Chrome Virus: “Recommended That You Update Java”

I was using Google’s Chrome browser. Suddenly I got a popup that said this:

The page at says:

It is recommended that you update Java to the latest version to view this page. Please update to continue.

A quick glance at that URL made clear that we were not, after all, talking about a recommendation from Oracle, the producer of Java. Here’s what I got from that website:


So, OK, I had something like a virus (strictly speaking, adware: a fake “update Java” prompt injected into pages you visit is a standard lure for getting you to install yet more unwanted software). Now, what was I supposed to do, to get rid of it? A quick scan with Malwarebytes Anti-Malware noticed nothing amiss. A search for text from the popup led to a site indicating that others had also recently encountered this virus.

I found a MalwareTips webpage with advice on how to proceed. Comments following that webpage indicated that some but not all users found it helpful. I decided to go ahead with its recommended steps.

First, that MalwareTips webpage (MTW) said that I should go into Control Panel > Programs and Features (or Uninstall a Program) and uninstall unrecognized programs. Examples offered included PriceMeter, Supra Savings, and Lollipop. The only thing I had that even came close was IObit Surfing Protection. I knew IObit as the creators of Smart Defrag, which I had used for years before uninstalling. I knew they could be pesky, but I seriously doubted they were responsible for this Chrome virus. Nonetheless, I did remove their Surfing Protection program. MTW said that the program that installed the virus might not actually be installed on my machine. That seemed to be the case for me.

Next, MTW said I should remove the virus ads from Chrome. (They also offered steps for other browsers, but I did not presently seem to need those.) The approach in Chrome was to go to Tools > Extensions (via the link on the right end of Chrome’s address bar) and remove similarly unknown and hokey-sounding items (e.g., RightSaver, PassShow). But here, again, I did not see any such items. I recognized — I had deliberately installed — all of the extensions listed.

The next step advised by MTW was to download and use AdwCleaner. A CNET review indicated that the program was legitimate — indeed, CNET ranked the program as No. 1 in its Popup Blocker category — so I did that. It implicated NCH Software, which I knew as the creators of Debut and other programs that I had used for some years. I did not think NCH was the culprit, so I unchecked those folders. More to the point, it identified folders for Linksicle, Spigot, and two Chrome extensions. It also identified two files. One appeared to be related to my default Firefox profile. I definitely saw no reason to remove that. The other was registry.pol. A search suggested that it might be OK to remove this in connection with an adware-elimination project. AdwCleaner also listed maybe 20 registry keys. Among these, in addition to some already indirectly discussed (involving, e.g., Firefox and Chrome extensions), I decided to remove keys related to Conduit, adawarebp (since I was no longer using Ad-Aware, though perhaps I should have been), and Re_Markit. From a search, I could not tell for sure whether to remove a PIP key. I decided to leave it alone for now. AdwCleaner listed something related to Surf Canyon; I decided to leave those lines as-is. (It was not clear whether AdwCleaner was going to remove what it found in that area; there was no checkbox.) Likewise regarding several lines listed under AdwCleaner’s tab for Chrome.

Having completed that review, I clicked AdwCleaner’s Clean button. It came up with a warning:

AdwCleaner – Closing programs

All programs will be closed in order to proceed correctly to the removal of the infections. Please save any work in progress and then click [OK].

I barely had time to register that when my AVG AntiVirus popped up a warning that it was prepared to wipe out AdwCleaner. I told it to allow that program instead. It said it would add it to its list of exceptions. I closed everything and clicked OK. AdwCleaner put up an “Informations” message that advised me, among other things, to enable detection of PUPs in my antivirus program. I clicked OK. Various things happened, and then I got another message, telling me that AdwCleaner was going to reboot the system.

After rebooting, AdwCleaner popped up a file listing what it had done. The contents of that file are appended below. Having finished running AdwCleaner, I investigated that AdwCleaner “Informations” message. A search led to indications that a PUP was a Potentially Unwanted Program. To enable detection of PUPs, I tried to follow advice from Kioskea for AVG (and other antivirus programs), but apparently AVG’s menus had changed. Instead, after some groping around, I went into AVG > Options > Advanced Settings > Computer Protection > AntiVirus > check “Report enhanced set of potentially unwanted programs.” I also checked similar options under AVG’s Email Scanner heading and for each item under its Scans heading. I suspected this was going to be overkill — I did not want AVG stopping me every time I tried to move — but for now I thought I might as well see how much hassle these steps would entail.

MTW (above) next advised me to use Malwarebytes Anti-Malware Free. This too felt like overkill — had I not already wiped out the Java Software Update virus? MTW showed what Malwarebytes looked like when it found this virus. But I had already been using Malwarebytes for regular scans — indeed, I had purchased the pro license — and yet Malwarebytes had not helped me in this case. It seemed the virus writers were staying busy. It looked like I might have to enable some additional settings, as I had just done in AVG. In Malwarebytes, I went into the Settings tab > Scanner Settings tab > Action for potentially unwanted programs (PUP) > change from default (“Show in results list and do not check for removal”) to “Show in results list and check for removal.” But that was nothing radical: I almost invariably checked all the results items for removal manually; this was just saving me that step. It appeared Malwarebytes had simply not caught this stuff that AdwCleaner had caught — though, of course, there might have been other items for which the reverse was true.

Finally, MTW advised me to “double-check for the Java Software Update virus with HitmanPro.” Maybe I had lost count: I was thinking we were now at the point of triple, not double, checking. But I hadn’t used Hitman Pro before, so I went ahead . . . at least until I found it would cost me $24.95 for its “second opinion” assistance. Still, they were offering a 30-day free trial, so I downloaded and ran it, just to see if it would detect anything that Malwarebytes and AdwCleaner had missed. After all, PC Mag gave it a fairly good review, after noting that its excellent competitors were free. When I ran it, I checked its settings. It was set by default to delete PUPs. The only alternative was Ignore. That made me nervous. HitmanPro did come with a default option to “Create a restore point before removing files,” and that was very nice, but I knew that restore points did not necessarily capture everything. Was Hitman going to show me what it found before it went about deleting things that I might not want deleted? I didn’t really feel like reconstructing my Windows installation in case the answer was no. I did a search for more comments or reviews. This led to a long thread that a more dedicated researcher would read word-for-word. On AlternativeTo, Hitman got only 30 likes, compared to 323 for Malwarebytes and 235 for AVG; Avast was the champ with 592. (Then again, Microsoft Security Essentials got 545 likes, despite a terrible recent virus detection record.) (See also Gizmo.) Editors gave Hitman 4.5 stars on Softpedia and five stars on CNET. Wikipedia indicated that the program’s developer had gotten into trouble by incorporating other companies’ antivirus programs without their permission, and that the current version was the first to try going it alone without that apparently unauthorized use. I decided, in the end, not to continue the potentially experimental Hitman search, and uninstalled the program. Or, more accurately, I deleted the downloaded executable: the program appeared to be a standalone.

That was the end of the steps advised by MTW. I hoped that I had succeeded in eliminating the virus without eliminating other programs or functionality that I wanted or needed. I expected to update this post if any further problems developed.

Here, in the meantime, are the results that AdwCleaner popped up after that reboot:

# AdwCleaner v3.307 - Report created 17/08/2014 at 19:10:28
# Updated 17/08/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Ray - ACER
# Running from : W:\Start Menu\Programs\Online\Security\Antivirus & Malware\adwcleaner_3.307.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
[x] Not Deleted : C:\ProgramData\NCH Software
[x] Not Deleted : C:\Program Files (x86)\NCH Software
Folder Deleted : C:\Program Files (x86)\Common Files\Spigot
Folder Deleted : C:\Program Files\Linksicle
[x] Not Deleted : C:\Users\Ray\AppData\Roaming\NCH Software
Folder Deleted : C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpegkgagfojjbcpkihigfmkojdmmimdf
Folder Deleted : C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehgldbbpchgpcfagfpfjgoomddhccfgh
File Deleted : C:\Windows\System32\GroupPolicy\Machine\Registry.pol
[x] Not Deleted : C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\vc47j7yk.default\user.js
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
[x] Not Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{d59ba74c-1d23-439e-8b3b-64c895083f46}]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bpegkgagfojjbcpkihigfmkojdmmimdf
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ehgldbbpchgpcfagfpfjgoomddhccfgh
[x] Not Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62155D33-3CE2-401E-8967-5A270628A3D5}
[x] Not Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{2AD2D8CA-D24D-40D2-A8FC-46952409BA9A}
[x] Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}
[x] Not Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62155D33-3CE2-401E-8967-5A270628A3D5}
[x] Not Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : HKCU\Software\AppDataLow\Software\Re_Markit
Key Deleted : HKLM\SOFTWARE\Conduit
[x] Not Deleted : HKLM\SOFTWARE\PIP
[x] Not Deleted : [x64] HKCU\Software\AVG Secure Search
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17239
-\\ Mozilla Firefox v26.0 (en-US)
[ File : C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\vc47j7yk.default\prefs.js ]
Line Deleted : user_pref("extensions.fvd_single.surfcanyon.ramp.start_time", "1394042667029");
-\\ Google Chrome v36.0.1985.143
[ File : C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\preferences ]
Deleted [Search Provider] : hxxp://{searchTerms}
Deleted [Search Provider] : hxxp://{searchTerms}
Deleted [Search Provider] : hxxp://{searchTerms}
Deleted [Startup_urls] : hxxp://
Deleted [Startup_urls] : hxxp://
Deleted [Extension] : bpegkgagfojjbcpkihigfmkojdmmimdf
Deleted [Extension] : ehgldbbpchgpcfagfpfjgoomddhccfgh
Deleted [Extension] : hbcennhacfaagdopikcegfcobcadeocj
Deleted [Extension] : mhkaekfpcppmmioggniknbnbdbcigpkk
Deleted [Extension] : pfndaklgolladniicklehhancnlgocpp
AdwCleaner[R0].txt - [3576 octets] - [17/08/2014 18:36:19]
AdwCleaner[S0].txt - [3968 octets] - [17/08/2014 19:10:28]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4028 octets] ##########
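The report above is a useful map of where this kind of adware persists on a Windows machine: extension IDs registered under HKLM\SOFTWARE\Google\Chrome\Extensions (which make Chrome pull an extension in without the user clicking anything), a Registry.pol in the local Group Policy store (which populates the HKLM\SOFTWARE\Policies keys that Chrome honours, including forced extension installs; chrome://policy shows the result), extension folders on disk, and hijacked startup URLs and search providers in the profile’s Preferences file. The following script is an added example, not code from the post or from AdwCleaner; it only lists those locations and deletes nothing, so it can be run before and after a cleanup to see what changed. It assumes PowerShell 3.0 or later (Windows 7 ships with 2.0, which lacks ConvertFrom-Json and Get-Content -Raw) and Chrome’s default per-user profile path; the registry and JSON key names are the ones Chrome is documented to use, with the search-provider key read in both its 2014-era and its newer layout.

```powershell
# Chrome persistence audit for Windows (read-only). Added example, not from the post
# or from AdwCleaner. Assumes PowerShell 3.0+ (ConvertFrom-Json, Get-Content -Raw,
# Get-ChildItem -Directory) and Chrome's default per-user profile location.
# Run from an elevated prompt so the HKLM keys are readable in full.

$userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'

# --- 1. Registry: "external extension" keys -----------------------------------
# Each subkey under ...\Google\Chrome\Extensions is named after an extension ID and
# carries either update_url (install from a web store) or path + version (install
# from a local .crx). Adware installers write these so Chrome installs the extension
# silently; the report above deleted two such keys.
$extKeys = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
    'HKCU:\Software\Google\Chrome\Extensions'
)
foreach ($k in $extKeys) {
    if (-not (Test-Path $k)) { continue }
    Write-Output "== $k"
    Get-ChildItem $k | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        '{0}  update_url={1}  path={2}' -f $_.PSChildName, $v.update_url, $v.path
    }
}

# --- 2. Registry: policy force-lists ------------------------------------------
# ExtensionInstallForcelist entries are numbered values ("1", "2", ...) whose data is
# "<extension id>;<update url>". A Registry.pol in the local Group Policy store is
# one way these keys get populated; chrome://policy shows whatever Chrome has applied.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
)
foreach ($k in $policyKeys) {
    if (-not (Test-Path $k)) { continue }
    Write-Output "== $k"
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { 'forced: {0}' -f $_.Value }
}

# --- 3. Disk: extension folders with the name from each manifest ----------------
# Match by ID, not by display name: the extensions page shows names, while the
# registry keys, folders and AdwCleaner lines are all keyed by the 32-letter ID.
$extDir = Join-Path $userData 'Extensions'
if (Test-Path $extDir) {
    Write-Output "== $extDir"
    Get-ChildItem $extDir -Directory | ForEach-Object {
        $manifest = Get-ChildItem $_.FullName -Recurse -Filter manifest.json |
            Select-Object -First 1
        $name = '?'
        if ($manifest) {
            $name = (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name
        }
        '{0}  {1}' -f $_.Name, $name
    }
}

# --- 4. Preferences: startup URLs, home page and default search provider -------
# These correspond to the [Startup_urls] and [Search Provider] lines in the report.
# Chrome has moved the search-provider settings between keys over the years, so
# both the older default_search_provider.search_url and the newer
# default_search_provider_data.template_url_data.url are read.
$prefFile = Join-Path $userData 'Preferences'
if (Test-Path $prefFile) {
    $p = Get-Content $prefFile -Raw | ConvertFrom-Json
    Write-Output '== startup URLs'
    $p.session.startup_urls
    Write-Output '== homepage'
    $p.homepage
    Write-Output '== default search URL'
    if ($p.default_search_provider) { $p.default_search_provider.search_url }
    if ($p.default_search_provider_data) {
        $p.default_search_provider_data.template_url_data.url
    }
}
```

Anything printed under sections 1 or 2 that you did not put there yourself deserves scrutiny, because those entries survive removing the extension from chrome://extensions: Chrome will simply reinstall it at the next start. Removing the registry key (and, for policy-driven installs, the policy) first, then the extension, is the order that sticks.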

A later post offers a workaround that seemed to help with some Chrome virus situations.


2 Responses to Chrome Virus: “Recommended That You Update Java”

  1. What a performance. I have the same issue but not your persistence. Mine is a corporate machine so it is time to request a re-image or maybe something newer.

  2. Hitman Pro runs fine as a free version. It will scan for free; you only need the paid version for cleanup. It is useful for pointing out detections, which you will have to manually uninstall (or use another product for cleanup). It does clean up some small tracking cookies or something for free. The 30-day trial gives you full cleanup, however. After a scan, it will show you the detections and you select the action to take.

    Use ESET Online Scanner. It’s one of the best engines and sigs, and offers cleanup. Hitman Pro is fast, though, so I use it for quick checks.
