BlockTheAds Ads

By GoldSparrow in Adware

Threat Scorecard

Popularity Rank: 9,160
Threat Level: 80 % (High)
Infected Computers: 1,338
First Seen: July 8, 2015
Last Seen: April 22, 2026
OS(es) Affected: Windows

BlockTheAds is an application developed by Webpick Internet Holdings. The software is presented as a way to enhance the browsing experience of PC users by blocking unwanted advertisements, thereby improving the browser's performance and reducing clutter. The tool may sound handy, but its publishers may have neglected to mention that their software is ad-supported. BlockTheAds may prevent websites from showing their advertisements, but that does not solve the problem. Instead, it inserts its own ads in place of the original ones, depriving the website's authors of their revenue. This technique is very questionable, and our security researchers recommend that you stay away from BlockTheAds and any other product coming from Webpick Internet Holdings.

The company is known for its adware, and BlockTheAds isn't any different. As soon as you install this app, it may inject BlockTheAds ads into your web browsers. Injecting ads isn't the only thing this application can do: it may also run in the background and collect data about your browsing habits. If this software is installed on your PC, we advise you to use a legitimate anti-malware solution, which should easily remove the BlockTheAds adware.

Analysis Report

General information

Family Name: Trojan.PShell.A
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Company Name: Anss Studio
File Version: 2024,1,20,0
Internal Name: 10x Pro V4_X
Product Name: 10x Pro V4_X
Product Version: 10.3.2.8750

Digital Signatures

Signer: Jayro Jones
Root: Jayro Jones
Status: Self Signed

File Traits

  • 2+ executable sections
  • HighEntropy
  • No Version Info
  • packed
  • x64

Block Information

Total Blocks: 353
Potentially Malicious Blocks: 17
Whitelisted Blocks: 336
Unknown Blocks: 0

Similar Families

  • Agent.OCD
  • Bitcoinminer.B
  • Cryptobit.E
  • Gamehack.BQ
  • PShell.A
  • PShell.B

Files Modified

File Attributes
c:\2b20.tmp\2b21.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\4727.tmp\4728.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\a40b.tmp\a41b.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ba9a.tmp\ba9b.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ba9a.tmp\peshutdown.exe Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\clsid\{20d04fe0-3aea-1069-a2d8-08002b30309d}\defaulticon:: X:\Program Files\Mr_Virus\ICON\Computer.ico RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelIoFileEx
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryTimerResolution
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetSecurityObject
  • ntdll.dll!NtSetTimer2

23 additional items are not displayed above.

Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Terminate
  • TerminateProcess

Shell Command Execution

"C:\WINDOWS\system32\cmd" /c "\4727.tmp\4728.bat c:\users\user\downloads\e1c32d09a5a36124fa8954ae4579a2909ffff0d3_0000106496"
open C:\WINDOWS\system32\cmd /c "\A40B.tmp\A41B.bat c:\users\user\downloads\e0b3e5f3ff145af472bb8cab36653afe4cabcce3_0000189952"
C:\WINDOWS\system32\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon" /v "" /t REG_SZ /d "X:\Program Files\Mr_Virus\ICON\Computer.ico" /f
WriteConsole: The operation co
C:\WINDOWS\system32\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon" /v "Empty" /t REG_SZ /d "X:\Program Files\Mr_Virus\ICON\Empty.ico" /f
open C:\WINDOWS\system32\cmd /c "\BA9A.tmp\BA9B.bat c:\users\user\downloads\66e182f7e132229e5357b64c930691a9ddfd8715_0000322720"
WriteConsole:
WriteConsole: c:\BA9A.tmp>
WriteConsole: peshutdown.exe
WriteConsole: /reboot
open C:\WINDOWS\system32\cmd /c "\2B20.tmp\2B21.bat c:\users\user\downloads\c1ffcc849e17b7d73fa7ac50cacfe1375a071f25_0000154112"
WriteConsole: c:\users\user\do
WriteConsole: "C:\Program File
WriteConsole: The system canno
WriteConsole: wait
WriteConsole: 'wait' is not re
