Chrome browser extension - virus/malware and unable to uninstall

Hi All,
I have a client with the same question/issue as described: https://www.experts-exchange.com/questions/28694856/Chrome-browser-extension-virus-malware-and-unable-to-uninstall.html
Under the solution provided by Exilir2, I am having trouble isolating the folder in c:\windows\system32\ where WebSecurity is located. The EU cannot recall when it was installed or when he started having issues.

I have followed the process outlined to manually delete Chrome extensions as described here, but WebSecurity keeps coming back:
https://productforums.google.com/forum/#!topic/chrome/NwWyxq2axrI;context-place=topicsearchin/chrome/authorid$3AAPn2wQfmBaAsKW5QOBDEiE4VI7GpqyoZiiW4qS8ZzI3F2CmEWuLAAt2T0yZ9mg-591Ka5BAfqV7l%7Csort:date%7Cspell:false
PAMurillo asked:
 
Hello There (System Administrator) commented:
If you use the same installer, the problem might be there. If this doesn't help...

Use Chrome Cleanup Tool and see if it finds any junk. Resetting Google Chrome to its defaults is a part of this tool.

More tips are here.
0
 
Tom Cieslik (IT Engineer) commented:
It doesn't have to be this folder:

c:\windows\system32\ryjoor
New extension versions can have different locations.

Try to find out the date when the extension was installed and do a search by date modified in Windows Explorer.
You are going to be able to find the folder, so double check whether the files placed there are part of Windows or not.
Try to check the files' properties. Sometimes you must use intuition.
If you're not sure, just change the folder name and restart the computer.
If the add-on doesn't show up anymore, you've probably won BINGO.

Capture.JPG
0
 
Hello There (System Administrator) commented:
1. If possible, disconnect from the Internet.
2. Enter Safe Mode and run Disk Cleanup or anything that deletes all your temp files.
3. Still in Safe Mode, run all necessary scans. Deep scans!
Some free tools: Kaspersky TDSSKiller for removing rootkits, Malwarebytes and HitmanPro for removing malware, AdwCleaner for removing adware.
4. Try to remove all 'unknown publisher' apps as well as recently downloaded files. Also uninstall Google Chrome and delete all its files manually, if they remain.
5. If this doesn't help, try to go back in time using System Restore.
6. If nothing helps, you should consider reinstalling your OS.
Good luck!

Someone had this issue a few days ago.
https://www.experts-exchange.com/questions/29073194/Getting-rid-of-malware.html
0
 
PAMurillo (Author) commented:
@Hello There,
I just need to isolate the folder that contains the WebSecurity spyware in c:\windows\system32\ and I can take it out surgical-strike style.

@Tom Cieslik
What change can I make to alter the Date Modified folder so I can isolate the folder?
0
 
Hello There (System Administrator) commented:
HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions (On 32-bit versions of Windows)
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions (On 64-bit versions of Windows)
Delete all extensions.

Can you run a System Restore?
0
 
PAMurillo (Author) commented:
@Hello There
Thanks for the suggestion. I tried your suggestion earlier (https://www.experts-exchange.com/questions/28694856/Chrome-browser-extension-virus-malware-and-unable-to-uninstall.html) and when I delete the files/folders there, they are re-created when I restart Chrome.
0
 
Tom Cieslik (IT Engineer) commented:
So it looks like some malware is running on your computer.
Download the Sysinternals Suite.

Run Procexp64.exe and hunt for the process that is causing the problem.

Remember the path. Navigate to the path, kill the process in Process Explorer and delete the file from disk.

It should be OK now.
0
 
Hello There (System Administrator) commented:
You do not know where the malware is, so I'd enter Safe Mode with minimum requirements and run all possible scans. I'd start with Malwarebytes, and if this does not find anything I would continue with the very effective (and my favourite) Farbar Recovery Scan Tool and RogueKiller (still in Safe Mode).
Yes, it will take some time, but it's worth it. Malware can be spread across multiple locations on your computer, so you need to check the whole computer, not only a specific location.

You probably know that the last option is to reinstall your OS. But first, run what I suggest. It usually finds junk and removes it.
0
 
PAMurillo (Author) commented:
Currently have an appointment to access the computer this Friday am. Will provide update asap.
0
 
PAMurillo (Author) commented:
So trying to isolate the folder in c:\windows\system32\ is almost impossible. I tried uninstalling Chrome, going to C:\Users\(user name)\AppData\Google and renaming the folder (I had to do it in Safe Mode, as even after uninstalling Chrome it said a file was open in the folder).

Here's the extension as displayed in Chrome. Note the greyed-out Enable. Turning on Developer Mode does not un-grey the Enabled check box.

WebSecurity
0
 
Hello There (System Administrator) commented:
Close Chrome and navigate to the following folder on your hard drive: C:\Users\(user account)\AppData\Local\Google\Chrome\User Data\Default\Extensions. Find the folder with the same ID and delete it.
You have to set your Windows Explorer options to show hidden files, and you might have to restart your computer for the fix to take effect.
0
 
PAMurillo (Author) commented:
@Hello There
So I uninstalled Chrome, rebooted in Safe Mode, and renamed the C:\Users\(user account)\AppData\Local\Google folder to GoogleOld. I rebooted again, then downloaded and installed Chrome from www.google.com/chrome.

The Google folder contains the extension C:\Users\(user name)\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpfmidcdnfpaamdaobjiiamaihdigaoj. The extension is also in the same relative folder under the renamed GoogleOld.

I have previously tried to delete the folder, but it is re-created when Chrome is launched.
0
 
Hello There (System Administrator) commented:
In Safe Mode: uninstall Chrome, search for that ID in the registry and in Windows Explorer, and delete everything that is related to that ID. Delete (not rename) all Google folders. Reboot. Download a new installer from the official website! Do not use an installer you have downloaded before.

Make sure you are not ticking the "Match whole string only" tickbox when searching in registry.

Also check extensions of other browsers!
0
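The registry keys named earlier in the thread, the per-profile Extensions folder, and the "search for that ID" step above can be checked in one read-only pass. This is an added example, not code from the thread or from Google; it assumes it is run as Administrator on the affected PC, uses the extension ID quoted in the thread as its default parameter, and additionally checks Chrome's ExtensionInstallForcelist policy key, which is where an extension with a greyed-out Enable box is typically pinned.

```powershell
# Added example: inventory every location where a Chrome extension ID can be anchored.
# Read-only: it reports, it does not delete, so the findings can be reviewed first.
param([string]$ExtensionId = 'kpfmidcdnfpaamdaobjiiamaihdigaoj')   # ID from the thread; replace as needed

$hits = @()

# 1. Registry: the external-extension keys named in the thread (plus the per-user hive)
$regRoots = @(
  'HKLM:\Software\Google\Chrome\Extensions',
  'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions',
  'HKCU:\Software\Google\Chrome\Extensions'
)
foreach ($root in $regRoots) {
  $key = Join-Path $root $ExtensionId
  if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    $hits += [pscustomobject]@{ Kind = 'Registry'; Location = $key; Detail = $props.update_url }
  }
}

# 2. Registry: force-install policy. Values are strings of the form "<id>;<update url>";
#    an entry here re-installs the extension every time Chrome starts and locks its Enable box.
foreach ($hive in 'HKLM', 'HKCU') {
  $pol = "$($hive):\Software\Policies\Google\Chrome\ExtensionInstallForcelist"
  if (Test-Path $pol) {
    (Get-ItemProperty -Path $pol).PSObject.Properties |
      Where-Object { $_.Value -is [string] -and $_.Value -like "$ExtensionId*" } |
      ForEach-Object { $hits += [pscustomobject]@{ Kind = 'Policy'; Location = $pol; Detail = $_.Value } }
  }
}

# 3. Filesystem: every Windows user, every Chrome profile (Default, Profile 1, ...)
$pattern = 'AppData\Local\Google\Chrome\User Data\*\Extensions'
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
  Get-ChildItem -Path (Join-Path $_.FullName $pattern) -Directory -ErrorAction SilentlyContinue |
    Where-Object { Test-Path (Join-Path $_.FullName $ExtensionId) } |
    ForEach-Object {
      $dir = Join-Path $_.FullName $ExtensionId
      $hits += [pscustomobject]@{ Kind = 'Folder'; Location = $dir; Detail = (Get-Item $dir).LastWriteTime }
    }
}

# 4. A running chrome.exe keeps the profile folder locked (the "file is open" error in the thread)
$chrome = Get-Process -Name chrome -ErrorAction SilentlyContinue
if ($chrome) {
  $hits += [pscustomobject]@{ Kind = 'Process'; Location = 'chrome.exe'; Detail = "$($chrome.Count) running" }
}

$hits | Format-Table -AutoSize
```

A Policy hit explains why deleting the folder alone does not stick: Chrome re-fetches anything listed in the force-install list at launch, so that value has to go first.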
 
PAMurillo (Author) commented:
Although I can navigate to the extension folder using Chrome, there is no option to delete the folder.

As part of my uninstall/reinstall process earlier, I searched the Registry for entries of that extension and found none. I then proceeded with rebooting into normal mode, downloading and reinstalling Chrome from the official Chrome site.
0
 
PAMurillo (Author) commented:
@Hello There
The Chrome Cleanup Tool worked. I ran it 2x as an Administrator, rebooted Chrome, and voila! No extension!
0
 
Hello There (System Administrator) commented:
Amazing! I am glad I could help.
0
Question has a verified solution.