Chromeupdate.crx and Medfos.B Trojan


I am not exactly sure where to put this since it could be a legitimate infection or a false positive.

Microsoft Security Essentials active protection has been flagging chromeupdate.crx as a variant of the Medfos.B trojan. When I scan that file with SE, MalwareBytes, and ESET, nothing comes up, only in SE active protection.

I have done a full system scan using all three AVs listed above, nothing.

I have since uninstalled Microsoft SE and installed a trial of Nod32. Nod32 active protection does not flag this file as an issue, nor does a system scan come up with anything.

Here is a list of suspicious files:




The .json file was never flagged, but its registry key points to chromeupdate.crx

None of these files are on my other computers that have Chrome installed.

Uninstalling and reinstalling Google Chrome does not change anything. No other symptoms of an infection other than the flagged file.

Lastly, in the Google Chrome browser extensions list there is an extension that is called GoogleChromeUpdater that I am 99% certain is not legitimate. This last bit is what convinced me that this is not a false positive, but in fact an infection that is evading major AV programs.

Attached is a screen shot of the Google Chrome Extensions.

Any help is appreciated. Thank you.



Hello fatfett,

A beginning observation: Whenever one might suspect an infection or even a false positive, one can always scan the questionable file(s) using some online resources. Switching out an antivirus is generally not a good idea....until you have proved that it is really called for.

There is such a thing as a legitimate Googleupdater.

Submit your questionable files (upload for analysis) at http://www.virustotal.com/en/indexf.html

and http://virscan.org/index.php

and let us know what the results are.


Thank you Maurice Naggar for your response and thank you for the online resources. VirusTotal does not come up with any indication of an infection. Virscan comes up with an infection of Trojan: JS/Medfos.B under Microsoft only and nothing else.

While I am no expert, and while ChromeUpdateManager may be a legitimate extension, I feel it is not. Considering the only results for a search of "ChromeUpdateManager" come up with threads about viruses and the logo of the extension appears very inconsistent compared to Google's other products, I believe this is something to be concerned about.

And to give you a little background, I have been dealing with this for a few days now. I did not switch out Microsoft SE for Nod32 on a whim, I did it after considerable research and various basic procedures in dealing with viruses.

In my research I came up with this thread: http://social.technet.microsoft.com/Forums/en-US/FCSNext/thread/c28665c4-8786-4549-9b51-3d513474b3e0, which is the exact same issue I have been having. It appears that some solutions have been to reinstall Java and to update the virus definitions. I do not have Java installed and I have updated virus definitions beyond the version stated in this thread and I still have the problem.

So, in summary, a Google search gives me no indication that chromeupdate.crx and ChromeUpdateManager extension are legitimate. And, there IS an indication that they may be ILLEGITIMATE from the results of a Google search, Microsoft SE, and Virscan.org (however Microsoft is the only source that claims this is a trojan).

I am not incredibly concerned with this, it is mostly annoying. But it makes me wonder how this file appeared out of nowhere, why the extension appeared out of nowhere and why it looks out of place (again neither the extension nor the file are on other computers with Chrome installed), and why Microsoft seems to claim this as a trojan while no other AV does.


I suggest you delete the occurrences of chromeupdate.crx.

Then make a Chrome update check/run.

Then do a full scan of your system with NOD32.



I have been struggling with this issue for the past couple of days. Is there a way to solve this issue? Any suggestion will be helpful....


Hello UdayArveti and welcome to MalwareBytes forums,

You should provide enough details on your system & its specific problem issues.

What is your Windows version?

Did you run a Full scan with MBAM?

A full scan with your antivirus?

Is the problem issue in Chrome browser? Or in another browser?


Hi Maurice,

My machine is currently running on Windows 7. I tried scanning my PC with Kaspersky Internet Security 2012 and also with Microsoft Security Essentials. When doing so Kaspersky is not able to recognise chrome update crx as a malware but when doing with MSE it is giving an issue saying the below:


Category : Trojan

Description: This program is dangerous and executed the commands by attacker

Recommended Action: Remove this soft ware immediately.


Container File: C:/Users/[username]/AppData/Local/chromeupdate.crx

file: C:/Users/[username]/AppData/Local/chromeupdate.crx --> manager.js

Even after removing that trojan it pops after every 7 minutes in MSE browser. Not sure what has to be done with this?

Finally I uninstalled Chrome from the PC, though even that didn't solve my problem. I think there is some script which gets executed at startup of my machine that causes this. Manually removing this chromeupdate.crx file also doesn't help me. Also I have deleted the Chrome registry keys manually. No luck with all these things!!!! :(

Please suggest how to take this fwd?

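The MSE alert in the post above names a container and a member inside it (chromeupdate.crx --> manager.js). As an added example that is not part of the original thread, the following Python script unwraps a CRX container and lists its members and the scripts its manifest declares, without loading anything into Chrome. The function names, the sample bytes and the sample manifest are constructed for illustration; the header handling follows the CRX2 and CRX3 layouts.

```python
import io
import json
import struct
import zipfile

def crx_zip_offset(data: bytes) -> int:
    """Return the offset of the ZIP payload inside a CRX2 or CRX3 container."""
    if len(data) < 16 or data[:4] != b"Cr24":
        raise ValueError("not a CRX container (missing Cr24 magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:    # magic, version, public-key length, signature length
        pub_len, sig_len = struct.unpack_from("<II", data, 8)
        offset = 16 + pub_len + sig_len
    elif version == 3:  # magic, version, length of the signed header
        offset = 12 + struct.unpack_from("<I", data, 8)[0]
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if offset >= len(data):
        raise ValueError("truncated CRX: header lengths exceed file size")
    return offset

def triage_crx(data: bytes) -> dict:
    """List the archive members and the scripts the manifest asks Chrome to run."""
    with zipfile.ZipFile(io.BytesIO(data[crx_zip_offset(data):])) as zf:
        names = zf.namelist()
        manifest = json.loads(zf.read("manifest.json")) if "manifest.json" in names else {}
    background = manifest.get("background", {})
    scripts = list(background.get("scripts", []))
    for entry in manifest.get("content_scripts", []):
        scripts.extend(entry.get("js", []))
    return {"name": manifest.get("name"), "files": sorted(names),
            "scripts": scripts, "permissions": manifest.get("permissions", [])}

def build_sample_crx2() -> bytes:
    """Constructed CRX2 sample: dummy key/signature, inert placeholder script."""
    manifest = {"name": "Sample Extension (constructed)", "version": "1.0",
                "background": {"scripts": ["manager.js"]}, "permissions": ["tabs"]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("manager.js", "// placeholder, no real code\n")
    pub, sig = b"\x00" * 8, b"\x00" * 4
    return b"Cr24" + struct.pack("<III", 2, len(pub), len(sig)) + pub + sig + buf.getvalue()

if __name__ == "__main__":
    report = triage_crx(build_sample_crx2())
    for key, value in report.items():
        print(f"{key}: {value}")
```

To triage a real file, pass its bytes (read in binary mode) to `triage_crx`; nothing in the archive is executed.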

You should only have 1 active antivirus program. If you did not buy Kaspersky, then uninstall Kaspersky and reboot.

If you did buy and have a current license for Kaspersky, then uninstall MS Security Essentials and reboot/restart the system.

Tell me which one you kept. Having more than 1 active antivirus program will lead to deadlocks.

Next, uninstall Chrome browser, and restart the system.

Then get a new Chrome browser and do the setup ..... if you want to have Chrome browser.

You may instead, consider either Opera or Safari browser.

Save and close any work documents, close any apps that you started.

Temporarily turn off (disable) your antivirus program.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Tell me, How is the system ?

Re-enable your antivirus program.


Thanks for your reply Maurice.

Currently I have only one antivirus running in the system which is MSE. I have uninstalled Chrome and restarted my system. Currently I don't have traces of Chrome in my system.

Where can I get this MBAM MalwareBytes' Anti-Malware? Can you please direct me?


I have stopped all the antivirus programs which have been running....After doing so I have uploaded the chromeupdate.crx file for scanning on the VirusTotal site....

And two malware programs have determined this file as malicious...One is MSE and other is AntiVir...

MalwareBytes Anti-Malware hasn't detected it as a Virus....Please let me know what needs to be done over here...



Malwarebytes (MBAM) has NOT detected a "virus". MBAM has detected a trojan as Microsoft defined with the detection of; Trojan:JS/Medfos.B

Which means a Trojan JavaScript (JS) named "Medfos" version B

Please read -- I'm infected - What do I do now?

Then create a post in -- Malware Removal - HijackThis Logs


Cheers & Thank you, David.

Closing this thread to prevent any further me-too posts.
