www.superfish.com, api.jollywallet.com, istatic.datafastguru.info: these are some of the URLs that pestered me for months, and none of the programs I had available could find them. Thanks to Chrome's Console (Right Click > Inspect Element > Console) and the step-by-step descriptions provided here, I identified the foreign object and successfully removed it from my machine - no uninstalls and no system wipes!
(The following is for advanced users - a more descriptive approach can be found in the link provided above)
STEP 1:
- - In the Registry Editor, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google\Chrome
- - Delete 'ExtensionInstallForcelist' or delete all the data within. Each value in that key has the form '<extension ID>;<update URL>', which is exactly what Chrome uses to silently install and keep an extension that the user cannot disable.
- - Also check the same key under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome and HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome; a forced extension can be registered in any of the three.
STEP 2:
- - Go to chrome://extensions/ and check 'Developer mode' (this shows each extension's ID)
- - Search for all extensions that contain the line "Installed by enterprise policy." Save their name and ID
(In my case, there was only one extension with the following information, NAME: YTBBloCkeaRApp ID: meajhoiolabnglbkdopdglmmphjckgfp)
- - Go to chrome://policy/ and click 'Show value' next to ExtensionInstallForcelist
- - Next to the ID is the update URL the extension is fetched from. If it points to a local path, navigate to that folder and remove the respective content; if it is a remote URL, note it down, since it is what you will see your blocker or proxy logs hitting.
STEP 3:
- Go to %LocalAppData%\Google\Chrome\User Data\Default\Extensions (that is, C:\Users\<you>\AppData\Local\...; note that %AppData% on its own resolves to the Roaming folder, not Local)
- Delete the folder with the given ID
STEP 4:
- Go to C:\Windows\System32\GroupPolicy
- Delete the 'Machine' and 'User' folders. These hold the Local Group Policy's Registry.pol files; as long as they still list the extension, every policy refresh rewrites the registry value you deleted in Step 1, which is why the extension keeps coming back. (Following this step, Chrome will notify you that the unwanted extension has been uninstalled.)
- Caveat: this discards every locally configured Group Policy setting, not just the malicious one. If you have legitimate local policies, open gpedit.msc instead and remove only the Chrome ExtensionInstallForcelist entry, then run gpupdate /force.
BONUS:
- Re-scan with your antimalware tools, and check chrome://policy/ and chrome://extensions/ once more, to confirm nothing suspicious remains.
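The four steps above, as an added PowerShell audit script that is not part of the original post: it enumerates every registry location Chrome reads ExtensionInstallForcelist from, splits each value into the extension ID and update URL, shows whether that ID is present in the default profile's Extensions folder, and, only with the assumed -Remove switch, deletes the policy value and the on-disk folder and refreshes Group Policy. The -Allow parameter is likewise an assumption of this example, for IDs your own IT legitimately force-installs. Run it from an elevated prompt with Chrome closed.

```powershell
# Added example, not from the original post. Assumes Windows, Chrome's Default profile,
# an elevated prompt (HKLM policy keys need admin rights) and Chrome closed (so the
# extension folder can be deleted). -Remove and -Allow are this script's own parameters.
[CmdletBinding()]
param(
    [switch]$Remove,          # actually delete policy values and extension folders
    [string[]]$Allow = @()    # extension IDs that are legitimately force-installed
)

# Every registry location Chrome reads ExtensionInstallForcelist from (see Step 1).
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)
# Step 3 location: %LocalAppData%, not %AppData%.
$extDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'

$findings = @()
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        # Each value is "extension_id;update_url"; the URL is where the payload comes from.
        $raw = [string]$item.GetValue($name)
        $id, $url = $raw -split ';', 2
        $findings += [pscustomobject]@{
            Key       = $key
            ValueName = $name
            Id        = $id
            UpdateUrl = $url
            Allowed   = ($Allow -contains $id)
            OnDisk    = (Test-Path (Join-Path $extDir $id))
        }
    }
}

if (-not $findings) {
    Write-Host 'No ExtensionInstallForcelist entries found in HKLM or HKCU.'
    return
}
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in ($findings | Where-Object { -not $_.Allowed })) {
        # Step 1: remove the policy value that keeps the extension installed.
        Remove-ItemProperty -Path $f.Key -Name $f.ValueName -ErrorAction Stop
        # Step 3: remove the unpacked extension from the profile.
        if ($f.OnDisk) {
            Remove-Item -Path (Join-Path $extDir $f.Id) -Recurse -Force
        }
        Write-Host "Removed $($f.Id) (update URL was $($f.UpdateUrl))"
    }
    # Step 4 still applies: if C:\Windows\System32\GroupPolicy\Machine\Registry.pol
    # (or User\Registry.pol) still lists the extension, the next policy refresh
    # re-creates the registry value. Clear it there first, then refresh.
    gpupdate /force | Out-Null
}
```

Run it once without -Remove to review the table; anything with Allowed = False and an update URL you do not recognise is a candidate for removal. Rerun after a reboot: if the entry is back, the Local Group Policy store from Step 4 (or a domain GPO, if the machine is domain-joined) is still reapplying it.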
Back Story:
When browsing the web, I ensure that I have the following Chrome extensions installed and running: HTTPSEverywhere, AdBlocker, ScriptSafe (or NoScript), and Blacklist. ScriptSafe has been a wonderful extension that allows me to be selective in what runs under the hood and what doesn't - it's like disabling JavaScript but only for some websites - saving me the worry of malicious scripts installing bad subjects on my system. One of the only downsides to this is that most sites use third-party scripts to help their website function the way they intended it. Some of the most common third-party scripts are jquery.min.js and three.js, JavaScript libraries that save a developer a lot of time programming and designing (Node.js, despite the name, is a server-side runtime rather than a script a page loads). Because such library names are so familiar, a malicious script that adopts one of them blends in easily.
About a month or two ago, when attempting to reestablish functionality to a certain site, I mistakenly enabled an unfamiliar script. It fit right in with the others... I later found myself with about 3 trojans and 12 other objects. Malwarebytes, SpyBot, and CCleaner did what they could, but my browser's settings were altered: a new homepage, a new tab page. Most of this was resolved with a quick reset; nevertheless, I noticed ScriptSafe displayed traces of www.superfish.com, api.jollywallet.com, and istatic.datafastguru.info. A colleague pointed me to the Chrome Extensions; sure enough there was an unauthorized extension. Removing it solved the problem - for a time.