asked on Chrome browser extension - virus/malware and unable to uninstall
Hi Experts,
I'm stumped on removing a virus from a computer. It shows up as an extension in Google Chrome. It's called WebSecurity and I can't find more than 5 hits on the internet.
This is the bad extension.
Against this, we've run Hitman Pro, MalwareBytes, AdwCleaner, Spybot, HijackThis.
We're looking for advise on a way to remove the extension permanently.
I'm stumped on removing a virus from a computer. It shows up as an extension in Google Chrome. It's called WebSecurity and I can't find more than 5 hits on the internet.
This is the bad extension.
Against this, we've run Hitman Pro, MalwareBytes, AdwCleaner, Spybot, HijackThis.
We're looking for advise on a way to remove the extension permanently.
Web BrowsersAnti-Virus AppsWindows 7
Last Comment
Elixir2
ASKER
Ah, we're way past that. When you try to use the instructions you linked (uninstall an extension) we do not see the option to "Remove from Chrome" nor a little trash can. Instead, we see a office building icon and the hover tip says "Installed by Enterprise Policy." This computer is not part of an enterprise or a domain, etc. It is a home-use computer with a virus.
Also, when using CCleaner, we see in the Startup under Google Chrome only, the Extension called "WebSecurity" version 2. And when we try to use CCleaner to Disable or Delete, it responds, "Some of the selected items cannot be changed as they are protected by the browser."
I am currently researching here. These are the steps I'm following... for now.
Also, when using CCleaner, we see in the Startup under Google Chrome only, the Extension called "WebSecurity" version 2. And when we try to use CCleaner to Disable or Delete, it responds, "Some of the selected items cannot be changed as they are protected by the browser."
I am currently researching here. These are the steps I'm following... for now.
If you are getting pop ups, try the following:
Download, install and run Process Explorer from Microsoft. Look under Explorer on the left side and see if there are any strange (alphanumeric) processes. If so, kill these processes, exit Process Explorer and do NOT restart.
Now run Malwarebytes again to remove these processes while stopped
When that is done, restart.
Download, install and run Process Explorer from Microsoft. Look under Explorer on the left side and see if there are any strange (alphanumeric) processes. If so, kill these processes, exit Process Explorer and do NOT restart.
Now run Malwarebytes again to remove these processes while stopped
When that is done, restart.
Or you can download and install chameleon from malwarebytes.org (malwarebytes.org/chameleo
Also you may wish to try SPYBHOREMOVER and then SPYDLLREMOVER from securityxploded.com.
Also you may wish to try SPYBHOREMOVER and then SPYDLLREMOVER from securityxploded.com.
Elixir2--
What negative events do you experience by leaving Web Security alone?
As mentioned, it is an add-on from Google. I see no indication it is malware or a virus.
What negative events do you experience by leaving Web Security alone?
As mentioned, it is an add-on from Google. I see no indication it is malware or a virus.
ASKER
I've run Malwarebytes with the services stopped. It looks good until you start Chrome again, and then the plug in comes back. I'll try some of Thomas' ideas, too.
When Chrome is running this extension, CPU use spikes to 100%. We believe it to be part of a spy-ware collection some of which can send data to a third part and log keystrokes. It most definitely is NOT something that comes with Chrome as a default install. It is malware. I have reported it to the Google store (see link in OP if you wish to do the same.)
Better yet, if you have a "Sandbox" go ahead and install this Chrome extension and then see if you can remove it. Tell me how you did it.
When Chrome is running this extension, CPU use spikes to 100%. We believe it to be part of a spy-ware collection some of which can send data to a third part and log keystrokes. It most definitely is NOT something that comes with Chrome as a default install. It is malware. I have reported it to the Google store (see link in OP if you wish to do the same.)
Better yet, if you have a "Sandbox" go ahead and install this Chrome extension and then see if you can remove it. Tell me how you did it.
Uninstall Chrome completely, stop processes / services again, run Malwarebytes again. Shut down, start up and check if any errors occur.
Only after complete cleanup, install the newest version of Chrome.
Only after complete cleanup, install the newest version of Chrome.
Elixir2--
If this started only recently, run a System Restore to a time before the problem started.
If this started only recently, run a System Restore to a time before the problem started.
Another place worth checking is the properties of the icon to start up Chrome. There may be a command line argument (under target) to add the offending extension in there.
