A malicious extension is most likely installed when the browser opens unwanted pages or the default search engine, and homepage are changed arbitrarily; how to recognize and remove it?
Even today, one of the problems that afflict users who install software taken from the Internet without carrying out some checks on their identity and the addons, generally superfluous and unwanted, present in the official package, concerns the appearance of anomalies of various kinds in the web browsers present on the system.
If while browsing, Google Chrome or Mozilla Firefox open pages that have nothing to do with the sites you are visiting; if unwanted advertisements appear with a worrying frequency (often even replacing the positions occupied by the advertisements generally provided by individual websites); if the ads that appear are always the same and advertise “dubious” products and services, then it is highly probable that the browser configuration has been modified by some adware or malicious component that has settled on the system.
In the article Unwanted software is installed even when one denies it, we saw that in some cases, it could happen that “snooping” components, capable of modifying the behavior of the installed browsers and monitoring the content of all the web pages opened by the user, install themselves in Windows without any explicit permission. The behavior of Chrome and Firefox can be changed through the installation, even unaware of extensions of dubious origin, capable of controlling all the pages visited by the user or specific sites.
Fortunately, Google has decided to “crackdown” on the extensions whose installation was until now proposed while surfing the net: Google will no longer allow inline installations of Chrome extensions. Malicious browser extensions can open unwanted web pages, display useless advertisements, and change the search engine and homepage set in Chrome or Firefox preferences.
The fact that by changing the default home page or the search engine in the browser settings, these settings are changed again is a symptom of the action of a malicious extension installed in the browser.
Remove Dangerous Extensions From Chrome And Firefox Manually
As we saw in the article Removing viruses manually, here’s how to do it, it is always clear about the approach used by the various threats to settle at the operating system level. Antimalware may be slow in recognizing a malicious file or process. Therefore, it is reasonable to acquire those basic rudiments that allow you to ascertain whether suspicious software elements have been loaded into the system.
The same approach should be followed in the case of web browsers: checking the installed extensions allows you to solve the appearance of pages that open by themselves and prevent unwanted advertising messages. It should be noted that both Chrome and Firefox offer thorough documentation for developers wishing to develop extensions (see here and here ).
Some programmers have therefore devised strategies to make their extensions as hidden as possible. Chrome extensions are saved in the following locations:
- %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ EXTENSION_ID (each extension uses a 32-character identifier)
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\ EXTENSION_ID - HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ EXTENSION_ID (extensions for 32-bit browsers running on 64-bit versions of Windows are stored in this folder)
Firefox extensions are stored in the following locations:
- %APPDATA%\Mozilla\Firefox\Profiles\\extensions\{ EXTENSION_ID }.xpi
- %APPDATA%\Mozilla\Extensions\{ EXTENSION_ID }.xpi HKEY_CURRENT_USER
- \Software\Mozilla\Firefox\Extensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
- %appdata% and %localappdata% are two environment variables typed, for example, in the Open field of the window that appears by pressing the Windows+R key combination, allow you to access the various subfolders mentioned (see also AppData: what is the folder and what information it contains ).
The paths above offer a helpful indication of the memory locations where the various extensions loaded by Chrome and Firefox can be hidden. Before proceeding, however, we suggest that you press Windows+R and type appwiz.CPL then uninstalls all potentially useless software or software that can be connected with the abnormal behavior of the browser.
To extrapolate the identifiers corresponding to the extensions to be removed, we suggest – in Chrome – to type chrome://extensions in the address bar. With a click on Details, you can note the identifier of the extension to be removed, which appears in the address bar. In the case of Firefox, type about: debugging# addons: you will immediately read the identifier of each extension in correspondence with the Extension ID.
Before manually deleting the subfolders containing the “malicious” extension files, removing all references to them in the Chrome and Firefox configuration files is a good idea. In the case of Firefox, you must type about: config, then enter the extension ID to be removed in the Search box.
Right-clicking on the configuration parameters found by Firefox and choosing Restore will automatically restore the default values by eliminating any reference to malicious extensions.
The picture is more complex in the case of Chrome because information about extensions is kept in the configuration file %localappdata%\Google\Chrome\User Data\Default\Preferences.
Here, with the browser closed, it is possible to search for the IDs of the malicious extensions and eliminate them (perhaps by creating a backup copy of the Preferences file ). To automate the removal of browser extensions that cause the opening of unwanted pages or change the default home page and search engine, we suggest using the excellent free AdwCleaner utility.
AdwCleaner allows the automatic removal of redundant components from all browsers installed on the system, thus speeding up navigation and protecting the confidentiality of your data.
Acquired in 2016 by Malwarebytes, AdwCleaner has recently embraced the same user interface as the well-known and well-regarded antimalware. AdwCleaner allows you to directly repair web browsers by deleting harmful or privacy-threatening elements and placing them in quarantine.
Even if no threat is detected, the utility allows you to restore the Windows Winsock and restore some operating system settings to their default state. In this way, if problems are found with the connection, restoring the system components to the standard configuration will still be possible.
Compared to the previous versions (see the Settings section ), the new AdwCleaner is capable of receiving the indications for the removal of specific threats via the cloud and allows you to decide which settings the Basic Repair function should eventually restore to the default configuration: Windows firewall, tracking keys, IPSec, prefetch, BITS, proxy, Internet Explorer policy, Chrome policy, Winsock, TCP/IP protocol implementation, HOSTS file content and IFEO keys used for debugging activities.
Also Read: 10 Essential Chrome Extensions For Startups
