How to remove NebulaNanoel Extension from Chrome and other browsers

We created this page to address a malware infection with a fake extension called NebulaNanoel. If you are reading this, you are probably bombarded with redirects to sites like Boyu and fake bing searches. There is also another extension that serves the same purpose as this one. It’s called Fortyfy. The NebulaNanoel extension specifically targets chrome users but we designed the guide to be compatible with other browsers in case this changes.

At any rate, the guide below is guaranteed to work. We tested it.

NebulaNanoel is missing from the Chrome web store.
NebulaNanoel is completely illegitimate and does not appear in the Chrome Web Store.

NebulaNanoel Extension Removal Guide (for Chrome)

We hope you did not press allow for any push notifications if you were asked to do so. This gives NebulaNanoel further leverage to tamper with your system. But we will deal with this later.

Note: We are showing Chrome for the guide, but the same applies for other Chromium-based browsers like Edge and Brave, if it turns out they are infected as well. For example when we tell you to type chrome://extensions, just substitute your browser name for “chrome” (e.g. edge://extensions) and it’s the same.


Type Browser Hijacker
Detection Tool

First off, the NebulaNanoel extension enforces an active policy. Modern hijackers use this to prevent you from removing any URLs and search engines they want to redirect you to. 

They do so through a “managed by organization” state typically reserved for work networks that don’t want you to have full admin privileges. We need to remove such a state before we can make changes.

Start up Chrome and enter chrome://management/ in the address bar. If anything is enforced on you, you are locked out of some settings.

AD 4nXf 2roDeASszPKX3ewNjekMUW7F HVkCAITE0TBJ2Ztv2 S7n5NURVW7ZQAnjX9SsFHKcnfOZ5sojlU5smE7Rta23eeUeRXd6uQyBKo J15g8C5wGwBZEQ86g5KR 5174UGqh3KiU4jd4PDcVeyTzg7NSrO?key=kFCQ 78aELoAz7EcUhJPkQ

Take notice of what shows up on that screen and don’t do anything yet.

The next stop is to check whether you have in your browser any suspicious extensions. Type and enter chrome://extensions/ in the address bar. 

AD 4nXf2iDPugIAdbPZOtHIvgUfbwAQ8vhGK4 YFFHnvbdss02zeS7t0aNAo75S NK XJX0IrU7UgDcsE8dqVubap3Shi37ypq01o6t LMwkDGkX6RoQDdfMNyHVLrlo WdcfZoDH3ljkaA4URmENy6lD8BpdAdY?key=kFCQ 78aELoAz7EcUhJPkQ

Look for anything you haven’t seen before and/or it has the “Remove” button greyed out. Such extensions drive the redirects. Don’t even read their “details” tab, just exercise common sense and remove anything you don’t like. If it’s legitimate, you can put it back on later. If anything showed up in the previous step, you can look for it here.

At the top right of the Extensions page turn on “Developer Mode.” You will now be able to see the dedicated ID of any extension. AD 4nXcCcj6jBHKjC0Aw00O 0re5b9B3TSG ObdASjrWzMJsGVzgxtz0tYdr0sDdhSQyGv83XCT38lI7C8AOP8difWOCBoqWrnJxhUtW5S96fvE1FaSW3QNPJGEScNmqWqs7Im5tMiL54sAi2oAEZ4ql6iVneBG0?key=kFCQ 78aELoAz7EcUhJPkQHighlight and copy the ID of anything infected with Ctrl+C. Store the IDs in a text editor, you will need them later.

AD 4nXeLvlMjGvDxUGCgvFjqkN3o40iHZ8UVhM1nDfTbWsnDFSMmOqbFITSQ7N0sQMnlRXWCm TglqurOxZJhUMPAy5STy5K4MtCoufgztuHFRaBtHqCCyVzSX8HLuS8V0bLT0h0141P3tmfkWvpTnYVEw5Xh9HK?key=kFCQ 78aELoAz7EcUhJPkQ

The last places to check are your Search Engine and On Startup tabs. 

Type and enter chrome://settings/ in the address bar. You want to look at the tabs I highlighted.

AD 4nXc74uTJnn81y67QOfrUYdVhIuKz9dGcnZGP8aioQUyWBROWUtSuHx5t27KwiQF3YwqlGG1bdIn GmRT L31pcCeTgA9xuOgz1j058Yyicp1fXcOnQLgvWmBbty2IaDMfp0xUL22KOE JTmsp4qe CTB9ORD?key=kFCQ 78aELoAz7EcUhJPkQ

Look, I’m not going to state obvious stuff here, but take a look at what these are set set as. If a search engine can’t be removed and has “details” next to the name, then it is enforced by an “organization” again. Similarly, The On Startup tab can be set to a specific page or tab – take note of these. 

After we remove the managed by organization state, you’ll have to go back to these settings to fix them. You just can’t right no while they are locked.

Remove NebulaNanoel with the Group Policy Editor

Type Edit Group Policy in the Windows Start Menu, open it, and expand the Computer Configuration entry.

  1. Right-click on Administrative Templates and click Add/Remove Templates.
  2. If you see any items in the list that shows up, select them and select Remove.
  3. Restart the PC, then Chrome. See if the settings you saw earlier are still locked. If they aren’t you should change the settings and remove the NebulaNanoel extension. After that we recommend going through the registries (the step below) or it may return.

Deleting NebulaNanoel from the Registry

If you clean the Group Policy Editor NebulaNanoel’s entries should be gone. But that doesn’t mean anything it installed aside from itself is gone as well, since not all malware use the managed organization state. We urge you to check the registries. Take note of all the extensions ID’s you wrote down earlier. Now is the time to search for them.

  1. First, go into your browser and visit one of the following URLs depending on what browser you are using: chrome://policy for Chrome.
  2. See if there is a policy with a Value that consists of letters and/or numbers.
  3. If there is, copy its value and story it for later.
  4. Now go to your Registry (type regedit in the Start Menu, right-click the Editor > Run as administrator).
  5. Press Ctrl + F and paste and ID you wrote until now, one by one. If you find anything, delete it. You can’t mess up badly here. You will only delete whatever this ID does – which is part of the malware.
  6.  Repeat the search, delete the next item, rinse and repeat until no more search results are shown.

Now that the Registry is also cleaned, your browser should no longer be locked by any rogue thrid-party policies. Restart your PC and check if the browser is free. If it’s not, you’ve probably missed something. We recommend downloading an anti-malware program.

Clean up NebulaNanoel’s leftover parts from Chrome

These are some additional steps to clean up Chrome. If you are on another browser, the steps are the same, only certain names and placements might be different. But the method should be consistently the same throughout.

  1. Start Chrome and navigate to Extensions, and Remove anything unwanted you couldn’t earlier. 
  2. Open the Chrome menu again, and go to Settings > Privacy and Security.
  3. Select Delete browsing data > Advanced, leave only Passwords unchecked, and click Delete Data.
  4. Go to the Privacy and Security tab —> Site Settings —> Notifications. We recommend checking Don’t allow sites to send notifications under Default Behavior. I frankly don’t know who would want to receive notifications and why this isn’t the default setting.

Also go through the settings in the earlier steps and restore these to the defaults. I’m talking about stuff in Search Engine and On startup. If anything there was changed, you should now be free to modify it.

About the author


Nathan Bookshire

Leave a Comment