Fix: Unremovable “Apps” Extension in Edge or Chrome

Of late, many users are facing a problem where a rogue browser extension named “Apps” appears in Chrome or Edge. Also, the user is unable to remove the extension. Attempting to remove the extension via the registry or deleting the extension folder doesn’t help, as the extension is automatically installed whenever the user opens  Edge or Chrome.

(You may also see the Managed by your organization notice in Chrome and Microsoft Edge.)

The extension ID for the rogue extension may be one of the following:

• macjkjgieeoakdlmmfefgmldohgddpkj
• adakfdcjddkdjolfgopncdandijkdlde
• iglfjaeojcakllgbfalclepdncgidelo
• pejhfhcoekcajgokallhmklcjkkeemgj

And the extension shows up as “Apps” in Edge/Chrome. A note that reads “This extension is not from any known source, and may have been added without your knowledge.” appears at the bottom of the extension. The option to delete the extension is missing.

Cause

The above extension is installed by a crypto-malware that adds the ExtensionInstallForcelist and ExtensionInstallAllowlist registry-based policies to allow / force install the specific extension silently without user input. The files related to the malware extension are stored in one or both of the following locations:

%LocalAppData%\MicroApp\

%LocalAppData%\ServiceApp\

C:\apps-helper\

C:\app.crx

FYI, here’s are the VirusTotal report for this (“macjkjgieeoakdlmmfefgmldohgddpkj”) malware:

• 14c853a40f6e752de66dd981570cbfae5bb73728e2cb45e541d44f79e49d26a3
• a9d5c1acfe3af5f3ac2c4d7caf04da163b21a6f835ea0dfaf36a38b058e7f43e

Resolution

To remove the Edge/Chrome Apps extension, try the following:

Step 1: Run Malwarebytes

Download Malwarebytes Antimalware from https://www.malwarebytes.com/ and run a full scan.

The tasks MSEdgeUpdate (and/or ChromeUpdate) you see in the screenshot are rogue tasks. Eliminate all malware it finds.

---

Step 2: Cleanup the tasks, registry settings, and the extension folder

Malwarebytes should have cleaned up the rogue tasks and the dropped malware files. Anyway, it’s a good idea to do the cleanup manually (in addition). Follow these steps:

Open the admin Command Prompt and execute these commands one by one.

schtasks.exe /delete /tn "\MSEdgeUpdate" /f
schtasks.exe /delete /tn "\ChromeUpdate" /f
rd /s /q "%LocalAppData%\Microsoft\Edge\User Data\Default\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj"
rd /s /q "%LocalAppData%\Google\Chrome\User Data\Default\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj"
rd /s /q "%LocalAppData%\Microsoft\Edge\User Data\Default\Extensions\iglfjaeojcakllgbfalclepdncgidelo"
rd /s /q "%LocalAppData%\Google\Chrome\User Data\Default\Extensions\iglfjaeojcakllgbfalclepdncgidelo"
rd /s /q "%LocalAppData%\Microsoft\Edge\User Data\Default\Extensions\adakfdcjddkdjolfgopncdandijkdlde"
rd /s /q "%LocalAppData%\Google\Chrome\User Data\Default\Extensions\adakfdcjddkdjolfgopncdandijkdlde"
rd /s /q "%LocalAppData%\Microsoft\Edge\User Data\Default\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj"
rd /s /q "%LocalAppData%\Google\Chrome\User Data\Default\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj"
rd /s /q "%LocalAppData%\MicroApp"
rd /s /q "%LocalAppData%\ServiceApp"
rd /s /q "c:\apps-helper"
del c:\apps.crx /a
reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Edge\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj  /f
reg delete HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj  /f
reg delete HKLM\SOFTWARE\Microsoft\Edge\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj  /f
reg delete HKLM\SOFTWARE\Google\Chrome\Extensions\macjkjgieeoakdlmmfefgmldohgddpkj  /f
reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Edge\Extensions\iglfjaeojcakllgbfalclepdncgidelo /f
reg delete HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iglfjaeojcakllgbfalclepdncgidelo /f
reg delete HKLM\SOFTWARE\Microsoft\Edge\Extensions\iglfjaeojcakllgbfalclepdncgidelo /f
reg delete HKLM\SOFTWARE\Google\Chrome\Extensions\iglfjaeojcakllgbfalclepdncgidelo /f
reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Edge\Extensions\adakfdcjddkdjolfgopncdandijkdlde /f
reg delete HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\adakfdcjddkdjolfgopncdandijkdlde /f
reg delete HKLM\SOFTWARE\Microsoft\Edge\Extensions\adakfdcjddkdjolfgopncdandijkdlde /f
reg delete HKLM\SOFTWARE\Google\Chrome\Extensions\adakfdcjddkdjolfgopncdandijkdlde /f
reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj /f
reg delete HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj /f
reg delete HKLM\SOFTWARE\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj /f
reg delete HKLM\SOFTWARE\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj /f
reg delete HKCU\SOFTWARE\WOW6432Node\Policies\Microsoft\Edge /f
reg delete HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Edge /f
reg delete HKCU\SOFTWARE\WOW6432Node\Policies\Google\Chrome /f
reg delete HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome /f
reg delete HKCU\SOFTWARE\Policies\Microsoft\Edge /f
reg delete HKLM\SOFTWARE\Policies\Microsoft\Edge /f
reg delete HKCU\SOFTWARE\Policies\Google\Chrome /f
reg delete HKLM\SOFTWARE\Policies\Google\Chrome /f

Tip: You may also save all those commands in a Batch file and run the Batch file as administrator.

The above commands should remove the rogue extension.

---

Step 3: Run the Farbar scanner.

If the problem persists, do the following:

Download Farbar Recovery Scan Tool (FRST64.exe) from BleepingComputer.

• Run FRST64.exe and click “Scan”.
  
• Upload the two logs, FRST.txt and Addition.txt, to your OneDrive and share the link here so that a FixList.txt can be prepared.

(FRST64.exe doesn’t remove anything when you click “Scan.” It simply scans all the launch points, services, and drivers and lists them. After seeing the two logs, a FixList.txt need to be created to remove the malware entries.)