[RKinner]

See if there are any Chrome policies:

 

In Chrome, open a new tab by clicking on the parallelogram  to the right of your current tabs.  Type

 

chrome://policy 

 

hit Enter 

 

Does it show any policies?

[Advertisements]

Applies to Level Source Policy name Policy value Status

Machine

Mandatory

Platform

CookiesBlockedForUrls

Show value

OK

Machine

Mandatory

Platform

ExtensionInstallForcelist

Show value

OK

Machine

Mandatory

Platform

JavaScriptBlockedForUrls

Show value

OK

[tl79]

Applies to Level Source Policy name Policy value Status

Machine

Mandatory

Platform

CookiesBlockedForUrls

Show value

OK

Machine

Mandatory

Platform

ExtensionInstallForcelist

Show value

OK

Machine

Mandatory

Platform

JavaScriptBlockedForUrls

Show value

OK

[tl79]

yes, 3.  The formatting in the last post didn't work, sorry about that!

[RKinner]

This is what I get:

 

 

On yours if you click on Show Value does it show a value?

[tl79]

i've attached a doc file with the 3 policies from a screen capture

[tl79]

Cookiesblockedforurls

 

[*.]100hot.com,[*.]7search.com,[*.]flyswat.com,[*.]focalink.com,[*.]gator.com,[*.]gatoradvertisinginformationnetwork.com,[*.]goclick.com,[*.]hightrafficads.com,[*.]hitbox.com,[*.]hitboxcentral.com,[*.]hitslink.com,[*.]hotlog.ru,[*.]8ad.com,[*.]hotnaughtywives.com,[*.]infinite-ads.com,[*.]internetfuel.com,[*.]link4ads.com,[*.]linkbuddies.com,[*.]linksynergy.com,[*.]lop.com,[*.]sckr.com,[*.]scrk.com,[*.]sdry.com,[*.]911promotion.com,[*.]seld.com,[*.]sfux.com,[*.]sheat.com,[*.]sipo.com,[*.]smds.com,[*.]srib.com,[*.]srox.com,[*.]srsf.com,[*.]ssaw.com,[*.]ssby.com,[*.]acecounter.com,[*.]surj.com,[*.]thko.com,[*.]wfix.com,[*.]wflu.com,[*.]ebch.com,[*.]ebdv.com,[*.]ebdw.com,[*.]ebjp.com,[*.]ebkn.com,[*.]ebky.com,[*.]activemeter.com,[*.]eblv.com,[*.]ebvr.com,[*.]ecwz.com,[*.]ecyb.com,[*.]eduy.com,[*.]eeev.com,[*.]ibmx.com,[*.]icwb.com,[*.]icwo.com,[*.]icwp.com,[*.]adbrite.com,[*.]iddh.com,[*.]idhh.com,[*.]ifiz.com,[*.]iguu.com,[*.]samz.com,[*.]saoe.com,[*.]sbjr.com,[*.]sbnl.com,[*.]sbnt.com,[*.]sbvr.com,[*.]adbureau.com,[*.]scbm.com,[*.]tbvg.com,[*.]tdak.com,[*.]tdko.com,[*.]tefs.com,[*.]tfil.com,[*.]torc.com,[*.]wbkb.com,[*.]mainentrypoint.com,[*.]mainentrypoint.net,[*.]adbutler.com,[*.]marketscore.com,[*.]marketscore.net,[*.]matchcraft.com,[*.]mediaplex.com,[*.]narrowcastmedia.com,[*.]offshoreclicks.com,[*.]opentracker.com,[*.]opentracker.net,[*.]overture.com,[*.]oxcash.com,[*.]adbutler.de,[*.]partnercash.de,[*.]paycounter.com,[*.]paypopup.com,[*.]ru4.com,[*.]pointroll.com,[*.]popupsponsor.com,[*.]popuptraffic.com,[*.]porntrack.com,[*.]porntracker.com,[*.]preferences.com,[*.]adbutler.net,[*.]pstats.com,[*.]questionmarket.com,[*.]radiate.com,[*.]realtracker.com,[*.]realtracker.net,[*.]res99.com,[*.]revenue.net,[*.]roispy.com,[*.]sex-in-www.com,[*.]sexlist.com,[*.]101webstats.com,[*.]addynamix.com,[*.]sextracker.com,[*.]smartadserver.com,[*.]smartclicks.com,[*.]smartclicks.net,[*.]specificpop.com,[*.]spermatrix.com,[*.]spylog.com,[*.]targetnet.com,[*.]targetnet.net,[*.]track-star.com,[*.]adengage.com,[*.]tradedoubler.com,[*.]trafficmp.com,[*.]trafficmarketplace.com,[*.]clickfinders.com,[*.]trafficsupport.com,[*.]trafficvenue.net,[*.]trakkerd.net,[*.]tribalfusion.com,[*.]utopiad.com,[*.]valuead.com,[*.]ad-flow.com,[*.]specificclick.net,[*.]valueclick.com,[*.]valueclick.ne.jp,[*.]valueclick.net,[*.]webads.com,[*.]webtrendslive.com,[*.]s005-01-4-11-234545-68181.com,[*.]wegcash.com,[*.]wegcash.net,[*.]xxxcounter.com,[*.]adforce.com,[*.]xxxtoolbar.com,[*.]yieldmanager.com,[*.]zedo.com,[*.]adhostingsolutions.com,[*.]adinterax.com,[*.]adjuggler.com,[*.]adlegend.com,[*.]ad-logics.com,[*.]adminder.com,[*.]123count.com,[*.]admodus.com,[*.]admonitor.net,[*.]admonitor.com,[*.]adorigin.com,[*.]adrevolver.com,[*.]ads360.com,[*.]ads360.net,[*.]adserver.com,[*.]adservingcentral.com,[*.]adtech.de,[*.]123counts.com,[*.]adtrak.net,[*.]advertising.com,[*.]advertserve.com,[*.]adviva.com,[*.]adviva.net,[*.]affiliatefuel.com,[*.]aggregateknowledge.com,[*.]aureate.com,[*.]atdmt.com,[*.]bankads.com,[*.]247realmedia.com,[*.]bannerbank.net,[*.]bfast.com,[*.]bluestreak.com,[*.]hyperbanner.net,[*.]bpath.com,[*.]bridgetrack.com,[*.]brilliantdigital.com,[*.]burstmedia.com,[*.]burstnet.com,[*.]casalemedia.com,[*.]247media.com,[*.]centrport.net,[*.]centrport.com,[*.]click2net.com,[*.]clickagents.com,[*.]comclick.com,[*.]cometcursors.com,[*.]cometcursor.com,[*.]cometcursors.net,[*.]cometcursor.net,[*.]commission-junction.com,[*.]realmedia.fr,[*.]commission-junction.net,[*.]cj.com,[*.]qksrv.net,[*.]qksrv.com,[*.]commissionpartner.com,[*.]coremetrics.com,[*.]coremetrics.net,[*.]counted.com,[*.]cpxinteractive.com,[*.]dbbsrv.com,[*.]2o7.net,[*.]directnetadvertising.com,[*.]directnetadvertising.net,[*.]directtrack.com,[*.]doubleclick.com,[*.]doubleclick.net,[*.]doubleclick.co.uk,[*.]engage.com,[*.]ads.enliven.com,[*.]epilot.com,[*.]e-plus.cc,[*.]7adpower.com,[*.]euniverseads.com,[*.]ezhits4u.com,[*.]falkag.com,[*.]falkag.de,[*.]falkag.org,[*.]fastadvert.com,[*.]fastclick.com,[*.]fastclick.net,[*.]findwhat.com,[*.]flycast.com  

 

Extensioninstallforcelist

 

dceidjjhomnclmfgflmjaomohekdgdgb;https://clients2.goo...ice/update2/crx  

 

Javascriptblockedforurls

 

[*.]intellitxt.com,[*.]kona.kontera.com,[*.]snap.com,[*.]text-enhance.com,[*.]textsrv.com,[*.]tcr.tynt.com,[*.]vibrantmedia.com

 

these are the 3 Policy Names with the values listed

[RKinner]

OK.  This policy is causing the reinstall:

 

Extensioninstallforcelist

 

dceidjjhomnclmfgflmjaomohekdgdgb;https://clients2.goo...ice/update2/crx  

 

 

 

Is there any way to remove it from that page?  Maybe right click?

