There is no need to download anything to solve this problem.
Exactly what happened to me. Anyway, good news - try running Malwarebytes again - I did this morning, and it found a couple of dodgy files.
You may have installed one of the common types of ad-injection malware. Follow the instructions on this Apple Support page to remove it.
Back up all data before making any changes.
One of the steps in the article is to remove malicious Safari extensions. Do the equivalent in the Chrome and Firefox browsers, if you use either of those. If Safari crashes on launch, skip that step and come back to it after you've done everything else.
If you don't find any of the files or extensions listed, or if removing them doesn't stop the ad injection, ask for further instructions.
Make sure you don't repeat the mistake that led you to install the malware. It may have come from an Internet cesspit such as 'Softonic' or 'CNET Download.' Never visit either of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad would probably have included a large green button labeled 'Download' or 'Download Now' in white letters. The button is designed to confuse people who intend to download something else on the same page. If you ever download a file that isn't obviously what you expected, delete it immediately.
Malware is also found on websites that traffic in pirated content such as video. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.
In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
Still in System Preferences, open the App Store or Software Update pane and check the box marked "Install system data files and security updates" if it's not already checked.
The behavior looks like this:
- When I search 'baby' with my default search engine, Google.
- I can see the browser address bar shows 'https://www.google.com.hk/?gfe_rd=cr&ei=JjV5WZ--N8TU8AfqgqII#q=baby'
- And then after 1 or 2 seconds, it redirects to 'https://hk.search.yahoo.com/yhs/search?hspart=blp&hsimp=yhs-default&type=hmp_060_695_0&p=baby&rnd=1196689346&param1=sid%3D695%3Aaid%3D060%3Aver%3D0%3Atm%3D-1%3Asrc%3Dhmp%3Alng%3Den%3Aitype%3De%3Auip%3D1997106063%3Aup%3DYmFieQ%253D%253D'
I have tried the methods below, but none of them works:
- Reset default search engine to Google
- Delete all search engines and create a new one with Google search (https://www.google.com/#q=%s)
- Clean Chrome extensions
- Clear /Library/Internet Plugins
- Reset Chrome
- Reinstall Chrome
I also tried the methods below, which could be one of the temporary solutions:
- Switch to Incognito window;
- Logout from Chrome;
Any idea about this?
After successfully cleaning the folder /Users/$USER/Library/Application Support/Google/Chrome/Profile 1/Extensions/bfkmdpfljdpopbemfaelnflapafbflgn, it comes back again after two days.
So when my Chrome has the redirect issue, the folder contents look like:
After I clean it, it looks like:
So I guess there must be some virus that comes either from my computer or from Chrome. After some checking, I find a non-removable extension:
Hope this helps.
Joshua
2 Answers
Try creating another user and see if it persists there.
What about Safari or Firefox? Whether they are infected or not, the answer narrows the problem.
Check your DNS; perhaps it was hijacked. 8.8.8.8 is Google's Public DNS and will help if it's allowed in HK. For a friendly trustworthy network, just setting DHCP-based DNS will usually work.
See if https://www.malwarebytes.com/mac/ will kill it.
Try booting to a Linux LiveCD to see if it's environmental. (Probably not this, but it's worth a look if nothing else works.)
Tim G
I think I found the final solution for this. There is an extension named 'Plugins Button' installed in Chrome with super permission that you cannot remove.
Step 1: Quit Chrome;
Step 2:
# The paths contain spaces, so they are quoted
$ rm -rf "/Users/$NAME/Library/Application Support/Google/Chrome/Profile $NUMBER/Extensions/bfkmdpfljdpopbemfaelnflapafbflgn/"
$ rm -rf "$HOME/Library/Application Support/Google/Chrome/Profile $NUMBER/Sync Extension Settings/bfkmdpfljdpopbemfaelnflapafbflgn/"
Step 3:
Open 'System Preferences' and click Profiles; you will find a weird profile named 'your name'. Looking at its details, it contains the exact keyword 'bfkmdpfljdpopbemfaelnflapafbflgn'. Delete the profile.
Joshua
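A read-only check for the places named in the answer above, added here as an example and not part of the original post: it lists every Chrome profile that still holds the extension ID under Extensions or Sync Extension Settings, and every file in a preferences directory that mentions the ID. The function names are hypothetical, and /Library/Managed Preferences as the place where an installed configuration profile leaves its settings is an assumption to adjust for your system.

```shell
#!/bin/sh
# Added example: prints paths only, deletes nothing.

# find_extension_traces ROOT ID
#   ROOT: Chrome user-data dir (on macOS: "$HOME/Library/Application Support/Google/Chrome")
#   ID:   extension ID as shown in the Extensions folder name
find_extension_traces() {
    ext_root=$1
    ext_id=$2
    # Chrome extension IDs are 32 letters in the range a-p; reject anything
    # else so the value can never act as a glob or a relative path.
    case $ext_id in
        ''|*[!a-p]*) echo "invalid extension id" >&2; return 2 ;;
    esac
    [ "${#ext_id}" -eq 32 ] || { echo "invalid extension id" >&2; return 2; }
    [ -d "$ext_root" ] || { echo "no such directory: $ext_root" >&2; return 2; }

    # Every profile ("Default", "Profile 1", ...) is a direct child of ROOT.
    # All expansions are quoted because these paths contain spaces.
    for profile in "$ext_root"/*/; do
        for sub in "Extensions" "Sync Extension Settings"; do
            candidate="${profile}${sub}/${ext_id}"
            [ -e "$candidate" ] && printf '%s\n' "$candidate"
        done
    done
    return 0
}

# find_policy_refs DIR ID
#   Lists files under DIR that contain ID as a fixed string (works on
#   binary plists too, since grep -l only reports the file name).
find_policy_refs() {
    [ -d "$1" ] || return 0
    grep -rlF -- "$2" "$1" 2>/dev/null || true
}

# Stand-alone use: sh check.sh <extension-id> [chrome-user-data-dir]
if [ "$#" -ge 1 ]; then
    find_extension_traces "${2:-$HOME/Library/Application Support/Google/Chrome}" "$1"
    # Assumed location of settings pushed by configuration profiles on macOS.
    find_policy_refs "/Library/Managed Preferences" "$1"
fi
```

If the second function reports a file while the extension keeps returning, the configuration profile is still installed and the folders will be recreated after deletion.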