/local/google/chrome/user data/default/extensions
c:users/...name.../app data/local/google/chrome/user data/default/local storage

....and not just deleted the extension id from these folders, but also changed security for these 2 folders - write deny.

Hopefully this will prevent any further unwanted extension installation, we will see.

But I have another question - is there any free tool to monitor/expose the process/program that tries to access these folders?

I was trying to use Windows Event Viewer but it did not help, maybe I do not know how to use it for my purpose.

Thanks,
-BBDS
11 Jul 2015   #8
UsernameIssues

W7 Pro SP1 64bit
 
 

You mentioned in your original post, "It is a Chrome extension and can be easily removed." Did you remove it via Chrome's Settings > Extensions? Or did you just delete the folders?

You should not deny access to those two folders via NTFS permissions. Doing so will prevent Chrome from updating valid/desired extensions (assuming that you have valid/desired extensions). If you are going to modify the NTFS file permissions in an attempt to temporarily work around this issue, then you should (IMO) do so one folder level down. e.g. only deny access to the folder where this undesired extension writes. Those long folder names just below the ...\default\extensions\ folder should be unique to the extension being installed. They are not normally random folder names.


You might be surprised how many times different apps will attempt to write to the folders that you mentioned. Process Monitor can show you what app is writing to the folder, but the app installing/restoring the extension will most likely be Chrome. You would need to figure out what is causing Chrome to add the extension. That might not be obvious in Process Monitor.

If you opt to try Process Monitor, filter the massive amount of results via:
Menu bar > Filter > Filter...
Path > Contains > local\google\chrome\user data\default\extensions\<the unique folder name/id>

You will need to let the extension come back before you will know that unique folder name/id. Or, the unique folder name/ID should be listed in the log file from AdwCleaner - if you still have that log.

If desired, you can exclude Chrome from the results. Right click on Chrome and select Exclude 'Chrome.exe' from the context menu.


Process Monitor is not meant to run for extended periods of time. It will consume lots of virtual memory until it crashes. You can tell Process Monitor to write its info to files via the app's Menu bar > File > Backing Files.... It will produce several log files - starting a new one each time the old one gets too big (~0.5GB).
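The advice in post #8 depends on knowing the unique folder name/ID under ...\default\extensions\. The following is an added example, not part of any post in this thread: a PowerShell script that lists every ID folder with the name from its manifest.json and the folder creation time, and flags IDs that were absent on the first run. It assumes the default profile path of the current user, and the baseline file name is hypothetical.

```powershell
# Added example (not from the thread): inventory the extension ID folders in a Chrome profile.
# Assumptions: default profile path of the current user; the baseline file name is hypothetical.
param(
    [string]$ExtensionsDir = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'),
    [string]$BaselineFile  = (Join-Path $env:TEMP 'chrome-ext-baseline.txt')
)

function Get-ChromeExtensionInventory {
    param([string]$Path)
    foreach ($idDir in Get-ChildItem -LiteralPath $Path -Directory) {
        # Each ID folder holds one subfolder per installed version.
        foreach ($verDir in Get-ChildItem -LiteralPath $idDir.FullName -Directory) {
            $name = '(no manifest.json)'
            $manifest = Join-Path $verDir.FullName 'manifest.json'
            if (Test-Path -LiteralPath $manifest) {
                try {
                    # The name may be a __MSG_...__ placeholder when the extension is localized.
                    $name = (Get-Content -LiteralPath $manifest -Raw | ConvertFrom-Json).name
                } catch { $name = '(unreadable manifest.json)' }
            }
            [pscustomobject]@{
                Id      = $idDir.Name
                Version = $verDir.Name
                Name    = $name
                Created = $idDir.CreationTime
            }
        }
    }
}

$inventory = @(Get-ChromeExtensionInventory -Path $ExtensionsDir)
$inventory | Sort-Object Created | Format-Table Id, Version, Name, Created -AutoSize

if (Test-Path -LiteralPath $BaselineFile) {
    # Report any ID folder that was not present when the baseline was taken.
    $known = @(Get-Content -LiteralPath $BaselineFile)
    foreach ($ext in $inventory | Where-Object { $known -notcontains $_.Id }) {
        Write-Warning "Not in baseline: $($ext.Id) '$($ext.Name)' created $($ext.Created)"
    }
} else {
    # First run: record the current IDs. Delete the file to take a new baseline.
    $inventory | Select-Object -ExpandProperty Id | Sort-Object -Unique | Set-Content -LiteralPath $BaselineFile
}
```

An ID reported as not in the baseline is the value to put in the Process Monitor Path filter, and its creation time narrows the part of the capture worth reading.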
12 Jul 2015   #9
boyboyds

Windows 7 Home 64bit
 
 

Of course I deleted the extension from Chrome/Tools/Extensions.

Your post makes a lot of sense and I removed security 'deny' from both folders.

I am pretty sure this extension is not installed by Chrome, it is a very intrusive adware, it floods your screen with ads, makes browsing impossible. It also comes with different names, but seems to have the same extension ID.

I also installed MS Process Monitor and had some dry runs with it, just to get familiar with the filters.

But this extension does not invade my PC all the time, I cannot figure out the pattern. This morning it was there but now it is not. But like a good hunter I will wait for the next time it infects and will strike at it....!!!!!

Thanks,
-BBDS
12 Jul 2015   #10
UsernameIssues

W7 Pro SP1 64bit
 
 

You are welcome.

I use Chrome, but only for very specific tasks and I only have one Chrome extension.

I'm not sure what the info in this link means:

https://sites.google.com/a/chromium....deployment-faq

It seems to be saying that extensions come from Google's store via Chrome. If another app somehow manages to install a Chrome extension, then maybe that app can fool Chrome into thinking that the extension is to be run in the developer mode.

Happy hunting :-)
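Post #10 raises the possibility of another program installing the extension. Chrome on Windows reads two registry-based install sources, external extension keys and the ExtensionInstallForcelist policy; the following added example (not part of the thread) lists what is registered there so the IDs can be compared with the one that keeps returning. The key paths are Chrome's standard locations, not values taken from this thread, and the function name is hypothetical.

```powershell
# Added example (not from the thread): list registry entries that tell Chrome to install an extension.
function Get-ChromeRegistryExtension {
    # External extensions: one subkey per extension ID, normally with an update_url value.
    $externalRoots = @(
        'HKLM:\SOFTWARE\Google\Chrome\Extensions',
        'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
        'HKCU:\SOFTWARE\Google\Chrome\Extensions'
    )
    # Policy force-install list: each value is "<extension id>;<update url>".
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
        'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    )

    foreach ($root in $externalRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            [pscustomobject]@{
                Source    = 'external'
                Id        = $key.PSChildName
                UpdateUrl = $props.update_url
                Key       = $key.Name
            }
        }
    }
    foreach ($path in $policyKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($valueName in $key.GetValueNames()) {
            $id, $url = ([string]$key.GetValue($valueName)) -split ';', 2
            [pscustomobject]@{
                Source    = 'policy'
                Id        = $id
                UpdateUrl = $url
                Key       = $key.Name
            }
        }
    }
}

Get-ChromeRegistryExtension | Format-Table Source, Id, UpdateUrl, Key -AutoSize
```

An empty result means none of these keys hold an entry; an entry whose Id matches the unwanted extension explains why deleting the folder or removing it in Chrome does not last.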