Removing malware-added command line parameters from Chrome



Agent_24
08-04-2015, 05:46 PM
I have been cleaning up a machine with a bunch of browser hijacks\adware etc, all done except that Chrome is being loaded with some extra commands for malware files that no longer exist.
From chrome://flags these are:


"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --extensions-on-chrome-urls --test-type --load-extension="c:\Program Files\Google\Chrome\Application\Extensions\chrome\ app\37.1329.7.14" --load-component-extension="c:\Program Files\Google\Chrome\Application\Extensions\chrome\ man" --flag-switches-begin --flag-switches-end

I have checked all Chrome shortcuts but do not find these additions anywhere.

Where is it likely that these have been added? I do not normally use Chrome....

kahawai chaser
08-04-2015, 08:50 PM
I think it's an invisible extension targeted from the Chrome shortcut. Right-click the Chrome icon... go to Shortcut... Properties. In Start In: text should be "C:\Program Files\Google\Chrome\Application". Maybe it is not... so try changing it.

- Might also show in chrome://version/ in chrome url. Check the executable/command path: should be Executable Path: C:\Program Files\Google\Chrome\Application\chrome.exe (for executable)

Agent_24
10-04-2015, 11:35 AM
The path is correct - aside from being in 'Program Files (x86)' since it's a 64-Bit Win7 Pro.

The executable path in chrome://version is also correct

I tried renaming the Default profile folder, a new profile did not make a difference.

Agent_24
10-04-2015, 03:39 PM
Still don't know where it came from, but I removed Chrome with Revo Uninstaller and reinstalled, problem is gone.

Driftwood
10-04-2015, 08:50 PM
Just deviating slightly, but still on the Chrome topic.
Why is it that the entries under the Chrome tab in the startup area of CCleaner can't be disabled or deleted?

kahawai chaser
10-04-2015, 10:15 PM
> Still don't know where it came from, but I removed Chrome with Revo Uninstaller and reinstalled, problem is gone.

Might be worth evaluating any log files generated.

To find executable processes (DLL injections, threads, stacks, etc.), Sysinternals (https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx) (MS site) Process Explorer should be able to find them and they can be stopped. Case studies here (https://technet.microsoft.com/en-us/sysinternals/bb963890) from the developer. Example here (http://www.howtogeek.com/school/sysinternals-pro/lesson3/2/) (How to Geek). But it involves sleuthing about and knowing valid Windows processes. Though they are colour coded in Process Explorer.

kahawai chaser
10-04-2015, 10:17 PM
> Just deviating slightly, but still on the Chrome topic.
> Why is it that the entries under the Chrome tab in the startup area of CCleaner can't be disabled or deleted?

Worked on my PC, i.e. greyed out for Chrome.

Agent_24
20-04-2015, 03:51 PM
> Might be worth evaluating any log files generated.
>
> To find executable processes (DLL injections, threads, stacks, etc.), Sysinternals (https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx) (MS site) Process Explorer should be able to find them and they can be stopped. Case studies here (https://technet.microsoft.com/en-us/sysinternals/bb963890) from the developer. Example here (http://www.howtogeek.com/school/sysinternals-pro/lesson3/2/) (How to Geek). But it involves sleuthing about and knowing valid Windows processes. Though they are colour coded in Process Explorer.

As far as I could see there was no longer any active malware, otherwise I'm sure it would have been right back after I reinstalled Chrome anyway. Will find out if it [the machine] comes back I guess!

Good articles there, though.
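
Added example, not part of the thread or written by any of its posters: a PowerShell sketch of the two checks discussed above (shortcut arguments and the live command line), reporting the extension-loading switches from the first post and whether the folder each one points at still exists. The function name `Get-SuspectChromeSwitch` and the list of shortcut folders are assumptions made for illustration; it expects PowerShell 3 or later.

```powershell
# Switches seen in the thread's command line; a stock Chrome shortcut sets none of them.
$SuspectSwitches = '--load-extension', '--load-component-extension',
                   '--extensions-on-chrome-urls', '--test-type'

function Get-SuspectChromeSwitch {   # hypothetical helper name
    param([string]$Source, [string]$CommandLine)
    # Matches --name, --name=value and --name="quoted value"
    $pattern = '(--[\w-]+)(?:=(?:"([^"]*)"|(\S+)))?'
    foreach ($m in [regex]::Matches($CommandLine, $pattern)) {
        $name = $m.Groups[1].Value
        if ($SuspectSwitches -notcontains $name) { continue }
        $value = $m.Groups[2].Value + $m.Groups[3].Value   # at most one group is set
        $exists = $null
        if ($value) { $exists = Test-Path -LiteralPath $value }
        [pscustomobject]@{ Source = $Source; Name = $name; Value = $value; PathExists = $exists }
    }
}

# 1. Excerpt of the command line quoted in the first post (runs on any machine).
$excerpt = 'chrome.exe --test-type --load-extension="c:\Program Files\Google\Chrome\Application\Extensions\chrome\ app\37.1329.7.14"'
Get-SuspectChromeSwitch -Source 'thread excerpt' -CommandLine $excerpt

# 2. Command lines of the Chrome processes running right now.
Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" | ForEach-Object {
    Get-SuspectChromeSwitch -Source "PID $($_.ProcessId)" -CommandLine $_.CommandLine
}

# 3. Shortcuts that launch chrome.exe (folder list is an assumption; extend as needed).
$shell = New-Object -ComObject WScript.Shell
$dirs = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
          "$env:APPDATA\Microsoft\Windows\Start Menu",
          "$env:ProgramData\Microsoft\Windows\Start Menu",
          "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch")
Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.TargetPath -like '*\chrome.exe') {
        Get-SuspectChromeSwitch -Source $_.FullName -CommandLine $lnk.Arguments
    }
}
```

If step 2 reports switches and step 3 reports none, the arguments are being supplied from somewhere other than the scanned shortcuts, which matches what the original poster saw.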