Chrome Hijacked and Redirects to Yahoo on Win10 Machine


I have a clean Win 10 64 bit laptop that's been problem free up to this point.  I attached two external hard drives I'd not used for a couple years to clean out old files and migrate to a newer wireless HD.  I also downloaded a copy of “FreeFileSync” to compare and sync the drives so I could just sort through one, rather than two HDs.  I also rebooted my laptop because I thought it was running a little slow and thought a restart might help.  
After restarting, I opened Chrome to my normal Google page, and about 2 seconds later it redirected to a bogus Yahoo page. 
Up to this point my machine’s been clean and trouble free as I just don’t download a lot of shareware or utilities or music.  I use it as work machine. 
I use Windows Defender and it's worked well, up to this point.
I read through the “I'm infected - What do I do now?” instructions and posted my MBAM and FRST64 logs from C:
Personally I think the problem came from the external drive I haven’t connected for over two years rather than the FreeFileSync app.  I don’t know.   
One problem I’m having is I can’t get MBAM and FRST to scan my external drive (G:).  It always defaults to C:
Any help you can provide is greatly appreciated.
Malwarebytes Anti-Malware
Scan Date: 12/6/2015
Scan Time: 2:26 PM
Logfile: MBAM_Log.txt
Administrator: Yes
Malware Database: v2015.12.06.05
Rootkit Database: v2015.11.26.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 10
CPU: x64
File System: NTFS
User: jmpisa
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 451236
Time Elapsed: 44 min, 40 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)



They call me TwinHeadedEagle around here, and I'll try to help you with your issue.
Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

:excl: I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!
:excl: There are no silly questions. Never be afraid to ask if in doubt!
Rules and policies
We won't support any piracy.
That being said, if any evidence of an illegal OS, software, cracks/keygens or anything similar is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

Scan with ZOEK
Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the Zoek icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears, it may take a minute or two.
  • In the main box please paste in the following script:

createsrpoint;autoclean;emptyclsid;emptyalltemp;ipconfig /flushdns >>"%temp%\log.txt";b

  • Make sure that the Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it on your main drive (usually the C:\ drive)

Post its content into your next reply.


Thanks for taking on my case TwinHeadedEagle.  Much appreciated.  I too am an Eastwood fan.  


I hope I followed your instructions correctly. I disabled Defender and ran Zoek and agreed to the reboot.

Chrome still opens to my Google page then a second later changes to Yahoo.

Here's my Zoek log...

Zoek.exe v5.0.0.1 Updated 05-December-2015
Tool run by jmpisa on Sun 12/06/2015 at 17:42:24.73.
Microsoft Windows 10 Home 10.0.10586  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\jmpisa\Desktop\Zoek\zoek.exe [scan all users] [script inserted] 
==== System Restore Info ======================
12/6/2015 5:44:57 PM Zoek.exe System Restore Point Created Successfully.
==== Empty Folders Check ======================
C:\PROGRA~2\Cisco deleted successfully
C:\PROGRA~2\Garmin deleted successfully
C:\PROGRA~2\MarkAny deleted successfully
C:\PROGRA~2\MyFree Codec deleted successfully
C:\Program Files\Diskeeper Corporation deleted successfully
C:\Program Files\Common Files\Diskeeper Corporation deleted successfully
C:\PROGRA~3\CanonEPP deleted successfully
C:\PROGRA~3\CanonIJEPPEX2 deleted successfully
C:\PROGRA~3\CanonIJScan deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\Diskeeper Corporation deleted successfully
C:\PROGRA~3\HPSSUPPLY deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\Users\DefaultAppPool\AppData\LocalLow deleted successfully
C:\Users\jmpisa\AppData\Local\ActiveSync deleted successfully
C:\Users\jmpisa\AppData\Local\EmieSiteList deleted successfully
C:\Users\jmpisa\AppData\Local\EmieUserList deleted successfully
C:\Users\jmpisa\AppData\Local\Garmin deleted successfully
C:\Users\jmpisa\AppData\Local\NetworkTiles deleted successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\NetworkTiles deleted successfully
==== Deleting CLSID Registry Keys ======================
HKEY_USERS\S-1-5-21-3105082070-2923930377-3165324601-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\oldsearch deleted successfully
HKEY_USERS\S-1-5-21-3105082070-2923930377-3165324601-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} deleted successfully
HKEY_USERS\S-1-5-21-3105082070-2923930377-3165324601-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} deleted successfully
HKEY_USERS\S-1-5-21-3105082070-2923930377-3165324601-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{21347690-EC41-4F9A-8887-1F4AEE672439} deleted successfully
HKEY_USERS\S-1-5-21-3105082070-2923930377-3165324601-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3785D0AD-BFFF-47F6-BF5B-A587C162FED9} deleted successfully
HKEY_USERS\S-1-5-21-3105082070-2923930377-3165324601-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3785D0AD-BFFF-47F6-BF5B-A587C162FED9} deleted successfully
HKEY_USERS\S-1-5-21-3105082070-2923930377-3165324601-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F4E39681-15F8-4fda-B8A3-B5C98378F2F3} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\oldsearch deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{21347690-EC41-4F9A-8887-1F4AEE672439} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{21347690-EC41-4F9A-8887-1F4AEE672439} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{3785D0AD-BFFF-47F6-BF5B-A587C162FED9} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{3785D0AD-BFFF-47F6-BF5B-A587C162FED9} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully
==== Deleting CLSID Registry Values ======================
HKEY_USERS\S-1-5-21-3105082070-2923930377-3165324601-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully
==== Deleting Services ======================
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMScheduler deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBAMService deleted successfully
==== Batch Command(s) Run By Tool======================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
==== Deleting Files \ Folders ======================
C:\PROGRA~2\Cisco not found
C:\PROGRA~2\Garmin not found
C:\PROGRA~2\MarkAny not found
C:\PROGRA~2\MyFree Codec not found
C:\windows\SysNative\Tasks\SUPatchForW10Up deleted
C:\PROGRA~3\Ask deleted
C:\PROGRA~3\Best Buy pc app deleted
C:\PROGRA~3\{93E26451-CD9A-43A5-A2FA-C42392EA4001} deleted
C:\PROGRA~3\{FBF3739B-717D-4429-BCEB-98D514E65F29} deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\Users\jmpisa\AppData\LocalLow\AskToolbar deleted
"C:\Users\jmpisa\AppData\Roaming\Samsung" deleted
==== Firefox Extensions Registry ======================
"{5D3F3872-91E9-4d59-AD9F-AA174A3145DD}"="C:\Program Files\Logitech\FlowScroll\LogiSmoothFirefoxExt" [04/12/2013 07:29 PM]
==== Chromium Look ======================
Google Chrome Version: 46.0.2490.86
geooogfhpjdpeiphckpbgkhpbeobcaoi - C:\ProgramData\Logitech\LogiSmoothChromeExt.crx[02/08/2012 02:07 PM]
lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx[10/12/2015 09:31 AM]
apdfllckaahabafndbhieahigkjlhalf - C:\Users\jmpisa\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx[12/03/2015 01:34 PM]
lmjegmlicamnimmfhcmpkclmigmmcbeh - No path found[]
Logitech Flow Scroll - jmpisa\AppData\Local\Google\Chrome\User Data\Default\Extensions\geooogfhpjdpeiphckpbgkhpbeobcaoi
Skype Click to Call - jmpisa\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Google Drive App Launcher - jmpisa\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh
==== Chromium Fix ======================
C:\Users\jmpisa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_searchmoreknow-a.akamaihd.net_0.localstorage deleted successfully
C:\Users\jmpisa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_searchmoreknow-a.akamaihd.net_0.localstorage-journal deleted successfully
C:\Users\jmpisa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage deleted successfully
C:\Users\jmpisa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage-journal deleted successfully
C:\Users\jmpisa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage deleted successfully
C:\Users\jmpisa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage-journal deleted successfully
C:\Users\jmpisa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_localpropertysearches.com_0.localstorage deleted successfully
C:\Users\jmpisa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_localpropertysearches.com_0.localstorage-journal deleted successfully
==== Set IE to Default ======================
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}] not found
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
==== All HKLM and HKCU SearchScopes ======================
HKLM\SearchScopes "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
HKCU\SearchScopes "DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
HKCU\SearchScopes\{91E863B9-659D-4A49-9EFB-3F859D7E50FB} - http://www.bing.com/search?q={searchTerms}&form=BIE9SE&pc=BIE9&src=IE-SearchBox
==== Deleting Registry Keys ======================
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google+ Auto Backup deleted successfully
==== Empty IE Cache ======================
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\jmpisa\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\jmpisa\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\jmpisa\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\jmpisa\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
==== Empty FireFox Cache ======================
No FireFox Profiles found
==== Empty Chrome Cache ======================
C:\Users\jmpisa\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
==== Empty All Flash Cache ======================
No Flash Cache Found
==== Empty All Java Cache ======================
Java Cache cleared successfully
==== C:\zoek_backup content ======================
C:\zoek_backup (files=147 folders=49 43952157 bytes)
==== Empty Temp Folders ======================
C:\WINDOWS\Temp will be emptied at reboot
==== After Reboot ======================
==== Empty Temp Folders ======================
C:\WINDOWS\Temp successfully emptied
C:\Users\jmpisa\AppData\Local\Temp successfully emptied
==== Empty Recycle Bin ======================
C:\$RECYCLE.BIN successfully emptied
==== EOF on Sun 12/06/2015 at 18:33:47.01 ======================

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).

  • Make sure that Addition and Shortcut.txt options are checked.
  • Press Scan button and wait.
  • The tool will produce three logfiles on your desktop: FRST.txt, Shortcut.txt and Addition.txt.
Please attach them into your next reply.

Next time, please do not change any other options within tools (FRST), unless I ask you. I am getting much more unneeded data, and it makes it harder for me to analyze reports.
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:
Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.



Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).

  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content into your next reply.

Uninstall Chrome

Export your bookmarks.

Close all Chrome windows and tabs.

Go to the Start menu > Control Panel.

Click Programs and Features.

Double-click Google Chrome.

Click Uninstall in the confirmation dialog. To also delete your user profile information (browser preferences, bookmarks, and history), select the "Also delete your browsing data" checkbox.

Click Start, type %LOCALAPPDATA%\ into the search box, and remove the Google folder.

Download Chrome


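The Zoek log earlier in the thread (its SearchScopes, Chromium and Local Storage sections) and the Chrome reinstall above, which is what finally cleared the redirect, both point at the same handful of persistence spots for a search/startup hijack. The script below is an added example written for this page; it is not code from the thread and not part of Zoek, FRST or MCShield. It inspects those spots by hand, read-only, so you can see what is set before wiping a profile. It assumes Windows PowerShell 5.1 run as Administrator, the default Chrome profile path under %LOCALAPPDATA%, and the per-origin *.localstorage files of a Chrome 46-era profile (newer Chrome keeps Local Storage in a leveldb folder); the $expectedEngines pattern is a placeholder to adjust.

```powershell
# Added example for this page; not code from the thread or from Zoek/FRST.
# Reports, read-only, the places a search/startup hijack persists and that the
# tools in the thread inspected: IE SearchScopes (the three hives Zoek listed),
# Chrome's homepage/startup/search settings, its extensions, its Local Storage
# origins, and browser shortcut arguments (what FRST's Shortcut.txt covers).
# Assumptions: Windows PowerShell 5.1 run as Administrator, Chrome profile at
# the default path, Chrome 46-era "*.localstorage" files (newer builds keep
# Local Storage in a "leveldb" folder). $expectedEngines is a placeholder.

$ErrorActionPreference = 'SilentlyContinue'
$expectedEngines = 'google\.com|bing\.com'

Write-Output '== IE SearchScopes =='
$scopeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)
foreach ($root in $scopeRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Write-Output ('{0}  DefaultScope={1}' -f $root, (Get-ItemProperty -Path $root).DefaultScope)
    foreach ($scope in Get-ChildItem -Path $root) {
        $url  = (Get-ItemProperty -Path $scope.PSPath).URL
        $note = if ($url -match $expectedEngines) { '' } else { '   <-- unexpected engine' }
        Write-Output ('  {0} -> {1}{2}' -f $scope.PSChildName, $url, $note)
    }
}

$chromeProfile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$prefs  = Get-Content -Raw -Path (Join-Path $chromeProfile 'Preferences')        | ConvertFrom-Json
$secure = Get-Content -Raw -Path (Join-Path $chromeProfile 'Secure Preferences') | ConvertFrom-Json

function Get-ChromePref([string]$DottedPath) {
    # On Windows, Chrome keeps the hijack-prone settings (homepage, startup
    # URLs, search provider, extension list) in the HMAC-protected
    # "Secure Preferences"; everything else is in "Preferences". Try both.
    foreach ($doc in @($secure, $prefs)) {
        $node = $doc
        foreach ($part in $DottedPath.Split('.')) { $node = $node.$part }
        if ($null -ne $node) { return $node }
    }
}

Write-Output "`n== Chrome startup and search =="
Write-Output ('  homepage       : {0}' -f (Get-ChromePref 'homepage'))
Write-Output ('  startup URLs   : {0}' -f ((Get-ChromePref 'session.startup_urls') -join ', '))
Write-Output ('  default search : {0}' -f (Get-ChromePref 'default_search_provider_data.template_url_data.url'))

Write-Output "`n== Chrome extensions =="
$settings = Get-ChromePref 'extensions.settings'
foreach ($entry in $settings.PSObject.Properties) {
    $id = $entry.Name; $s = $entry.Value
    $manifest = Get-ChildItem -Path (Join-Path $chromeProfile "Extensions\$id\*\manifest.json") |
        Select-Object -First 1 | ForEach-Object { Get-Content -Raw -Path $_.FullName | ConvertFrom-Json }
    $name = if ($manifest) { $manifest.name } else { '(no manifest in profile)' }
    # location 1 = normal user install; other values are sideloads (registry,
    # external pref, policy, unpacked) or built-in components. The Logitech and
    # Skype entries in the Zoek log are sideloads of that kind; a sideloaded
    # extension with a non-Web-Store update_url is the classic hijacker shape.
    $note = ''
    if ($s.location -ne 1) { $note += '   <-- sideloaded/component' }
    if ($manifest.update_url -and $manifest.update_url -notmatch 'clients2\.google\.com') {
        $note += '   <-- update_url ' + $manifest.update_url
    }
    Write-Output ('  {0}  {1}  state={2}  path={3}{4}' -f $id, $name, $s.state, $s.path, $note)
}

Write-Output "`n== Chrome Local Storage origins =="
Get-ChildItem -Path (Join-Path $chromeProfile 'Local Storage') -Filter '*.localstorage' |
    ForEach-Object { Write-Output ('  ' + $_.Name) }

Write-Output "`n== Shortcuts that pass a URL to the browser =="
$wsh = New-Object -ComObject WScript.Shell
$lnkDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
)
Get-ChildItem -Path $lnkDirs -Filter '*.lnk' | ForEach-Object {
    $lnk = $wsh.CreateShortcut($_.FullName)
    if ($lnk.Arguments -match 'https?://|\bwww\.') {
        Write-Output ('  {0}: "{1}" {2}' -f $_.Name, $lnk.TargetPath, $lnk.Arguments)
    }
}
```

The script only reports; removal stays with the tools and the helper's instructions. Two caveats: a Local Storage origin such as the searchmoreknow-a.akamaihd.net entry Zoek deleted is evidence of where the redirect page was served from, not the persistence itself, so an empty startup/search section with a sideloaded extension still present is the combination to chase. And Windows PowerShell 5.1's ConvertFrom-Json treats keys case-insensitively and refuses a Preferences file in which two stored site origins differ only in case; if that happens the Chrome sections come out empty and the file has to be read with a case-sensitive parser (for example PowerShell 7's ConvertFrom-Json -AsHashtable).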

Looks like that resolved my problem.  Thank you for your precious time and expertise.  I WILL donate via PayPal.  You can count on that.  How can I buy you a beer?  You're my new best friend.


Question:  Is there a way to scan my external HD G: ?  I believe that's where all this started.  It's a drive I haven't connected for a couple years and would like to make sure it's clean before I move its contents to a newer networked drive.


We can scan your external drive; if it is being used to spread the infection, we can remove the trigger.
Please download MCShield from one of the following links:
MCShield - Official download link

  • Double-click on MCShield-Setup to install the application.
    Next => I Agree => Next => Install ... after installation click on the Run! button.
  • Wait a few seconds for MCShield to finish its initial HDD scan...
  • Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
  • When all scanning is done, you need to post the log report that MCShield has created.

Under the Logs tab (in Control Center), in the AllScans.txt log section, click on the Save button. The AllScans.txt report will be located on your Desktop.
=> Post AllScans.txt here
Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


Done.  Here is the MCShield AllScans log result.  It ran very quickly and said all drives were clean....  What do you think?


>>> MCShield AllScans.txt <<<
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v / DB: 2015.12.6.1 / Windows 8.1 <<<
12/7/2015 5:48:37 PM > Drive C: - scan started (no label ~365 GB, NTFS HDD )...
=> The drive is clean.
12/7/2015 5:48:37 PM > Drive D: - scan started (no label ~545 GB, NTFS HDD )...
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v / DB: 2015.12.6.1 / Windows 8.1 <<<
12/7/2015 5:50:18 PM > Drive G: - scan started (Elements ~1863 GB, NTFS HDD )...
>>> G:\autorun.inf > Legitimate file.
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v / DB: 2015.12.6.1 / Windows 8.1 <<<
12/7/2015 5:51:02 PM > Drive F: - scan started (LACIE ~233 GB, FAT32 HDD )...
=> The drive is clean.
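The MCShield instructions above and the AllScans.txt result (G:\autorun.inf judged a legitimate file, every drive clean) cover what a USB-borne infection leaves on a drive. The script below is an added example written for this page, not code from the thread and not part of MCShield; it makes the same checks by hand so the verdict can be understood rather than just read. It assumes Windows 8 or later with the Storage module (Get-Disk), Windows PowerShell 5.1, and that the drives are already attached; the extension list and the folder exclusions are the editor's choices.

```powershell
# Added example for this page; not code from the thread and not part of
# MCShield. For every volume on a USB-attached disk it reports, read-only,
# what MCShield checks on insert: autorun.inf and whether it carries a launch
# directive, plus the root-level leftovers of a USB worm (executables, scripts
# and .lnk files, often hidden, beside hidden+system copies of the real
# folders). An icon-only autorun.inf, like the one on G: that MCShield called
# legitimate, reports as "icon/label only".
# Assumptions: Windows 8+/10 with the Storage module (Get-Disk),
# Windows PowerShell 5.1, drives already attached.

function Get-UsbVolumeRoot {
    # External HDDs report DriveType 3 (fixed), so filtering on "removable"
    # would miss them; choose volumes by the bus their disk hangs off instead.
    Get-Disk | Where-Object { $_.BusType -eq 'USB' } |
        Get-Partition | Get-Volume |
        Where-Object { $_.DriveLetter } |
        ForEach-Object { '{0}:\' -f $_.DriveLetter }
}

function Test-DriveRoot {
    param([Parameter(Mandatory)][string]$Root)
    $wsh = New-Object -ComObject WScript.Shell

    $autorun = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        # open=, shellexecute= and shell\<verb>\command= would run something on
        # insert. AutoRun has been off for non-optical media since Windows 7 /
        # KB971029, but the directive still marks an infected drive;
        # icon= / label= alone is benign.
        $launch = Get-Content -LiteralPath $autorun |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
        $verdict = if ($launch) { 'LAUNCH DIRECTIVE: ' + ($launch -join ' | ') } else { 'icon/label only' }
        [pscustomobject]@{ Drive = $Root; Item = 'autorun.inf'; Verdict = $verdict }
    }

    # Root-level executables, scripts and shortcuts, hidden ones included
    Get-ChildItem -LiteralPath $Root -Force -File |
        Where-Object { $_.Extension -match '^\.(exe|scr|com|pif|bat|cmd|vbs|vbe|js|jse|wsf|lnk)$' } |
        ForEach-Object {
            if ($_.Extension -eq '.lnk') {
                # a worm's .lnk usually points at cmd.exe/wscript.exe with the
                # payload in Arguments, so show both
                $l = $wsh.CreateShortcut($_.FullName)
                $detail = '-> {0} {1}' -f $l.TargetPath, $l.Arguments
            } else {
                $detail = '{0} bytes, attrs {1}' -f $_.Length, $_.Attributes
            }
            [pscustomobject]@{ Drive = $Root; Item = $_.Name; Verdict = $detail }
        }

    # Hidden+system folders at root: where a worm stashes the user's real data
    Get-ChildItem -LiteralPath $Root -Force -Directory |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                       $_.Attributes.HasFlag([IO.FileAttributes]::System) -and
                       $_.Name -notin 'System Volume Information', '$RECYCLE.BIN' } |
        ForEach-Object { [pscustomobject]@{ Drive = $Root; Item = $_.Name + '\'; Verdict = 'hidden+system folder' } }
}

$report = foreach ($root in Get-UsbVolumeRoot) { Test-DriveRoot -Root $root }
if ($report) { $report | Format-Table -AutoSize } else { Write-Output 'Nothing to report on USB volumes.' }
```

A clean result here matches what MCShield reported, but note its limits, which are also MCShield's: both look at the drive's root and its autorun.inf, not at every file on a 1.8 TB volume. That is the right scope for the USB-worm trigger the helper was after; a full on-demand scan of G: with the antivirus is still the way to clear the files themselves before migrating them.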
