This fake ad blocker locks up your files and hijacks your PC to mine cryptocurrency

A man's hands type on a laptop with the words 'Ad Blocker' displayed on the screen.
(Image credit: Pinone Pantone/Shutterstock)

Be careful if you're trying to install a Windows ad blocker, because it could turn out to be malware.

A very nasty Trojan that combines ransomware and a cryptocurrency miner is posing as an ad blocker called AdShield Pro, says Kaspersky in a new report. The malware has tried to infect more than 7,000 machines since Feb. 1.

The malware also poses as OpenDNS networking software, the NetShield ad blocker and the Malwarebytes anti-malware software, Kaspersky said. The bogus software is often found through malicious websites that turn up in search results. The fake Malwarebytes version targeted more than 100,000 PCs back in August 2020, according to an Avast report.

No matter what kind of software this Trojan pretends to be, the end result is that the XMRig combination ransomware/coin miner is installed on your machine. In fact, the malware locks up your files before it starts harnessing your CPU to mine the Monero cryptocurrency.

"The computer would already start earning money for the cybercriminals just as the user saw the ransom note," said an earlier Kaspersky writeup on XMRig from this past October.

But wait, it gets worse

The malware also downloads and installs a legitimate version of the Transmission Bittorrent client and creates a backdoor so that criminals can remotely access and control the machine. It reroutes the PC's DNS settings so that website-address lookups are resolved by the attackers' own servers and connections to antivirus websites are blocked.

It even tries to evade detection by comparing the actual system profile to what's in the Windows license file. If the two system profiles don't match, then the malware assumes it's running on a virtual machine — often used by information-security researchers — and the installation process stops.

Between the ransomware locking up your files, the coin miner ramping up your CPU, the hijacked DNS sending your web queries God knows where and the human attackers behind the malware gaining control of your machine, you'd be pretty hosed if this managed to get on your PC.

To avoid that unfortunate situation, make sure you download OpenDNS and Malwarebytes only from their official websites. 

We would love to say the same about AdShield and NetShield, but it turns out there are several different programs available online using each of those names, so it might be best to avoid them all. (If you want ad blocking with no fuss, try the Brave browser.) 

And, of course, you should be running one of the best antivirus programs, which will detect and neutralize this threat before it can be installed.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.