Browser hijacking

From Wikipedia, the free encyclopedia - View original article

  (Redirected from Browser hijacker)
Jump to: navigation, search

Browser hijacking is the modification of a web browser's settings by a malware, spyware or a virus. The term "hijacking" is used as the changes are performed without the user's permission. A browser hijacker may replace the existing home page, error page, or search page with its own.[1] These are generally used to force hits to a particular website, increasing its advertising revenue.

Some browser hijacking can be easily reversed, while other instances may be difficult to reverse. Various software packages exist to prevent such modification.

Examples of hijackers[edit]


Onewebsearch, referred to as the onewebsearch virus, or redirection virus is malware, categorized as a browser hijacker. Onewebsearch utilizes browser hijackers and black-hat techniques to infect a computer system and attach add-ons, extensions, and toolbars to popular internet browsers without permission, which in turn causes internet browsers like Chrome, Firefox, and Internet Explorer to redirect to,,,, related web pages, and third party domain names.

Conduit Search[edit]

Conduit toolbars have been identified as Potentially Unwanted Programs by Malwarebytes[2] and are typically bundled with other free downloads.[3][4] The toolbars modify the browser default search engine, homepage, and several other browser settings.[5]


CoolWebSearch (CWS) was one of the first browser hijackers. It redirected the existing home page to the rogue CWS search engine, with its results as sponsored links. With most antivirus and antispyware programs unable to properly remove this particular hijacker, a man named Merijn Bellekom developed a special tool called CWShredder specifically to remove this hijacker. Cool websearch is a popular browser hijacker and is owned by fun web products. [edit] is a hijacker that may be downloaded by the Zlob trojan. It redirects the user's searches to pornography sites. It also is known to slow down computer performance.[6]

MyStart.Incredibar Search[edit]

Mystart Incredibar Search is a browser hijacker which often comes embedded with many download applications and installers such as HyperCam. It is known to install itself into the following browsers: Firefox, Internet Explorer, Safari, and Google Chrome.[7]

Removing Incredibar can be a daunting task since there are many different variations and most infected systems can expect to find undesirable Windows registry changes, browser configuration changes, and files with random strings that are installed into the user's local settings folders and depending on the user's version of Windows the location will vary from one version to the next. In some variations of Incredibar it appears to be a removable add-on within Google Chrome and Firefox; however, simply removing Incredibar via the inbuilt browser add-on removal process is not enough since the infected system has combined registry and file installs of which reinstalls itself upon a system reboot.

A few virus and spyware removal applications such as Webroot Spysweeper and Eset NOD32 are known to remove Mystart Incredibar Search, but using these applications to do so will not revert the user to their default search engine. Manual removal seems the most effective method as it will revert all changes while giving the user a good understanding of how to remove it should they get something similar again.

Babylon Toolbar[edit]

Babylon's translation software prompts to add the Babylon Toolbar, identified as a browser hijacker. The toolbar also comes bundled as an add-on with other software downloads.[8]

In 2011, the Cnet site started bundling the Babylon Toolbar with open-source packages such as Nmap. Gordon Lyon, the developer of Nmap, vented his anger online over the way the toolbar was tricked on users.[9] The vice-president of, Sean Murphy, released an apology: The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused.[10][edit] is a browser hijacker which changes the browser homepage, and also runs strings to slow down the victim's PC. It can be difficult to remove manually, or with Internet tools.[11]


MIXI.DJ is a new browser hijacker which changes a browser's homepage. It also adds itself to the registry of the computer, creates strings in the memory and changes the icon on Internet Explorer to a magnifying glass.[edit] (Smartbar developed by Resoft) is potential malware, categorized as a browser hijacker, that causes internet browsers to redirect to the search engine. Even visiting and can lead to malicious downloads without consent. These downloads include multiple and malicious internet browser add-ons, extensions, and toolbars (provided by Conduit malware) like DVDVideoSoftTB, General Crawler, and Save Valet.


Most new hijackers will not allow a user to change back to their home page through Internet Properties. Modern hijackers' settings will most likely return upon reboot, however, well-updated antispyware software will likely remove the hijacker. Some spyware scanners have a browser page restore function to set the user's homepage back to normal or alert them when their browser page has been changed.

Rogue security software[edit]

Some rogue security software will also hijack the start page generally displaying a message such as "WARNING! Your computer is infected with spyware!" to lead to an anti-spyware vendor's page. The start page will return to normal settings once the user buys their software. Programs such as WinFixer are known to hijack the user's start page and redirect it to the website.

Beginning features confused with browser hijackers[edit]


In 2006, EarthLink started redirecting mistyped domain names over to a search page. This was done by interpreting the error code NXDOMAIN at the server level. The announcement led to much negative feedback, and EarthLink offered services without this feature.[12]

See also[edit]


  1. ^ "Browser Hijacking Fix & Browser Hijacking Removal". Microsoft. Retrieved 23 October 2012. 
  2. ^ "PUP.Optional.Conduit removal instructions". Malware Removal Guides. 2013-08-07. Retrieved 2013-10-12. 
  3. ^ "Bundle Your Software with a Custom Toolbar & Start Making Money". Conduit Ltd. 2013. Retrieved 2013-10-12. 
  4. ^ "Download me II—Removing the remnants of the Web’s most dangerous search terms". Ars Technica. 2013-08-25. Retrieved 2013-10-12. 
  5. ^ "So long, uTorrent". First Arkansas News. 2010-12-15. Retrieved 2011-08-11. 
  6. ^ "Browser Hijacker". MySearchCorp. Retrieved 3 July 2012. 
  7. ^ "How To Remove The MyStart By Incredibar Browser Search Redirection Virus (". July 2012. 
  8. ^ Getting rid of Babylon Jay Lee, The Houston Chronicle, July 25, 2012
  9. ^ sorry for bundling Nmap with crapware The Register December 9, 2011
  10. ^ A note from Sean regarding the Installer December 7, 2011
  11. ^ Kiguolis, Ugnius. "Remove Qvo6". Retrieved 8 August 2013. 
  12. ^ Mook, Nate (2006-09-06). "EarthLink Criticized for DNS Redirects". betaNews. Retrieved 9 May 2012. 

External links[edit]