Your computer is infected with malicious software? Do you have pop-ups on your PC?
If so, search this blog for removal instructions or browse computer threats by category.

Sunday, February 9, 2014

Remove “Installed by enterprise policy” Unwanted Chrome Extensions

Tell your friends:
"Installed by enterprise policy" unwanted or even malicious Chrome extensions are very often installed by adware and potentially unwanted programs (PUPs), for example DomaIQ. As you may already know, Chrome allows other programs on your computer to install browser extensions. Some of them are useful and others are malicious. Such extensions are managed and cannot be removed or disabled via Chrome's Extensions page. The issue is that they install themselves on your computer without your knowledge, and it's debatable how useful they actually are - you probably already have another program on your PC doing exactly what the PUP purports to do – only better. Worse of all, PUPs may mess with your computer's security. Let's take a malicious extension labeled YoutubeAdblocker 1.2. It can access you data on all websites including browsing activity. It can also manage and install other extensions and themes. Furthermore, it usually comes bundled with adware, PUPs and even spyware. So, if you found a rogue or malicious Chrome extension that cannot be removed delete icon is grayed out then then you can be pretty sure that your computer is infected with adware and even spyware. To remove extensions Installed by enterprise policy from Chrome, please follow the steps in the removal guide below.

But first thing's first: what are PUPs and rogue extensions? In short, rogue or malicious extensions are usually installed by PUPs. PUPs are programs that are sometimes added to your computer's operating system without your knowledge or express approval. The 'potentially' part comes in to play because whilst you can't really term a PUP a virus, due to the fact that some people do actually find them useful, they are still, in many cases unnecessary and unwanted.

PUPs can take on a number of guises - as mentioned they may be an extension, or perhaps they're a new home page or search engine. Either way, the choice was not yours, which in turn can make many people suspicious and rather resentful of their existence. After all, surely it's your choice, and your choice alone, what gets downloaded on to your PC.

So how did that PUP find its way on to my computer? Good question. Most PUPs including those that install rogue extensions labeled "Installed by enterprise policy" are bundled together with other software. This is a sneaky tactic used by the creators that ensure their malware or their website finds its way on to your machine - whether you like it or not! Other ways a PUP can infect you is if you've visited a website that has also been infected with the PUP, if you've watched a video online or downloaded wallpaper or emoticons (you know, smiley faces!) - these can also have laid you wide open to the unwelcome attentions of a PUP.

OK, I think I know how I need to avoid PUPs. Yes, you're quite right. To avoid being targeted, (and then annoyed!), by PUPs and rogue Chrome extensions you really do need to watch what you're downloading. And I'm not just talking about cheap looking websites that offer hot model or racing car wallpapers, those weird glittery graphics or crazy shaped cursors. No, you also need to pay attention when downloading reputable software or programs from established providers too as these may have been bundled with a PUP without the publisher's knowledge. The trick is to read the End User License Agreement carefully and don't just click 'OK' and whiz through the process. It really is worth taking your time now and saving yourself the hassle of having to uninstall those Potentially Unwanted Programs later - and you can trust us on that!

OK, so now you know how PUPs and malicious extensions installed by enterprise policy place are distributed and how to avoid them in the future. Let's cover how you could get rid of such extension and related malware. If you have any questions, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur,

Removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this infection. Hopefully you won't have to do that.

2. Remove rogue extension/PUP related programs from your computer using the Add/Remove Programs control panel (Windows XP) or Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control PanelAdd/Remove Programs.
If you are using Windows Vista or Windows 7, select Control PanelUninstall a Program.

If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".

Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.

3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following programs:
  • ggrreatsaver
  • SNT
  • WS-Enabler
  • WS-Supporter 1.80
  • YoutubeAdBlocker
  • UTuBerAodBlOacKeoR

If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.

Remove extensions "Installed by enterprise policy" from Google Chrome:

1. Click on Chrome menu button. Go to ToolsExtensions.

2. Enable Developer mode and take note of the unwanted extension ID shown below the extension title. Close Chrome browser.

3. Open the Registry Editor (regedit.exe).

4. Go to EditFind Next or hit Ctrl+F3. Enter the ID of the unwanted extension and click to find registry key associated with it.

5. Remove the registry key which has a Data value the same as the extension's ID which you noted or saved above (likely 1). Right click on the registry key and select Delete. Accept the warning by selecting Yes. Close Registry Editor.


6. Open Chrome browser once again and navigate to chrome://policy/. Click Show value under Chrome policies.

7. As you can see there's a path on your computer pointing to an extension update file. It is very important find the folder with the ID of the unwanted extension and delete it. Otherwise, it can reinstall itself.

In my case it was located in a folder named YoutubeAdblocker. Yours will be different of course. Delete the entire folder.

8. Unwanted extension’s files are stored in Chrome's default extensions folder as well. You need to delete the directory corresponding to the noted ID.

