Removing blocknsurf adware infection

10 Jul 2015

Recently I was doing some family Windows tech support. We had been given a laptop and I wanted to square it away so my wife could use it and pass on her current laptop to one of the kids. So it was the usual routine - uninstall lots of stuff, run Windows Update, install Open Office, generally make it safe for humanity.

Chrome and other browsers kept behaving weirdly though. A page would load, but then a couple of addresses would be displayed in the status bar and the page would get all fouled up - ads would appear, various words would get munged so that they had an ad-loading overlay when clicked, links would be similarly munged, various JavaScript window slide-ins would interfere with the page, etc. All of this stuff had a "blocknsurf" logo at the bottom. Googled that, obvious adware infection. Checked the browser extensions - nothing. Checked the installed programs - nothing. Set up an ad blocker - no effect. Ran an adware checker utility, it found some misc files and deleted them and rebooted - no effect. Reset Chrome to defaults - nothing.

What puzzled me was that I didn't see another process in the task manager; there wasn't a proxy service or something like that running. Then it hit me. Blocknsurf must have modified Chrome. It must have wrapped the Chrome launcher, or one of the executables or DLLs so that when launched it would include the blocknsurf code in-process. Perhaps it automatically loaded an extension and hid it from the extensions list; that would have been consistent with the observed behavior.

The fix was to simply uninstall Chrome and then download and reinstall it. With the new binary in place, all was well; no more blocknsurf ads!
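
One way to test the modified-binary theory before reinstalling is to check Chrome's executables, DLLs and shortcuts directly; the PowerShell below is an added example, not part of the original post. It assumes PowerShell 3.0 or later, Chrome's default install locations, and that a genuine Chrome binary is signed by a certificate whose subject contains `O=Google`.

```powershell
# Added example. Default Chrome install locations (assumed; adjust for a custom install).
$chromeDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:LOCALAPPDATA\Google\Chrome\Application"
) | Where-Object { Test-Path $_ }

# 1. Every EXE/DLL in the install tree should have a valid Authenticode signature from Google.
$badBinaries = foreach ($dir in $chromeDirs) {
    Get-ChildItem -Path $dir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # Assumption: genuine builds carry "O=Google ..." in the signer subject.
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Google') {
                [pscustomobject]@{ Path = $_.FullName; Status = $sig.Status; Signer = $signer }
            }
        }
}

# 2. Chrome shortcuts should point into the install tree and carry no extra arguments.
$shortcutDirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
) | Where-Object { Test-Path $_ }

$shell = New-Object -ComObject WScript.Shell
$badShortcuts = Get-ChildItem -Path $shortcutDirs -Recurse -Filter *.lnk -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'chrome' } |
    ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)   # opens the existing .lnk for reading
        $inTree = $false
        foreach ($dir in $chromeDirs) {
            if ($lnk.TargetPath -like "$dir\*") { $inTree = $true }
        }
        if (-not $inTree -or $lnk.Arguments) {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }

$badBinaries  | Format-Table -AutoSize -Wrap
$badShortcuts | Format-Table -AutoSize -Wrap
if (-not $badBinaries -and -not $badShortcuts) { 'No unsigned Chrome binaries or altered shortcuts found.' }
```

Anything listed is worth keeping a copy of before the uninstall, since it shows which file was replaced or which shortcut was redirected.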