Blocktheads is a browser extension and potentially unwanted program (PUP) that infiltrates web browsers under the guise of providing useful features while actually hijacking user searches, injecting advertisements, and tracking browsing activity. First documented in 2015, this extension primarily targets Chrome and Firefox installations, redirecting search queries through suspicious third-party servers and modifying browser settings without explicit user consent. While not technically classified as malware in the traditional sense, Blocktheads exhibits aggressive behavior that degrades system performance, compromises privacy, and creates security vulnerabilities by exposing users to questionable advertising networks.

Blocktheads — cybersecurity illustration
Photo by cottonbro studio on Pexels

The extension presents itself as a legitimate productivity or entertainment tool, often bundled with free software downloads or promoted through deceptive advertising campaigns. Once installed, it operates with elevated permissions that allow it to read and modify data on all websites visited, intercept search queries, and inject content into web pages. Users typically discover the infection when their homepage changes unexpectedly, search results redirect through unfamiliar domains, or their browser becomes noticeably slower due to excessive advertising scripts.

Think you're infected right now? Disconnect from the internet immediately to prevent data exfiltration and avoid clicking on any advertisements or pop-ups. Close your browser completely (check Task Manager to ensure all browser processes have terminated). Do not attempt to use the browser until you've followed the removal steps below or brought the machine to our shop. Time matters — the longer this extension remains active, the more tracking data gets transmitted and the higher your exposure to malicious advertising networks.

Threat Profile

Attribute Details
Threat Classification Potentially Unwanted Program (PUP), Browser Hijacker, Adware Extension
Aliases Block.Heads, Blocktheads Extension, Blocktheads Toolbar
Affected Platforms Windows (Vista through 11), macOS (10.9+); targets Chrome, Firefox, Edge (Chromium)
First Documented Mid-2015; variants continue to appear with updated certificates
Distribution Methods Software bundling, fake updates, deceptive advertisements, freeware installers
Persistence Mechanisms Browser extension installation, modified browser shortcuts, scheduled tasks (some variants), Windows registry entries for auto-launch
Primary Capabilities Search hijacking, advertisement injection, tracking cookie deployment, homepage/new tab modification, data collection from browsing activity
Data Collection Search queries, visited URLs, clicked links, browser metadata, IP address, approximate geolocation, system information
Network Behavior Connects to advertising networks and tracking servers; redirects search queries through intermediary domains; loads remote JavaScript from multiple third-party sources
Typical Artifacts Extension folder in browser profile directory, modified browser preferences JSON files, tracking cookies from multiple domains, scheduled tasks (variant-dependent)
Payload Delivery Risk Moderate — while not directly malicious, creates pathways for drive-by downloads and malvertising exposure
Removal Difficulty Moderate; browser-level removal straightforward, but persistence mechanisms may reinstall extension without thorough cleanup

How It Spreads

Blocktheads primarily spreads through software bundling, a distribution tactic where the extension is packaged with legitimate free software downloads. When users download utilities, media players, PDF converters, or other freeware from third-party hosting sites, the installer often includes Blocktheads as an "optional" component. The catch is that this option is typically pre-checked or presented in a misleading way during the "Custom" or "Advanced" installation process that most users skip by choosing "Express" installation instead. This social engineering technique exploits user behavior patterns, where people click through installation wizards quickly without reading the fine print.

Beyond bundling, the extension spreads through fake update notifications that mimic legitimate browser or software update prompts. These deceptive alerts appear on compromised websites or through existing adware infections, claiming that the user's browser, Flash Player, or video codec is outdated and requires immediate updating. Clicking the update button downloads an installer that deploys Blocktheads along with potentially other unwanted programs. Some distribution campaigns use search engine optimization (SEO) poisoning, where malicious actors manipulate search results for popular software downloads to direct users to download portals hosting bundled installers.

The infection vectors include:

  • Software bundle packages from freeware hosting sites like Softonic, Download.com mirrors, or torrent sites offering "cracked" software
  • Fake update prompts for Adobe Flash Player, browser updates, video codecs, or Java runtime environments displayed on compromised or malicious websites
  • Malvertising campaigns where legitimate advertising networks inadvertently serve malicious ads that trigger automatic downloads or redirect to installer pages
  • Browser exploit kits that take advantage of outdated browser versions to push silent or semi-silent extension installations (less common but documented)
  • Social engineering via email with links to "useful browser tools" or "productivity extensions" from unfamiliar sources
  • Compromised WordPress sites and other CMS platforms serving injected scripts that prompt extension installation through fake security warnings

What It Does On Your Machine

Once installed, Blocktheads requests extensive permissions from the browser that allow it to "read and change all your data on the websites you visit." This permission grants the extension complete visibility into every web page you load, every form you fill out, and every search query you enter. The extension immediately begins modifying your browser's configuration: it changes your default search engine to redirect queries through monetized search intermediaries, alters your new tab page to display its own landing page filled with sponsored links, and may modify your homepage settings. These changes are designed to generate revenue through search redirect affiliate programs where the operators earn money each time a user's search passes through their proxy servers.

