Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. These are generally used to force hits to a particular website, increasing its advertising revenue.
Some browser hijackers also contain spyware; for example, some install a software keylogger to gather information such as banking and e-mail authentication details. Some browser hijackers can also damage the registry on Windows systems, often permanently.
Some browser hijacking can be easily reversed, while other instances may be difficult to reverse. Various software packages exist to prevent such modification.
Many browser hijacking programs are included in software bundles that the user did not choose. They are presented as "offers" in the installer for another program, often with no uninstall instructions or documentation on what they do, and in a way that is designed to be confusing for the average user, in order to trick them into installing unwanted extra software.
There are several methods that browser hijackers use to gain entry to an operating system. Email attachments and files downloaded through suspicious websites and torrents are common tactics that browser hijackers use.
Rogue security software
Some rogue security software will also hijack the start page, generally displaying a message such as "WARNING! Your computer is infected with spyware!" to lead to an antispyware vendor's page. The start page will return to normal settings once the user buys their software. Programs such as WinFixer are known to hijack the user's start page and redirect it to another website.
Non-existent domain pages
The Domain Name System is queried when a user types in the name of a website (e.g. wikipedia.org) and the DNS returns the IP address of the website if it exists. If a user mistypes the name of a website then the DNS will return a Non-Existent Domain (NXDOMAIN) response.
In 2006, EarthLink started redirecting mistyped domain names over to a search page. This was done by interpreting the error code NXDOMAIN at the server level. The announcement led to much negative feedback, and EarthLink offered services without this feature.
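A resolver that rewrites NXDOMAIN in the way described above can be detected from the client side by asking it for names that cannot exist. The following is an added example, not part of the original article; the function names, the control name `example.com` and the use of random labels under `.com` are assumptions of the example.

```python
import secrets
import socket


def system_resolve(name):
    """Resolve through the OS resolver; return sorted IPs, [] if nothing resolves."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []  # NXDOMAIN, but also timeouts and resolver outages
    return sorted({info[4][0] for info in infos})


def check_nxdomain_rewriting(resolve=system_resolve, probes=3,
                             control="example.com"):
    """Ask the resolver for names that cannot exist and see whether it answers.

    Returns {"verdict": ..., "landing_ips": [...]} where verdict is
    "clean", "rewritten" or "inconclusive".
    """
    # A failed lookup only means NXDOMAIN if the resolver works at all,
    # so require a known-good name to resolve first.
    if not resolve(control):
        return {"verdict": "inconclusive", "landing_ips": []}

    landing = set()
    answered = 0
    for _ in range(probes):
        # 24 random hex characters: a syntactically valid label that is
        # not registered, so an honest resolver has nothing to return.
        name = f"{secrets.token_hex(12)}.com"
        ips = resolve(name)
        if ips:
            answered += 1
            landing.update(ips)

    verdict = "rewritten" if answered else "clean"
    return {"verdict": verdict, "landing_ips": sorted(landing)}


if __name__ == "__main__":
    # Live check against whatever resolver this machine is configured to use.
    print(check_nxdomain_rewriting())
```

When the verdict is "rewritten", the landing addresses are the servers hosting the substitute search page, and they are normally the same for every mistyped name.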
Unwanted programs often include no sign that they are installed, and no uninstall or opt-out instructions.
Most hijacking programs constantly change the settings of browsers, meaning that user choices in their own browser are overwritten. Some antivirus software identifies browser hijacking software as malicious software and can remove it. Some spyware scanning programs have a browser restore function to set the user's browser settings back to normal or alert them when their browser page has been changed.
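The "alert when settings change" function mentioned above can be sketched for Firefox, which stores non-default settings as `user_pref(...)` lines in the profile's `prefs.js`. This is an added example, not code from the original article or from any of the tools it names; the host list is taken from domains named on this page, and the sample profile and baseline are constructed. It also flags a manually configured proxy, the mechanism described under RocketTab.

```python
import json
import re
from urllib.parse import urlsplit

# Hosts this page names as hijacker start or search pages.
HIJACKER_HOSTS = {
    "isearch.babylon.com", "search.conduit.com", "trovi.com", "istartsurf.com",
    "mystart.incredibar.com", "onewebsearch.com", "searchassist.net",
    "searchult.com", "searchgol.com", "searchnu.com", "snap.do", "vosteran.com",
}

# Firefox preferences worth watching for drift.
WATCHED = ("browser.startup.homepage", "network.proxy.type",
           "network.proxy.http", "network.proxy.ssl",
           "network.proxy.autoconfig_url")

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js text into {name: value}; absent names are at their default."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)   # strings, integers, true/false
        except ValueError:
            prefs[name] = raw.strip('"')    # unusual escapes: keep the raw text
    return prefs


def homepage_hosts(value):
    """Hosts in a homepage value; Firefox separates several pages with '|'."""
    hosts = []
    for part in str(value).split("|"):
        part = part.strip()
        if "://" not in part:
            part = "http://" + part
        host = urlsplit(part).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_hijacker_host(host):
    return any(host == h or host.endswith("." + h) for h in HIJACKER_HOSTS)


def audit_prefs(text, baseline):
    """Return (kind, pref, value) findings for drift from the user's baseline."""
    prefs = parse_prefs(text)
    findings = [("changed", name, prefs.get(name))
                for name in WATCHED if prefs.get(name) != baseline.get(name)]
    for host in homepage_hosts(prefs.get("browser.startup.homepage", "")):
        if is_hijacker_host(host):
            findings.append(("hijacker-host", "browser.startup.homepage", host))
    if prefs.get("network.proxy.type") == 1:  # 1 = manual proxy configuration
        findings.append(("manual-proxy", "network.proxy.http",
                         prefs.get("network.proxy.http")))
    return findings


# Constructed sample profile and baseline, for illustration only.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.example.org/|http://www.trovi.com/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("browser.shell.checkDefaultBrowser", false);
'''
BASELINE = {"browser.startup.homepage": "https://www.example.org/"}

if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_PREFS, BASELINE):
        print(finding)
```

Because hijackers rewrite these settings repeatedly, the audit is most useful when run on a schedule against a baseline captured while the profile was known to be good.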
Some of the more malicious browser hijacking programs steal browser cookies on a person's computer, in order to manipulate online accounts they are logged into. One company maliciously used Google cookies to install Android apps onto a user's phone without their knowledge or consent.
As of Microsoft Windows 10, web browsers can no longer set themselves as a user's default without further intervention; changing the default web browser must be performed manually by the user from Settings' "Default apps" page, ostensibly to prevent browser hijacking.
Examples of hijackers
A number of hijackers change the browser homepage, display adverts, and/or set the default search engine; these include Astromenda (www.astromenda.com); Ask Toolbar (ask.com); ESurf (esurf.biz); Binkiland (binkiland.com); Delta and Claro; Dregol; Jamenize; Mindspark; Groovorio; Sweet Page; Search Protect by Conduit along with search.conduit.com and variants; Tuvaro; Spigot; en.4yendex.com, Yahoo, etc.
Ask Toolbar has been widely bundled with the installer for Oracle Java SE and has been criticized for being malware as users had to remember to manually deselect the toolbar installation during a Java installation.
This has been especially severe in Denmark where the government sponsored digital signature system NemID (which in reality is more of a single sign on system for public servers such as banks and government offices) up to 2015 relied on Java on the client side and thus most computers running Microsoft Windows in Denmark were vulnerable to having the unwanted Ask Toolbar installed.
Babylon Toolbar is a browser hijacker that will change the browser homepage and set the default search engine to isearch.babylon.com. It is also a form of adware. It displays advertisements, sponsored links, and spurious paid search results. The program will collect search terms from your search queries.
In 2011, the CNET site Download.com started bundling the Babylon Toolbar with open-source packages such as Nmap. Gordon Lyon, the developer of Nmap, was upset over the way users of his software were tricked into installing the toolbar. The vice-president of Download.com, Sean Murphy, released an apology: "The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused."
Similar variants of the Babylon toolbar and search homepage exist, including Bueno Search, Delta Search, Claro Search, and Search GOL. The terms of service of all of these variants state that they are owned by Babylon.
All of the toolbars were created by Montiera.
Conduit (Search Protect)
Conduit is a PUP / hijacker. It steals personal and confidential information from the user and transfers it to a third party. This toolbar has been identified as a Potentially Unwanted Program (PUP) by Malwarebytes and is typically bundled with free downloads. These toolbars modify the browser's default search engine, homepage, new tab page, and several other browser settings. There are similar variants of Conduit search such as trovi.com, trovigo.com, better-search.net, seekforsearch.com, searchitdown.com, need4search.com, clearsearches.com, search-armor.com, searchthatup.com, premiumsearchweb.com, along with other variants which were created in a customized way through the toolbar creation service Conduit Ltd used to offer.
A program called "Conduit Search Protect", better known as "Search Protect by conduit", can cause severe system errors upon uninstallation. It claims to protect browser settings but actually blocks all attempts to manipulate a browser through the settings page; in other words, it makes sure the malicious settings remain unchanged. Search Protect has an option to change the search homepage from the "recommended" search home page Trovi; however, users have reported it changing back to Trovi after a period of time. The uninstall program for Search Protect can cause Windows to be unbootable because the uninstall file not only removes its own files, but also all the boot files in the root of the C: drive, and leaves a BackGroundContainer.dll file in the start-up registry. Conduit is associated with malware, spyware, and adware, as victims of this hijacker have reported unwanted pop-ups and embedded in-text advertisements on sites without ads.
Victims of unwanted redirections to conduit.com have also reported that they have been targeted by phishing attempts and have received unwanted email spam, junk mail, other messages, and telephone calls from telemarketers. Some victims claim that the callers claimed to be Apple, Microsoft, or their ISP, that personal information was used in some phone calls, and that some of the calls concerned their browsing habits and recent browsing history. Personal information used in phishing attempts may be associated with spyware.
CoolWebSearch was one of the first browser hijackers. It redirected the user from their existing home page to the rogue CoolWebSearch search engine, with its results as sponsored links. With most antivirus and antispyware programs unable to properly remove this particular hijacker, a man named Merijn Bellekom developed a special tool called CWShredder specifically to remove this kind of hijacker. CoolWebSearch is a popular browser hijacker and is owned by 'fun web products'.
Coupon Server is an adware program bundled with multiple freeware applications that can be downloaded from the Internet by users. This program may appear on PCs without a user's knowledge. Coupon Server may appear to be useful, but can be intrusive and display ads without users' permissions. Coupon Server is also considered as a malicious domain and browser hijacker. It will hijack your Internet browser and forcibly lead a user to its homepage, which is disguised as a legitimate search engine to fool visitors into using the website. It will also direct the browser to a suspicious domain and alter browser settings.
The ad-triggering software called GoSave has been reported to cause user experience issues because of its intrusive characteristics. The victim is not appropriately informed at installation, and ads are inserted into webpages. It adds a plugin or extension to whichever web browser is the default. It is currently compatible with Internet Explorer, Firefox and Chrome. The name of the add-on is not necessarily "GoSave" – it varies from GS Booster, to GS Sustainer, or something else.
The browser hijacker istartsurf.com may replace the preferred search tools. This infection travels bundled with third party applications and its installation may be silent. Due to this, affected users are not aware that the hijacker has infected their Internet Explorer, Google Chrome or Mozilla Firefox browsers.
Mixi.DJ offers a media player, but also a free toolbar and Conduit-based search engine, the toolbar being the add-on prompted to add during installation. The toolbar is a new hijacker that alters a browser's homepage. It also adds itself to the computer's registry, creates strings in the memory, and changes Internet Explorer's icon to a magnifying glass.
MyStart.Incredibar Search (Mystart Search IncrediBar, MyStart toolbar, MyStart Search, IncrediBar, IncrediBar Games-EN) is a very dangerous Internet browser hijacker, virus, and spyware that often comes embedded with many download applications and installers such as HyperCam. It is known to install itself into Firefox, Internet Explorer, Safari, and Google Chrome.
Symptoms range from no symptoms at all (simple processor drainage) to complete system crashes so severe that the victim has to re-install their entire operating system.
MyStart uses browser helper objects (in this case search tools) and infects users by installing MyStart search toolbar into their browser (Firefox is most vulnerable) which redirects internet users to MyStart’s websites, mystart.incredibar.com in particular. Some Internet users report that they are redirected for every search or webpage they visit.
Removing Incredibar can be an extremely daunting task since there are countless different variations. Most infected systems can expect to find undesirable Windows registry changes, browser configuration changes, and files with random strings installed into the user's local settings folders; the location varies from one PC to the next depending on the user's operating system, its version, and even the computer. In one version, Incredibar appears to be a removable add-on, plug-in, or extension within web browsers; however, simply removing Incredibar via the inbuilt browser add-on removal process is not enough, since the program has already combined registry and file installs which re-install it upon a system or browser reboot.
A few virus and spyware removal applications such as Webroot Spysweeper, Eset NOD32, AdwCleaner, and Junkware Removal Tool are known to remove Mystart.Incredibar, but using these applications to do so will not revert the user to their default search engine.
Onewebsearch, also referred to as the onewebsearch virus or the onewebsearch.com redirection virus, is malware categorized as a browser hijacker. Onewebsearch utilizes browser hijackers and black-hat techniques to infect a computer system and attach add-ons, extensions, and toolbars to popular internet browsers without permission, which in turn causes internet browsers like Chrome, Firefox, and Internet Explorer to redirect to onewebsearch.com, search-, home-, or start.onewebsearch.com, related web pages, and third party domain names.
RocketTab is a browser hijacker that runs as a program and browser plugin. It embeds its own search results from RocketTab when you search with other providers. RocketTab sets itself as a proxy and runs all http and https traffic through itself. It is known to create problems for security applications. Uninstalling the application removes the proxy, the targeted ads and search results RocketTab provides.
Sear4m.xyz is categorized as a browser hijacker which alters a computer's performance. Some adware uses Sear4m.xyz to cause a user to click on Sear4m.xyz ads. Once Sear4m.xyz is installed, it changes the default DNS settings of browsers like Mozilla Firefox, Google Chrome, and Internet Explorer, and often redirects to various fake websites which are often laden with viruses.
Searchassist is a browser hijacker which piggybacks on other downloads from untrusted websites.
It will change the new tab homepage to searchassist.net and opens searchassist on browser start-up. It is stubborn, and if not uninstalled, will repeatedly change the browser tabs and homepage settings. It works with Firefox, Safari, Chrome, and Internet Explorer, though is only compatible with Windows and Linux. It can be detected by ADWcleaner, Spyhunter, and Malwarebytes. It is also known to slow down computer performance and cause the blue screen of death (BSOD), a screen that causes the computer to restart because of the viruses that came with searchassist. Searchassist, not unlike Vosteran, can have spyware links.
Review sites such as CNET may recommend searchassist, but many users rate it poorly. Searchassist claims to be a legitimate search engine with great personal results, tempting victims into the hijack, making it one of the hardest hijacks to recognize because the image on search assist is very much like a genuine Google Doodle.
Searchult.com is a browser hijacker that replaces users' home page, new tab page and default search engine. The program is advertised as a browser add-on that is supposed to help customize tabs and protect browsers from being affected by other programs. Searchult.com is associated with malware distribution. The website displays a banner ad just below the search box. Most often, these are adverts for Flash games.
Searchgol.com (can also be found as Search-Gol) is a search engine, which may show up on the infected computer instead of the user's default search engine. The cause of it getting onto the homepage is unknown, but it is known for downloading malware onto the computer. It replaces the default homepage without the user's permission. Numerous antivirus websites and blogs report that searchgol is a virus, but it is a potentially unwanted program (PUP) because it sneaks inside the system in a bundle with other programs and initiates some changes on the system without the user's permission. Removing Searchgol is not easy, as the victim must perform a browser restore, before removing programs related or downloaded by the browser hijacker.
The Searchnu.com domain and the domain search-results.com belong to IAC Search & Media, Inc. This company is known by the name Ask Jeeves Inc. It has a lot of popular domains on the web, the most famous of which is Ask.com. When something is searched for through the Searchnu search engine, the search results will redirect to Ask.com and related websites. The user can still access Google, either by entering it in the address bar or by searching for it, but Searchnu is still the homepage. Searchnu has 3 "clones", which are Searchnu.com/406, /409, and /421. However, removing Searchnu is easy following instructions.
Shorte.st is a browser hijacker that alters users' web browser settings without their permission. This adware functions by injecting unwanted advertising into the user's browser. In detail, once shorte.st enters a device, it modifies internet settings. It then starts tracking users' Internet activities, such as cookies and browser histories, and shares this information with third parties, including users' IP addresses, web page visits, and the time users spend on them. Browser hijackers can break into devices in several ways. Manual removal of shorte.st will not work in most cases, and the device may malfunction if removal is not done correctly. However, removing shorte.st is easy and automatic by following instructions.
Snap.do (Smartbar developed by Resoft) is potential malware, categorized as a browser hijacker and spyware, that causes Internet browsers to redirect to the snap.do search engine. Snap.Do can be manually downloaded from the Resoft website, though many users are entrapped by their unethical terms. It affects Windows and can be removed through the Add/Remove program menu. Snap.Do also can download many malicious toolbars, add-ons, and plug-ins like DVDVideoSoftTB, General Crawler, and Save Valet.
General Crawler, installed by Snap.do, has been known to use a backdoor process because it re-installs and re-enables itself every time an affected user removes it through their browser(s).
Snap.do will disable the option to change your homepage and default search engine.
Resoft will track the following information:
- The Internet domain and IP address from which the user accesses the Resoft Products (location, ID, etc.)
- Screen resolution of the user's computer monitor (display)
- The date and time the user intentionally or unintentionally accesses Resoft products
- The pages the user is visiting with the Resoft Products (with or without knowledge of using Resoft products, Snap.do)
- If the user willingly or unwillingly linked to a Resoft website from another referring website, the address of that site
By using the Resoft Products, the user consents to have their personal data transferred to and processed both within and outside of the United States of America.
By using the Resoft website, the user agrees to the preceding uses of their information in this way by Resoft.
A previous installer of SourceForge included adware and PUP installers.
One in particular changes the browser settings of Firefox, Chrome and Internet Explorer to show the website "istartsurf.com" as the homepage. It does so by changing registry settings and installing software which resets the settings if the user tries to change them.
On June 1, 2015, SourceForge claimed that they stopped coupling "third party offers" with unmaintained SourceForge projects.
Taplika is a browser hijacker which contains Trojan viruses that steal personal information from the user and send it to a third party. It can encrypt personal files and folders, as well as emails, photographs, videos, documents, etc. Once it infects the system, a user may lose all of their data from the affected system, and it could cause possible hardware damage.
Vosteran is a browser hijacker that changes a browser's home page and default search provider to vosteran.com. This infection is essentially bundled with other third-party applications. Vosteran carries the PUP virus. The identity of Vosteran is protected by privacyprotect.org from Australia. Vosteran is registered through Whiteknight.
SupTab is a PUP and hijacker. During installation, it adds search toolbars, redirects the home page to another link, and displays unwanted ads. The program is bundled with the installation of random freeware or shareware programs. It may remain unseen by some security programs like legitimate software.
It can be found when installing "Cheat Engine" or a different version of "VLC Player" on www.oldapps.com, or when downloading applications from certain freeware sites, such as Softonic.com or Download.com.
Trovi uses Bing (a legitimate search engine) to provide results to the user. The address bar changes to Bing.com after searching, but the search is still going through Trovi. Trovi used to use its own website to show search results, with the logo at the top left-hand corner of the page, but later switched to Bing in an attempt to fool users a little more easily. Trovi is not as deadly as it used to be, having taken the ads out of the search results depending on which browser is in use, but it is still considered a browser hijacker.
It also hijacks the homepage and new tab page settings so that they cannot be changed back to the original settings. Depending on which browser is in use, ads may appear on the page.
When it infects, it makes a browser redirect from Google and some other search engines to trovi.com.
Trovi was created using the Conduit toolbar creation service and has been known to infect in similar ways to the Conduit toolbar.