One of the users at the charity I work for has a problem where exactly every 30 minutes Chrome and Edge will shut down. Windows 11 Pro. You can open them again and restore the pages. It's the same with an Incognito window.

I have run Malwarebytes and Defender and both came up with nothing (well, two unwanted set-up programs, now removed).

There is a peculiar extension in both Edge and Chrome though. I have tried removing it and it just keeps coming back. See screenshots attached. Could it be that? Nothing odd in startup, and I did look at scheduled tasks but the list is massive.
Any ideas?


6 Spice ups

I believe that is a browser hijack extension.

Check here

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist

And rename/remove the file in C:\ProgramData\bitsearchdefender

Finally, confirm there is no policy to force-load this extension:

chrome://policy

Look for the name or ID.

3 Spice ups
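The three checks above (forcelist registry keys, the ProgramData folder, the policy page) can be run in one go from an elevated PowerShell prompt. This is an added example, not code from the thread: it reads the Chrome keys named above plus the equivalent Edge keys (HKLM/HKCU\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist, assumed here because the OP says Edge shows the same extension), prints each forced extension ID and update URL, and quarantines the folder by moving it rather than deleting it so its contents can still be inspected.

```powershell
# Added example (not from the original thread). Run from an elevated prompt.
# Reports force-installed extension policies for Chrome and Edge and
# quarantines the ProgramData folder named in the thread.

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    # Edge paths assumed by analogy with the Chrome ones; not named in the thread.
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        Write-Host "[ok]     $key not present"
        continue
    }
    # Each value under the key is "<32-char extension id>;<update url>".
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $id, $url = ("$($p.Value)" -split ';', 2)
        Write-Host ("[FORCED] {0}`n         id={1} update_url={2}" -f $key, $id, $url)
    }
}

# The folder the extension is loaded from, per the thread.
$dropFolder = 'C:\ProgramData\bitsearchdefender'
if (Test-Path $dropFolder) {
    Write-Host "[FOUND]  $dropFolder"
    Get-ChildItem -Path $dropFolder -Recurse -Force |
        Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

    # Move, don't delete: keep the payload for inspection (hashes, manifest.json).
    $quarantine = "$dropFolder.quarantine-$(Get-Date -Format yyyyMMddHHmmss)"
    Move-Item -Path $dropFolder -Destination $quarantine
    Write-Host "[moved]  $dropFolder -> $quarantine"
} else {
    Write-Host "[ok]     $dropFolder not present"
}

Write-Host "Now open chrome://policy and edge://policy and look for the extension ID."
```

HKCU is the hive of whoever runs the script, so run it in the affected user's session (or check their hive under HKU:) rather than only as an admin account. chrome://policy and edge://policy also show extensions forced through other policies than the forcelist, which is why the manual check on the page is still worth doing even when the four keys are empty.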

Hi Rod

Thanks. I deleted the folder above and that fixed it until a restart, and it's back again. I can't see anything obvious in startup and there are no Chrome policies that I can find, either in Regedit or chrome://policy. Edge is exactly the same.

1 Spice up

What AV is this device using?

2 Spice ups

Just standard Windows Defender (Win 11 Pro).

1 Spice up

Thanks, but it's clearly something more serious than that, given it's been pinpointed to an extension that reinstalls itself on startup or sign-in even after removing its data folder. Reinstalling Chrome and Edge won't fix it either, I suspect. It will just reappear.

1 Spice up

Then do an AV and malware scan on the machine… in case the user has installed some weird software or weird tools, or the machine has been infected?

You can easily Google the name of the extension and see the steps to remove the malware from the machine, then from the browsers.

2 Spice ups

As said, none of the malware tools pick it up, but using Procmon I think I have just found it: it's being generated by protector.exe.

1 Spice up

What are you using? protector.exe is malware, in a way…

2 Spice ups

> adrian_ych: What are you using? protector.exe is malware, in a way…

I'm running a process find at the moment to try and find out where protector.exe launches and creates the bitsearchdefender folder. I left it running two hours ago; I had to go out. Removing it seems impossible. Will update when I get back.

2 Spice ups
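Finding where protector.exe is launched from is a persistence hunt: search every common autostart location for the names involved rather than scrolling a "massive" task list by hand. This is an added example, not the OP's script or anything from the thread. The only inputs it takes from the thread are the two strings `protector` and `bitsearchdefender`; everything else (the locations checked, the read-only reporting) is a generic sweep. It does not remove anything.

```powershell
# Added example (not from the original thread). Read-only sweep of autostart
# locations for the names seen in the thread. Run elevated, in the affected
# user's session so HKCU is their hive.

$patterns = 'protector', 'bitsearchdefender'          # strings from the thread
$rx = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit($where, $what) {
    $hits.Add([pscustomobject]@{ Location = $where; Detail = $what })
}

# 1. Running processes, with parent PID so the launcher can be traced.
Get-CimInstance Win32_Process |
    Where-Object { "$($_.Name) $($_.CommandLine)" -match $rx } |
    ForEach-Object { Add-Hit "process pid=$($_.ProcessId) ppid=$($_.ParentProcessId)" $_.CommandLine }

# 2. Run / RunOnce keys, machine and current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Name) $($_.Value)" -match $rx } |
        ForEach-Object { Add-Hit $k "$($_.Name) = $($_.Value)" }
}

# 3. Winlogon Shell/Userinit: a launcher chained in here runs at every sign-in.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($n in 'Shell', 'Userinit') {
    if ("$($wl.$n)" -match $rx) { Add-Hit "Winlogon\$n" $wl.$n }
}

# 4. Scheduled tasks, matched on what they execute, not just their name.
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ("$($t.TaskName) $($a.Execute) $($a.Arguments)" -match $rx) {
            Add-Hit "task $($t.TaskPath)$($t.TaskName) [$($t.State)]" "$($a.Execute) $($a.Arguments)"
        }
    }
}

# 5. Services.
Get-CimInstance Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $rx } |
    ForEach-Object { Add-Hit "service $($_.Name) [$($_.StartMode)]" $_.PathName }

# 6. WMI permanent event subscriptions: survive sign-out and reboot and are
#    invisible to Task Scheduler, msconfig and the Startup tab.
foreach ($cls in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace root\subscription -ClassName $cls -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Name) $($_.CommandLineTemplate) $($_.ScriptText)" -match $rx } |
        ForEach-Object { Add-Hit "WMI $cls $($_.Name)" "$($_.CommandLineTemplate)$($_.ScriptText)" }
}

# 7. Add/Remove Programs entries: the UninstallString points at the installer.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninst -ErrorAction SilentlyContinue |
    Where-Object { "$($_.DisplayName) $($_.UninstallString) $($_.InstallLocation)" -match $rx } |
    ForEach-Object { Add-Hit "uninstall $($_.PSChildName)" "$($_.DisplayName) :: $($_.UninstallString)" }

# 8. Startup folders.
$startup = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem $startup -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $rx } |
    ForEach-Object { Add-Hit 'startup folder' $_.FullName }

if ($hits.Count -eq 0) { "No references to $($patterns -join ', ') in the locations checked." }
else { $hits | Format-Table -AutoSize -Wrap }
```

Run it once while protector.exe is alive (so step 1 reports its path and parent) and once right after killing it and signing back in, and compare. A dropper that renames itself will not match these two strings, so treat an empty result as "not found in these places", not as clean; the Procmon trace the OP already has (process tree at the moment the folder is recreated) remains the ground truth.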

So it was malware?

2 Spice ups

It seems so, but I am having a hell of a job getting rid of it. ChatGPT has been helpful identifying it, but it's now suggesting I run the Farbar Recovery Scan Tool (Download Farbar Recovery Scan Tool).

1 Spice up

And you confirmed the registry keys I provided?

2 Spice ups

Yes, sorry. Nothing in either of those.

1 Spice up

If it's malware, the safest thing to do is back up the data and reinstall the OS. Otherwise you're going to play whack-a-mole for ages.

2 Spice ups

It's in Control Panel > Add/Remove Programs, called "Windows protector". You can remove it, but as soon as you sign out or reboot it's back again. Nothing can get rid of it: not Malwarebytes, Kaspersky, etc. If you remove it and kill its processes the browsers work, but as soon as you sign out it's back, and so is the bitsearchdefender folder in ProgramData.

Trouble is, this is a key PC in the UK and I'm in France remoting into it, and I won't be back for a few months. I can't do an OS reinstall from here. I presume setting up a new user account won't work?

1 Spice up

Win 10/11: you can do a "reset" and kick it off remotely, but unless you use something like Intune/Autopilot you'll still be sitting with an empty new Windows install (the reset would have to take it back to the start to remove this). Setting up a new user on a machine infected like this will not work.

Can you setup a new machine where you’re at and ship it to them? Is there an on-site tech or MSP locally who can follow instructions?

It's not too bad, as they use Office 365 and everything is in OneDrive. There might be another PC I can get them to use, if there is one spare, until I get back and can fettle it properly. Otherwise, if we reset that one it's going to need someone on-site to assist. It's possible.

Alternatively they just live with it. As long as you remove the bitsearchdefender folder the browsers work. Far from ideal though. Looks like it got in on the 22nd of June.

1 Spice up

That's a tough spot to be in. Hopefully they'll have some spare hardware on hand you can get them up on until you're back. Good luck!

1 Spice up

I mean, who knows what it's doing while you leave it alone: could be scraping passwords, banking info, whatever. Could be used as an entry point for a larger ransomware attack that spreads laterally on the network. I'd suggest that leaving it online is a bad idea even if you don't have an instant replacement.

2 Spice ups