Rogue Chrome Extension - Unlisted and Can't Remove

Nolan Mason
One of our employees uses his personal Google account in Chrome on one of our office computers.  He came to me with an ESET Nod32 notification about a file infected with JS/Spigot.B; it comes up every time he opens Chrome.  I did all the standard malware removal procedures and removed all his Chrome extensions via the chrome://extensions page, but it turns out that the root of the problem is related to an extension in his Google account, not the computer, even though I removed every extension, about 10 in total.

Any Windows profile on any computer that I use to log into his Google account via Chrome results in the ESET notification of an infected file being detected.  This warning does not occur if I disable syncing of extensions.

While investigating, I went to chrome://sync-internals >> Sync Node Browser >> Extensions and found 5 extensions remaining. One, called Template Hub, has the following ID: hkmndieloknaojdmjdkmhmfcbgaanpdd.
(WARNING: DO NOT INSTALL UNLESS YOU WANT TO RISK HAVING THE SAME PROBLEM)
Googling that ID led me to:
https://chrome.google.com/webstore/detail/template-hub/hkmndieloknaojdmjdkmhmfcbgaanpdd   

Trying to install this extension results in an error and it fails to install, but then I get the same infected file notification. Thus far, I cannot find a way to remove the extension from the Google account, as I've already removed everything listed under Settings >> Extensions.  Until I can remove it from the Google account, it will continue to pop up on any computer that is used to log in via Chrome to his account with syncing of extensions enabled.

Does anybody here know how to resolve this without creating a new Google account?  Thanks for your time!
Distinguished Expert 2018
Commented:
You could download the Chrome administrative templates and deploy a GPO that blacklists that extension, so it won't be loaded even if it's already installed. See https://medium.com/@rootsecdev/controlling-google-chrome-web-extensions-for-the-enterprise-7414bf8cc326
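
The blocklist suggested above can also be applied and checked on a single machine. This is an added example, not part of the commenter's post or the linked article: it writes the same registry values a GPO built from the Chrome administrative templates would set, then reports any local Chrome profile that already has the extension on disk. It assumes an elevated PowerShell session and Chrome's default per-user data folder; `ExtensionInstallBlacklist` is written as well because it is the policy's older name.

```powershell
# Added example: local equivalent of the GPO blocklist, plus an on-disk check.
# Run from an elevated PowerShell session (writes under HKLM).
$ExtensionId = 'hkmndieloknaojdmjdkmhmfcbgaanpdd'   # ID quoted in the question

# Chrome reads list policies as numbered string values ("1", "2", ...) under a
# key named after the policy. ExtensionInstallBlocklist is the current name;
# ExtensionInstallBlacklist is the older name for the same policy.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
foreach ($policy in 'ExtensionInstallBlocklist', 'ExtensionInstallBlacklist') {
    $key = Join-Path $policyRoot $policy
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Read existing entries so the ID is not duplicated and nothing is overwritten.
    $names = @((Get-Item $key).Property)
    $values = foreach ($n in $names) { Get-ItemPropertyValue -Path $key -Name $n }
    if ($values -contains $ExtensionId) { continue }

    # Pick the next free numeric value name.
    $next = 1
    while ($names -contains "$next") { $next++ }
    New-ItemProperty -Path $key -Name "$next" -Value $ExtensionId `
        -PropertyType String | Out-Null
}

# Report every Chrome profile on this machine that has the extension unpacked.
# Assumption: default location C:\Users\<user>\AppData\Local\Google\Chrome\User Data
$found = foreach ($user in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $userData = Join-Path $user.FullName 'AppData\Local\Google\Chrome\User Data'
    if (-not (Test-Path $userData)) { continue }
    foreach ($chromeProfile in Get-ChildItem $userData -Directory -ErrorAction SilentlyContinue) {
        $extDir = Join-Path $chromeProfile.FullName "Extensions\$ExtensionId"
        if (Test-Path $extDir) {
            [pscustomobject]@{
                User    = $user.Name
                Profile = $chromeProfile.Name
                Path    = $extDir
            }
        }
    }
}

if ($found) { $found | Format-Table -AutoSize }
else { Write-Output "No local Chrome profile contains extension $ExtensionId" }
```

After Chrome is restarted, `chrome://policy` shows whether the browser picked up the blocklist entry.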
Nolan Mason, IT Professional

Author

Commented:
Fantastic idea, at least for the part that is my responsibility.  Thank you for the link; I knew this was possible, but hadn't looked into it yet.

I'm hoping to fix the root cause and remove the extension, but that may not be in the cards.  I'm going to hold off marking this as resolved for a little while.
Distinguished Expert 2018

Commented:
Sorry, I know of no way to uninstall extensions by a script to give you another way. But blacklisting will definitely keep it inactive.

Robert R, Computer Service Technician

Commented:
How about doing a system restore to a point before the viral extension was added? Or maybe uninstall Google Chrome and delete the google folder in C:\Users\"name of user"\AppData\Local\google. You may want to back up your user settings, bookmarks and cookies first. Then restart the computer to make sure nothing is in memory. Then reinstall Google Chrome and restore your bookmarks.
Mike Sun, Senior Systems Engineer (IBM - retired)

Commented:
Under Chrome settings, Advanced, at the bottom of the list is a reset option. Perhaps this quicker fix may have been overlooked? Worth trying in the first instance...
Distinguished Expert 2018

Commented:
This leads me to believe that extension is installed at the user's home. Maybe you can talk the user into removing it while at home, and also running an AV scan on their machine.
Nolan Mason, IT Professional

Author

Commented:
masnrock, I think you may be correct; it makes sense.  He's out of the office today, so I haven't been able to talk to him about it, but I will post back as soon as we address his other machines that are logged into the account.
Distinguished Expert 2018

Commented:
You may also want to make some recommendations on AV products, even if that means using Defender. I'm sure it's been a long time since that system got a proper scanning/cleaning.
Robert R, Computer Service Technician

Commented:
Run AdwCleaner which is now owned by Malwarebytes. It may find the stubborn plugin.
AdwCleaner is a free program that searches for and deletes Adware, Toolbars, Potentially Unwanted Programs (PUP), and browser Hijackers from your computer.  By using AdwCleaner you can easily remove many of these types of programs for a better user experience on your computer and while browsing the web.
 You can download it from here: https://www.bleepingcomputer.com/download/adwcleaner/
Nolan Mason, IT Professional

Author

Commented:
I disabled syncing of extensions on all computers hooked up to his account,  removed all extensions from every machine, did scans with Nod32 (found nothing), used Chrome's "clean up computer / find harmful software" function on every machine (found nothing), and then reset Chrome to defaults on every machine.  Each machine that I log into Chrome with the user's account (even a machine freshly reloaded with Win10, ESET Nod32 Antivirus, and Chrome installed for the first time) continues to notify of detecting JS/Spigot.B.  The only way I've found to avoid it is to either disable syncing of extensions on all his computers or, just to keep the problem out of my area of responsibility, I'll use a GPO to blacklist the extension, as McKnife suggested.  I haven't tried it yet, but I have no doubt that it will work.  I'll post back after I actually try it at some point.

I told the user that truly fixing the problem will require a new Google account, which felt ridiculous to say.  This is one of those rare problems that seems to have no real solution.  Thanks for your comments everyone!
