Blockit Ad Remover

boyboyds

Hi,

My wife infected her W8.1 (I know this is a W7 forum) machine with Blockit Ad Remover when she opened an infected yahoo.mail. It is a Chrome extension and can be easily removed. But it comes back daily when she uses her yahoo.mail and opens her legitimate emails.

There is no program to uninstall and no program was added recently.
I went to Chrome privacy settings and cleared all the pop-up and plugin options.

Scanned with:
- Malwarebytes
- SUPERAntiSpyware
- Spybot
- Emsisoft
- ESET
- AdwCleaner
- RogueKiller
- CCleaner

It is still coming back and, according to my wife, it is related to her opening her regular emails.
I checked her inbox and they all look OK.

Any suggestions....?

Thanks,
-BBDS
 

My Computer

OS
Windows 7 Home 64bit

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Employer provided Dell Latitude
OS
W7 Pro SP1 64bit
CPU
i7
Memory
8GB
Graphics Card(s)
Intel HD Graphics
Hard Drives
crappy SSD
Antivirus
Employer mandated Symantec Endpoint Protection
Browser
Pale Moon 64bit, IE11 64bit & Chrome 64bit

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
I tried using WDO but the boot options in BIOS got so confusing that I gave up.

I read the article suggested by Jacee and the only tool I have not tried is Hitman Pro.


Thanks,
-BBDS
 

Did you enable scanning for rootkits (via custom scan) within Malwarebytes?

How about scanning with TDSSKiller?
 

Yes, rootkit scan in Malwarebytes was enabled in settings, no need for custom scan.
TDSSKiller I did not run yet, but if the problem returns I will.

I enabled Extension Developer mode in Chrome and it gave me the Path and ID.
The Path was invalid but I was able to find the ID on my "C" Drive and deleted it.
Because W8 search is not very good I installed "Search Everything" desktop tool to search for that Extension ID.

So far it looks like the bad Extension is gone from Chrome.

I will know for sure in a day or two.

Thanks,
-BBDS
 

The extension came back, installed silently in Chrome. All stand alone tools have failed to find the intruder.

I went to 2 folders -
c:users/...name.../app data/local/google/chrome/user data/default/extensions
c:users/...name.../app data/local/google/chrome/user data/default/local storage

....and not just deleted the extension id from these folders, but also changed security for these 2 folders - write deny.

Hopefully this will prevent any further unwanted extension installation, we will see.

But I have another question - is there any free tool to monitor/expose the process/program that tries to access these folders?

I was trying to use Windows Event Viewer but it did not help, maybe I do not know how to use it for my purpose.

Thanks,
-BBDS
 

You mentioned in your original post, "It is a Chrome extension and can be easily removed." Did you remove it via Chrome's Settings > Extensions? Or did you just delete the folders?

You should not deny access to those two folders via NTFS permissions. Doing so will prevent Chrome from updating valid/desired extensions (assuming that you have valid/desired extensions). If you are going to modify the NTFS file permissions in an attempt to temporarily work around this issue, then you should (IMO) do so one folder level down. e.g. only deny access to the folder where this undesired extension writes. Those long folder names just below the ...\default\extensions\ folder should be unique to the extension being installed. They are not normally random folder names.


You might be surprised how many times different apps will attempt to write to the folders that you mentioned. Process Monitor can show you what app is writing to the folder, but the app installing/restoring the extension will most likely be Chrome. You would need to figure out what is causing Chrome to add the extension. That might not be obvious in Process Monitor.

If you opt to try Process Monitor, filter the massive amount of results via:
Menu bar > Filter > Filter...
Path > Contains > local\google\chrome\user data\default\extensions\<the unique folder name/id>

You will need to let the extension come back before you will know that unique folder name/id. Or, the unique folder name/ID should be listed in the log file from AdwCleaner - if you still have that log.

If desired, you can exclude Chrome from the results. Right click on Chrome and select Exclude 'Chrome.exe' from the context menu.


Process Monitor is not meant to run for extended periods of time. It will consume lots of virtual memory until it crashes. You can tell Process Monitor to write its info to files via the app's Menu bar > File > Backing Files.... It will produce several log files - starting a new one each time the old one gets too big (~0.5GB).
 

Of course I deleted the extension from Chrome/Tools/Extensions.

Your post makes a lot of sense and I removed security 'deny' from both folders.

I am pretty sure this extension is not installed by Chrome, it is a very intrusive adware, it floods your screen with ads, makes browsing impossible. It also comes with different names, but seems to have the same extension ID.

I also installed MS Process Monitor and had some dry runs with it, just to get familiar with the filters.

But this extension does not invade my PC all the time, I cannot figure out the pattern. This morning it was there but now it is not. But like a good hunter I will wait for the next time it infects and will strike at it....!!!!!

Thanks,
-BBDS
 

You are welcome.

I use Chrome, but only for very specific tasks and I only have one Chrome extension.

I'm not sure what the info in this link means:

https://sites.google.com/a/chromium.org/dev/developers/extensions-deployment-faq

It seems to be saying that extensions come from Google's store via Chrome. If another app somehow manages to install a Chrome extension, then maybe that app can fool Chrome into thinking that the extension is to be run in the developer mode.

Happy hunting :-)
 

This link describes my problem precisely, but the suggestion there did not work for me.

Ads by discountex - chrome : techsupport

But your suggestion proved to be correct, though it took me some time before I realized how to connect the dots.

Somehow my Chrome got set to Developer Build version, and when I checked for the latest version it told me that it was up to date. I reinstalled Chrome and a completely different version became the latest.

Now the problem is gone (hopefully for good), though it has been only one day.

I wonder if the virus that corrupted my Chrome is still hiding somewhere.

Thanks,
-BBDS
 

The Developer Build is different than the Developer mode for extensions.

The Developer Build applies to the version of Chrome itself.

The Developer mode for extensions is sort of explained in this FAQ.

You can have the regular (non Developer Build) version of Chrome and still have extensions that run in the developer mode.


Here is a random screenshot that a search for chrome extensions developer mode turned up:

[screenshot: update-chrome-extension-devmode.png]

So......
This link seems to be saying that extensions will only run if they come from:
1) Google's store
or
2) your computer (if Chrome is in the Developer mode).

A bad app on your computer would have to:
1) create these bad extensions
2) tell Chrome to run them in the Developer mode.


In a day or two, you are going to tell me that the bad extensions came back and the Developer mode was not checked. Then I can pull out the rest of my hair :-)
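One way to check for exactly this condition from the Preferences file Chrome keeps in the profile folder mentioned earlier in the thread (an added example, not code from this thread or from Google): the script parses an `extensions.settings` map of the shape Chrome writes and flags any extension that is not marked `from_webstore`, is recorded with the unpacked (developer-mode) location code, or is loaded from an absolute path outside the profile. The sample data is constructed; the location code 4 for unpacked extensions is taken from Chromium's Manifest::Location enum and is stated here as an assumption.

```python
import json
from pathlib import PureWindowsPath

# Location code for an unpacked (developer-mode) extension, per Chromium's
# Manifest::Location enum (assumed mapping; only this value is relied on).
UNPACKED = 4

# Constructed sample in the shape of Chrome's "Preferences" file
# (extensions.settings keyed by extension id). Ids and paths are made up.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "manifest": {"name": "Legit Helper", "version": "1.2.3"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": 4,
                "path": "C:\\ProgramData\\AdRemover\\ext",
                "manifest": {"name": "Blockit Ad Remover", "version": "1.0"},
            },
        }
    }
}


def suspicious_extensions(prefs):
    """Return (id, name, reasons) for every extension that did not come from
    the Chrome Web Store or is loaded unpacked from an absolute path."""
    hits = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not from web store")
        if ext.get("location") == UNPACKED:
            reasons.append("unpacked (developer mode)")
        if PureWindowsPath(ext.get("path", "")).is_absolute():
            reasons.append("absolute path: " + ext["path"])
        if reasons:
            hits.append((ext_id, ext.get("manifest", {}).get("name", "?"), reasons))
    return hits


def scan_preferences_file(path):
    """Run the same check against a real Preferences file from a profile."""
    with open(path, encoding="utf-8") as fh:
        return suspicious_extensions(json.load(fh))


if __name__ == "__main__":
    for ext_id, name, reasons in suspicious_extensions(SAMPLE_PREFS):
        print(ext_id, name, "; ".join(reasons))
```

Point `scan_preferences_file` at `...\User Data\Default\Preferences` (with Chrome closed) to run it against a live profile.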
 

> I wonder if the virus that corrupted my Chrome is still hiding somewhere.

If you would like, I can ask someone to walk you thru all sort of scans to check for that.
 

> This link describes my problem precisely, but the suggestion there did not work for me.
>
> Ads by discountex - chrome : techsupport

> ...the suggestion there did not work for me.

The suggestion there might not have worked for the person that started that thread either. It might be too soon to tell for both of you. The infection (if there is one) might stop for a day or two if told to do so by those controlling it.
 

Yes, the developer mode you attached is a standard option and it is not checked in my Chrome, I only checked it temporarily while researching the problem. But my Chrome had Developer Build version (About Chrome), which got installed silently somehow.

I will wait to see if the problem comes back, but at least now I am better educated about the issue.
I also fully documented all the info about the extension and the HTML behind it.

Also, I did not get any useful info out of the MS Process Monitor; the folder I was including in the filtering had many Explorer.exe processes pointing to it, nothing specific to identify the intruder.

I also forgot to mention that when I discovered the issue initially I ran System Restore to a previous day, but it did not fix it. Also I am not sure that my wife infected it via her email, the source of this infection is unknown.

Thank you for your help,
-BBDS
 
So far my PC is running without any issues. I ran a few stand alone scanners and they did not find the virus that caused the issue, maybe it did not even get installed on my PC.

Problem: Chrome browser got set to Development Version and it allowed the bad extension to be added to it.
Solution: Reinstall Chrome, make sure the new Chrome version does not have any "dev" as part of its name.

Thank you all for your help, especially @UsernameIssues.
-BBDS
 

> ....Also I did not get any useful info out of the MS Process Monitor, the folder I was including in the filtering had many Explorer.exe processes pointing to it, nothing specific to identify the intruder....

If you ever need to use Process Monitor again, take note that you can right click on Explorer.exe (or any other app/entry within Process Monitor) and exclude it from view. That should leave you with any remaining actors against the folder of interest.



> So far my PC is running without any issues. I ran a few stand alone scanners and they did not find the virus that caused the issue, maybe it did not even get installed on my PC.
>
> Problem: Chrome browser got set to Development Version and it allowed the bad extension to be added to it.
> Solution: Reinstall Chrome, make sure the new Chrome version does not have any "dev" as part of its name.
>
> Thank you all for your help, especially @UsernameIssues.
> -BBDS

Glad to hear that it seems good so far :-)
 
