Hi everyone,

I could really use some help here.

Not sure if this is a possible false alarm or anything but I would rather be safe than sorry, plus this could help the next person if they have a similar problem.

I left my laptop on while I was out for about an hour because I was in the middle of something. Came back and I had an alert by my antivirus (Kaspersky), that I had a Trojan (Script). It had the option to remove the threat, and I had clicked to remove it, but it didn't work. So I attempted to shut down my PC but it was not allowing me to shut down when clicking to shut down.

I opened the system tray in the bottom right to see if I could open my antivirus again and noticed that the windows security icon was red, and when I went to click on it, got an error message. I don't remember exactly what it said, but it was along the lines of "you may not have permission to open this". I also attempted to open some photos but nothing would open.

So I force shut down my laptop by holding the power button, and when I turned it back on I had the same issue, Kaspersky popped up straight away, nothing was working again, but this time the threat removal worked.

Kaspersky then did some system repair process to revert anything it thought the virus/malware may have damaged.

I restarted the PC and everything seemed normal. Ran another virus scan, and luckily, no threats. I also then downloaded Malwarebytes and got the free trial and scanned, no threats detected there either.

I then investigated where I may have gotten this virus or malware from, as I am very careful with the websites I visit, and programs I download. I had not remembered downloading a program for a very long time so something seemed off. I checked the quarantine centre in Kaspersky and opened where the file was located. It was located in a Google Chrome extension folder. The file had obviously been removed but the folder it was in was still accessible. I had not downloaded an extension for a long time. The only ones I had were an Adblocker, the same one I have used for years, and Kaspersky Protection extension for Chrome.

I went and opened extensions on Chrome, and to my surprise there was a new one, that I have never used before or seen. It was also disabled. The extension was 'UltraSurf Security, Privacy & Unblock VPN'. I do not remember ever installing this. I deleted the extension, and sure enough, the folder the threat was located in was gone.

Now I am unsure if this was some sort of false alarm from Kaspersky, or a genuine threat. It seems to have been removed. Should I be worried, are there any more steps I should take?

Does anyone know if this extension is malicious?

Sorry for the essay, I am just worried, and would like to know if I should do anything else to ensure my system is safe to use.

Thanks so much in advance!

https://linustechtips.com/topic/1495770-possible-malicious-chrome-extension/

People use antivirus here?

Whenever I'd manually clean out malware I'd find on clients' computers, I'd ensure to check program files and appdata for it, sometimes stored under a subtle root folder, especially in appdata.

Builder/Enthusiast/Overclocker since 2012 with a focus on SFF/ITX since 2014.
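
The original poster found the quarantined file under a Chrome extension folder in AppData, and the reply above recommends looking through AppData for anything unexpected. The PowerShell script below is an added example (not code from the thread or from any participant) that walks Chrome's per-user extension directory, reads each manifest.json, resolves localized `__MSG_...__` names from the `_locales` folder, and lists every installed extension with its ID, version, requested permissions and the folder creation time, putting unrecognised ones first. The `Default` profile path and the `$KnownGood` allow-list are assumptions; adjust them to the profile and extensions you actually use.

```powershell
# Added example: inventory Chrome extensions for the current Windows user so an
# extension you never installed stands out. Assumes a standard Chrome install and
# the 'Default' profile; names in $KnownGood are example values, not from the thread.

function Resolve-ExtensionName {
    # Chrome manifests may carry '__MSG_key__' placeholders resolved from _locales.
    param([string]$RawName, [string]$VersionDir)
    if ($RawName -match '^__MSG_(.+)__$') {
        $key = $Matches[1]
        foreach ($loc in @('en', 'en_US', 'en_GB')) {
            $msgFile = Join-Path $VersionDir "_locales\$loc\messages.json"
            if (Test-Path $msgFile) {
                $msgs = Get-Content $msgFile -Raw | ConvertFrom-Json
                if ($msgs.$key) { return $msgs.$key.message }
            }
        }
    }
    return $RawName   # plain name, or a placeholder that could not be resolved
}

function Get-ChromeExtensionReport {
    param(
        # Extensions you deliberately installed (assumed example values).
        [string[]]$KnownGood = @('uBlock Origin', 'Kaspersky Protection'),
        [string]$Profile = 'Default'
    )
    $extRoot = Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\$Profile\Extensions"
    if (-not (Test-Path $extRoot)) {
        Write-Warning "No Chrome extension folder at $extRoot"
        return
    }

    foreach ($idDir in Get-ChildItem $extRoot -Directory) {
        # Each extension ID folder holds one subfolder per installed version.
        foreach ($verDir in Get-ChildItem $idDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path $manifestPath)) { continue }
            $m = Get-Content $manifestPath -Raw | ConvertFrom-Json
            $name = Resolve-ExtensionName -RawName $m.name -VersionDir $verDir.FullName
            [pscustomobject]@{
                Id          = $idDir.Name
                Name        = $name
                Version     = $m.version
                # Folder creation time approximates when this version landed on disk.
                Installed   = $verDir.CreationTime
                Permissions = (@($m.permissions) -join ', ')
                Recognised  = ($KnownGood -contains $name)
            }
        }
    }
}

# Unrecognised extensions first, then newest folders first.
Get-ChromeExtensionReport |
    Sort-Object @{Expression = 'Recognised'}, @{Expression = 'Installed'; Descending = $true} |
    Format-Table -AutoSize
```

The extension ID in the first column is the same 32-character folder name you see under AppData and in Chrome's extensions page, so a row with `Recognised` false can be matched directly against the folder an antivirus quarantine entry points at. The permission list is worth a look as well: an extension you do not remember installing that asks for `webRequest`, `proxy` or access to all sites is exactly the pattern the VPN-style extension in this thread would show.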

6 hours ago, Agall said:

People use antivirus here?

Whenever I'd manually clean out malware I'd find on clients' computers, I'd ensure to check program files and appdata for it, sometimes stored under a subtle root folder, especially in appdata.

That's where it picked it up to be in appdata. I use antivirus because I wouldn't know how to remove it myself

1 minute ago, SamDiCola said:

That's where it picked it up to be in appdata. I use antivirus because I wouldn't know how to remove it myself

I look at gaming PCs like Rick Sanchez looks at clones. As soon as one is compromised in any way, you just shoot it in the head and make a new clone. Metaphorically, this would be similar to just reinstalling Windows.

30 minutes ago, Agall said:

I look at gaming PCs like Rick Sanchez looks at clones. As soon as one is compromised in any way, you just shoot it in the head and make a new clone. Metaphorically, this would be similar to just reinstalling Windows.

Would fresh install work by doing it through windows itself? Like the remove all data and settings or would I need the installation media?

Because I don't have the USB or disc to reinstall with I'd have to do it through Windows itself.

Also what kind of virus do you believe this to be? What would its purpose be?

11 minutes ago, SamDiCola said:

Would fresh install work by doing it through windows itself? Like the remove all data and settings or would I need the installation media?

Because I don't have the USB or disc to reinstall with I'd have to do it through Windows itself.

Also what kind of virus do you believe this to be? What would its purpose be?

You can make Win10/11 USB drives for free directly from MS.

Download Windows 10 (microsoft.com)

Your motherboard's UEFI stores the product key, so you shouldn't have to worry about ripping it like we used to pre-UEFI. A 16GB flash drive is enough to create one.

The internal 'reset this PC' function might be fine, but when I'm already reinstalling Windows and wiping out installed programs, I just go scorched earth. A reset should be fine most of the time, but why not just do it the sure way.

Looks like some sort of VPN greyware/adware with questionable use, if it's actually 'UltraSurf'. A VPN that's freeware probably uses the proxy to sell data.

35 minutes ago, Agall said:

You can make Win10/11 USB drives for free directly from MS.

Download Windows 10 (microsoft.com)

Your motherboard's UEFI stores the product key, so you shouldn't have to worry about ripping it like we used to pre-UEFI. A 16GB flash drive is enough to create one.

The internal 'reset this PC' function might be fine, but when I'm already reinstalling Windows and wiping out installed programs, I just go scorched earth. A reset should be fine most of the time, but why not just do it the sure way.

Looks like some sort of VPN greyware/adware with questionable use, if it's actually 'UltraSurf'. A VPN that's freeware probably uses the proxy to sell data.

Ok thank you for all your help.

I'm running Windows 11 so I'll need to create a drive with W11.

Yeah it seems very odd, I did not install it myself so maybe it came bundled with a program I downloaded, but I haven't downloaded anything for ages, so it must have been sitting there undetected for a while.

Thanks again!

3 minutes ago, SamDiCola said:

Ok thank you for all your help.

I'm running Windows 11 so I'll need to create a drive with W11.

Yeah it seems very odd, I did not install it myself so maybe it came bundled with a program I downloaded, but I haven't downloaded anything for ages, so it must have been sitting there undetected for a while.

Thanks again!

Download Windows 11 (microsoft.com)