Mac Google Chrome Searchbar Malware

[dhiggzzz]

So it seems I have some sort of malware on my Google Chrome on Mac. I'm pretty new to this so please bare with me.

For example When I search a random search in Google Chrome this URL briefly shows:

http://www.google.com/url?sa=D&q=http%3A%2F%2Fsearch.operativeeng.com%2Fcps%3Fq%3Dwhere%2Bare%2Byou%26_pg%3DD5AF862B-7C24-5787-AF3D-AEAFF9F8B205

I am then redirected to Yahoo's search engine even though Chrome had always been my default.

When I go to Chrome settings I see this search engine listed but there is no remove option. 

Chrome://management shows my computer is being managed by an outside source (this is a personal laptop).

Going to chrome://policy shows this as default search provider http://search.operativeeng.com/favicon.ico

I ran a Malwarebytes scan, it identified three threats and I quarantined and then restarted. However the malware is still on my chrome. I am wondering if it is embedded into my gmail account somehow.

Thanks for any suggestions, just worried they could steal my passwords/financial information somehow.

 

[alvarnell]

Now that the threat has been removed, you will need to manually change the settings that were modified. Please follow the instructions contained in this pinned posting at the top of the forum, paying particular attention to the Nuke Chrome portions: 

 

[dhiggzzz]

this was so helpful thank you ! I think I've been able to remove the after-effects as you've suggseted.

One thing, I installed a norton antivirus for 30 days just to be sure. While flipping through the web on Chrome I was just given this message on my computer (see attached photo). I told Norton to block it; is this some sort of malware attempting reeentry? I have no idea if it was how I would stop it without Norton turned on

[alvarnell]

Unless there's another macOS user here familiar with Norton, you'll have to ask Norton about it.

If you google "ff02::FB" you'll find a lot of folks have seen it, but the only partial explanation came from this discussion https://discussions.apple.com/thread/6658906 which mostly bashes Norton, but if you click "All Replies" and go to the last one, there's a partial explanation that would indicate that it's might be a bug in your WiFi router. In any case, everything I read indicated that it's coming from something on your local LAN and not anything coming in from the Internet. Whether it should be allowed or blocked isn't clear and may not matter.

[dhiggzzz]

Interesting, I'm also getting this message from Norton. I'll have to do a little more searching.

[alvarnell]

All 224.x.x.x IP addresses are from your local network and many reports I've read about these alerts point to the router.

[dhiggzzz]

Ok thank you for the help, so in other words I can just disregard them ?

[alvarnell]

Well, it's clear that nobody is attempting to do something nefarious using Google Chrome from outside of your local network. There is also ample evidence that these alerts are either False Positives generated by Norton or a bug involving your router. If it were me I would disregard it or if I had time challenge Norton about it and also confirm that these are router IP addresses. What I don't have an opinion on is whether such notifications should be blocked or allowed. I suppose there could be some good reason to do one or the other, but haven't a clue what the result would be.

Edited September 8, 2020 by alvarnell