Windows Vista/7/8 users: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions

Windows XP users: %USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions

9. Finally, navigate to C:\Windows\System32\GroupPolicy\Machine (alternatively C:\Windows\System32\GroupPolicy\User).

Look for Registry.pol or other .pol files that reference the extension ID. To do so, simply open the file with Notepad. If it's the file you are looking for, delete it.

10. Last but not least, scan your computer with recommend anti-malware software. As I said, rogue browser extensions come bundled with adware and even spyware. Make sure you PC is clean.


Anonymous said...

Hello! I like your precise guide. I followed your guide step-by-step but up until Step 9, I used notepad to attempt to delete extension ID, but when I was about to save the (edited) file, it stated that Access Denied and barred me from deleting the extension ID.

I was wondering if you could help me out with this? Thank you very much!

Admin said...

Hi, You have to delete the Registry .pol file not to modify it. Delete the file not the extension ID in it. I used notepad in the removal guide to make sure that I'm deleting the right .pol file. So, I guess you found the Registry.pol file, opened it and confirmed that it stores the rogue extension's ID. Don't modify the file. Close and then delete it.

Anonymous said...


Thank you so much for your wonderful step by step guide. It was working great for me up until the step where you paste the ID into the Registry. When I do that it is not found. How do I go about fixing this? I double checked to make sure it is not typed wrong already. Thank you in advance!!!

Morgan Cameron said...

I actually ended up having like 5 of those extension things, thanks so much! This was a perfect guide, even though it took quite a bit for me hahah!

HoWeVeRmine said...

Hey, I've tried to enter the ID into the "Find next" in regedit over and over, and it doesn't take me to any file. When I go into "Google" there is no "Chrome" option, the only option being "Update."
What should I do? If you could help out, it'd be much appreciated!
Thank you!

Anonymous said...

I am not able to find the registry key itself , don't know why, it exists at all other places but no registry keys

Anonymous said...

Thank you so much. The guide was really useful for me.

Anonymous said...

Ahhhh, dude! Thank you so much. Worked like a charm. Totally bookmarking this site in the event this happens again. You're a baller.

Morgan Wyn-Jones said...

Thank you so much for this post. I really appreciate it. Ive had an extension bugging me for weeks and finally its gone.
thank you

Trinh said...

I got stuck at step 5 because I couldn't find the ExtensionInstallForcelist at all. It does not exist or something but the extention is still on my Chrome. There was no Chrome folder when I followed the link HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\ What can I do about it?

Mário Sena Lopes said...

Thank's a lot, your precise explanation was of great help for me. Mission 100% accomplished!

Anonymous said...

THANK YOU!!!!! I was about 5 minutes from Dragon punching this computer... My computer owes you it life... Thanks

Anonymous said...

I have the same problem as HoWeVeRmine please help

Anonymous said...

Okay so, I'm reading up about the malicious junk and all the bull >.> But NONE OF THIS helped me with my problem what so ever. Currently I have a extension called watchitnoads 2.1 or something like that. I looked in the control panel to look for an uninstall, I searched for the extension ID in the regedit. I tried various means of removal and I can't get the damn thing to go away. ANY IDEAS PLEASE. They would be very much appreciated.

Sarah M. Blanton said...

was able to find several files!! hopefully this worked...going to reboot and see what happens :)

Kate said...

Hey, I am having the exact same problem as several other people on here, it sounds like. I've followed all the instructions up to locating the ID in the registry. I've been working on this for more than four hours, and I may do something drastic. I've searched all over online, and found no responses to this particular problem. Please! Save me from catastrophic meltdown!

jeffl1024 said...

If you have a problem finding the files/registry keys, make sure it actually is an "enterprise policy" preventing you from uninstalling it by going to chrome://policy. If it says "No policies set.", then this probably isn't the problem.

Marcelo Corpuz said...

Any suggeated fix for the same issues in a Mac computer?

Matheo said...

I tried every other malware and scanning... nothing worked. This however worked perfectly! Thanks! :)

Anonymous said...

Hi I have a similar problem, with two weird extensions named MS updater and EverSave which have been installed by enterprise policy. It has set my chrome browser to use a proxy while trying to connect. Proxy is disabled. Chrome is my default browser. I have already tried the steps till 9. I could not do the 8 th step as i was denied access to documents and settings. I deleted registry.pol, and openeD chrome. The extensions weren't removed. And it's greyed out preventing me from disabling or deleting it. Pls help.

Anonymous said...

I was also denied access to documents and settings though I deleted registry .pol but both the extensions EVER SAVE and MS UPDATER are not yet removed plz help.

Anonymous said...

Just to anyone else using this guide in order to clear off an infection - if you don't have a registry key, it's probably in the group policy folder. That's where it was for me (in registry.pol, after opening it with notepad), and after deleting that it was fine.

Unknown said...

Evening guys. I too am able to get to step 5 then unable to locate anything in the registry. Policy name is extensioninstallforcelist and the value is a long string of letters then an address (https://clients. no point in going any further if I can't locate this in the registry.......any ideas