Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
Rogue Chrome Extension - Unlisted and Can't Remove
One of our employees uses his personal Google account in Chrome on one of our office computers. He came to me with an ESET Nod32 notification about a file infected with JS/Spigot.B; it comes up every time he opens Chrome. I did all the standard malware removal procedures and removed all his Chrome extensions via the chrome://extensions page, but it turns out that the root of the problem is related to an extension in his Google account, not the computer, even though I removed every extension, about 10 in total.
Any Windows profile on any computer that I use to log into his Google account via Chrome results in the ESET notification of an infected file being detected. This warning does not occur if I disable syncing of extensions.
While investigating, I went to chrome://sync-internals >> Sync Node Browser >> Extensions and found 5 extensions remaining. One, called Template Hub, has the following ID: hkmndieloknaojdmjdkmhmfcbg
(WARNING: DO NOT INSTALL UNLESS YOU WANT TO RISK HAVING THE SAME PROBLEM)
Googling that ID lead me to:
https://chrome.google.com/webstore/detail/template-hub/hkmndieloknaojdmjdkmhmfcbgaanpdd
Trying to install this extension results in an error and it fails to install, but then I get the same infected file notification. Thus far, I cannot find a way to remove the extension from the Google account, as I've already removed everything listed under Settings >> Extensions. Until I can remove it from the Google account, it will continue to pop up on any computer that is used to login via Chrome to his account with syncing of extensions enabled.
Does anybody here know how to resolve this without creating a new Google account? Thanks for your time!
Any Windows profile on any computer that I use to log into his Google account via Chrome results in the ESET notification of an infected file being detected. This warning does not occur if I disable syncing of extensions.
While investigating, I went to chrome://sync-internals >> Sync Node Browser >> Extensions and found 5 extensions remaining. One, called Template Hub, has the following ID: hkmndieloknaojdmjdkmhmfcbg
(WARNING: DO NOT INSTALL UNLESS YOU WANT TO RISK HAVING THE SAME PROBLEM)
Googling that ID lead me to:
https://chrome.google.com/webstore/detail/template-hub/hkmndieloknaojdmjdkmhmfcbgaanpdd
Trying to install this extension results in an error and it fails to install, but then I get the same infected file notification. Thus far, I cannot find a way to remove the extension from the Google account, as I've already removed everything listed under Settings >> Extensions. Until I can remove it from the Google account, it will continue to pop up on any computer that is used to login via Chrome to his account with syncing of extensions enabled.
Does anybody here know how to resolve this without creating a new Google account? Thanks for your time!
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
You could download the chrome administrative templates and deploy a GPO that blacklists that extension. So it won't be loaded even if it's already installed. See https://medium.com/@rootsecdev/controlling-google-chrome-web-extensions-for-the-enterprise-7414bf8cc326
Fantastic idea, at least for the part that is my responsibility. Thank you for the link; I knew this was possible, but hadn't looked into it yet.
I'm hoping to fix the root cause and remove the extension, but that may not be in the cards. I'm going to hold off marking this as resolved for a little while.
I'm hoping to fix the root cause and remove the extension, but that may not be in the cards. I'm going to hold off marking this as resolved for a little while.
Sorry, I know of no way to uninstall extensions by a script to give you another way. But blacklisting will definitely keep it inactive.
how about doing a system restore to a point before the viral extension was added? Or maybe uninstall google chrome delete the google folder in the C:\Users\"name of user"\AppData\Local\google
Under Chrome settings, Advanced, at the bottom of the list is a reset option. Perhaps this quicker fix may have been overlooked? Worth trying in the first instance...
This leads me to believe that extension is installed at the user's home. Maybe you can talk the user into removing while at home, and also running an AV scan on their machine.
masnrock, I think you may be correct; it makes sense. He's out of the office today, so I haven't been able to talk to him about it, but I will post back as soon as we address his other machines that are logged into the account.
You may also want to make some recommendations on AV products, even if that means using Defender. I'm sure it's been a long time since that system got a proper scanning/cleaning.
Run AdwCleaner which is now owned by Malwarebytes. It may find the stubborn plugin.
AdwCleaner is a free program that searches for and deletes Adware, Toolbars, Potentially Unwanted Programs (PUP), and browser Hijackers from your computer. By using AdwCleaner you can easily remove many of these types of programs for a better user experience on your computer and while browsing the web.
You can download it from here: https://www.bleepingcomputer.com/download/adwcleaner/
AdwCleaner is a free program that searches for and deletes Adware, Toolbars, Potentially Unwanted Programs (PUP), and browser Hijackers from your computer. By using AdwCleaner you can easily remove many of these types of programs for a better user experience on your computer and while browsing the web.
You can download it from here: https://www.bleepingcomputer.com/download/adwcleaner/
I disabled syncing of extensions on all computers hooked up to his account, removed all extensions from every machine, did scans with Nod32 (found nothing), used Chrome's "clean up computer / find harmful software" function on every machine (found nothing), and then reset Chrome to defaults on every machine. Each machine that I log into Chrome with the user's account (even a machine freshly reloaded with Win10, ESET Nod32 Antivirus, and Chrome installed for the first time) continues to notify of detecting JS/Spigot.B. The only way I've found to avoid it is to either disable syncing of extensions on all his computers or, just to keep the problem out of my area of responsibility, I'll use a GPO to blacklist the extension, as McKnife suggested. I haven't tried it yet, but I have no doubt that it will work. I'll post back after I actually try it at some point.
I told the user that truly fixing the problem will require a new Google account, which felt ridiculous to say. This is one of those rare problems that seems to have no real solution. Thanks for your comments everyone!
I told the user that truly fixing the problem will require a new Google account, which felt ridiculous to say. This is one of those rare problems that seems to have no real solution. Thanks for your comments everyone!
Premium Content
You need an Expert Office subscription to comment.Start Free Trial