WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!
Chrome browser extension - virus/malware and unable to uninstall
Hi Experts,
I'm stumped on removing a virus from a computer. It shows up as an extension in Google Chrome. It's called WebSecurity and I can't find more than 5 hits on the internet.
This is the bad extension.
Against this, we've run Hitman Pro, MalwareBytes, AdwCleaner, Spybot, HijackThis.
We're looking for advise on a way to remove the extension permanently.
I'm stumped on removing a virus from a computer. It shows up as an extension in Google Chrome. It's called WebSecurity and I can't find more than 5 hits on the internet.
This is the bad extension.
Against this, we've run Hitman Pro, MalwareBytes, AdwCleaner, Spybot, HijackThis.
We're looking for advise on a way to remove the extension permanently.
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Ah, we're way past that. When you try to use the instructions you linked (uninstall an extension) we do not see the option to "Remove from Chrome" nor a little trash can. Instead, we see a office building icon and the hover tip says "Installed by Enterprise Policy." This computer is not part of an enterprise or a domain, etc. It is a home-use computer with a virus.
Also, when using CCleaner, we see in the Startup under Google Chrome only, the Extension called "WebSecurity" version 2. And when we try to use CCleaner to Disable or Delete, it responds, "Some of the selected items cannot be changed as they are protected by the browser."
I am currently researching here. These are the steps I'm following... for now.
Also, when using CCleaner, we see in the Startup under Google Chrome only, the Extension called "WebSecurity" version 2. And when we try to use CCleaner to Disable or Delete, it responds, "Some of the selected items cannot be changed as they are protected by the browser."
I am currently researching here. These are the steps I'm following... for now.
If you are getting pop ups, try the following:
Download, install and run Process Explorer from Microsoft. Look under Explorer on the left side and see if there are any strange (alphanumeric) processes. If so, kill these processes, exit Process Explorer and do NOT restart.
Now run Malwarebytes again to remove these processes while stopped
When that is done, restart.
Download, install and run Process Explorer from Microsoft. Look under Explorer on the left side and see if there are any strange (alphanumeric) processes. If so, kill these processes, exit Process Explorer and do NOT restart.
Now run Malwarebytes again to remove these processes while stopped
When that is done, restart.
Or you can download and install chameleon from malwarebytes.org (malwarebytes.org/chameleo
Also you may wish to try SPYBHOREMOVER and then SPYDLLREMOVER from securityxploded.com.
Also you may wish to try SPYBHOREMOVER and then SPYDLLREMOVER from securityxploded.com.
Elixir2--
What negative events do you experience by leaving Web Security alone?
As mentioned, it is an add-on from Google. I see no indication it is malware or a virus.
What negative events do you experience by leaving Web Security alone?
As mentioned, it is an add-on from Google. I see no indication it is malware or a virus.
I've run Malwarebytes with the services stopped. It looks good until you start Chrome again, and then the plug in comes back. I'll try some of Thomas' ideas, too.
When Chrome is running this extension, CPU use spikes to 100%. We believe it to be part of a spy-ware collection some of which can send data to a third part and log keystrokes. It most definitely is NOT something that comes with Chrome as a default install. It is malware. I have reported it to the Google store (see link in OP if you wish to do the same.)
Better yet, if you have a "Sandbox" go ahead and install this Chrome extension and then see if you can remove it. Tell me how you did it.
When Chrome is running this extension, CPU use spikes to 100%. We believe it to be part of a spy-ware collection some of which can send data to a third part and log keystrokes. It most definitely is NOT something that comes with Chrome as a default install. It is malware. I have reported it to the Google store (see link in OP if you wish to do the same.)
Better yet, if you have a "Sandbox" go ahead and install this Chrome extension and then see if you can remove it. Tell me how you did it.
Uninstall Chrome completely, stop processes / services again, run Malwarebytes again. Shut down, start up and check if any errors occur.
Only after complete cleanup, install the newest version of Chrome.
Only after complete cleanup, install the newest version of Chrome.
Another place worth checking is the properties of the icon to start up Chrome. There may be a command line argument (under target) to add the offending extension in there.
There are manual removal instructions here
https://www.pcrisk.com/removal-guides/8014-web-security-app-adware
https://www.pcrisk.com/removal-guides/8014-web-security-app-adware
Elixir2----
I am not convinced that the WebSecurity Add-on is virus/malware.
I suspect the 100% use of CPU is due to some other application. Have you run Process Explorer (as suggested earlier) to see if any unsuspected application is running?
http://technet.microsoft.com/en-us/sysinternals/bb896653
"When Chrome is running this extension, CPU use spikes to 100%. " Does this mean there are times when you are not running this extension? If so, do not run it.
FWIW--the link posted by davidanders is about WebSecurity App-- not necessarily Google's WebSecurity Add-on.
I am not convinced that the WebSecurity Add-on is virus/malware.
I suspect the 100% use of CPU is due to some other application. Have you run Process Explorer (as suggested earlier) to see if any unsuspected application is running?
http://technet.microsoft.com/en-us/sysinternals/bb896653
"When Chrome is running this extension, CPU use spikes to 100%. " Does this mean there are times when you are not running this extension? If so, do not run it.
