I use both Chrome and Internet Explorer at different times for different reasons. Recently I've had trouble with a search engine hijack which affected both browsers. After a lot of searching and self-help attempts, I think I finally have the (current) root cause, but I'd like some advice before proceeding.
I removed 7-zip, Google toolbar for IE, Java, and Flash Player; all of these were either installed or updated within the last couple days. That got me some improvement with no longer seeing a bitmotion tab hijack - oh and let's not forget the "Warning! Microsoft Update required to remove malicious software!" verbal threat coming from my speakers which started in IE and migrated to Chrome. That seems to be gone now.
I keep getting a "secure search" bar at the top of the page any time I use Google in either browser which captures the cursor and redirects to Bing. There is an X which will close it, but then the links on the Google results page don't work until the page is refreshed. That is fixed now - sort of - as detailed below.
I found advice on changing the proxy settings and located where my LAN setting were set to use an automatic configuration script and unchecked that box and blanked the text box with "http://unstopaccess.com/wpad.dat? . . . "
That's where my progress stopped. The box under LAN setting is unchecked on both browsers, but erasing the text in the automatic configuration script doesn't take. It's the same on both browsers. Further digging got me into regedit and NOW I want advice before proceeding further:
I found the unstopaccess entry under HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/services/NlaSvc/Parameters/Internet/ManualProxies/Default
F3 only got me the one instance and I've exited regedit without making changes. The hijack is dormant for now. I assume it's safe to delete the entry, but I know how quickly I could screw things up, thus: HELP!
My one saving grace in this is that I know what I know and I know what I don't know, so I know when to seek greater wisdom.
Ah, multiple passes of Avast don't find viruses, MalwareBytes no longer finds issues, TDSSKiller didn't find anything, and the "easy fix" option from MicroSoft said I had the wrong version of IE for it to work.
Couple hours later: I gotta say, I THOUGHT I had most things under control. I still have some kind of new tab hijack on Chrome and I closed it before noting the address, also the secure search bar came back once. They won't repeat after I closed them, so I guess I gotta completely close the program before it will show me the behavior again. I'm in the middle of something so I will update again when I have further details.
Second update: The new tab hijacker in Chrome is an address of https://secure-surf.net/ and I saw it change the standard blank new tab to a faux new tab which is actually a webpage. Chrome is my primary browser.
Edited by mwaurelius, 02 May 2017 - 02:03 PM.