Elixir2

Chrome browser extension - virus/malware and unable to uninstall

Hi Experts,
I'm stumped on removing a virus from a computer. It shows up as an extension in Google Chrome. It's called WebSecurity and I can't find more than 5 hits on the internet.
This is the bad extension.

Against this, we've run Hitman Pro, MalwareBytes, AdwCleaner, Spybot, HijackThis.

We're looking for advice on a way to remove the extension permanently.
Web Browsers, Anti-Virus Apps, Windows 7


8/22/2022 - Mon
John

It appears to be an extension (add-in) from Google Store. Here is a support page for uninstalling.

https://support.google.com/chrome_webstore/answer/2664769?hl=en

Does this help?
Elixir2

ASKER
Ah, we're way past that. When you try to use the instructions you linked (uninstall an extension) we do not see the option to "Remove from Chrome" nor a little trash can. Instead, we see an office building icon and the hover tip says "Installed by Enterprise Policy." This computer is not part of an enterprise or a domain, etc. It is a home-use computer with a virus.

Also, when using CCleaner, we see in the Startup under Google Chrome only, the Extension called "WebSecurity" version 2. And when we try to use CCleaner to Disable or Delete, it responds, "Some of the selected items cannot be changed as they are protected by the browser."

I am currently researching here. These are the steps I'm following... for now.
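
The "Installed by Enterprise Policy" label described in the post above is what Chrome shows for extensions listed under its `ExtensionInstallForcelist` policy, which on Windows is read from the registry. The following is an added example, not part of the thread: a read-only PowerShell check that lists such entries. The profile path (the `Default` profile of the logged-on user) is an assumption.

```powershell
# Added example, not from the thread. Read-only: lists Chrome extensions that
# Windows policy forces into the browser. Written for PowerShell 2.0 (Windows 7).

# Registry locations Chrome reads policy from (machine-wide and current user).
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

# Assumption: the default Chrome profile of the logged-on user.
$extDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'

function Get-ChromeForcedExtension {
    foreach ($root in $policyRoots) {
        $key = Join-Path $root 'ExtensionInstallForcelist'
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # Each value has the form "<extension id>;<update URL>".
            $id, $url = ([string]$item.GetValue($name)) -split ';', 2
            New-Object PSObject -Property @{
                PolicyKey   = $key
                ExtensionId = $id
                UpdateUrl   = $url
                # True when a folder for this ID exists in the profile.
                OnDisk      = Test-Path (Join-Path $extDir $id)
            }
        }
    }
}

# A home PC is expected to report False here.
$joined = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
"Domain joined: $joined"

$forced = @(Get-ChromeForcedExtension)
if ($forced.Count -eq 0) {
    'No policy-forced Chrome extensions found.'
} else {
    $forced | Format-List PolicyKey, ExtensionId, UpdateUrl, OnDisk
}
```
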
John

If you are getting pop ups, try the following:

Download, install and run Process Explorer from Microsoft. Look under Explorer on the left side and see if there are any strange (alphanumeric) processes. If so, kill these processes, exit Process Explorer and do NOT restart.

Now run Malwarebytes again to remove these processes while stopped.

When that is done, restart.
Thomas Zucker-Scharff

Or you can download and install chameleon from malwarebytes.org  (malwarebytes.org/chameleon). Run svchosts from the chameleon directory.

Also you may wish to try SPYBHOREMOVER and then SPYDLLREMOVER from securityxploded.com.
jcimarron

Elixir2--
What negative events do you experience by leaving Web Security alone?  
As mentioned, it is an add-on from Google.  I see no indication it is malware or a virus.
Elixir2

ASKER
I've run Malwarebytes with the services stopped. It looks good until you start Chrome again, and then the plug in comes back. I'll try some of Thomas' ideas, too.

When Chrome is running this extension, CPU use spikes to 100%. We believe it to be part of a spy-ware collection some of which can send data to a third party and log keystrokes. It most definitely is NOT something that comes with Chrome as a default install. It is malware. I have reported it to the Google store (see link in OP if you wish to do the same.)

Better yet, if you have a "Sandbox" go ahead and install this Chrome extension and then see if you can remove it. Tell me how you did it.
John

Uninstall Chrome completely, stop processes / services again, run Malwarebytes again. Shut down, start up and check if any errors occur.

Only after complete cleanup, install the newest version of Chrome.
jcimarron

Elixir2--
If this started only recently, run a System Restore to a time before the problem started.
Mike Sun

Another place worth checking is the properties of the icon to start up Chrome. There may be a command line argument (under target) to add the offending extension in there.
David Anders

There are manual removal instructions here
https://www.pcrisk.com/removal-guides/8014-web-security-app-adware
jcimarron

Elixir2----
I am not convinced that the WebSecurity Add-on is virus/malware.  
I suspect the 100% use of CPU is due to some other application.  Have you run Process Explorer (as suggested earlier) to see if any unsuspected application is running?
http://technet.microsoft.com/en-us/sysinternals/bb896653

"When Chrome is running this extension, CPU use spikes to 100%. "  Does this mean there are times when you are not running this extension?   If so, do not run it.

FWIW--the link posted by davidanders is about WebSecurity App-- not necessarily Google's WebSecurity Add-on.
Elixir2

ASKER
I'll pick up from my last post and respond in order. Thank you all, Experts, for this, as the rabbit-hole goes deeper. You'll be amazed what we found (or didn't find)...

John Hurst - did the uninstall/reinstall. I used a tool called Complete Uninstall to get rid of all Chrome's keys and folders. MBAM finds nothing, then after reinstalling Chrome's newest version, the bad extension comes back. No joy.

To everyone: this extension is NOT in your Chrome browser so stop suggesting it is a "normal" or "default" thing that I should just live with. LMAO. That is not an option.

jcimarron - we are past the last clean system restore point, as this occurred in May. Good idea tho. Also to your last post - I meant "When Chrome is running, this extension causes CPU to spike to 100%." When I close Chrome it goes away and memory use drops immediately.

Mike Sun - Great idea, checked shortcut after reinstalling Chrome and it is clean. Sorry!

davidanders - that's a different malware, as jcimarron suspected. Not what we are looking at.

I was able to get additional information from the client/end user who had this "befall" him. His ex-girlfriend installed this software on the computer: http://www.webwatcher.com/ 
And paid for a subscription, so it will be tough to get rid of, according to them. We chatted with tech support from Awareness Technologies (maker of WebWatcher) and they provided the attachment needed to be filled out and returned to authorize removal of the software!

So now that we know that name is not just WebSecurity, but that is just a Chrome extension for WebWatcher, we have another lead in this mystery. Hack on Experts! Let me know what you find.
FraudInvestigation.pdf
Elixir2

ASKER
PS: I am not seeing any pop-ups, FWIW. This is a monitoring software...
Mike Sun

Another place worth checking is the task scheduler. Under "Task Scheduler Library", remove any unknown or unwanted tasks found in there...
ASKER CERTIFIED SOLUTION
Elixir2

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Thomas Zucker-Scharff

Just an FYI, that pirate cd is actually legal in some countries.
Elixir2

ASKER
Though the Experts' input was helpful, this was not a case that could have been solved without direct access to the PC and the EU.