Chrome browser extension - virus/malware and unable to uninstall

Hi Experts,
I'm stumped on removing a virus from a computer. It shows up as an extension in Google Chrome. It's called WebSecurity and I can't find more than 5 hits on the internet.
This is the bad extension.

Against this, we've run Hitman Pro, MalwareBytes, AdwCleaner, Spybot, HijackThis.

We're looking for advice on a way to remove the extension permanently.
John, Business Consultant (Owner), commented:
It appears to be an extension (add-in) from Google Store. Here is a support page for uninstalling.

https://support.google.com/chrome_webstore/answer/2664769?hl=en

Does this help?
Elixir2 (Author) commented:
Ah, we're way past that. When you try to use the instructions you linked (uninstall an extension) we do not see the option to "Remove from Chrome" nor a little trash can. Instead, we see an office building icon and the hover tip says "Installed by Enterprise Policy." This computer is not part of an enterprise or a domain, etc. It is a home-use computer with a virus.

Also, when using CCleaner, we see in the Startup under Google Chrome only, the Extension called "WebSecurity" version 2. And when we try to use CCleaner to Disable or Delete, it responds, "Some of the selected items cannot be changed as they are protected by the browser."

I am currently researching here. These are the steps I'm following... for now.
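The "Installed by Enterprise Policy" badge means Chrome is honouring a force-install policy, which on Windows is set through the registry, so that is the first place to look for the entry that keeps re-adding the extension. As an added example (not from the thread or from any of the tools named in it), this PowerShell lists those policy entries and resolves each extension id to the name in its manifest; the "Default" profile path and the function names are assumptions.

```powershell
# Added example, not code from the original thread. Lists Chrome extensions that are
# force-installed through policy: such an entry is what produces the
# "Installed by Enterprise Policy" badge and hides the trash-can icon.
# Assumes a standard Chrome install and the "Default" profile folder.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

function Get-ChromeExtensionName {
    param([string]$Id)
    # Resolve the 32-character extension id to the name in the extension's own manifest
    $extRoot  = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    $manifest = Get-ChildItem -Path (Join-Path $extRoot $Id) -Filter manifest.json -Recurse -File -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if (-not $manifest) { return '(not present in the Default profile)' }
    $name = (Get-Content -Raw -Path $manifest.FullName | ConvertFrom-Json).name
    if ($name -like '__MSG_*') {
        # Localised name: look the key up in the first messages.json under _locales
        $key  = $name -replace '^__MSG_(.+)__$', '$1'
        $msgs = Get-ChildItem -Path (Join-Path $manifest.DirectoryName '_locales') -Filter messages.json -Recurse -File -ErrorAction SilentlyContinue |
                Select-Object -First 1
        if ($msgs) { $name = (Get-Content -Raw -Path $msgs.FullName | ConvertFrom-Json).$key.message }
    }
    return $name
}

function Get-ForcedChromeExtension {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Values are named "1", "2", ... and each holds "<extension id>;<update url>"
        foreach ($valueName in ($props.PSObject.Properties.Name | Where-Object { $_ -match '^\d+$' })) {
            $id, $updateUrl = $props.$valueName -split ';', 2
            [pscustomobject]@{
                PolicyKey   = $key
                ExtensionId = $id
                UpdateUrl   = $updateUrl
                Name        = Get-ChromeExtensionName -Id $id
            }
        }
    }
}

# A home machine that is not domain-joined should normally have no Chrome policy keys at all,
# so any row here is worth explaining before the extension is removed.
Get-ForcedChromeExtension | Format-Table -AutoSize
```

The same entries are visible from the browser side at chrome://policy; newer Chrome versions can also force-install through the ExtensionSettings policy under the same registry path, so an empty forcelist does not by itself clear the key.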
John, Business Consultant (Owner), commented:
If you are getting pop ups, try the following:

Download, install and run Process Explorer from Microsoft. Look under Explorer on the left side and see if there are any strange (alphanumeric) processes. If so, kill these processes, exit Process Explorer and do NOT restart.

Now run Malwarebytes again to remove these processes while they are stopped.

When that is done, restart.
Thomas Zucker-Scharff, Solution Guide, commented:
Or you can download and install chameleon from malwarebytes.org (malwarebytes.org/chameleon). Run svchosts from the chameleon directory.

Also you may wish to try SPYBHOREMOVER and then SPYDLLREMOVER from securityxploded.com.
jcimarron commented:
Elixir2--
What negative events do you experience by leaving Web Security alone?  
As mentioned, it is an add-on from Google.  I see no indication it is malware or a virus.
Elixir2 (Author) commented:
I've run Malwarebytes with the services stopped. It looks good until you start Chrome again, and then the plug-in comes back. I'll try some of Thomas' ideas, too.

When Chrome is running this extension, CPU use spikes to 100%. We believe it to be part of a spy-ware collection, some of which can send data to a third party and log keystrokes. It most definitely is NOT something that comes with Chrome as a default install. It is malware. I have reported it to the Google store (see link in OP if you wish to do the same.)

Better yet, if you have a "Sandbox" go ahead and install this Chrome extension and then see if you can remove it. Tell me how you did it.
John, Business Consultant (Owner), commented:
Uninstall Chrome completely, stop processes / services again, run Malwarebytes again. Shut down, start up and check if any errors occur.

Only after complete cleanup, install the newest version of Chrome.
jcimarron commented:
Elixir2--
If this started only recently, run a System Restore to a time before the problem started.
Mike Sun, Senior Systems Engineer (IBM - retired), commented:
Another place worth checking is the properties of the icon to start up Chrome. There may be a command line argument (under target) to add the offending extension in there.
David Anders, Technician, commented:
There are manual removal instructions here
https://www.pcrisk.com/removal-guides/8014-web-security-app-adware
jcimarron commented:
Elixir2--
I am not convinced that the WebSecurity Add-on is virus/malware.  
I suspect the 100% use of CPU is due to some other application.  Have you run Process Explorer (as suggested earlier) to see if any unsuspected application is running?
http://technet.microsoft.com/en-us/sysinternals/bb896653

"When Chrome is running this extension, CPU use spikes to 100%. "  Does this mean there are times when you are not running this extension?   If so, do not run it.

FWIW--the link posted by davidanders is about WebSecurity App-- not necessarily Google's WebSecurity Add-on.
Elixir2 (Author) commented:
I'll pick up from my last post and respond in order. Thank you all, Experts, for this, as the rabbit-hole goes deeper. You'll be amazed what we found (or didn't find)...

John Hurst - did the uninstall/reinstall. I used a tool called Complete Uninstall to get rid of all Chrome's keys and folders. MBAM finds nothing, then after reinstalling Chrome's newest version, the bad extension comes back. No joy.

To everyone: this extension is NOT in your Chrome browser so stop suggesting it is a "normal" or "default" thing that I should just live with. LMAO. That is not an option.

jcimarron - we are past the last clean system restore point, as this occurred in May. Good idea, though. Also to your last post - I meant "When Chrome is running, this extension causes CPU to spike to 100%." When I close Chrome it goes away and memory use drops immediately.

Mike Sun - Great idea, checked shortcut after reinstalling Chrome and it is clean. Sorry!

davidanders - that's a different malware, as jcimarron suspected. Not what we are looking at.

I was able to get additional information from the client/end user who had this "befall" him. His ex-girlfriend installed this software on the computer: http://www.webwatcher.com/ 
And paid for a subscription, so it will be tough to get rid of, according to them. We chatted with tech support from Awareness Technologies (maker of WebWatcher) and they provided the attachment that needs to be filled out and returned to authorize removal of the software!

So now we know that the name is not just WebSecurity; it is a Chrome extension for WebWatcher, and we have another lead in this mystery. Hack on Experts! Let me know what you find.
FraudInvestigation.pdf
Elixir2 (Author) commented:
PS: I am not seeing any pop-ups, FWIW. This is a monitoring software...
Mike Sun, Senior Systems Engineer (IBM - retired), commented:
Another place worth checking is the task scheduler. Under "Task Scheduler Library", remove any unknown or unwanted tasks found in there...
Elixir2 (Author) commented:
So what I did was this: I used the elements I had gathered like a detective: the exact date the software was installed; the logo of the company creator; some research from the net and from the EU... I pieced together how this works.

I rebooted using H***** and located a folder c:\windows\system32\ryjoor created on the exact date reported by the EU, which has files in it that reference Skyhook Wireless in the .dll code, which was another clue that linked me back to the company logo (which told me I was on the right track).

Their software creates a randomized string of characters to install into the windows\system32 folder (and I have read that it could move around), but the fact that Skyhook Wireless was referenced there in the code on the infected PC as well as online... well, yea.

So in H***** miniXP, I browsed over to c:\windows\system32\ryjoor and nuked the whole thing. It didn't come back in further testing. The processes were invoked from within Chrome still (upon startup), and that part could not be removed. But the files needed to run the processes and resulting services were no longer there. Both processes and services remained terminated/dormant.

Once we rebooted back into normal mode, the DNS was broken (i.e. could not open any websites). That pretty much confirmed for me that we had nailed it. I added static Google DNS in the LAN settings and got back online. I did not have time to test what happened with dynamic DNS.

We monitored internet traffic for days afterward just out of curiosity and saw nothing out of the ordinary. Even though we ran out of time to get the Chrome browser completely clean, this will give someone else instructions on how to get rid of this without a court order. Or so we think...
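The author's manual hunt (a randomly named folder under System32 created on the install date, identified by vendor strings in its DLLs, plus the scheduled-task check suggested earlier) can be turned into a repeatable triage step. As an added example, not the author's or the vendor's code, this PowerShell lists System32 subfolders created around a reported install date and summarises what their binaries carry; the function name, the VendorHint string and the sample date are assumptions.

```powershell
# Added example, not code from the original thread. Triage helper for the pattern
# described above: a randomly named folder dropped under System32 on the day the
# monitoring software was installed. The date and vendor string are placeholders;
# supply what the end user actually reports. Read-only: it deletes nothing.
function Find-RecentSystem32Folder {
    param(
        [Parameter(Mandatory)][datetime]$InstalledOn,
        [int]$WindowDays = 2,
        [string]$VendorHint = 'ExampleVendor'   # assumed placeholder, not a real indicator
    )
    $root = Join-Path $env:windir 'System32'
    $from = $InstalledOn.Date.AddDays(-$WindowDays)
    $to   = $InstalledOn.Date.AddDays($WindowDays + 1)

    Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -lt $to } |
        ForEach-Object {
            $dir  = $_
            $bins = @(Get-ChildItem -Path $dir.FullName -Include *.dll, *.exe -Recurse -File -ErrorAction SilentlyContinue)
            # Version metadata, Authenticode status and an ASCII string search for the vendor hint:
            # unsigned, unbranded binaries in a freshly created System32 folder deserve a closer look.
            $companies = $bins | ForEach-Object { $_.VersionInfo.CompanyName } | Where-Object { $_ } | Sort-Object -Unique
            $signed    = @($bins | Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid' }).Count
            $hintHits  = @($bins | Where-Object { Select-String -Path $_.FullName -Pattern $VendorHint -Quiet -ErrorAction SilentlyContinue }).Count
            # Scheduled tasks (suggested earlier in the thread) whose action launches something from the folder
            $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
                     Where-Object { $_.Actions.Execute -like "$($dir.FullName)\*" } |
                     Select-Object -ExpandProperty TaskName
            [pscustomobject]@{
                Folder         = $dir.FullName
                Created        = $dir.CreationTime
                Binaries       = $bins.Count
                ValidlySigned  = $signed
                VendorHintHits = $hintHits
                Companies      = ($companies -join ', ')
                ScheduledTasks = ($tasks -join ', ')
            }
        }
}

# Constructed example call: a May install date, as in the thread; the exact day and year are placeholders.
Find-RecentSystem32Folder -InstalledOn '2014-05-15' | Format-List
```

Run it from an elevated PowerShell so System32 subfolders and the task library are fully readable; a folder that shows zero validly signed binaries, a vendor-hint hit and a task pointing into it is the one to take offline (as the author did from boot media) rather than delete from within the running Windows install.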
Thomas Zucker-Scharff, Solution Guide, commented:
Just an FYI, that pirate cd is actually legal in some countries.
Elixir2 (Author) commented:
Though the Experts' input was helpful, this was not a case that could have been solved without direct access to the PC and the EU.