My wife downloaded a program promoted through Facebook, advertised as “Facebook Phone Chat”. With the software now removed I couldn’t analyse it for malicious content; however, it did leave some trademarks. It set the home page to
On IE9 this was removed with no problem. However, on Google Chrome it was a bit tougher.
The home page settings appeared to be set to Google
Switching this to http://www.bing.com, reloading Chrome, then switching back to http://www.google.com.au seemed to fix this issue. (Bing, you are getting better all the time, but until we see full functionality here in Australia you’ll have to wait to be the default homepage.)
However, new tabs were still opening with the chatphonesearch page.
Looking through all the config options/settings pages I could not find the setting for home page.
I set a filter to include events where Process is chrome.exe.
I saw the following redirect HTML
And it contained the code
I checked Google Extensions and all were disabled (I had done this in previous troubleshooting steps).
So I just deleted the folder
Now I got this error:
So then, looking at files opened by ProcMon, I noticed the Preferences file. I opened it in Notepad. Ah, found the bad little thing.
Actually it had spread itself throughout the Preferences file in multiple places. Deleting the file then...
All gone, no more issue. (Note: the latest Google Chrome lets you configure the new tab page through the user interface.)
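Because the hijacker's URL turned up in several places in the Preferences file, a quick way to see every location before deleting or hand-editing the file is to walk it as JSON and list each path that mentions the string. This is an added example, not part of the original post: the sample data, the `chatphonesearch.example` host and the function names are constructed for illustration, and it assumes the Preferences file parses as JSON.

```python
import json

# Constructed sample, not the author's actual Preferences file.
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://www.google.com.au",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,
        "startup_urls": ["http://chatphonesearch.example/?src=tab"],
    },
    "extensions": {
        "settings": {
            "hypothetical_extension_id": {
                "state": 0,
                "manifest": {
                    "name": "Sample extension",
                    "homepage_url": "http://chatphonesearch.example/",
                },
            }
        }
    },
})


def find_references(node, needle, path="$"):
    """Yield (json_path, value) for each key name or string value containing needle."""
    needle = needle.lower()
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}"
            if needle in key.lower():
                yield child_path, "<key name>"
            yield from find_references(child, needle, child_path)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from find_references(child, needle, f"{path}[{index}]")
    elif isinstance(node, str) and needle in node.lower():
        yield path, node


def scan_preferences(text, needle):
    """Parse the Preferences text and return every match as a list."""
    return list(find_references(json.loads(text), needle))


if __name__ == "__main__":
    # To scan a real profile, read the Preferences file (with Chrome closed)
    # and pass its contents instead of SAMPLE_PREFERENCES.
    for json_path, value in scan_preferences(SAMPLE_PREFERENCES, "chatphonesearch"):
        print(f"{json_path}: {value}")
```

Listing the paths shows whether the string sits in startup or home page settings, in an extension entry, or in both, which tells you what to check again after Chrome rebuilds the file.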