The most noticeable symptom is the injection of advertisements into web pages where they don't belong. Blocktheads uses content script injection to add banner ads, pop-ups, in-text advertising links, and video overlays to websites you visit. These aren't the sites' regular ads — they're extra advertising loaded from third-party networks, often featuring lower-quality or outright suspicious products and services. The extension also tracks your browsing activity meticulously, collecting data about which sites you visit, what you search for, which links you click, and how long you spend on different pages. This behavioral data is aggregated and typically sold to advertising networks or data brokers, creating privacy concerns and potentially exposing sensitive information about your interests, shopping habits, and online behavior patterns.

Performance degradation becomes noticeable as Blocktheads loads multiple external scripts with every page view. Your browser consumes more memory, pages load more slowly, and you may experience frequent freezing or crashing as the extension competes with legitimate page resources. Some variants install persistence mechanisms outside the browser itself, creating scheduled tasks that re-install the extension if you remove it through normal browser settings. The extension may also modify browser shortcut targets on your desktop and taskbar, appending parameters that force the browser to load specific URLs on startup, making removal more complex than simply disabling an extension.

Typical Blocktheads Artifacts (Windows, Chrome example):
Extension installation:
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\[random-extension-id]\
// Extension ID varies by variant, folder contains extension code
Modified browser preferences:
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences
// JSON file with altered search engine and homepage settings
Persistence scheduled task (some variants):
C:\Windows\System32\Tasks\BlocktheadsUpdate
// Task that reinstalls extension on schedule or at login
Modified browser shortcut target example:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --homepage="http://[redirect-domain].com"
// Desktop/taskbar shortcuts may have appended parameters
Associated tracking cookies from domains like:
adtrack.ministerial-ads.com, sync.advertising-network-domain.net
// Multiple third-party tracking domains set persistent cookies

Manual Removal — Step by Step

01

Disconnect and Document

Disconnect your computer from the internet by unplugging the ethernet cable or turning off WiFi. Take a moment to write down any suspicious symptoms you've noticed: changed homepage URLs, unfamiliar search engines, or advertising domains you've seen repeatedly. This documentation helps verify complete removal later. Close all browser windows completely — don't just minimize them.

02

Boot Into Safe Mode with Networking

Restart your computer into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and press F5 for Safe Mode with Networking. This prevents Blocktheads' persistence mechanisms from running while still allowing you to download removal tools if needed. Safe Mode loads only essential system components, making it harder for PUPs to interfere with removal.

03

Uninstall Suspicious Programs

Open Settings → Apps → Apps & Features (or Control Panel → Programs and Features on older Windows versions). Sort by install date and look for any programs you don't recognize that were installed around the time your browser problems started. Uninstall anything suspicious, especially programs with vague names, no publisher information, or installation dates that coincide with your infection. Common associated programs include "Web Companion," "SearchProtect," "Browser Assistant," or anything with "Blocktheads" in the name.

04

Remove the Browser Extension

Open your affected browser and navigate to the extensions management page (Chrome: chrome://extensions/, Firefox: about:addons, Edge: edge://extensions/). Look for Blocktheads or any extensions you didn't intentionally install. Remove suspicious extensions by clicking the Remove or Uninstall button. Don't just disable them — complete removal is essential. Check all installed browsers on your system, not just your primary one, as the extension may have installed itself in multiple browsers.

05

Delete Persistence Mechanisms

Open Task Scheduler (search for "Task Scheduler" in the Start menu) and examine the Task Scheduler Library. Look for any tasks with suspicious names, especially those that reference browser executables or URLs in their actions. Delete any tasks you don't recognize or that were created around your infection date. Next, press Windows+R, type "shell:startup" and press Enter to open your Startup folder — delete any shortcuts you don't recognize that might reinstall the extension.

06

Clean Browser Shortcuts

Right-click on your browser shortcuts (desktop, taskbar, Start menu) and select Properties. Examine the Target field — it should contain only the path to the browser executable with no additional URLs or parameters appended. If you see anything after the .exe" (including quotation marks), delete everything after the closing quote mark. Click Apply, then OK. Repeat for all browser shortcuts on your system.

07

Reset Browser Settings

In each affected browser, navigate to settings and perform a reset. Chrome: Settings → Reset and clean up → Restore settings to their original defaults. Firefox: Help → More troubleshooting information → Refresh Firefox. Edge: Settings → Reset settings → Restore settings to their default values. This removes modified search engines, homepages, and clears extension-related preferences without deleting your bookmarks or saved passwords.

