Tip: Removing Chrome spyware plugins installed by "Enterprise policy"

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,672
5,430
136
Worked on a computer last week that got a spyware bomb. One of those items was a Chrome extension called something like "Savings Wizard" and was unremovable (grayed out) because it was "Installed by enterprise policy". I ran the usual antivirus, antimalware, add/remove programs, etc. and even went as far as uninstalling Chrome & rebooting, but it still persisted. I started pulling my hair out - deleting registry keys, looking for hidden files, etc.

I finally found it by enabling Developer Mode in the extensions, finding the ID (a long string of random characters), and then deleting that entry from the HOSTS file. It had an IP address to a master server, along with the extension's ID, and was auto-loading it from the Internet. VERY sneaky. So if you ever run into a Chrome spyware plugin that can't be removed through normal channels, check the HOSTS file to see if there's an entry with the Developer ID & IP for it.
 

DerkSeo

Junior Member
Feb 3, 2014
2
0
0
I've encountered this Adware before. It should be completely removable from Add/Remove Programs (Uninstall Programs) in the control panel. Might force you to restart though.

Did this instance not completely remove from "Uninstall Programs"?
 

JEDIYoda

Lifer
Jul 13, 2005
33,986
3,320
126
Used to be you could block certain outgoing traffic with Nortons or even Zonealarm and others.....
 

darklyfallen

Junior Member
Feb 3, 2014
1
0
0
Is there any way to post a simple instructions guide for someone who's not tech savvy?

I have the same problem and don't know what the HOST file is or how to access it.

(and there's no "Uninstall Program" instance to remove from control panel)
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,672
5,430
136
I've encountered this Adware before. It should be completely removable from Add/Remove Programs (Uninstall Programs) in the control panel. Might force you to restart though.

Did this instance not completely remove from "Uninstall Programs"?

Yes, this was an unusual spyware bomb. The spyware plugin's own website had uninstall instructions, but because the spyware "bomb" added the line to the HOSTS file, it considered it non-removable from an Enterprise point-of-view. Typically you could either uninstall it from Add/Remove Programs or else simply delete the extension from within Chrome, but neither worked in this case.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,672
5,430
136
Is there any way to post a simple instructions guide for someone who's not tech savvy?

I have the same problem and don't know what the HOST file is or how to access it.

(and there's no "Uninstall Program" instance to remove from control panel)

Here's the easy route:

1. Download the "Everything" search program:

http://www.voidtools.com/

2. Search for "HOSTS"

3. Open in Notepad

There shouldn't be very many things (if anything) in there; if you need further confirmation on which line to delete, go into Chrome & enable Developer Mode on the Extensions page to find the ID of the extension.
 

Goi

Diamond Member
Oct 10, 1999
6,766
7
91
I have the same problem. However, I don't see the extension ID in my Windows 7 hosts file. Only several *.adobe.com addresses and 2 IP addresses that belong to Akamai after a whois check.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,672
5,430
136
I have the same problem. However, I don't see the extension ID in my Windows 7 hosts file. Only several *.adobe.com addresses and 2 IP addresses that belong to Akamai after a whois check.

So here's the basic procedure:

1. Try deleting it from extensions (unless it's locked in by Enterprise policy)
2. Try uninstalling it from Add/Remove in Control Panel
3. Try uninstalling & reinstalling Chrome
4. Try doing a search with "Everything" for the Developer ID of the extension (especially anything with a .crx extension = Google Chrome extension)
5. Try the HOSTS file

So if it's not in your HOSTS file & you can't delete it from Enterprise policy, try completely removing Chrome. Also do a search for CRX files. You may have to check the registry as well. It kind of takes the shotgun approach to installation.
 

Goi

Diamond Member
Oct 10, 1999
6,766
7
91
I'm assuming I'll need to delete my existing Chrome profile and create a new one when I reinstall? Is there a way of backing up my bookmarks and other settings and restoring it later?

Also, what do you mean by #4?
 

SuperDaveHenry

Junior Member
Feb 8, 2014
1
0
0
I used Everything to find it and deleted all of it. It still shows up in the extensions menu, though. I did another search and it didn't show up. Is it gone or not?
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,672
5,430
136
I used Everything to find it and deleted all of it. It still shows up in the extensions menu, though. I did another search and it didn't show up. Is it gone or not?

So you can't delete it and it says installed by Enterprise policy? Did you check the HOSTS file and the Add/Remove Programs list?
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
48,672
5,430
136
Oh yeah, here was the entry in the HOSTS file on the infected machine: (IP address + Developer ID for the Chrome Extension installed by Enterprise policy, aka non-user-removable from within Chrome)

54.225.95.126 ajakpekbmnkgnjbpajgkdhimcbeoocam
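
Added example (not part of the original posts): a small Python check that scans a hosts file for entries shaped like the one quoted above, using the fact that Chrome extension IDs are 32 characters drawn from the letters a-p. The function names and the sample file are constructed for illustration, and the default path is the standard Windows hosts location.

```python
import re
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
# Standard Windows hosts location (assumption for this example).
DEFAULT_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")


def find_extension_entries(hosts_text, known_ids=()):
    """Return (line_no, ip, hostname) for hosts entries naming an extension ID."""
    known = {i.lower() for i in known_ids}
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(entry) < 2:
            continue  # blank, comment-only or malformed line
        ip, names = entry[0], entry[1:]
        for name in names:
            n = name.lower()
            if n in known or EXT_ID_RE.match(n):
                hits.append((line_no, ip, n))
    return hits


def comment_out(hosts_text, line_numbers):
    """Return hosts text with the given lines disabled rather than deleted."""
    drop = set(line_numbers)
    out = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        out.append("# disabled: " + raw if line_no in drop else raw)
    return "\n".join(out) + "\n"


# Constructed sample; line 4 is the entry quoted in the post above.
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
54.225.95.126 ajakpekbmnkgnjbpajgkdhimcbeoocam
10.0.0.5        fileserver   # constructed internal host
"""

if __name__ == "__main__":
    text = DEFAULT_HOSTS.read_text() if DEFAULT_HOSTS.exists() else SAMPLE
    for line_no, ip, name in find_extension_entries(text):
        print(f"line {line_no}: {ip} -> {name}")
```

Pass an ID copied from Chrome's Extensions page (Developer Mode) as `known_ids` to confirm a specific extension; `comment_out` keeps the original line in the file so the change can be reviewed or reverted.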
 

tfwall112

Junior Member
Feb 11, 2014
2
0
0
Hi folks....new here. Looking for help with Enterprise Policy/UTAdRemovalAPp 2.0
ID: dgnpojeblgjaljbmpooffchmcohpopeb

Ok, so what do you do if there is no such data in the HOSTS files? I am assuming (WIN7)
C:win/sys32/drivers/etc yes?

I did find a folder (I used the Everything search) dgnpojeblgjaljbmpooffchmcohpopeb and deleted the dgnpojeblgjaljbmpooffchmcohpopeb.crx, but other entries are coming up that I can't seem to access and it still shows up in Chrome. Tried a complete uninstall before I came here.
 

steve wilson

Senior member
Sep 18, 2004
839
0
76
Here's the easy route:

1. Download the "Everything" search program:

http://www.voidtools.com/

2. Search for "HOSTS"

3. Open in Notepad

There shouldn't be very many things (if anything) in there; if you need further confirmation on which line to delete, go into Chrome & enable Developer Mode on the Extensions page to find the ID of the extension.

Sorry to Necro this thread, but this just really helped me get rid of the easytoshop spyware extension.
 