> Deal Slider Chrome Extension
Dragon40
post Jan 12 2014, 05:06 PM
Post #1


Newbie


Group: Members
Posts: 9
Joined: 13-June 13
Member No.: 147,023



"Deal Slider" can be installed during the installation of other downloaded software. It adds advertising to web pages. The Control Panel (Vista) easily removes the program itself, but the Chrome extension remains, and is protected. The EXTENSIONS entry looks like this:

Deal Slider 1.0
Deal Slider Permissions Visit website
ID: ilfmkkncnbolkneogaadokmfjoihepgm
(This extension is managed and cannot be removed or disabled.)
Inspect views: background.html

Enabled - Installed by enterprise policy.

You cannot untick the ENABLED entry - I cannot find a way to do so. BD does not detect this PUP - it would be great if it did. The question is "How do I remove the Chrome extension?"

It was easy to remove from FireFox and IE 9.0 - but not Chrome, and it's driving me nuts.
Catalin Salgau
post Jan 12 2014, 06:47 PM
Post #2


Virus Researcher
***

Group: Bitdefender Labs
Posts: 638
Joined: 3-July 08
From: Iasi, Romania
Member No.: 14,578



We'll look into a permanent solution for this.
This specific PUA should have uninstalled itself from Chrome when removed from the Control Panel. The reason that might not have happened is that you were still running Chrome when you uninstalled it (either normally or as a service).

Please close Chrome and use your task manager to terminate any remaining chrome.exe processes.
Find the extension folder under C:\Users\your username\AppData\Local\Google\Chrome\User Data\Default\Extensions\
It should be named ilfmkkncnbolkneogaadokmfjoihepgm. Move (not copy) this folder to your desktop or some other temporary place.
Restart Chrome a few times and see if the extension gets redownloaded. If not, you're mostly good to go. Just remove the backup you did before and you're done.

If it pops up again, you'll have to repeat the steps but also remove the extension description under extensions/settings from the 'Preferences' (no extension) file under C:\Users\your username\AppData\Local\Google\Chrome\User Data\Default\. Make a backup first! This is a JSON file. If you are not familiar with the format or have any doubts about doing this yourself, please contact me via PM. The file may contain some privacy-sensitive items, so you might not want to upload it to the forums.

Hope this helps!
Dragon40
post Jan 13 2014, 05:11 PM
Post #3


Newbie


Group: Members
Posts: 9
Joined: 13-June 13
Member No.: 147,023



QUOTE (Catalin Salgau @ Jan 12 2014, 09:47 AM) *
We'll look into a permanent solution for this.
This specific PUA should have uninstalled itself from Chrome when removed from the Control Panel. The reason that might not have happened is that you were still running Chrome when you uninstalled it (either normally or as a service).

Please close Chrome and use your task manager to terminate any remaining chrome.exe processes.
Find the extension folder under C:\Users\your username\AppData\Local\Google\Chrome\User Data\Default\Extensions\
It should be named ilfmkkncnbolkneogaadokmfjoihepgm. Move (not copy) this folder to your desktop or some other temporary place.
Restart Chrome a few times and see if the extension gets redownloaded. If not, you're mostly good to go. Just remove the backup you did before and you're done.

If it pops up again, you'll have to repeat the steps but also remove the extension description under extensions/settings from the 'Preferences' (no extension) file under C:\Users\your username\AppData\Local\Google\Chrome\User Data\Default\. Make a backup first! This is a JSON file. If you are not familiar with the format or have any doubts about doing this yourself, please contact me via PM. The file may contains some privacy sensitive items so you might not want to upload it to the forums.

Hope this helps!


Thank you for the clear instructions. Unfortunately, they do not remove Deal Slider. I moved the extension's folder to my desktop, and confirmed that it was gone from the directory. I restarted Chrome, it was still there. I shut down Chrome again, and removed the extension code from "Preferences" as directed (after backing up the Preferences file). The Extension folder "ilfmkkncnbolkneogaadokmfjoihepgm" was still AWOL from the directory, but on my desktop. After removing the code and saving the Preferences, I rebooted Chrome, and Deal Slider was still there. The next step will be to delete the desktop extension folder entirely, and empty the Recycle Bin as well. I will update you after doing so.
Dragon40
post Jan 13 2014, 05:19 PM
Post #4


Newbie


Group: Members
Posts: 9
Joined: 13-June 13
Member No.: 147,023



QUOTE (Dragon40 @ Jan 13 2014, 08:11 AM) *
Thank you for the clear instructions. Unfortunately, they do not remove Deal Slider. I moved the extension's folder to my desktop, and confirmed that it was gone from the directory. I restarted Chrome, it was still there. I shut down Chrome again, and removed the extension code from "Preferences" as directed (after backing up the Preferences file). The Extension folder "ilfmkkncnbolkneogaadokmfjoihepgm" was still AWOL from the directory, but on my desktop. After removing the code and saving the Preferences, I rebooted Chrome, and Deal Slider was still there. The next step will be to delete the desktop extension folder entirely, and empty the Recycle Bin as well. I will update you after doing so.


UPDATE:

I shut down Chrome;
I purged extension folder ilfmkkncnbolkneogaadokmfjoihepgm from the system, as noted;
I removed the description from the Preferences file;
I rebooted Chrome - the extension is gone.

Thanks again for your help - the one thing missing from your list was the complete removal of the extension folder - moving it did not help, but purging it did.

I will let you know if it shows up again.
Dragon40
post Jan 14 2014, 04:55 PM
Post #5


Newbie


Group: Members
Posts: 9
Joined: 13-June 13
Member No.: 147,023



QUOTE (Dragon40 @ Jan 13 2014, 08:19 AM) *
I will let you know if it shows up again.


Alas, Deal Slider's Chrome extension returned, so I shut down Chrome and began an inspection. It does not appear in "Programs and Features," so the problem seems to be directly related to Chrome.

Once again, I've deleted the Extensions directory, removed the description in the Preferences file, and re-booted Chrome. Checking Tools-Extensions shows that the extension has been removed.

There must either be a specific site I visit that's injecting this beast, or something in my system is restoring it. I'm stumped. Perhaps removing Java from Chrome will solve the problem?
Catalin Salgau
post Jan 16 2014, 01:14 AM
Post #6


Virus Researcher
***

Group: Bitdefender Labs
Posts: 638
Joined: 3-July 08
From: Iasi, Romania
Member No.: 14,578



This does not appear to be part of the Deal Slider copy I managed to obtain, but please check if you have Policies\Google\Chrome\ under either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER. Extensions may be reinstalled automatically from a local cache if declared in the Extensions key or from a remote source if declared in the ExtensionInstallForcelist.
(if you do find something there, please hit me a PM with the content)
Dragon40
post Jan 17 2014, 03:40 AM
Post #7


Newbie


Group: Members
Posts: 9
Joined: 13-June 13
Member No.: 147,023



QUOTE (Catalin Salgau @ Jan 15 2014, 04:14 PM) *
This does not appear to be part of the Deal Slider copy I managed to obtain, but please check if you have Policies\Google\Chrome\ under either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER. Extensions may be reinstalled automatically from a local cache if declared in the Extensions key or from a remote source if declared in the ExtensionInstallForcelist.
(if you do find something there, please hit me a PM with the content)


I do not find "Policies\Google\Chrome\" in the registry. No recurrence since removing Java, happily :-)
Dragon40
post Jan 19 2014, 04:40 PM
Post #8


Newbie


Group: Members
Posts: 9
Joined: 13-June 13
Member No.: 147,023



QUOTE (Dragon40 @ Jan 16 2014, 06:40 PM) *
I do not find "Policies\Google\Chrome\" in the registry. No recurrence since removing Java, happily :-)


UPDATE: Deal Slider Extension re-appeared this morning as a popup. No java in the system, no "Policies\Google\Chrome\" that I can locate in the registry.

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions I find one folder, but it begins with "ogcc," so it does not appear to be DealSlider. DealSlider's extension folder was time-stamped 6:59 AM, which was when I started browsing. It has got to be coming from one of the sites I visit regularly.

This is really ###### me off - would be great if there was a reliable way to prevent it from returning, or a BitDefender flag that intercepted Extensions and asked if you wanted them.

I'm going to start looking for the addition of DealSlider as I login to each website I use, and see if I can pin it down.
Catalin Salgau
post Jan 22 2014, 08:51 AM
Post #9


Virus Researcher
***

Group: Bitdefender Labs
Posts: 638
Joined: 3-July 08
From: Iasi, Romania
Member No.: 14,578



The issue has been solved over PM.
Enterprise management for Chrome on Windows is done over Windows Group Policies; however, starting with version 28, Chrome uses the Group Policy APIs to read them, instead of the registry keys. The registry keys are just a reflection of what Windows stores under %SystemRoot%\System32\GroupPolicy\.
Policies are viewable under chrome://policy.
Normally, a user would be able to download the group policy templates from Google and use those with gpedit.msc to change settings. This however is unavailable under the Starter, Home Basic and Home Premium editions of Windows, one of which is what Dragon40 was using.
We've solved this particular case with a small program that removes the policy using features that are available on the platform. Other methods might exist.
Product handling of these cases might be added in the future.
gSe7eN
post Feb 18 2014, 08:00 PM
Post #10


Newbie


Group: Members
Posts: 2
Joined: 18-February 14
Member No.: 177,257



I found this thread from a writeup that Dragon40 wrote for another website. My rogue extension is not the same name, but everything else matches his problem. Unlike Dragon40, I DO have access to gpedit.exe.

"We've solved this particular case with a small program that removes the policy using features that are available on the platform." Is this something you could elaborate on? Specifically, where in the Group Policy Editor would I find this specific bit of policy to remove? Most of the other threads easily found on the internet didn't get anywhere close to this step; most of them are stuck on trying to get third-party software to remove the bits that cause this to reoccur. chrome://policy isn't helpful; it lists:

ocgjhfhgaljiijlajckpemcnbohjfjoi;http://ocgjhfhgaljiijlajckpemcnbohjfjoi/check/gpchrome/ocgjhfhgaljiijlajckpemcnbohjfjoi

as the only information. That URL was bound to 54.204.28.26 in my host file but I've since blocked that in both HOSTS and my router.

Thanks for your time and apologies for bumping an older thread. I decided it would be best to reply here instead of starting a new one just to have it link here (plus this page ranks high on google search for that rogue IP, any potential reply will help future users in my situation as well).
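The thread touches three places a forced extension leaves traces: the ExtensionInstallForcelist policy (whose values have the form `extension_id;update_url`, exactly as chrome://policy shows above), the Preferences JSON in the profile (post #2), and the Extensions registry key (post #6). The following is an added audit example, not code from the thread or from Bitdefender: it parses forcelist values as they would be read out of the policy, cross-checks them against a constructed Preferences file, and flags entries whose update URL is not the Chrome Web Store. It assumes Chrome records policy-installed extensions in `extensions.settings.<id>.location` with value 7 or 9; the sample inputs are constructed, apart from the one forcelist value quoted in the post above.

```python
import json
import re
from urllib.parse import urlparse

# Chrome extension IDs are 32 characters drawn from the range a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
# Assumption: the Preferences file marks policy-installed extensions with location 7 or 9
# (EXTERNAL_POLICY_DOWNLOAD / EXTERNAL_POLICY in Chrome's Manifest::Location enum).
POLICY_LOCATIONS = {7, 9}
WEBSTORE_HOST = "clients2.google.com"  # host of the Chrome Web Store update service

def parse_forcelist_entry(entry):
    """Split one ExtensionInstallForcelist value 'id;update_url' (the form shown at chrome://policy).
    Returns (id, update_url) or None when the entry is malformed."""
    ext_id, _, update_url = entry.partition(";")
    ext_id = ext_id.strip()
    if not EXT_ID_RE.match(ext_id):
        return None
    return ext_id, update_url.strip() or None

def policy_installed_in_prefs(prefs_text):
    """IDs under extensions.settings whose 'location' says they were installed by policy."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    return sorted(i for i, s in settings.items() if s.get("location") in POLICY_LOCATIONS)

def audit(forcelist_values, prefs_text):
    """Cross-check the forcelist against the profile and flag entries not served by the Web Store."""
    forced = {}
    for value in forcelist_values:
        parsed = parse_forcelist_entry(value)
        if parsed:
            forced[parsed[0]] = parsed[1]
    in_prefs = set(policy_installed_in_prefs(prefs_text))
    return {
        "forced": forced,
        "non_webstore": sorted(i for i, u in forced.items() if urlparse(u or "").hostname != WEBSTORE_HOST),
        "forced_not_in_prefs": sorted(set(forced) - in_prefs),  # policy set, profile not yet updated
        "in_prefs_not_forced": sorted(in_prefs - set(forced)),  # profile still records a policy install with no policy behind it
    }

# Constructed sample input: the first forcelist value is the one quoted in the thread, the rest are made up.
SAMPLE_FORCELIST = [
    "ocgjhfhgaljiijlajckpemcnbohjfjoi;http://ocgjhfhgaljiijlajckpemcnbohjfjoi/check/gpchrome/ocgjhfhgaljiijlajckpemcnbohjfjoi",
    "aaaabbbbccccddddeeeeffffgggghhhh;https://clients2.google.com/service/update2/crx",
    "not-a-valid-id;http://example.invalid/",
]
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "ilfmkkncnbolkneogaadokmfjoihepgm": {"location": 9, "state": 1},
    "aaaabbbbccccddddeeeeffffgggghhhh": {"location": 9, "state": 1},
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": {"location": 1, "state": 1},
}}})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_FORCELIST, SAMPLE_PREFS), indent=2))
```

On a real machine the forcelist values come from chrome://policy or from the ExtensionInstallForcelist value under Policies\Google\Chrome in HKLM/HKCU, and the Preferences text from the profile path given in post #2.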
Catalin Salgau
post Feb 19 2014, 03:37 PM
Post #11


Virus Researcher
***

Group: Bitdefender Labs
Posts: 638
Joined: 3-July 08
From: Iasi, Romania
Member No.: 14,578



If you would like to remove this via gpedit.msc, you can use the steps available here to get access to the policy in gpedit. Download the zip file, load your preferred chrome.adm/chrome.admx file, then check and clear the ExtensionInstallForcelist policy.
gSe7eN
post Feb 19 2014, 05:03 PM
Post #12


Newbie


Group: Members
Posts: 2
Joined: 18-February 14
Member No.: 177,257



QUOTE (Catalin Salgau @ Feb 19 2014, 09:37 AM) *
If you would like to remove this via gpedit.msc, you can use the steps available here to get access to the policy in gpedit. Download the zip file, load your preferred chrome.adm/chrome.admx file, then check and clear the ExtensionInstallForcelist policy.


FANTASTIC!! Thank you so much for this!! Sending a virtual hug to Romania, thank you thank you!

(It worked, I mean)