Windows 10: Can't get rid of browser hijack in Edge.

Discussion in 'Browsers and Email' started by Galane, Aug 13, 2016.

  1. Galane Win User

    Can't get rid of browser hijack in Edge.


    Got hit with a drive by browser hijack which has set my Edge start page to Yahoo Search - Web Search

    It also disabled the Home button and changed my default search from Google to Yahoo.

    I tried the Edge reset PowerShell script. That failed. ("Microsoft Edge - Reset to Default in Windows 10" - Windows 10 Forums)

    I tried Method #2 here (also found other places): "BEST FIX: Reset Microsoft Edge on Windows 10". FAIL!

    Malwarebytes got rid of the hijack in Internet Explorer and Chrome. I presume it also took things out of Firefox too, but simply changing the start page and other settings worked. (Now why can't the other browsers shrug off hijack attempts like that?!)

    Superantispyware found *nothing* except a bunch of tracking cookies, which I had it delete.

    I'm about to the point of using the script here that forcibly rips Edge out by the roots: "Edge browser - remove or uninstall in Windows 10".

    Is there a way to reinstall Edge after using that, without having to reinstall Windows 10?

    If you have something to try that I have not already listed above, I'd like to hear about it. (In other words, do not tell me to do exactly what I've said I already tried which failed to fix the problem.)

    :)
     
    Galane, Aug 13, 2016
    #1
  2. grk041668 Win User

    Can't remove Yahoo from Chrome

    Somehow Yahoo has hijacked my Google Chrome home page. I can't seem to get rid of it. I used Windows Defender to scan; it showed nothing. I've uninstalled Google Chrome and reinstalled; still there. I used Malwarebytes and cleaned it up, but it's still happening.
    No idea how to get rid of it.

    [Original title: Browser Hijacker]
     
    grk041668, Aug 13, 2016
    #2
  3. IbnIba Win User
    How to remove Sweetpage.com from Microsoft Edge Windows 10

    Hi,

    My Microsoft Edge browser has been hijacked by Sweetpage.com and I can not find any instructions on how to remove it. I can find instructions for explorer, chrome, firefox but not edge.

    My Avast and AntiMalware Bytes tools do not get rid of it, nor do any Microsoft anti virus tools.

    Would be grateful for instructions how to get rid of it please?

    Can I uninstall Microsoft Edge and reinstall perhaps?

    Regards
     
    IbnIba, Aug 13, 2016
    #3
  4. Dropbox Win User

    Hey,

    It seems that you are infected with Adware.

    Did you try to run AdwCleaner to remove the infections? Run the program as administrator and choose the scan option, if you are unsure about what has been found you can post the logfile here first, otherwise you can click clean after scanning.

    Your system will reboot after you clean it, a logfile will open. Can you post the content of the logfile in your next post?
     
    Dropbox, Aug 13, 2016
    #4
  5. Galane Win User
    I'll try AdwCleaner and see if it gets rid of this.

    Just tried Avast Browser Cleanup. It too has failed, said it found a toolbar protector and removed it. Not a toolbar problem, start page hijack.
     
    Galane, Aug 13, 2016
    #5
  6. Dropbox Win User
    Let's see what AdwCleaner does, it would be nice if I can receive the logfile so I can help you with other steps if needed.
     
    Dropbox, Aug 13, 2016
    #6
  7. Galane Win User
    Log attached. I see where it's found the hijack in Chrome and Firefox and IE, but nothing shows for Edge.

    Ignore the B1 Free Archiver entries. *Everything* claims it's malware.
    Conduit is the Swag Button from Swagbucks, also innocuous yet all the malware/adware removers insist it should be removed. (I get free Amazon gift cards from Swagbucks. Free money = not bad!)

    Edit: I unchecked the entries for B1, hit clean then let it reboot. Then I ran CCleaner to clean up, and used its Registry cleaner to clear out references to files and folders Adw deleted.

    Launched Edge and... slight change. Still stuck on the hijacked start page, still being blocked from changing the start page. In the settings, the radio button is now staying on a specific page or pages instead of always changing to Start Page, but no changes to the custom startup are saved, it resets to MSN, yet it launches immediately to the hijacked page without even attempting to go to MSN.

    It's also no longer resetting the Home button to the hijack page.

    So partway cleaned but still has the start page hijacked and changes are blocked. It's hiding somewhere, just have to find it.
     
    Galane, Aug 13, 2016
    #7
  8. Dropbox Win User

    Hey,

    I see that you only used the scan button. :) Can you start the program again, press Scan and after that please use the Clean button to remove what has been found while scanning.

    Please attach the logfile you get after cleaning.

    P.S.:
    Data Found: HKU\S-1-5-21-3264141754-2789376457-1022515604-1001\Software\Microsoft\Internet Explorer\Main [Search Page] - hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
    Data Found: HKCU\Software\Microsoft\Internet Explorer\Main [Search Page] - hxxps://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}

    This will also be the problem for Edge if I'm correct, let me know please.

    Also for C:\Program Files (x86)\B1 Free Archiver there are a lot of alternatives that are safe, for example Bandizip.
     
    Dropbox, Aug 13, 2016
    #8
  9. Tonyb Win User
    Tonyb, Aug 13, 2016
    #9
  10. Galane Win User
    Safe site or not, something has nailed my start page to it and is blocking it from being changed.

    There's a cloud storage site which archives everything to B1's format when downloading, so it has to stick around.

    I scanned again and I see the keyword URL line is still in prefs.js. I opened the file in Notepad and despite AdwCleaner's log saying it removed it, it did not. So I opened prefs.js in Notepad and deleted the line. Saved and closed but did not mark it read only, then launched Firefox and opened prefs.js. The line is still gone.

    I was hoping something would put the line back, then some process monitor program could watch it to see what accessed it.

    Cleaning log and latest scan log attached. Just tried changing the Edge start page to https://www.yahoo.com again, reverted to set to MSN but going to the search.yahoo one. Does Edge have a preferences file somewhere that could have gotten set to read only and that's blocking any user settings changes? Like how a common malware attack on MS Word was to add junk to the normal.dot file then set it to read only to block changes made to it from within Word.

    I assume that eventually, sometime, the malware cleaners will get updated to get this one, maybe.

    What would fix it is a standalone Edge installer that steamrolls in over *everything* for Edge *everywhere* its files and data are in Windows 10. A 'burn the village to save it' approach to ensure that anything screwed up or infected about it gets overwritten.
     
    Galane, Aug 14, 2016
    #10
  11. Dropbox Win User
    Hello,

    Please download Junkware Removal Tool and save it to your Desktop. Right click the program and choose Run as administrator.

    Let the program run. After it has cleaned, a reboot may be needed; do it, otherwise attach the file JRT.txt in your next post.
     
    Dropbox, Aug 14, 2016
    #11
  12. Galane Win User
    Still goes to Yahoo Search - Web Search after running JRT.exe and rebooting. Log attached. I see it did away with coupon printer (it's not malware) and the video downloader shortcut (also not harmful) but ignored B1.

    But in the settings it's now leaving the custom page to go to at the regular Yahoo URL instead of switching it to MSN. Still ignores that and goes to the URL I don't want. One more step of progress but still not across the finish line.

    I'm going to use Agent Ransack and have it search for that URL as a text string inside every @#%^@%# file on C: and see if it finds anything.
     
    Galane, Aug 15, 2016
    #12
  13. Galane Win User

    Here's what Agent Ransack found. I copied them out and saved the paths to the files before deleting them: https://dl.dropboxusercontent.com/u/...age-hijack.zip

    Feel free to share those files with people who can get them put into malware remover detection databases.

    For the one in Edge's cache I just went into each subfolder there and deleted everything. Apparently CCleaner wasn't fully emptying it. For the file in Recovery\Active I had to use Unlocker to delete because despite Edge not running, Windows claimed the file was in use.

    Now to reboot and see if Edge launches to the regular Yahoo page. If it's still hijacked, then I don't know what to try next.

    Edit: Rebooted, launched Edge and right back to that same page. The same file re-appeared in the \Windows\Caches

    Whoever created this hijack has buried something very well to ensure that Edge will always be going to that one site.

    I'm scanning all of \AppData under my Username looking for files containing text string with spigot to see if I missed anything. I stopped Agent Ransack at about 50% (I have a lot of files on C: ) because it had found those files which looked very suspicious due to their locations.
     
    Galane, Aug 15, 2016
    #13
  14. Galane Win User
    Finally found it. The .lnk file in the taskbar had the URL in it. What's the default in it? I tried deleting the URL but then I couldn't go to any sites with Edge, so for now I changed it to the regular Yahoo page.

    C:\Windows\explorer.exe microsoft-edge:"https://search.yahoo.com/?type=994519&fr=spigot_edge_hp" <-What should the default be so Edge will go to the proper Start page?

    C:\Users\Username\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\MicrosoftEdge.lnk
     
    Galane, Aug 15, 2016
    #14
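
Added example, not part of the original thread: post #14 traced the hijack to a URL stored in the arguments of the pinned taskbar shortcut, which the browser resets and cleaners tried earlier in the thread did not fix. This PowerShell script lists shortcuts whose target or arguments carry a URL; the folder list, the match pattern and the function name Get-ShortcutWithUrl are assumptions chosen for illustration.

```powershell
# Added example: report .lnk files whose target or arguments contain a URL.
# The folder list is an assumption; extend it for other profiles or locations.
$folders = @(
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    [Environment]::GetFolderPath('Desktop'),
    "$env:PUBLIC\Desktop"
)

# Matches http(s) URLs and the microsoft-edge: handler seen in post #14.
$urlPattern = '(?i)(https?://|microsoft-edge:)'

function Get-ShortcutWithUrl {
    param(
        [string[]]$Path,
        [string]$Pattern = $urlPattern
    )

    # WScript.Shell can open an existing .lnk and expose its fields.
    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $Path | Where-Object { Test-Path -LiteralPath $_ }) {
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                if ($lnk.Arguments -match $Pattern -or $lnk.TargetPath -match $Pattern) {
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                        Modified  = $_.LastWriteTime   # compare with the time the hijack appeared
                    }
                }
            }
    }
}

# Read-only: nothing is changed, the matches are only listed for review.
Get-ShortcutWithUrl -Path $folders | Format-List
```

A match is not proof of a hijack, since shortcuts a user created for a specific site will also be listed; review the Arguments value and the Modified time of each result.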
  15. Dropbox Win User
    Hey,

    Thanks for the file, I've sent it to some AV companies. :)

    It seems that something is wrong in Edge, even though a lot has been cleaned, which is good. I found a way to delete and re-install the Edge browser, can you give it a try and tell me if it works?
     
    Dropbox, Aug 15, 2016
    #15