macOS Chrome default search is redirected to Yahoo

2

The behavior looks like this:

  1. When I search "baby" with my default search engine, Google,
  2. I can see the browser address bar shows "https://www.google.com.hk/?gfe_rd=cr&ei=JjV5WZ--N8TU8AfqgqII#q=baby"
  3. And then after 1 or 2 seconds, it redirects to "https://hk.search.yahoo.com/yhs/search?hspart=blp&hsimp=yhs-default&type=hmp_060_695_0&p=baby&rnd=1196689346&param1=sid%3D695%3Aaid%3D060%3Aver%3D0%3Atm%3D-1%3Asrc%3Dhmp%3Alng%3Den%3Aitype%3De%3Auip%3D1997106063%3Aup%3DYmFieQ%253D%253D"

I have tried the methods below, but none of them works:

  • Reset default search engine to Google
  • Delete all search engines and create a new one with Google search (https://www.google.com/#q=%s)
  • Clean Chrome extensions
  • Clear /Library/Internet Plugins
  • Reset Chrome
  • Reinstall Chrome

I also tried the methods below, which could be temporary solutions:

  • Switch to Incognito window;
  • Log out from Chrome;

Any idea about this?

== After successfully cleaning the folder /Users/$USER/Library/Application\ Support/Google/Chrome/Profile\ 1/Extensions/bfkmdpfljdpopbemfaelnflapafbflgn, it came back again after two days.

So when my Chrome has the redirect issue, the folder contents look like:


After I clean it, it looks like:


So I guess there must be some virus that comes either from my computer or from Chrome. After some checking, I found a non-removable extension:


Hope this helps.

Joshua

Posted 2017-07-28T00:37:01.567

Reputation: 131

Answers

0

I think I found the final solution for this. There is an extension named "Plugins Button" installed in Chrome with super permission, so that you cannot remove it.

Step1: Quit Chrome;

Step2:

$ rm -rf /Users/$NAME/Library/Application\ Support/Google/Chrome/Profile\ $NUMBER/Extensions/bfkmdpfljdpopbemfaelnflapafbflgn/

$ rm -rf ~/Library/Application\ Support/Google/Chrome/Profile\ $NUMBER/Sync\ Extension\ Settings/bfkmdpfljdpopbemfaelnflapafbflgn/

Step3:

Open "System Preferences" and click Profiles; you will find a weird profile named "your name". If you take a look at the details, it contains the exact keyword "bfkmdpfljdpopbemfaelnflapafbflgn". Delete the profile.

Joshua

Posted 2017-07-28T00:37:01.567

Reputation: 131
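
A read-only check for the traces named in the answer above, as an added example (not code from the post): it lists where a given extension ID still exists under Chrome's profile folders and which managed-preference files mention it. The function names and the `/Library/Managed Preferences` scan location are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: locate on-disk traces of one Chrome extension ID.
# Read-only: it prints paths and deletes nothing.

# The ID quoted in the post; pass another ID as the first argument.
EXT_ID_DEFAULT="bfkmdpfljdpopbemfaelnflapafbflgn"

# find_extension_traces ID CHROME_DIR
# Lists folders named ID inside any profile's "Extensions" or
# "Sync Extension Settings" folder (the two places removed in Step 2).
find_extension_traces() {
  local id="$1" chrome_dir="$2"
  [ -d "$chrome_dir" ] || return 0
  find "$chrome_dir" -mindepth 3 -maxdepth 3 -type d -name "$id" \
    \( -path '*/Extensions/*' -o -path '*/Sync Extension Settings/*' \) \
    2>/dev/null | sort
}

# find_policy_references ID DIR...
# Lists files under the given directories that contain ID. A hit in a
# managed-preferences file suggests the extension is pinned by a
# configuration profile (the profile deleted in Step 3).
find_policy_references() {
  local id="$1"; shift
  local d
  for d in "$@"; do
    if [ -d "$d" ]; then
      grep -rlF -- "$id" "$d" 2>/dev/null || true
    fi
  done | sort
}

# report [ID]: scan the current user's Chrome data and the system
# managed-preferences folder (assumed location; adjust if yours differs).
report() {
  local id="${1:-$EXT_ID_DEFAULT}"
  echo "== extension folders =="
  find_extension_traces "$id" "$HOME/Library/Application Support/Google/Chrome"
  echo "== managed preference files mentioning the ID =="
  find_policy_references "$id" "/Library/Managed Preferences"
}

report "$@"
```

Running it again a few days after cleanup shows whether the folders have been recreated.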

1

Try creating another user and see if it persists there.

What about Safari or Firefox? Whether they are infected or not, the answer narrows the problem.

Check your DNS; perhaps it was hijacked. 8.8.8.8 is Google's Public DNS and will help if it's allowed in HK. For a friendly trustworthy network, just setting DHCP-based DNS will usually work.

See if https://www.malwarebytes.com/mac/ will kill it.

Try booting to a Linux LiveCD to see if it's environmental. (Probably not this, but it's worth a look if nothing else works.)

Tim G

Posted 2017-07-28T00:37:01.567

Reputation: 411

1 After scanning the computer with Malwarebytes, I found this one: "2017-07-29 09:03:24 : Removing Extension Item: /Users/Joshua/Library/Application Support/Google/Chrome/Profile 1/Extensions/bfkmdpfljdpopbemfaelnflapafbflgn". Now it works fine!!! It's a pity that I didn't take a look at the file content before deleting it. – Joshua – 2017-07-29T01:06:44.223