browser - How can I permanently remove a seemingly stealthy ad-ware installer?

2014-04-06
  • xenon

    For the past month, there seems to be a stealth installer lingering in my computer that will automatically install malicious plugins to all my browsers. I'm not sure what installer that is, and I can never seem to trace it either.

    The plugins will show up with names that appear "useful", like Media Player, Video Player, BetterSurf, all sorts of crap names. I've uninstalled their browser plugins numerous times, but a few days later, the stealth installer will install another one to my browsers under another name, say Media Player 2 or something.


    So recently, after I have been disabling and removing the plugins in the browsers, they have heightened their "security". Now I cannot even uninstall or disable the plugins because, at least in Chrome, it says that the plugin is "installed by enterprise policy".


    The most annoying part is it will throw up pop-up advertisements and embed advertisements on webpages:


    It does not affect only Chrome, but all my other browsers as well, including IE and Firefox.


    I scanned my computer and AVG did find those installers. I removed all of them, but they are not really being removed. A few days later, they all came back again, only under different names.

    What the heck is this, and how did this get onto my computer? Now, how can I remove it permanently, for real?

    I'm running on Windows 7.

  • Answers
  • davidbaumann

    If your system has once been compromised, there is no way to trust it before completely wiping it.
    You should also change your passwords (PayPal, eBay, ...).

  • Yavor Shahpasov

    I struggled with the same problem.

    I found the forced extension under the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
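As an added example, not code from either answer, the PowerShell below lists every entry under that policy key (checking the per-user HKCU location as well, which is my addition) and, only when run with the -Remove switch, deletes them. Each value is stored in the documented Chrome policy format "extension_id;update_url", so the output shows which ID is being forced and where it is being fetched from; reading or clearing HKLM needs an elevated prompt.

```powershell
# Added example for this thread: inspect Chrome's ExtensionInstallForcelist
# policy in both machine and user hives. Pass -Remove to delete the entries.
# Note: on a company-managed PC this key is legitimately set by Group Policy,
# so confirm with the administrator before removing anything.
param([switch]$Remove)

$paths = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'   # assumed extra location to check
)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        Write-Output "$p : not present"
        continue
    }
    $key = Get-Item -Path $p
    foreach ($name in $key.GetValueNames()) {
        $raw = [string]$key.GetValue($name)
        # Documented value format: "<32-char extension id>;<update url>"
        $id, $url = $raw -split ';', 2
        Write-Output ("{0}\{1}  id={2}  update_url={3}" -f $p, $name, $id, $url)
        if ($Remove) {
            Remove-ItemProperty -Path $p -Name $name
            Write-Output "  removed $name"
        }
    }
}
```

The 32-character ID can be matched against chrome://extensions to identify the forced extension; as the question notes, the installer recreates the key, so clearing it is a diagnostic step, not a cure.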

  • Related Question

    security - How can visiting a webpage infect your computer?
  • Questioner

    My mother's computer recently became infected with some sort of rootkit. It began when she received an email from a close friend asking her to check out some sort of webpage. I never saw it, but my mother said it was just a blog of some sort, nothing interesting.

    A few days later, my mother signed in on the PayPal homepage. PayPal gave some sort of security notice which stated that to prevent fraud, they needed some additional personal information. Among some of the more normal information (name, address, etc.), they asked for her SSN and bank PIN! She refused to submit that information and complained to PayPal that they shouldn't ask for it.

    PayPal said they would never ask for such information and that it wasn't their webpage. There was no such "security notice" when she logged in from a different computer, only from hers. It wasn't a phishing attempt or redirection of some sort; IE clearly showed an SSL connection to https://www.paypal.com/

    She remembered that strange email and asked her friend about it - the friend never sent it!

    Obviously, something on her computer was intercepting the PayPal homepage and that email was the only other strange thing to happen recently. She entrusted me to fix everything. I nuked the computer from orbit since it was the only way to be sure (i.e., reformatted her hard drive and did a clean install). That seemed to work fine.

    But that got me wondering... my mother didn't download and run anything. There were no weird ActiveX controls running (she's not computer illiterate and knows not to install them), and she only uses webmail (i.e., no Outlook vulnerability). When I think webpages, I think content presentation - JavaScript, HTML, and maybe some Flash.

    How could that possibly install and execute arbitrary software on your computer? It seems kinda weird/stupid that such vulnerabilities exist.


  • Related Answers
  • Area 51

    If she's using an outdated version of IE (or Firefox), then there are well-known vulnerabilities in the browser itself. Yes, it's kinda weird/stupid, but writing perfect software is very very very very hard.

    There are probably unknown/undisclosed vulnerabilities in the current versions of web browsers (as well as every other piece of software).