These Malicious Google Chrome And Firefox Extensions Are Near Impossible To Manually Remove


Isn't it nice when malware authors make it easy to remove their dirty code? Sometimes all you have to do is open the Control Panel and uninstall the offending program, just like any other application. And for browsers, simply nuke the extension that is causing trouble. Unfortunately, some recent browser extensions for Chrome and Firefox are making things difficult on users by cleverly hiding their whereabouts.

The extensions in question hijack Chrome and Firefox to redirect web searches and drive up click counts on YouTube videos, presumably to generate ad revenue. That in and of itself is not unusual, but what is frustrating is that you can't just load up the extensions page and delete them. They do this by closing out pages with extensions and add-ons information, or sending users to a different page altogether, such as an apps overview pages where extensions do not appear.

"In Firefox, this problem is relatively easy to circumvent, but for Chrome it takes a lot of digging—so much so that we suggest the fastest way to resolve the problem is to report it to Chrome or your favorite security solution so they (we) can take care of it. (Malwarebytes Premium and Business users are already protected from these threats by our website protection module.)," Malwarebytes explains.

One of the malicious extensions in Chrome is called Tiempo en colombia en vivo. This is not something that users willingly install, but is essentially forced onto Chrome users when visiting certain websites. After latching on, it then redirects chrome://extensions/ to chrome://apps/?=extensions where only installed apps are shown, and not any installed extensions.

Chrome Command

Blocking JavaScript doesn't help matters, as it only applies to sites and not to Chrome's internal extensions page. To get around this, you have to add the switch --disable-extensions to the command to run Chrome.

"But doing this will not offer you the option to remove any extensions, as Chrome will behave as if it has no extensions whatsoever. So this offers us no way to remove the extension from the list as you normally would," Malwarebytes says.

So what can you do? Well, one workaround is to rename the file 1499654451774.js in the extensions folder. After restarting Chrome, the offending extension will show up as corrupted and won't load properly.

In Firefox, a malicious extension called FF Helper Protection works in a similar fashion by blocking the add-ons page from loading. That means you can't remove it manually. However, what you can do is load Firefox in safe mode by holding down the Shift key when starting up the browser. Extensions are not loaded in safe mode, but you can see and remove them like normal.

"While the extensions have been around for a few weeks, both are still in use in one form or another. In fact, the Tiempo en colombia en vivo extension was still available in the Chrome Web Store at the time of writing. Unfortunately, since both the Chrome and Firefox extensions mostly add themselves through forced installs, it’s not always possible to avoid getting them," Malwarebytes added.

Your best bet is to avoid shady areas of the web. If you still manage to get infected, one of the commenters to the blog post pointed out that Piriform's CCleaner has a browser plugins section that lets you disable and delete extensions, helps, toolbars, plugins, and apps, all without having to open the browser.