08

Scan with Malwarebytes

Reconnect to the internet, download Malwarebytes Free from malwarebytes.com, and run a full Threat Scan. Malwarebytes excels at detecting PUPs like Blocktheads and associated bundled software. Let the scan complete (typically 20-45 minutes), then quarantine all detected items. Restart your computer when prompted. This catches any remnants or related PUPs that manual removal might have missed.

09

Clear Browser Data and Cookies

Open each browser's settings and clear all browsing data, focusing on cookies and cached files from the time period when Blocktheads was active. This removes tracking cookies planted by the extension's advertising network partners. Chrome: Settings → Privacy and security → Clear browsing data → select "All time" and check Cookies and Cached images. Be aware this will sign you out of websites, so have your passwords ready.

10

Verify and Test

Restart your computer in normal mode. Open your browser and verify that your homepage and search engine are what you expect. Visit several websites and confirm that no unexpected advertisements appear. Perform a few searches and check that results come from your chosen search engine, not an unfamiliar redirect service. Monitor your system over the next few days for any signs of re-infection. If problems return, there may be a persistence mechanism you missed — bring it to the shop.

Prevention

  1. Always choose Custom installation. When installing any free software, never click "Express" or "Recommended" installation. Always select "Custom" or "Advanced" and carefully read each screen, unchecking any pre-selected optional software, browser extensions, or toolbars. Legitimate software respects your choice to decline bundled offers.
  2. Download from official sources only. Get software directly from the developer's official website, not from third-party download portals like Softonic, Download.com aggregators, or torrent sites. These intermediary sites often repackage legitimate software with bundled PUPs to generate revenue. If you must use a download portal, verify it's the official mirror listed on the software developer's actual website.
  3. Keep browsers and plugins updated. Enable automatic updates for your browser and remove outdated plugins like Flash Player (which Adobe discontinued in 2020) that create security vulnerabilities. Modern browsers handle most media natively and don't require third-party plugins that PUPs often impersonate with fake update prompts.
  4. Install a reputable ad blocker. Extensions like uBlock Origin (not uBlock — check carefully) block malicious advertising networks and many of the fake update prompts used to distribute PUPs. Ad blockers also reduce your exposure to malvertising campaigns that can initiate drive-by downloads or redirect you to infected sites.
  5. Review browser extensions regularly. Once per month, open your browser's extension management page and audit what's installed. Remove extensions you no longer use and investigate any you don't remember installing. Even legitimate extensions can be sold to new owners who transform them into adware or data collection tools.
  6. Don't click fake update warnings. Legitimate software updates through Windows Update, the browser's built-in updater, or the application's official auto-update mechanism — never through pop-up warnings on websites. If a site claims your Flash, Java, codec, or browser needs updating, close the page and check for updates through official channels manually.
  7. Use standard user accounts for daily computing. Don't browse the web or open email while logged in as an administrator. Create a standard user account for everyday use. This limits the ability of malicious software to install system-wide persistence mechanisms, making infections easier to clean and sometimes preventing them entirely.
  8. Maintain healthy skepticism. If an offer seems too good to be true (free premium software, amazing deals, urgent security warnings), it probably is. Legitimate companies don't advertise through pop-ups, don't claim your system is infected through web pages, and don't require you to install browser extensions to view content or claim prizes.
Our 90-Day Warranty — When we remove Blocktheads or any other infection from your machine, we back our work with a 90-day reinfection warranty. If the same threat returns within 90 days through no fault of your own (not from reinstalling the same infected software or visiting the same malicious sites), we'll clean it again at no charge. We also provide a written report of what we found and removed, along with personalized prevention recommendations based on how the infection occurred on your specific system.

Bring It In

If you've followed these removal steps and still see symptoms — unexpected ads, redirected searches, changed browser settings that keep reverting — the infection is likely more complex than standard Blocktheads alone. Some PUP infections involve multiple components that reinstall each other, or the initial infection served as a delivery mechanism for additional threats. Blocktheads may have been the visible symptom of a broader compromise. Our diagnostic process at Computer Repair Roswell examines not just the obvious infections but the entire chain of compromise, identifying how the infection entered your system and what other changes it made while active.

We're located in Roswell, Georgia, and we handle these browser hijacker infections daily. Most Blocktheads removals take 2-3 hours for thorough cleaning including verification, system hardening, and testing to ensure nothing reinstalls. We'll also examine your browser extension habits and installation practices to identify what allowed the infection in the first place, so you can avoid repeat infections. Call us at (770) 223-0771 or stop by our shop at 1295 Hembree Road. We're open Monday through Friday 9 AM to 6 PM, and Saturday 10 AM to 4 PM. Bring the infected machine in — no appointment necessary for diagnostics, and we'll give you an honest assessment of what needs to be done and what it will cost before we do any work.