Forced Chrome extensions get removed, keep reappearing

Malwarebytes found a family of forced Chrome extensions that can’t be removed because of a policy change that tells users “Your browser is managed”.

In the continued saga of annoying search extensions we have a new end-of-level boss.

Victims have been reporting browser extensions that were removed by Malwarebytes, but “magically” came back later. Since the victims also complained about the message saying their browser was “managed”, we had a pretty good idea where to look.

custom search bar is one of the forced extensions

Search extensions

The culprits turned out to be search extensions, which is often the case when we spot potentially unwanted programs (PUPs) that use malware tactics to get installed and gain persistence.

The search hijackers “active search bar” and “custom search bar” were both available in the Chrome web store at the time of writing even though we reported them days ago.

active search bar is also available in the webstore


It took some digging to find the origin, since all we had were the extensions. And when the extensions were installed directly from the webstore, nothing happened out of the ordinary. However, some hunting on VirusTotal soon led me to a few recently uploaded PowerShell scripts that included the string “ExtensionInstallForcelist.” I looked for that string because we know from the past that these registry policies account for the “Your browser is managed” warnings.

$CPath = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist";

$EPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist";

The description in the Chromium documentation about the ExtensionInstallForcelist states:

“Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.”

And to confirm this finding, the victims that provided logs all had one of these PowerShell scripts listed in their Scheduled Tasks.

The Scheduled Task triggers the PowerShell script

The Scheduled Task was set to run every four hours, which explained why the extensions kept coming back.


But Scheduled Tasks don’t install themselves either and dropping PowerShell scripts in the System32 folder requires Administrator privileges, so we needed to dig a little further to find an installer.

The domain was used as a download location in all the PowerShell scripts so we used that domain as a search parameter in our next stage of VirusTotal hunting. This search eventually returned three installers. What they had in common at first glance was that the filenames all ended with “_x64LTS.exe” and that they were all signed by “Tommy Tech LTD.”

Upon further inspection we noticed that the installers all asked for Administrator privileges twice. The first part installs something that is called “Setup” and the second part installs an application that aligns with the name of the installer. So, it appears that the original installer files were “patched” to add the installer for our browser hijacker. It stands to reason that these installers are offered for download somewhere by the threat actors.

The EULA points to which is unreachable. I was unable to find an installer that actually dropped an extension in Edge, but the “Your browser is managed by your organization” setting does get enforced.

Edge managed by your organization


Malwarebytes customers were protected against these extensions, as Malwarebytes’ web protection module blocked the domain wincloudservice[.]com. On inspection, this domain hosted several JavaScript files, including heavily obfuscated files called crypto.js and crypto-js.min.js.

Detection and removal

Malwarebytes detects these browser hijackers as PUP.Optional.ActiveSearchBar and PUP.Optional.CustomSearchBar. The removal procedure covers both the extension and the Scheduled Task, which is enough to permanently get rid of the extension.

The installer also made some Windows registry changes; a system administrator will need to decide which of those to keep.

The registry keys to remove the “Your browser is managed” are:



And another change made by the installer was the registry value:


The installer set that to “Unrestricted”, which may not be your favorite setting. If you are not sure, or you have never actively set that policy, the default is “Restricted”. Please note that in some organizations PowerShell is required to run.
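As an added defensive check that is not part of the Malwarebytes post: a read-only PowerShell audit that lists the entries under the two ExtensionInstallForcelist policy keys from the dropped scripts, flags the two extension IDs from this post, reports the machine-scope PowerShell execution policy (assumed here to be the setting the post refers to), and lists scheduled tasks that launch a PowerShell script from System32. It changes nothing; run it from an elevated prompt.

```powershell
# Added read-only audit (not from the Malwarebytes post). Reports forced-extension
# policy entries, the machine-scope execution policy and PowerShell scheduled tasks.

# Extension IDs named in the post; the policy paths are the ones the dropped scripts used.
$KnownBadIds = @{
    'nniikbbaboifhfjjkjekiamnfpkdieng' = 'custom search bar'
    'pkofdnfadkamabkgjdjcddeopopbdjhg' = 'active search bar'
}
$ForcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

function Get-ForcedExtensions {
    foreach ($key in $ForcelistKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Each value is "<extension id>;<update URL>"; only the id matters here.
            $raw = [string]$item.GetValue($name)
            $id  = ($raw -split ';')[0].Trim()
            [pscustomobject]@{
                PolicyKey     = $key
                ValueName     = $name
                ExtensionId   = $id
                KnownHijacker = $KnownBadIds[$id]   # $null when not one of the two IDs
            }
        }
    }
}

function Get-PowerShellTasks {
    # Tasks whose action launches powershell.exe with a script under System32,
    # the persistence pattern described in the post.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            $_.Execute -match 'powershell' -and $_.Arguments -match 'System32'
        }
    } | Select-Object TaskName, TaskPath, State
}

Write-Host "Forced extensions (no output means no forcelist policy is set):"
Get-ForcedExtensions | Format-Table -AutoSize
Write-Host "Machine-scope execution policy (Undefined when never set; the effective default is Restricted):"
Get-ExecutionPolicy -Scope LocalMachine
Write-Host "Scheduled tasks running PowerShell scripts from System32:"
Get-PowerShellTasks | Format-Table -AutoSize
```

A forcelist entry that is not in the known list is not automatically bad: organizations legitimately force-install extensions, so compare the output with whatever policy your administrators actually deployed.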

PowerShell scripts:
custom search bar nniikbbaboifhfjjkjekiamnfpkdieng

active search bar pkofdnfadkamabkgjdjcddeopopbdjhg



  1. The next time I learn a blog, I hope that it doesn't disappoint me as a lot as this one. I mean, I know it was my option to read, however I truly thought you'd have something interesting to say. All I hear is a bunch of whining about something that you can repair when you weren't too busy on the lookout for attention.

  2. I am glad for writing to let you know what an excellent encounter my cousin’s princess had going through the blog. She picked up lots of pieces, not to mention what it’s like to have an awesome giving character to have other individuals with ease understand specific grueling subject matter. You actually did more than our expectations. Many thanks for coming up with the beneficial, dependable, educational and as well as fun tips on this topic to Mary.

  3. I’d must verify with you here. Which is not one thing I usually do! I get pleasure from reading a publish that will make individuals think. Additionally, thanks for permitting me to comment!