There are manual removal instructions here
https://www.pcrisk.com/removal-guides/8014-web-security-app-adware
https://www.pcrisk.com/removal-guides/8014-web-security-app-adware
Elixir2----
I am not convinced that the WebSecurity Add-on is virus/malware.
I suspect the 100% use of CPU is due to some other application. Have you run Process Explorer (as suggested earlier) to see if any unsuspected application is running?
http://technet.microsoft.com/en-us/sysinternals/bb896653
"When Chrome is running this extension, CPU use spikes to 100%. " Does this mean there are times when you are not running this extension? If so, do not run it.
FWIW--the link posted by davidanders is about WebSecurity App-- not necessarily Google's WebSecurity Add-on.
I am not convinced that the WebSecurity Add-on is virus/malware.
I suspect the 100% use of CPU is due to some other application. Have you run Process Explorer (as suggested earlier) to see if any unsuspected application is running?
http://technet.microsoft.com/en-us/sysinternals/bb896653
"When Chrome is running this extension, CPU use spikes to 100%. " Does this mean there are times when you are not running this extension? If so, do not run it.
FWIW--the link posted by davidanders is about WebSecurity App-- not necessarily Google's WebSecurity Add-on.
ASKER
I'll pick up from my last post and respond in order. Thank you all, Experts, for this, as the rabbit-hole goes deeper. You'll be amazed what we found (or didn't find)...
John Hurst - did the uninstall/reinstall. I used a tool called Complete Uninstall to get rid of all Chrome's keys and folders. MBAM finds nothing, then after reinstalling Chrome's newest version, the bad extension comes back. No joy.
To everyone: this extension is NOT in your Chrome browser so stop suggesting it is a "normal" or "default" thing that I should just live with. LMAO. That is not an option.
jcimarron - we are past the last clean system restore point, as this occurred in May. Good idea tho. Also to your last post - I meant "When Chrome is running, this extension causes CPU to spike to 100%" When I close Chrome it goes away and memory use drops immediately.
Mike Sun - Great idea, checked shortcut after reinstalling Chrome and it is clean. Sorry!
davidanders - that's a different malware, as jcimarron suspected. Not what we are looking at.
I was able to get additional information from the client/end user who had this "befall" him. His ex-girlfriend installed this software on the computer: http://www.webwatcher.com/
And paid for a subscription, so it will be tough to get rid of, according to them. We chatted with tech support from Awareness Technologies (maker of WebWatcher) and they provided the attachment needed to be filled out and returned to authorize removal of the software!
So now that we know that name is not just WebSecurity, but that is just a Chrome extension for WebWatcher, we have another lead in this mystery. Hack on Experts! Let me know what you find.
FraudInvestigation.pdf
John Hurst - did the uninstall/reinstall. I used a tool called Complete Uninstall to get rid of all Chrome's keys and folders. MBAM finds nothing, then after reinstalling Chrome's newest version, the bad extension comes back. No joy.
To everyone: this extension is NOT in your Chrome browser so stop suggesting it is a "normal" or "default" thing that I should just live with. LMAO. That is not an option.
jcimarron - we are past the last clean system restore point, as this occurred in May. Good idea tho. Also to your last post - I meant "When Chrome is running, this extension causes CPU to spike to 100%" When I close Chrome it goes away and memory use drops immediately.
Mike Sun - Great idea, checked shortcut after reinstalling Chrome and it is clean. Sorry!
davidanders - that's a different malware, as jcimarron suspected. Not what we are looking at.
I was able to get additional information from the client/end user who had this "befall" him. His ex-girlfriend installed this software on the computer: http://www.webwatcher.com/
And paid for a subscription, so it will be tough to get rid of, according to them. We chatted with tech support from Awareness Technologies (maker of WebWatcher) and they provided the attachment needed to be filled out and returned to authorize removal of the software!
So now that we know that name is not just WebSecurity, but that is just a Chrome extension for WebWatcher, we have another lead in this mystery. Hack on Experts! Let me know what you find.
FraudInvestigation.pdf
ASKER
PS: I am not seeing any pop-ups, FWIW. This is a monitoring software...
Another place worth checking is the task scheduler. Under "Task Scheduler Library", remove any unknown or unwanted tasks found in there...
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Just an FYI, that pirate cd is actually legal in some countries.
ASKER
Thought the Experts' input was helpful, this was not a case that could have been solved without direct access to the PC and the EU.
https://support.google.com/chrome_webstore/answer/2664769?hl=en
Does this help?