 

It should really be in the registry either under HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist or HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist

 

Don't know why it's not showing up when we search registry.

 

Let's try another fixlist.

 

 

I've got to walk the dog so will be away for a few minutes.

 

 

 

[tl79]

All I see is show value or hide value.  I'll try the fixlist

[tl79]

Hope the dogs enjoyed their walk!  I've been trying to do about 5 things at once too!  here's the results of latest fixlist:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-06-2017

Ran by LLL (30-06-2017 16:46:09) Run:7

Running from C:\Users\LLL\Downloads

Loaded Profiles: LLL (Available Profiles: LLL & DefaultAppPool)

Boot Mode: Normal

==============================================

 

fixlist content:

*****************

REG: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" /s

REG: reg query "HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" /s

 

 

 

*****************

 

 

========= reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" /s =========

 

ERROR: The system was unable to find the specified registry key or value.

 

 

========= End of Reg: =========

 

 

========= reg query "HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" /s =========

 

ERROR: The system was unable to find the specified registry key or value.

 

 

========= End of Reg: =========

 

 

==== End of Fixlog 16:46:09 ====

[RKinner]

Just one dog and I don't think he liked it too much.  It's raining.

 

Let's try another tact.  We will add the bad guy to the blacklist and see which wins.

 

Try this fixlist:

 

 

Then restart Chrome and see if the cookie extension is still active

 

 

[tl79]

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-06-2017

Ran by LLL (30-06-2017 17:32:14) Run:8

Running from C:\Users\LLL\Downloads

Loaded Profiles: LLL (Available Profiles: LLL & DefaultAppPool)

Boot Mode: Normal

==============================================

 

fixlist content:

*****************

REG: reg add HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist /v 1 /t REG_SZ /d "dceidjjhomnclmfgflmjaomohekdgdgb" /f

 

 

 

 

 

*****************

 

 

========= reg add HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist /v 1 /t REG_SZ /d "dceidjjhomnclmfgflmjaomohekdgdgb" /f =========

 

The operation completed successfully.

 

 

 

========= End of Reg: =========

 

 

==== End of Fixlog 17:32:14 ====

[tl79]

re-started chrome cookies on-off 1.0.1 is still listed in extensions

[RKinner]

OK let's try this fixlist.

 

 

Supposedly it will remove the bit about being set by admin policy and allow you to remove the extension.

[tl79]

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-06-2017

Ran by LLL (30-06-2017 18:01:14) Run:9

Running from C:\Users\LLL\Downloads

Loaded Profiles: LLL (Available Profiles: LLL & DefaultAppPool)

Boot Mode: Normal

==============================================

 

fixlist content:

*****************

REG: reg add HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist /v 1 /t REG_SZ /d "dceidjjhomnclmfgflmjaomohekdgdgb;https://clients2.goo...ce/update2/crx"/f

CMD: rd /S /Q “%WinDir%\System32\GroupPolicyUsers” 

CMD: rd /S /Q “%WinDir%\System32\GroupPolicy”

CMD: gpupdate /force

 

 

 

 

 

 

*****************

 

 

========= reg add HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist /v 1 /t REG_SZ /d "dceidjjhomnclmfgflmjaomohekdgdgb;https://clients2.goo...ce/update2/crx"/f =========

 

The operation completed successfully.

 

 

 

========= End of Reg: =========

 

 

========= rd /S /Q “%WinDir%\System32\GroupPolicyUsers” =========

 

The filename, directory name, or volume label syntax is incorrect.

 

========= End of CMD: =========

 

 

========= rd /S /Q “%WinDir%\System32\GroupPolicy” =========

 

The filename, directory name, or volume label syntax is incorrect.

 

========= End of CMD: =========

 

 

========= gpupdate /force =========

 

Updating policy...

 

 

 

Computer Policy update has completed successfully.

 

User Policy update has completed successfully.

 

 

 

 

========= End of CMD: =========

 

 

==== End of Fixlog 18:01:25 ====

[RKinner]

Doesn't look like it worked.  Was there any change?