
Tip: Removing Chrome spyware plugins installed by "Enterprise policy"

Kaido

Elite Member & Kitchen Overlord
Worked on a computer last week that got a spyware bomb. One of those items was a Chrome extension called something like "Savings Wizard" and was unremovable (grayed out) because it was "Installed by enterprise policy". I ran the usual antivirus, antimalware, add/remove programs, etc. and even went as far as uninstalling Chrome & rebooting, but it still persisted. I started pulling my hair out - deleting registry keys, looking for hidden files, etc.

I finally found it by enabling Developer Mode in the extensions, finding the ID (a long string of random characters), and then deleting that entry from the HOSTS file. It had an IP address to a master server, along with the extension's ID, and was auto-loading it from the Internet. VERY sneaky. So if you ever run into a Chrome spyware plugin that can't be removed through normal channels, check the HOSTS file to see if there's an entry with the Developer ID & IP for it.
 
I've encountered this Adware before. It should be completely removable from Add/Remove Programs (Uninstall Programs) in the control panel. Might force you to restart though.

Did this instance not completely remove from "Uninstall Programs"?
 
Is there any way to post a simple instructions guide for someone who's not tech savvy?

I have the same problem and don't know what the HOST file is or how to access it.

(and there's no "Uninstall Program" instance to remove from control panel)
 
> I've encountered this Adware before. It should be completely removable from Add/Remove Programs (Uninstall Programs) in the control panel. Might force you to restart though.
>
> Did this instance not completely remove from "Uninstall Programs"?

Yes, this was an unusual spyware bomb. The spyware plugin's own website had uninstall instructions, but because the spyware "bomb" added the line to the HOSTS file, it considered it non-removable from an Enterprise point-of-view. Typically you could either uninstall it from Add/Remove Programs or else simply delete the extension from within Chrome, but neither worked in this case.
 
> Is there any way to post a simple instructions guide for someone who's not tech savvy?
>
> I have the same problem and don't know what the HOST file is or how to access it.
>
> (and there's no "Uninstall Program" instance to remove from control panel)

Here's the easy route:

1. Download the "Everything" search program:

http://www.voidtools.com/

2. Search for "HOSTS"

3. Open in Notepad

There shouldn't be very many things (if anything) in there; if you need further confirmation on which line to delete, go into Chrome & enable Developer Mode on the Extensions page to find the ID of the extension.
 
I have the same problem. However, I don't see the extension ID in my Windows 7 hosts file. Only several *.adobe.com addresses and 2 IP addresses that belong to akamai after a whois check.
 
> I have the same problem. However, I don't see the extension ID in my Windows 7 hosts file. Only several *.adobe.com addresses and 2 IP addresses that belong to akamai after a whois check.

So here's the basic procedure:

1. Try deleting it from extensions (unless it's locked in by Enterprise policy)
2. Try uninstalling it from Add/Remove in Control Panel
3. Try uninstalling & reinstalling Chrome
4. Try doing a search with "Everything" for the Developer ID of the extension (especially anything with a .crx extension = Google Chrome extension)
5. Try the HOSTS file

So if it's not in your HOSTS file & you can't delete it from Enterprise policy, try completely removing Chrome. Also do a search for CRX files. You may have to check the registry as well. It kind of takes the shotgun approach to installation 🙁
 
I'm assuming I'll need to delete my existing Chrome profile and create a new one when I reinstall? Is there a way of backing up my bookmarks and other settings and restoring it later?

Also, what do you mean by #4?
 
I used Everything to find it and deleted all of it. It still shows up in the extensions menu, though. I did another search and it didn't show up. Is it gone or not?
 
> I used Everything to find it and deleted all of it. It still shows up in the extensions menu, though. I did another search and it didn't show up. Is it gone or not?

So you can't delete it and it says installed by Enterprise policy? Did you check the HOSTS file and the Add/Remove Programs list?
 
Oh yeah, here was the entry in the HOSTS file on the infected machine: (IP address + Developer ID for the Chrome Extension installed by Enterprise policy, aka non-user-removable from within Chrome)

54.225.95.126 ajakpekbmnkgnjbpajgkdhimcbeoocam
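
The HOSTS check described in this thread, as an added example that is not part of any poster's message: it flags HOSTS entries whose host name has the shape of a Chrome extension ID (32 characters from the letters a to p) and comments them out instead of deleting them. The function names and the sample file are constructed for illustration; only the flagged entry is the one quoted above.

```python
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

# Constructed sample HOSTS content; the last entry is the one quoted in the thread.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
192.0.2.10 activate.adobe.com   # constructed entry
54.225.95.126 ajakpekbmnkgnjbpajgkdhimcbeoocam
"""

def find_extension_entries(hosts_text, extension_id=None):
    """Return (line_no, ip, name) for entries whose host name looks like an
    extension ID, or equals extension_id when one is given."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split fields
        if len(fields) < 2:
            continue                            # blank, comment or malformed
        ip, names = fields[0], fields[1:]
        for name in (n.lower() for n in names):
            if extension_id is not None:
                if name == extension_id.lower():
                    hits.append((line_no, ip, name))
            elif EXT_ID.match(name):
                hits.append((line_no, ip, name))
    return hits

def comment_out(hosts_text, hits):
    """Return the HOSTS text with every flagged line commented out, so the
    change can be reviewed and reverted."""
    flagged = {line_no for line_no, _, _ in hits}
    lines = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        lines.append("# " + raw if line_no in flagged else raw)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = find_extension_entries(SAMPLE_HOSTS)
    for line_no, ip, name in found:
        print(f"line {line_no}: {ip} -> {name}")
    print(comment_out(SAMPLE_HOSTS, found))
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; work on a copy and write the result back from an elevated prompt.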
 
Hi folks....new here. Looking for help with Enterprise Policy/UTAdRemovalAPp 2.0
ID: dgnpojeblgjaljbmpooffchmcohpopeb

Ok, so what do you do if there is no such data in the HOSTS files? I am assuming (WIN7) C:win/sys32/drivers/etc yes?

I did find a folder (I used the Everything search) dgnpojeblgjaljbmpooffchmcohpopeb and deleted the dgnpojeblgjaljbmpooffchmcohpopeb.crx, but other entries are coming up that I can't seem to access and it still shows up in Chrome. Tried a complete uninstall before I came here
 
> Here's the easy route:
>
> 1. Download the "Everything" search program:
>
> http://www.voidtools.com/
>
> 2. Search for "HOSTS"
>
> 3. Open in Notepad
>
> There shouldn't be very many things (if anything) in there; if you need further confirmation on which line to delete, go into Chrome & enable Developer Mode on the Extensions page to find the ID of the extension.

Sorry to Necro this thread, but this just really helped me get rid of the easytoshop spyware extension.
 