Solved Google search via address line of Google Chrome redirects to search, that seems to be yahoo-search

NLio

New Member
Thread author
Feb 9, 2025
15
Hey guys,

I hope you can help me, as I'm really no specialist...

Since Thursday February 6th, whenever I do a google search via the browser address line, it redirects me to a search site, that clearly isn't google.
The problem does not appear if I first go to Google via the address line and then do my search.


My normal virus scanner (Avast Premium Security) as well as Malwarebytes and HitmanPro couldn't solve the issue.

I really hope you can help me with this.
 

Attachments

  • Malwarebytes Scan-Bericht 2025-02-09 061921.txt
    1.4 KB · Views: 3

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Hello..! Welcome to MalwareTips..! :)

My name is icotonev and I'm here to help you remove malware ..! Before we begin, please note the following:
  • First, please keep in mind most of us at MalwareTips volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.
  • It is important to not run any tools or take any steps other than those I will provide for you. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.
  • Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.
  • Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
  • Please attach all logs into your post unless otherwise requested.
  • When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
  • If you do not reply to your topic after 5 days I will assume it has been abandoned and I will close it.

Please follow the following instruction ..:

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.
If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
---------------------------------------------------

In your next reply, please include:
  • FRST.txt
  • Addition.txt
 

NLio

New Member
Thread author
Feb 9, 2025
15
Hello icotonev,

here are the scans.
 

Attachments

  • FRST.txt
    55.6 KB · Views: 5
  • Addition.txt
    37.6 KB · Views: 2

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Thank you..! :)

AV: Malwarebytes (Enabled - Up to date) {0D452135-A081-B000-D6B6-132E52638543}
AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: McAfee VirusScan (Enabled - Up to date) {F682A51C-4EAD-6A3A-F460-B9C1D4A2DB09}
AV: Avast Antivirus (Enabled - Up to date) {EB19B86E-3998-C706-90EF-92B41EB091AF}
FW: Avast Antivirus (Enabled) {D322394B-73F7-C65E-BBB0-3B81E063D6D4}
FW: McAfee Firewall (Enabled) {CEB92439-04C2-6B62-DF3F-10F42A719C72}

Please uninstall McAfee using the following instruction:

  1. Download the MCPR tool.
  2. Double-click MCPR.exe.
  3. If you see a security warning, click Yes, Continue, or Run (depending on your version of Windows):
  4. On the McAfee Software Removal screen:
    1. Click Next.
    2. Click Agree to accept the End User License Agreement (EULA).
  5. In the Security Validation screen:
    1. Type the characters exactly as shown on your screen. Validation is case-sensitive.
    2. Click Next. This step prevents the accidental use of MCPR.

  6. Wait for the MCPR tool to complete. This might take 20 minutes or more, depending on your type of PC.
  7. When you see Removal Complete, the MCPR tool has completed successfully. Restart your PC to complete the removal process.




Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone

Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.

  • Copy/paste the following in the Search: box
Code:
Searchall: McAfee VirusScan;McAfee Firewall;McAfee

  • Click Search Files button
  • When completed click OK and a Search.txt document will open on your desktop
  • Attach the report in your reply. If the file is too large zip and upload it here.

In your next reply, please include:
  • Fixlog.txt
  • Search report
 

Attachments

  • fixlist.txt
    5 KB · Views: 4

NLio

New Member
Thread author
Feb 9, 2025
15
Hi again, here are the next documents:
 

Attachments

  • Fixlog.txt
    35.6 KB · Views: 2
  • Search.txt
    210.5 KB · Views: 4

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Hello, NLio..! :) Excellent work..! :) Is your problem solved..?

Next..:

Temporarily disable Smart Screen and your antivirus (if needed) to download and run the following tool. If you are afraid to turn off the antivirus, so as not to download even more viruses, then additionally temporarily disconnect from the Internet. This tool sometimes gets flagged as suspicious/malicious, but it's a false positive.

Furtivex Malware Removal Script by thisisu

Please download FMRS.exe and save it to your desktop.

Note: Please save all your existing work / windows as this tool will attempt to close all non-essential processes during the course of its scan. This includes the internet browser you're currently using to view this message.
  • Right-click FMRS.exe and then click Run as administrator.
  • Click Yes to the Disclaimer
  • The script will begin to run. Be patient.
  • When the scan is finished, a log entitled FMRS_final.txt will open.
  • Post the contents of the log into your next reply
  • A copy of this log is also saved to your desktop

Fresh FRST logs

Please run FRST tool once more, and attach for me fresh logs:
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach these two logs in your next reply.
 

NLio

New Member
Thread author
Feb 9, 2025
15
Hello again icotonev,

unfortunately I still get redirected, so here are the results from the FMRS log

# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
# Furtivex Malware Removal Script v5.5.4
# Furtivex – Furtivex Computer Solutions
# Microsoft Windows 11 Home x64 24H2 0407 // 1252 // 65001
# 2025_02_09__19_28_04 - nicol -
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #



# Abläufe:

# Treiber:

# Dienste:

# Dateien:

C:\ProgramData\SEC9167.tmp
C:\ProgramData\SECA090.tmp
C:\Users\nicol\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data (507)
C:\Users\nicol\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js (2437)
C:\Users\nicol\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data (19)
C:\Users\nicol\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js (255)
C:\Users\nicol\AppData\Local\Tempwd.tmp
C:\Users\nicol\AppData\LocalLow\Sun\Java\Deployment\cache (0)
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CM297CE.tmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CM2CA4F.tmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CM2CB3E.tmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CM2DC0.tmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\tw-694-3e60-c58845.tmp

# Ordner:

C:\Users\nicol\AppData\Local\D3DSCache (39)
C:\Users\nicol\AppData\Local\Microsoft\Windows\INetCache\IE (4)
C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\D3DSCache (2)
C:\WINDOWS\System32\config\systemprofile\AppData\Local (2198)
C:\WINDOWS\System32\config\systemprofile\AppData\Local\D3DSCache (9)

# Aufgaben:

# Registrierung:

HKLM\Software\Policies\Mozilla\Firefox
HKLM\Software\Microsoft\Tracing\HPWarrantyChecker_RASAPI32
HKLM\Software\Microsoft\Tracing\HPWarrantyChecker_RASMANCS
HKLM\Software\Microsoft\Tracing\SolutionFinder_RASAPI32
HKLM\Software\Microsoft\Tracing\SolutionFinder_RASMANCS
HKLM\Software\Microsoft\Tracing\Squirrel_RASAPI32
HKLM\Software\Microsoft\Tracing\Squirrel_RASMANCS
HKLM\Software\Microsoft\Tracing\Update_RASAPI32
HKLM\Software\Microsoft\Tracing\Update_RASMANCS
HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\\SubscribedContent-338388Enabled
HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\\SubscribedContent-338389Enabled
HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\\SubscribedContent-88000326Enabled
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\CiscoMeetingDaemon
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\com.squirrel.Teams.Teams
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\HPSEU_Host_Launcher
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\MicrosoftEdgeAutoLaunch_B9B257C7C4ABB38D87EB5195476F971F
HKLM\System\CurrentControlSet\Control\CrashControl\\AutoReboot [1] => [0]

# Verschiedenes:

AntiVirus Software: Avast
AntiVirus Software: Malwarebytes
AntiVirus Software: McAfee
AntiVirus Software: Windows Defender
Wiederherstellungspunkt: Furtivex Malware Removal Script - Erstellt

HKLM\Software\Microsoft\Windows Defender\Exclusions\Extensions

HKLM\Software\Microsoft\Windows Defender\Exclusions\IpAddresses

HKLM\Software\Microsoft\Windows Defender\Exclusions\Paths

HKLM\Software\Microsoft\Windows Defender\Exclusions\Processes

HKLM\Software\Microsoft\Windows Defender\Exclusions\TemporaryPaths

C:\Users\nicol\AppData\Local\CrashDumps\click_and_teach.exe.12476.dmp
C:\Users\nicol\AppData\Local\CrashDumps\click_and_teach.exe.13228.dmp
C:\Users\nicol\AppData\Local\CrashDumps\click_and_teach.exe.13464.dmp
C:\Users\nicol\AppData\Local\CrashDumps\click_and_teach.exe.13860.dmp
C:\Users\nicol\AppData\Local\CrashDumps\click_and_teach.exe.1416.dmp
C:\Users\nicol\AppData\Local\CrashDumps\click_and_teach.exe.14784.dmp
C:\Users\nicol\AppData\Local\CrashDumps\click_and_teach.exe.17288.dmp
C:\Users\nicol\AppData\Local\CrashDumps\click_and_teach.exe.4796.dmp
C:\Users\nicol\AppData\Local\CrashDumps\ctfmon.exe.10260.dmp
C:\Users\nicol\AppData\Local\CrashDumps\slicer.exe.6380.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\iprntsrv.exe.5760.dmp
C:\WINDOWS\System32\config\systemprofile\AppData\Local\CrashDumps\iprntsrv.exe.7480.dmp
C:\FRST\Quarantine\C\Program Files\HitmanPro\HitmanPro.exe
C:\FRST\Quarantine\C\Program Files\HitmanPro\hmpsched.exe
C:\FRST\Quarantine\C\ProgramData\HitmanPro\HitmanPro.key
C:\FRST\Quarantine\C\ProgramData\HitmanPro\HitmanPro.lic
C:\FRST\Quarantine\C\ProgramData\HitmanPro\Remnants.bin
C:\FRST\Quarantine\C\ProgramData\HitmanPro\Logs\HitmanPro_20250209_0636.log
C:\FRST\Quarantine\C\ProgramData\HitmanPro\Logs\HitmanPro_20250209_1559.log
C:\FRST\Quarantine\C\ProgramData\HitmanPro\Quarantine\quarantine.xml
C:\FRST\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro\HitmanPro 3.8 entfernen.lnk
C:\FRST\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro\HitmanPro.lnk
C:\FRST\Quarantine\C\Users\nicol\Downloads\HitmanPro_x64.exe.xBAD
C:\FRST\Quarantine\C\WINDOWS\System32\Tasks\HPDataRetriever.xBAD
C:\FRST\Quarantine\C\WINDOWS\System32\Tasks\HPSupportTool.xBAD
C:\FRST\Quarantine\C\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 1612079694.xBAD
C:\FRST\Quarantine\C\WINDOWS\System32\Tasks\Microsoft\Windows\Location\Notifications.xBAD
C:\FRST\Quarantine\C\WINDOWS\System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser.xBAD
C:\FRST\Quarantine\C\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults.xBAD
C:\FRST\Quarantine\C\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval.xBAD
C:\FRST\Quarantine\C\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC.xBAD
C:\FRST\Quarantine\C\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery.xBAD
C:\FRST\Quarantine\C\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker.xBAD


# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #

The FRST logs are once again attached.
Thanks for your quick and easy to understand responses!
 

Attachments

  • Addition.txt
    28.5 KB · Views: 5
  • FRST.txt
    47.7 KB · Views: 6

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
NLio, unfortunately tonight I will not be able to answer you .. I am involved with my family. Tomorrow I will review all the logs provided and continue ..! Thank you for your understanding..! :)

Check out the instructions of this connection and make them for your available browsers:

 

NLio

New Member
Thread author
Feb 9, 2025
15
Hey icotonev,

that's alright. Enjoy the time with your family.

Info for tomorrow:
I changed my default search engine to another one (bing), but still get redirected.
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
I changed my default search engine to another one (bing), but still get redirected.

Hello, NLio..! :) And did you delete yahoo..? You need to do it for all the browsers you have installed on your computer ..!

Clicking the  icon next to a non-default entry lets you change it to the default search engine or remove it from the list.

Search engine options in Chrome.



Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone

Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.


In your next reply, please include:
  • Fixlog.txt
 

Attachments

  • fixlist.txt
    22.5 KB · Views: 1

NLio

New Member
Thread author
Feb 9, 2025
15
Hello, NLio..! :) And did you delete yahoo..? You need to do it for all the browsers you have installed on your computer ..!
Yes, I deleted it on Chrome and on Edge as well (no more browsers installed as far as I know), and the funny thing was that in Edge, some of the suggested search engines had the yahoo-search-fake-url as well, so I deleted them too, but the problem persists even after the last fix.

Could there be more browsers pre-installed, where I would have to delete yahoo-search? How could I find that out?

Once again the fixlog is added
 

Attachments

  • Fixlog.txt
    42 KB · Views: 3

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Could there be more browsers pre-installed, where I would have to delete yahoo-search? How could I find that out?

Hmmm .. very stubbornly this redirection ..! According to the logs you have Edge, Chrome and Firefox installed ..! Your logs do not show the presence of malware ..

Malwarebytes

Open Malwarebytes you have already installed.
Click the little gear on the top right (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled.
Click the Scan and Detections tab and under the Scan options title, enable Scan for rootkits option. Do not change any other option.
Return to the Dashboard and choose Scan.
When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.
If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

Malwarebytes AdwCleaner
  • Please download AdwCleaner and save it to your Desktop
  • Close all open programs and browsers
  • Right click on the icon and select Run as administrator
  • Click Scan now
  • Uncheck any detected items you would like to keep then click Next
  • If a Preinstalled software was found! screen appears review it if you'd like then click OK
The section at the bottom under Pre-Installed Software is software that was apparently installed when the device was new by your PC manufacturer. Personally, I don't keep anything from this software that I don't use/need. But it's your computer, so the decision is yours.
  • Review the list of Preinstalled software and place a check mark in those you do not wish to keep
  • Click Quarantine, then Continue
  • When completed click View Log File
  • Copy and paste the contents in your reply
  • Close the AdwCleaner window

Sophos Scan & Clean
  • Download Sophos Scan & Clean and save it to your Desktop
  • Right click on the icon and select Run as administrator
  • Click Next, review the Terms and conditions and if you agree click Next again
  • When completed click Next twice
  • Click Save Log and save the log onto the Desktop
  • Copy and paste the contents of the report in your reply


In your next reply please post:
  1. AdwCleaner report
  2. The Malwarebytes report
  3. Sophos report
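
NLio's question above (which browsers are installed, and how to find out) can also be answered straight from the registry. The PowerShell below is an added example, not part of the original thread and not from any tool named in it; it assumes the standard Windows `Clients\StartMenuInternet` registration keys and the vendors' policy registry paths for Chrome, Edge and Firefox, and it only reads them.

```powershell
# Added example (not from the thread): read-only inventory of registered
# browsers and of browser policy values. Nothing is modified or deleted.

# Standard Windows locations where installed browsers register themselves.
$clientRoots = @(
    'HKLM:\SOFTWARE\Clients\StartMenuInternet',
    'HKLM:\SOFTWARE\WOW6432Node\Clients\StartMenuInternet',
    'HKCU:\SOFTWARE\Clients\StartMenuInternet'
)

$browsers = foreach ($root in $clientRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        # The default value of shell\open\command holds the launch command.
        $cmdKey  = Join-Path -Path $key.PSPath -ChildPath 'shell\open\command'
        $command = $null
        if (Test-Path -LiteralPath $cmdKey) {
            $command = (Get-Item -LiteralPath $cmdKey).GetValue('')
        }
        # Pull the executable path out of a quoted command line if present.
        $exe = $null
        if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($command) { $exe = $command.Trim() }
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
        [pscustomobject]@{
            Browser   = $key.PSChildName
            Hive      = $root.Substring(0, 4)
            # False = the registration points at a file that no longer exists.
            ExeExists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            Command   = $command
        }
    }
}

# Policy keys read by Chrome, Edge and Firefox (machine-wide and per-user).
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge',
    'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',
    'HKCU:\SOFTWARE\Policies\Mozilla\Firefox'
)

$policyValues = foreach ($root in $policyRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    # Include the root key itself plus every subkey beneath it.
    $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
}

'Registered browsers:'
$browsers | Sort-Object Browser, Hive | Format-Table -AutoSize -Wrap

'Browser policy values:'
if ($policyValues) { $policyValues | Format-Table -AutoSize -Wrap }
else { '  (none found)' }
```

A row with `ExeExists` set to `False` is a leftover registration for a browser whose program file is gone. Any rows in the policy table are settings the browser applies as managed policy, so they are worth reviewing on a PC that no organization manages.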
 

NLio

New Member
Thread author
Feb 9, 2025
15
Hmmm .. very stubbornly this redirection ..! According to the logs you have Edge, Chrome and Firefox installed ..! Your logs do not show the presence of malware ..
This is strange! I can't find Firefox in my apps... even if I type it into the Windows search bar it only offers me to download it :unsure:

Reports attached as usual
 

Attachments

  • Malwarebytes Scan-Bericht 2025-02-10 161916.txt
    1.4 KB · Views: 4
  • AdwCleaner[C00].txt
    4.2 KB · Views: 2
  • SophosScanAndClean_20250210_1813.log
    1.7 KB · Views: 2

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Everything looks good..!

This is strange! I can't find Firefox in my apps...

Farbar Recovery Scan Tool SearchAll

  • Right click on FRST and select Run as administrator
  • Copy/paste the following in the Search: box

Code:
SearchAll: FireFox

  • Click Search Files
  • When completed click OK and a Search.txt document will open on your desktop
    • Please attach this log in your next reply.

In your next reply, please post:
  • Search.txt
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone

Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.

In your next reply, please include:
  • Fixlog.txt
 

Attachments

  • fixlist.txt
    6 KB · Views: 5

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
Hello, NLio..! I have some doubts, therefore do the following:
  1. On your computer, open Chrome.
  2. At the top right, select Profile and then Sync is on.
  3. Select Turn off.
To delete synced info from your Google Account:
  1. On your computer, open Chrome.
  2. Go to chrome.google.com/sync.
  3. Select Delete data.

You can delete your Chrome browsing history and other browsing data, like saved form entries, or just delete data from a specific date.
  1. On your computer, open Chrome.
  2. At the top right, click More and then Delete browsing data.
  3. Choose a time range, like Last hour or All time.
  4. Select the types of information you want to remove.
  5. Click Delete data.
    • If you delete cookies while signed in to Chrome, you won't be signed out of your Google Account.

 

NLio

New Member
Thread author
Feb 9, 2025
15
Hey icotonev,

I just came home after a very long workday and just to be sure: Should I run the fixlist you posted yesterday and then today's suggestions or should I skip your post from yesterday?
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
639
I just came home after a very long workday and just to be sure: Should I run the fixlist you posted yesterday and then today's suggestions or should I skip your post from yesterday?

Hello, NLio..! The fix of yesterday is to remove all the remains of Firefox..! So rest tonight ..! Do everything tomorrow ..! :) Have a nice evening ..! :)
 

NLio

New Member
Thread author
Feb 9, 2025
15
Hi icotonev,

here's a new fixlog for a new day^^

After turning off Google sync, when I wanted to delete saved data, it said there was none... is this an error? Everything else went just fine
 

Attachments

  • Fixlog.txt
    11.7 KB · Views: 2