FWIW--the link posted by davidanders is about WebSecurity App-- not necessarily Google's WebSecurity Add-on.
I'll pick up from my last post and respond in order. Thank you all, Experts, for this, as the rabbit-hole goes deeper. You'll be amazed what we found (or didn't find)...
John Hurst - did the uninstall/reinstall. I used a tool called Complete Uninstall to get rid of all Chrome's keys and folders. MBAM finds nothing, then after reinstalling Chrome's newest version, the bad extension comes back. No joy.
To everyone: this extension is NOT in your Chrome browser so stop suggesting it is a "normal" or "default" thing that I should just live with. LMAO. That is not an option.
jcimarron - we are past the last clean system restore point, as this occurred in May. Good idea tho. Also to your last post - I meant "When Chrome is running, this extension causes CPU to spike to 100%" When I close Chrome it goes away and memory use drops immediately.
Mike Sun - Great idea, checked shortcut after reinstalling Chrome and it is clean. Sorry!
davidanders - that's a different malware, as jcimarron suspected. Not what we are looking at.
I was able to get additional information from the client/end user who had this "befall" him. His ex-girlfriend installed this software on the computer: http://www.webwatcher.com/
And paid for a subscription, so it will be tough to get rid of, according to them. We chatted with tech support from Awareness Technologies (maker of WebWatcher) and they provided the attachment needed to be filled out and returned to authorize removal of the software!
So now that we know that name is not just WebSecurity, but that is just a Chrome extension for WebWatcher, we have another lead in this mystery. Hack on Experts! Let me know what you find.
FraudInvestigation.pdf
John Hurst - did the uninstall/reinstall. I used a tool called Complete Uninstall to get rid of all Chrome's keys and folders. MBAM finds nothing, then after reinstalling Chrome's newest version, the bad extension comes back. No joy.
To everyone: this extension is NOT in your Chrome browser so stop suggesting it is a "normal" or "default" thing that I should just live with. LMAO. That is not an option.
jcimarron - we are past the last clean system restore point, as this occurred in May. Good idea tho. Also to your last post - I meant "When Chrome is running, this extension causes CPU to spike to 100%" When I close Chrome it goes away and memory use drops immediately.
Mike Sun - Great idea, checked shortcut after reinstalling Chrome and it is clean. Sorry!
davidanders - that's a different malware, as jcimarron suspected. Not what we are looking at.
I was able to get additional information from the client/end user who had this "befall" him. His ex-girlfriend installed this software on the computer: http://www.webwatcher.com/
And paid for a subscription, so it will be tough to get rid of, according to them. We chatted with tech support from Awareness Technologies (maker of WebWatcher) and they provided the attachment needed to be filled out and returned to authorize removal of the software!
So now that we know that name is not just WebSecurity, but that is just a Chrome extension for WebWatcher, we have another lead in this mystery. Hack on Experts! Let me know what you find.
FraudInvestigation.pdf
Another place worth checking is the task scheduler. Under "Task Scheduler Library", remove any unknown or unwanted tasks found in there...
So what I did was this- I used the elements I had gathered like a detective: the exact date the software was installed; the logo of the company creator; some research from the net and from the EU... I pieced together how this works.
I rebooted using H***** and located a folder c:\windows\system32\ryjoor
Their software creates a randomized string of characters to install the windows\system32 folder (and have read that could move around) but the fact that Skyhook Wireless was referenced there in the code on the infected PC as well as online... well, yea.
So in H***** miniXP, I browsed over to c:\windows\system32\ryjoor
Once we rebooted back into normal mode, the DNS was broken (i.e. could not open any websites). That pretty much confirmed for me that we had nailed it. I added static Google DNS in the LAN settings and got back online. I did not have time to test what happened with dynamic DNS.
We monitored internet traffic for days afterward just our of curiosity and saw nothing out of the ordinary. Even thought we ran out of time to get the Chrome browser completely clean, this will give someone else instructions on how to get rid of this without a court order. Or so we think...
I rebooted using H***** and located a folder c:\windows\system32\ryjoor
Their software creates a randomized string of characters to install the windows\system32 folder (and have read that could move around) but the fact that Skyhook Wireless was referenced there in the code on the infected PC as well as online... well, yea.
So in H***** miniXP, I browsed over to c:\windows\system32\ryjoor
Once we rebooted back into normal mode, the DNS was broken (i.e. could not open any websites). That pretty much confirmed for me that we had nailed it. I added static Google DNS in the LAN settings and got back online. I did not have time to test what happened with dynamic DNS.
We monitored internet traffic for days afterward just our of curiosity and saw nothing out of the ordinary. Even thought we ran out of time to get the Chrome browser completely clean, this will give someone else instructions on how to get rid of this without a court order. Or so we think...
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Thought the Experts' input was helpful, this was not a case that could have been solved without direct access to the PC and the EU.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Browsers
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
https://support.google.com/chrome_webstore/answer/2664769?hl=en
Does this help?