Chrome browser extension - virus/malware and unable to uninstall

Hi All,
I have a client with the same question/issue as described:
Under the solution provided by Exilir2, I am having trouble isolating the folder in c:\windows\system32\ where WebSecurity is located. The EU cannot recall when it was installed or when he started having issues.

I have followed the process outlined to manually delete Chrome extensions as described here, but WebSecurity keeps coming back.

Tom Cieslik (IT Engineer) Commented:
It doesn't have to be this folder.

New extension versions can have different locations.

Try to find out the date when the extension was installed and search by date modified in Windows Explorer.
You are going to be able to find the folder, so double-check whether the files placed there are part of Windows or not.
Try to check the files' properties. Sometimes you must use intuition.
If you are not sure, just change the folder name and restart the computer.
If the add-on does not show up anymore, you've probably won BINGO.

Hello There (System Administrator) Commented:
1. If possible, disconnect from the Internet.
2. Enter Safe Mode and run Disk Cleanup or anything that deletes all your temp files.
3. Still in Safe Mode... run all necessary scans. Deep scans!
Some free tools: Kaspersky TDSSKiller for removing rootkits, Malwarebytes and HitmanPro for removing malware, AdwCleaner for removing adware.
4. Try to remove all 'unknown publisher' apps as well as recently downloaded files. Also uninstall Google Chrome and delete all its files manually, if they remain.
5. If this doesn't help, try to go back in time using System Restore.
6. If nothing helps, you should consider reinstalling your OS.
Good luck!

Someone had this issue a few days ago.
PAMurillo (Author) Commented:
@Hello There,
I just need to isolate the folder that contains the WebSecurity spyware in c:\windows\system32\ and I can take it out surgical-strike style

@Tom Cieslik
What change can I make to alter the Date Modified folder so I can isolate the folder?

Hello There (System Administrator) Commented:
HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions (On 32-bit versions of Windows)
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions (On 64-bit versions of Windows)
Delete all extensions.

Can you run a System Restore?
PAMurillo (Author) Commented:
@Hello There
Thanks for the suggestion. I tried your suggestion earlier and when I delete the files/folders here, they are re-created when I restart Chrome
Tom Cieslik (IT Engineer) Commented:
So it looks like some malware is running on your computer.
Download the Sysinternals Suite.

Run Procexp64.exe and hunt for the process that is causing the problem.

Remember the path. Navigate to the path, kill the process in Process Explorer and delete the file from disk.

It should be OK now.
Hello There (System Administrator) Commented:
You do not know where the malware is, so I'd enter Safe Mode with minimum requirements and run all possible scans. I'd start with Malwarebytes, and if this does not find anything I would continue with the very effective (and my favourite) Farbar Recovery Scan Tool and RogueKiller (still in Safe Mode).
Yes, it will take some time but it's worth it. Malware can be spread across multiple locations on your computer, so you need to check the whole computer, not only a specific location.

You probably know that the last option is to reinstall your OS. But first, run what I suggest. It usually finds junk and removes it.
PAMurillo (Author) Commented:
Currently have an appointment to access the computer this Friday am. Will provide update asap.
PAMurillo (Author) Commented:
So trying to isolate the folder in c:\windows\system32\ is almost impossible. I tried uninstalling Chrome, going to C:\Users\(user name)\AppData\Google and renaming the folder. (I had to do it in Safe Mode as, even after uninstalling Chrome, it said a file was open in the folder.)

Here's the extension as displayed in Chrome. Note the Greyed out Enable. Turning-on Developer Mode does not un-gray the Enabled check box

Hello There (System Administrator) Commented:
Close Chrome and navigate to the following folder on your hard drive: C:\Users\(user account)\AppData\Local\Google\Chrome\User Data\Default\Extensions. Find the folder with the same ID and delete it.
You have to set your Windows Explorer options to show hidden files, and you might have to restart your computer for the fix to take effect.
PAMurillo (Author) Commented:
@Hello There
So I uninstalled Chrome, Rebooted in Safe Mode, Renamed the C:\Users\(user account)\AppData\Local\Google folder to GoogleOld. Rebooted again, and downloaded and installed Chrome from

The Google folder contains the extension C:\Users\(user name)\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpfmidcdnfpaamdaobjiiamaihdigaoj. The extension is also in the same relative folder under the folder renamed to GoogleOld.

I have previously tried to delete the folder, but it is re-created when Chrome is launched.
Hello There (System Administrator) Commented:
In Safe Mode: Uninstall Chrome, search for that ID in the registry and Windows Explorer and delete everything that is related to that ID. Delete (not rename) all Google folders. Reboot. Download a new installer from the official website! Do not use an installer you have downloaded.

Make sure you are not ticking the "Match whole string only" tickbox when searching in registry.

Also check extensions of other browsers!
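
A read-only way to run the ID search suggested above, as an added example that is not part of the original posts: it checks the registry keys named in this thread and every user's Chrome profile for the extension ID and deletes nothing. It assumes profiles live under C:\Users; the Policies key is an addition that the thread does not mention.

```powershell
# Read-only audit: report every place a Chrome extension ID is registered.
# The ID below is the one quoted in the thread.
$ExtensionId = 'kpfmidcdnfpaamdaobjiiamaihdigaoj'

# First two keys are the ones named in the thread; the Policies key is an
# addition (assumption: policy-installed extensions are worth checking too).
$RegistryRoots = @(
    'HKLM:\Software\Google\Chrome\Extensions',
    'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions',
    'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
)

$findings = @()
foreach ($root in $RegistryRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $key = Get-Item -LiteralPath $root

    # Under ...\Extensions each subkey is named after an extension ID.
    foreach ($sub in $key.GetSubKeyNames()) {
        if ($sub -eq $ExtensionId) {
            $findings += [pscustomobject]@{
                Kind = 'RegistryKey'; Location = "$($key.Name)\$sub"; Modified = $null }
        }
    }
    # Under the policy key the ID appears inside the value data.
    foreach ($name in $key.GetValueNames()) {
        if ([string]$key.GetValue($name) -like "*$ExtensionId*") {
            $findings += [pscustomobject]@{
                Kind = 'RegistryValue'; Location = "$($key.Name)\$name"; Modified = $null }
        }
    }
}

# Every user, every Chrome profile (Default, Profile 1, ...). AppData is hidden, hence -Force.
$pattern = "C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\$ExtensionId"
Get-Item -Path $pattern -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Kind = 'Folder'; Location = $_.FullName; Modified = $_.LastWriteTime }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output "No trace of $ExtensionId in the checked locations." }
```

Run it from an elevated PowerShell prompt so other users' profiles are readable. The Modified column gives each folder's last-write time, which can be used with the date-modified search suggested earlier in the thread.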
PAMurillo (Author) Commented:
Although I can navigate to the extension folder using Chrome, there is no option to delete the folder.

As part of my uninstall/reinstall process earlier, I searched the Registry for entries of that extension and found none. I then proceeded with rebooting into normal mode, downloading and reinstalling Chrome from the official Chrome site.
Hello There (System Administrator) Commented:
If you use the same installer, the problem might be there. If this doesn't help...

Use Chrome Cleanup Tool and see if it finds any junk. Resetting Google Chrome to its defaults is a part of this tool.

More tips are here.

PAMurillo (Author) Commented:
@Hello There
The Chrome Cleanup Tool worked. I ran it 2x as an Administrator, rebooted Chrome, and voila! No extension!
Hello There (System Administrator) Commented:
Amazing! I am glad I could help.