I cannot figure this one out. I noticed my search results were a little "different" as of late.

  • I'm not signed in when I do a Google search, but if I click "Images" or "Videos" I am shown as signed in.
  • There's no Wikipedia information in the sidebar of the search page.
  • If I disable Ghostery and uBlock, many of the results are ads.

I decided to check developer tools and noticed there was a SyntaxError in the page. I clicked it and it actually leads to a JavaScript function that replaces the Google web address.

The problem seems to only occur in Chrome. Here is a side-by-side with Firefox: http://i.imgur.com/7J1G9mR.png

I tried to attach Fiddler Web Debugger to capture traffic so I could see where I am being redirected to. But as soon as I attach a web debugger it all goes away and I'm served the actual search page.... The page source when Fiddler is capturing is completely different.

Below is a screen capture gifv showing it. It starts with the hijacked page and I circle my cursor around some sketchy additional JavaScript source files. I then tell Fiddler to capture traffic and refresh my search results. The page I'm served is completely different. Finally I disable traffic capture again and refresh the page to show the hijacked page and take you to the function with the syntax error that is supposed to replace the web address.


I ran Malwarebytes and got no results. Spybot came up with a few hits but removing them did not fix the issue. I've also completely reset Chrome using Google's provided tool. If I use a different web profile, such as the one I do my bills in, I get no search results. If I enable Fiddler, suddenly I get results.

    Google uses HTTPS to serve you results. Check their site certificate and make sure that it's signed by Google Internet Authority G2. If not, somebody has added a new root certificate to your computer and is hijacking your traffic.
  • You might be onto something here. It was signed by "DO_NOT_TRUST_FiddlerRoot", so it might not be a coincidence that it works when Fiddler is capturing traffic. i.imgur.com/b61IkYc.png I removed all Fiddler Certificates using certmgr.cfg. Was Fiddler targeted? Since removing FiddlerRoot, I cannot access google.com. Commented Feb 2, 2016 at 0:33
    Looks like Fiddler has been associated with HTTPS adware in the past, right here on Super User. You might want to get rid of Fiddler. Probably change your passwords, too, once you're on secure computer.
  • After a restart, I can access Google again and the certificate is signed by "Google Internet Authority G2", but only if I have Fiddler set to Capture Traffic. When Fiddler is not capturing or uninstalled, Google goes back to using the invalid cert. I do not have time to reinstall everything... Commented Feb 2, 2016 at 1:03
  • Various pieces of malware check whether Fiddler is in use, and if so, they stop doing their malicious activities in order to attempt to hide their actions.
Some malware was probably impersonating Fiddler, as the original developer of Fiddler, Eric Lawrence, pointed out:

Various pieces of malware check whether Fiddler is in use, and if so, they stop doing their malicious activities in order to attempt to hide their actions.


Fiddler is a web debugging tool. It has no malicious behavior whatsoever, and it is never installed unless you personally install it using the installer downloaded from Telerik. The scenario described here is a piece of malware which is attempting to avoid detection by making itself look like Fiddler.



The clearest sign of malware is that Google Chrome doesn't load HTTPS websites as intended unless you are using Fiddler to capture traffic. Fiddler is not designed to interfere with your normal web browsing when it isn't in use.

In order for the malware to hide itself, it needs to hijack the Fiddler proxy and re-sign HTTPS traffic with the Fiddler certificate's private key. It is trivial to change the proxy settings, and it is possible to obtain a copy of your Fiddler installation's private key.

Root Certificate

You had Fiddler install a root certificate on your computer, which allows it to insert itself as a man-in-the-middle (MitM) to monitor the data contents being sent over HTTPS:

Screenshot from https://superuser.com/questions/1034394/google-search-hijacked-only-when-not-being-observed-attaching-a-debugger-return?noredirect=1#comment1443606_1034394

In contrast, here's how https://www.google.com/ is normally trusted:

Screenshot of proper Google HTTPS security chain

Your computer trusts the DO_NOT_TRUST_FiddlerRoot certificate because it was installed to your operating system's certificate trust store.

Proxy to Intercept HTTPS

You indicated that HTTPS behaves properly on Mozilla Firefox, which can be configured to use its own independent proxy rules rather than the operating system's proxy rules. Google Chrome uses the operating system proxy without an easy option to do otherwise.

Going through Fiddler's operating system-level proxy, Fiddler can now be the MitM to capture unencrypted HTTPS data while still serving the site. Fiddler fetches some web page, then signs it as "www.google.com" using the certificate that was trusted earlier, DO_NOT_TRUST_FiddlerRoot.

Under these circumstances, malware can take over both the proxy and the certificate to feed you the wrong site while still showing you the green lock icon. I can see this leading to elaborate phishing attacks.

Security Concerns

Related on Security Stack Exchange: What security risks are posed by software vendors deploying SSL Intercepting proxies on user desktops

As Eric Lawrence once wrote,

Fiddler’s HTTPS interception capabilities (rightly) raise eyebrows among security-conscious users.

That's why Fiddler warns about the security implications of intercepting HTTPS traffic:

Screenshot of a Fiddler built-in warning

By user error or malware installation, Fiddler has been associated with various problems:

Although Fiddler itself is not a harmful program, its misuse and misunderstandings led to past bad reputation and viruses pretending to be Fiddler.


I don't know if your computer has been compromised by some Fiddler hijacker, but you indicated that you don't have time to wipe your computer and reinstall, so hopefully the following steps can get rid of Fiddler and restore proper secure web behavior. (I would still recommend reinstalling and changing your passwords afterwards, especially if you're serious about security. You wrote that Spybot – Search & Destroy found some malware.)

Foreword: De-configure Fiddler

The original poster discovered these additional steps to resolve his issue with Fiddler:

Ultimately what fixed it was: Settings -> Show advanced settings -> Under network -> Change Proxy Settings -> Advanced -> Reset


Also in Fiddler Settings I disabled the options allowing it to decrypt HTTPS traffic before uninstalling and re-clearing certificates.

Remove Fiddler's Root Certificate(s)

  1. Press Win+r
  2. Open: certmgr.msc
  3. Look through all of the folders and remove the DO_NOT_TRUST_FiddlerRoot certificate.

Uninstall Fiddler

  1. Go to Control Panel » Programs » Programs and Features.
  2. Uninstall Fiddler. One source says that Fiddler may be called "FiddlerRoot" or "BrowserSafeguard".

Clear Proxy Settings

Assuming that you normally do not use a different proxy…

  1. Go to Control Panel » Internet Options.
  2. In Internet Properties, go to the "Connections" tab.
  3. Under "Local Area Network (LAN) settings", click on "LAN settings".
  4. Clear and uncheck your proxy settings like so: Screenshot of Local Area Network (LAN) Settings

Remove Malware

As suggested previously on Super User, you should try to find and remove the original malware that displayed modified HTTPS webpages.

Detailed advice:
How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?
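
The two things this answer resets, the trusted root and the system proxy, can be checked before and after cleanup with a read-only script. This is an added example, not part of the original answer; the function names are hypothetical, and it assumes the standard per-user Internet Settings registry key and a PowerShell prompt on the affected Windows machine.

```powershell
# Added example: read-only audit, it changes nothing on the machine.
$pattern = '*DO_NOT_TRUST_FiddlerRoot*'   # certificate name as it appears on the page

function Find-InterceptionRoot {
    param([string]$Pattern)
    # CurrentUser is what certmgr.msc shows; LocalMachine is the machine-wide set.
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        foreach ($store in Get-ChildItem -Path "Cert:\$location") {
            $path = "$location\$($store.Name)"
            Get-ChildItem -Path "Cert:\$path" -ErrorAction SilentlyContinue |
                Where-Object { $_.Subject -like $Pattern } |
                Select-Object @{ n = 'Store'; e = { $path } }, Subject, Thumbprint, NotBefore
        }
    }
}

function Get-UserProxySetting {
    # Per-user proxy values behind Internet Options > Connections > LAN settings.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Get-ItemProperty -Path $key | Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

function Get-PortListener {
    param([string]$Port)
    # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
    netstat -ano |
        Select-String -Pattern "^\s*TCP\s+\S+:${Port}\s+\S+\s+LISTENING\s+(\d+)" |
        ForEach-Object { Get-Process -Id $_.Matches[0].Groups[1].Value -ErrorAction SilentlyContinue }
}

$roots = @(Find-InterceptionRoot -Pattern $pattern)
$proxy = Get-UserProxySetting
$roots | Format-List
$proxy | Format-List

if ($roots.Count -gt 0) {
    Write-Warning "$($roots.Count) matching certificate(s) still installed."
}
if ($proxy.ProxyEnable -eq 1 -and $proxy.ProxyServer -match ':(\d+)') {
    # Whatever owns this port sits between the browser and every site it loads.
    $owners = @(Get-PortListener -Port $Matches[1])
    if ($owners.Count -eq 0) {
        Write-Warning "Proxy $($proxy.ProxyServer) is set, but no local process listens on that port."
    }
    foreach ($p in $owners) {
        Write-Warning "Proxy port is held by $($p.ProcessName) (PID $($p.Id)) $($p.Path)"
    }
}
```

A proxy port held by a process other than the Fiddler you installed yourself, or a matching root that reappears after removal, points at the malware rather than at Fiddler.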

  • Thanks for the detailed writeup. I can not bring myself to believe that Fiddler is nefarious because my coworkers and I use it almost every day for years. I can believe that something else possibly took advantage of the FiddlerRoot Certificate. I've always had Fiddler installed and did not recently do an upgrade; this problem appeared in the last few days. If Fiddler was being nefarious I don't think it would have had "DO_NOT_TRUST" in the certificate name. Ultimately what fixed it was: Settings -> Show advanced settings -> Under network -> Change Proxy Settings -> Advanced -> Reset Commented Feb 2, 2016 at 3:25
  • Also certlm.msc does not appear to be available in Win7. However I did remove all certificate entries for Fiddler using certmgr.msc. Also in Fiddler Settings I disabled the options allowing it to decrypt HTTPS traffic before uninstalling and re-clearing certificates. If you edit your post to include these slightly different steps I will mark this as the answer because ultimately it did fix the issue. Commented Feb 2, 2016 at 3:28
    @DerekZiemba: Going only on various complaints I found about Fiddler, I didn't know what it was, but now that I have looked it up, I see it's supposed to be a legitimate tool. I have changed my answer to make it less accusational and also to put in the corrected facts you found.
    You're VERY confused about Fiddler. Fiddler is a web debugging tool. It has no malicious behavior whatsoever, and it is never installed unless you personally install it using the installer downloaded from Telerik. The scenario described here is a piece of malware which is attempting to avoid detection by making itself look like Fiddler.
    Hello @EricLaw. I'm honored to have your official/authoritative commentary. It's my fault for being uninformed and giving undue weight against Fiddler. I have edited my answer to include your input. I'm sorry about the inconvenience. (After all, you're near enough to walk up to me and punch me in the face!)
