Windows – Removing invisible extension “happysale” in Google Chrome

Tags: adware, google-chrome, malware, malware-removal, windows

The extension "happysale" is showing ads by "gifton" in Google Chrome and Mozilla Firefox, and I seem to be unable to remove it.

When I go to extensions in Chrome I can't see it, but when I go to the task manager in Chrome it's there, tagged as extension, and I can manually shut it down, but that gets annoying over time.

I've checked the chrome-folder: "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.71\Extensions", but it's empty except for an empty .json file.
I have also checked the registry, but I can't find it there either. Neither Malwarebytes nor my antivirus McAfee find anything either. I have also resorted to using Malwarebytes Anti-Rootkit, but that also didn't give me anything.

I am at a loss as to what to do next.

Here is a copy of what stands in chrome://version:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --extensions-on-chrome-urls --test-type --load-extension="c:\Program Files\Google\Chrome\Application\Extensions\chrome\app" --load-component-extension="c:\Program Files\Google\Chrome\Application\Extensions\chrome\man" --flag-switches-begin --flag-switches-end

But in the directory Chrome\Application\Extensions there is no folder for "chrome", and therefore no file/folder called "man".

Best Answer

This invisible extension could be loaded via a command-line argument. To confirm that this is indeed the case, visit chrome://version and look at the line with the label "Command Line:".

The "Command Line" SHOULD have the following pattern:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --flag-switches-begin --flag-switches-end

If you have ever visited chrome://flags, then there may be some extra flags between --flag-switches-begin and --flag-switches-end. These flags are usually innocent.

I think that some malware has changed your Google Chrome shortcut, to include additional flags that load the invisible extension. This change will show up at the Command Line at chrome://version:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --[name of flag not shown]=path\to\happysale-adware --flag-switches-begin --flag-switches-end

(I've intentionally hidden the actual flag name to prevent abuse by malware writers who come across this answer.)

To resolve your problem, edit your Chrome shortcut:

  1. Right-click on the Google Chrome icon.
  2. Choose Properties.
  3. Click on the Shortcut tab.
  4. Edit the Target text field, and delete every flag, so it ends with chrome.exe, e.g. "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe".
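
The shortcut check described in the answer above, applied to every Chrome shortcut in the usual locations rather than one icon, as an added PowerShell example that is not part of the original answer. The function name `Find-ChromeShortcutArgument` is hypothetical, and the folder list assumes the default Windows shortcut locations.

```powershell
# Added example (not from the original answer).
# Reports every .lnk that starts chrome.exe with extra arguments.
# With -Clean it blanks the arguments, the same result as editing Target by hand.
function Find-ChromeShortcutArgument {
    param([switch]$Clean)

    # Assumption: shortcuts live in the default per-user and all-users folders.
    $folders = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('StartMenu'),
        [Environment]::GetFolderPath('CommonStartMenu'),
        (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')  # taskbar pins
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    $shell = New-Object -ComObject WScript.Shell
    $links = Get-ChildItem -Path $folders -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue

    foreach ($file in $links) {
        $lnk = $shell.CreateShortcut($file.FullName)

        # Skip shortcuts that do not target chrome.exe or carry no arguments.
        if ($lnk.TargetPath -notmatch '\\chrome\.exe$') { continue }
        if ([string]::IsNullOrWhiteSpace($lnk.Arguments)) { continue }

        $extra   = $lnk.Arguments   # keep the original value for the report
        $cleaned = $false
        if ($Clean) {
            try {
                $lnk.Arguments = ''
                $lnk.Save()         # all-users shortcuts need an elevated prompt
                $cleaned = $true
            } catch {
                Write-Warning "Could not rewrite $($file.FullName): $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Shortcut  = $file.FullName
            Target    = $lnk.TargetPath
            Arguments = $extra
            Cleaned   = $cleaned
        }
    }
}
```

Run `Find-ChromeShortcutArgument | Format-List` first to review what was found, then `Find-ChromeShortcutArgument -Clean`; afterwards restart Chrome and recheck the Command Line at chrome://version.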