This fake ad blocker locks up your files and hijacks your PC to mine cryptocurrency


Be careful if you're trying to install a Windows ad blocker, because it could turn out to be malware.

A very nasty Trojan that combines ransomware and a cryptocurrency miner is posing as an ad blocker called AdShield Pro, says Kaspersky in a new report. The malware has tried to infect more than 7,000 machines since Feb. 1.

The malware also poses as OpenDNS networking software, the NetShield ad blocker and the Malwarebytes anti-malware software, Kaspersky said. The bogus software is often found through malicious websites that turn up in search results. The fake Malwarebytes version targeted more than 100,000 PCs back in August 2020, according to an Avast report.

No matter what kind of software this Trojan pretends to be, the end result is that the XMRig combination ransomware/coin miner is installed on your machine. In fact, the malware locks up your files before it starts harnessing your CPU to mine the Monero cryptocurrency.

"The computer would already start earning money for the cybercriminals just as the user saw the ransom note," said an earlier Kaspersky writeup on XMRig from this past October.

But wait, it gets worse

The malware also downloads and installs a legitimate version of the Transmission BitTorrent client and creates a backdoor so that criminals can remotely access and control the machine. It reroutes the PC's DNS settings so that website-address lookups are resolved by the attackers' own servers and connections to antivirus websites are blocked.
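
If you want to check a Windows machine for the DNS tampering described above, the PowerShell sketch below lists any configured resolver that is not on your approved list and tests whether security-vendor domains still resolve. It is an added example, not taken from the Kaspersky or Avast reports; the resolver addresses and the probe domain are placeholders you must replace, and the function names are made up for this illustration.

```powershell
# Added example: audit Windows DNS client settings for unexpected resolvers.
# ASSUMPTION: placeholder values below; substitute your own before running.
$ApprovedResolvers = @('192.0.2.53', '192.0.2.54')  # resolvers your network should hand out
$ReferenceResolver = '192.0.2.1'                     # a resolver you trust, queried directly
$ProbeDomains      = @('antivirus-vendor.example')   # your security vendors' real domains

function Get-UnexpectedDnsServer {
    param([string[]]$Approved)
    # List every IPv4 resolver configured on any adapter that is not approved.
    foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($addr in $iface.ServerAddresses) {
            if ($addr -notin $Approved) {
                [pscustomobject]@{ Interface = $iface.InterfaceAlias; Resolver = $addr }
            }
        }
    }
}

function Resolve-ARecord {
    param([string]$Name, [string]$Server)
    # Returns sorted A-record addresses, or nothing if the lookup fails.
    $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try {
        Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress } | Sort-Object
    } catch { }
}

function Test-ProbeDomain {
    param([string[]]$Domains, [string]$Reference)
    foreach ($name in $Domains) {
        $local = @(Resolve-ARecord -Name $name)                     # system resolver
        $ref   = @(Resolve-ARecord -Name $name -Server $Reference)  # trusted reference
        [pscustomobject]@{
            Domain       = $name
            LocalAnswer  = $local -join ','
            RefAnswer    = $ref -join ','
            # Lookup fails through the system resolver but works via the reference.
            LocalBlocked = ($local.Count -eq 0 -and $ref.Count -gt 0)
        }
    }
}

Get-UnexpectedDnsServer -Approved $ApprovedResolvers | Format-Table -AutoSize
Test-ProbeDomain -Domains $ProbeDomains -Reference $ReferenceResolver | Format-Table -AutoSize
```

Differing addresses between the two answers are normal for sites behind content-delivery networks, so treat only an unapproved resolver or a `LocalBlocked` result as a reason to investigate further.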

It even tries to evade detection by comparing the actual system profile to what's in the Windows license file. If the two system profiles don't match, then the malware assumes it's running on a virtual machine — often used by information-security researchers — and the installation process stops.

Between the ransomware locking up your files, the coin miner ramping up your CPU, the hijacked DNS sending your web queries God knows where and the human attackers behind the malware gaining control of your machine, you'd be pretty hosed if this managed to get on your PC.

To avoid that unfortunate situation, make sure you download OpenDNS and Malwarebytes only from their official websites. 

We would love to say the same about AdShield and NetShield, but it turns out there are several different programs available online using each of those names, so it might be best to avoid them all. (If you want ad blocking with no fuss, try the Brave browser.) 

And, of course, you should be running one of the best antivirus programs, which will detect and neutralize this threat before it can be installed.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
