
Windows (App V5)

A browser hijacker is an annoying piece of malware that changes a browser's homepage or stops searches from being performed on the default search engine, redirecting them to another search engine instead.

Despite browser settings for homepage, new tab, and default search being set, browser hijackers overrule this and direct users to ad-ridden homepages and low-quality search engines.

Browser hijackers can be difficult to remove, but not impossible. Because the alterations these hijackers make are deep-rooted in the browser, antivirus can't always remove them automatically. Sometimes, removing hijackers is as simple as re-adjusting the browser’s homepage and default search engine. In most cases, TotalAV will stop hijackers from getting onto your computer in the first place. The problem is, they usually arrive by tricking users into downloading something that seems legitimate – so we sometimes find that users have ignored TotalAV warnings, believing the program they are downloading to be okay.

If updating the homepage, new tab, and default search settings does not work, you will need to spend between 5-15 minutes following this guide to fully remove the problem.

Windows

The root cause of a browser hijacker on Windows will likely be one of these:

  • Manipulated web browser settings (as mentioned above)
  • A low trust software application that needs uninstalling via the control panel
  • A low trust browser extension that needs removing from your web browser

To check installed programs, click the Windows icon/Start button and type Control Panel, and press enter. In Control Panel, double-click Add/Remove Programs. Here, all the installed programs will be displayed as a list. It is good practice to remove any you no longer use, and either search Google for ones you aren’t sure about or contact the TotalAV support team to query if the app is legitimate. Typically though, these browser hijackers have very corny names such as the following:

  • GoSave
  • CoolWebSearch
  • MyWaySearch
  • WeKnowSearch
  • Coupon Genie
  • CouponAlerts
  • DealBrowsing
  • HotSearch
  • MySearch
  • Conduit Search Protect
  • Coupon Server
  • Istartsurf.com
  • Search-daily.com
  • Snap.do
  • Trovi

Notice a pattern? These applications try to be ambiguous in name so that users don’t recognise the listing in their installed program list. If you identify the hijacker in your installed programs, click to select it, and then click Remove. It is likely the uninstall will be sluggish and mildly irritating, possibly trying to convince you to keep it and/or directing you to a strange webpage. Read these screens slowly and carefully, ensuring you follow everything in Add/Remove Programs until the program is uninstalled and no longer listed. Sorting the list of installed programs by date may help, as you might be able to identify unrecognised software that arrived at the same time as something you purposely installed.

The next stage is to open your web browser and locate the settings for browser extensions:

 Chrome

  • Paste chrome://extensions/ in your browser search bar
  • Find the extension you want to delete > Click 
  • Click

Mozilla Firefox

  • Paste about:addons in your browser search bar
  • Find the extension that you want to delete > Click   Click Remove
  • Click

Microsoft Edge

  • Paste edge://extensions/ in your browser search bar
  • Find the extension that you want to delete > Click Remove
  • Click 

After removing extensions, the best way forward is to reset your browser completely – but consider that saved passwords and bookmarks may disappear if you haven’t created a sync account within your browser. If you choose not to reset, please ensure you clear cookies and cache as a minimum.

If your links are still redirected to other sites or you are unable to open certain websites, this situation is more serious. It is likely that your Hosts file has been hijacked and will need to be reset. To do so, go to C:\Windows\System32\drivers\etc to find the Hosts file, then:

  1. Rename the Hosts file to hosts.old
  2. Create a new .txt file named hosts in the %WinDir%\System32\Drivers\Etc folder
  3. Copy the following text to the new file and save it

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a ‘#’ symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

Finally, open a command prompt window by clicking the Start/Windows icon and typing cmd, click on the search result, type in ipconfig /flushdns, press Enter, and let the DNS flush. When it’s done, you will see “Windows IP Configuration. Successfully flushed the DNS Resolver Cache.” Clearing the cache will remove DNS redirects in your network configuration.
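Before renaming the Hosts file it is worth seeing what the hijacker put in it. The script below is an added example, not part of the original TotalAV guide: it lists every active (uncommented) entry and marks whether the name is redirected to another machine or blocked by pointing it at the local machine. The sample entries are constructed, and the --live switch is a name chosen for this example.

```python
import ipaddress
import sys

# Path from the guide; only read when the script is run with --live.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: documentation-range address and .example names only.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1 localhost
127.0.0.1 localhost
203.0.113.7 www.search.example search.example  # added by an installer
0.0.0.0 updates.vendor.example
not-an-ip portal.example
"""

def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for every active entry."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop whole-line and inline comments
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        if ip is None or len(fields) < 2:
            findings.append((line_no, fields[0], " ".join(fields[1:]), "malformed"))
            continue
        for name in fields[1:]:  # one line may map several names
            if not (ip.is_loopback or ip.is_unspecified):
                verdict = "redirect"  # name resolves to some other machine
            elif name.lower() == "localhost":
                verdict = "ok"
            else:
                verdict = "blocked"   # name is pointed at this machine
            findings.append((line_no, str(ip), name.lower(), verdict))
    return findings

def suspicious(findings):
    """Entries that the default hosts text shown above does not contain."""
    return [f for f in findings if f[3] != "ok"]

if __name__ == "__main__":
    if "--live" in sys.argv:
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, addr, name, verdict in suspicious(audit_hosts(text)):
        print(f"line {line_no}: {name or '?'} -> {addr} [{verdict}]")
```

Anything reported here is worth noting down before the file is replaced, since blocked names often explain why certain websites would not open.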



If all else fails, please don’t hesitate to contact us and we can arrange a remote screen sharing session where a tech will remove the hijacker for you.

Android

Android browser hijackers are usually caused by a poor quality app having been installed. If you have encountered search redirects or homepage changes and can trace it back to when you installed an app – try removing that app, clearing browser data, and seeing if the problem is still present.

We do encounter users who have website notifications set in Chrome for Android, which they believe are hijacking their browser. This is a slightly different behavior and easily controlled within settings. Please see this article regarding disabling Chrome notifications on Android.

For actual browser hijackers that cause browsers on Android to randomly open webpages, we suggest the following:

Step 1: Remove poor quality apps

  1. On your Android device, press and hold your device’s power button
  2. On your screen, touch and hold Power off
  3. Your device will then start in safe mode, you will see Safe mode at the bottom of your screen
  4. One by one, remove recently downloaded apps (before doing so you may want to download this free app to quickly create an exportable list of all your apps)
  5. After each uninstall, restart your device without safe mode to see whether removing that app solved the problem
  6. After you remove the app that caused the problem, you can add back the other apps that you removed

Step 2: Reset browser app cache

  1. Open the Settings app on your Android device
  2. Tap the Storage heading to open its settings page (If your phone runs Android Oreo or earlier, you’ll want to open the App Manager settings page)
  3. Tap the Other Apps heading to see a list of installed apps
  4. Find your browser that you want to clear the cache of and tap its listing
  5. Tap the Clear cache button

This should fix the problem. However, if browser hijacking persists you may want to clear the storage completely: repeat these steps and choose the Clear storage button in the final step.
Warning: This will remove all of the app’s data, including usernames and passwords, game progress, etc.

macOS

MacOS Catalina, released in late 2019, fixed the vast majority of hijacker problems in the Safari browser. If your Mac has hardware which supports Catalina, we highly recommend updating to it to remove Safari hijackers.

The root cause of a browser hijacker on MacOS will more than likely be one of these:

  • Manipulated web browser settings (guide for removal here)
  • An App in Applications that needs trashing
  • A hidden App in the /Library folder that needs trashing
  • An extension that needs removing from your web browser
  • A spurious Profile that exists in System Preferences > Profiles that needs removing
  • Spurious Plist files that need removing from:
    • /Library/LaunchAgents
    • ~/Library/LaunchAgents
    • /Library/Application Support
    • ~/Library/Application Support
    • /Library/LaunchDaemons
    • ~/Library/LaunchDaemons
  • Google Chrome says it is managed by organisation

The first step is to check the Applications folder. It is good practice to trash any apps you no longer use, and either search Google for ones you aren’t sure about or contact the TotalAV support team to query if the app is legitimate. Typically though, these browser hijackers have very corny names such as the following:

  • Know.ac
  • SearchBaron
  • Bing.ac
  • SurfBuyer
  • My Coupon Search
  • MacKeeper
  • Mac Auto Fixer
  • MyWaySearch
  • Spider Search

Notice a pattern? These apps try to be ambiguous in name so that users don’t recognise the listing in their Applications folder. If you identify the hijacker, click and drag it to the trash. The trashing may require you to enter your admin password; this is a good sign, so enter it to complete removal. Be sure to empty the trash after removing any programs you don’t use or recognise. As of mid-2019, it is quite common for a folder to exist in the Applications folder, containing the dodgy application – usually called something in relation to coupons.

Next, it is important to search other locations on the Mac for applications. First, enable the view of hidden files within Finder:

  1. Open Terminal (found in Finder > Applications > Utilities)
  2. In Terminal, paste the following: defaults write com.apple.finder AppleShowAllFiles YES
  3. Press return
  4. Hold the Option/alt key, then right-click on the Finder icon in the dock and click Relaunch.

Now, in the top right of the Finder window, search for .app. Make sure you are viewing Finder with regular icons, as it makes suspicious apps easier to spot. For example, a file called macautofixer.app whose icon is the missing-image icon: that icon, combined with the strange name, is a telltale sign that the app is suspicious.

For any apps you discover with this icon, search the full app name on Google and it will become pretty clear from the search results whether it is a browser hijacker or not. Drag it to the trash if it is widely acknowledged as a hijacker. The typical ones (as of mid-2019) we’ve seen are:

  • MacAutoFixer
  • MacKeeper
  • Advanced Mac Cleaner
  • MyCouponize

Next, open System Preferences (Click the Apple icon in the top right > select System Preferences). In the 4th row of System Preferences icons, if there is an icon called Profiles, click it. If there isn’t an icon called Profiles, ignore this step. Profiles shows a list of any installed profiles; usually some public Wi-Fi networks install profiles, or some businesses install them on staff computers to limit control. Browser hijackers have been known to add profiles here to force browsers to redirect searches and force homepages on users. Select any listed profiles in the sidebar, then in the main window check the details section – if this lists a homepage of the nasty search engine you are being directed to, you can safely remove the profile.

The next step is to remove suspicious PLIST files located at:

  • /Library/LaunchAgents
  • ~/Library/LaunchAgents
  • /Library/Application Support
  • ~/Library/Application Support
  • /Library/LaunchDaemons
  • ~/Library/LaunchDaemons

To access these folders, click Go on the menu bar, then select Go to Folder…

Systematically type in each of the 6 folder paths shown above and check the files in these locations. The names should indicate whether they relate to a legitimate application; double-clicking a file and reading its wording should also suggest whether it relates to a decent application or to one which you’ve removed as part of the previous steps. Again, search online for the names of these files to check their legitimacy. Any spurious Plist files in any of these locations can be dragged to the trash. Be sure to empty the trash after following these steps.
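The manual check above can be sped up by printing what each launch file actually starts. This is an added example, not part of the original TotalAV guide: it reads every .plist in the LaunchAgents and LaunchDaemons folders and reports its label, the program it runs, and whether that program still exists on disk. The sample job names written by write_sample are constructed for a dry run.

```python
import os
import plistlib

# launchd folders from the guide. The two Application Support folders are
# left out: they hold general app data, not launchd job definitions.
LAUNCH_DIRS = ["/Library/LaunchAgents", "~/Library/LaunchAgents",
               "/Library/LaunchDaemons", "~/Library/LaunchDaemons"]

def summarize_job(path):
    """Return what one launchd plist runs, or None if it cannot be parsed."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # reads both XML and binary plists
    except Exception:                # unreadable or corrupt: review by hand
        return None
    if not isinstance(job, dict):
        return None
    args = job.get("ProgramArguments")
    args = [str(a) for a in args] if isinstance(args, list) else []
    program = str(job.get("Program") or (args[0] if args else ""))
    return {
        "label": str(job.get("Label", "")),
        "program": program,
        "args": args,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        # An executable that no longer exists usually means the job is left
        # over from an app that was already dragged to the trash.
        "target_missing": bool(program) and not os.path.exists(program),
    }

def scan(dirs=LAUNCH_DIRS):
    """Return [(plist_path, summary_or_None)] for every .plist in dirs."""
    rows = []
    for folder in map(os.path.expanduser, dirs):
        if os.path.isdir(folder):
            for name in sorted(n for n in os.listdir(folder) if n.endswith(".plist")):
                path = os.path.join(folder, name)
                rows.append((path, summarize_job(path)))
    return rows

def write_sample(folder):
    """Write constructed sample jobs (hypothetical names) for a dry run."""
    gone = "/Applications/ExampleCoupons.app/Contents/MacOS/helper"
    jobs = {"com.example.couponhelper": {"ProgramArguments": [gone], "RunAtLoad": True},
            "com.example.shell": {"Program": "/bin/sh"}}
    for label, job in jobs.items():
        with open(os.path.join(folder, label + ".plist"), "wb") as fh:
            plistlib.dump(dict(job, Label=label), fh)
    with open(os.path.join(folder, "broken.plist"), "wb") as fh:
        fh.write(b"not a plist")

if __name__ == "__main__":
    for path, job in scan():
        print(path, job or "UNPARSEABLE")
```

The script only reads files; search online for the label and program path of anything unfamiliar before trashing it, as the guide describes.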

The next stage is to open the problematic web browser, and check the following:

 Chrome

  • Paste chrome://extensions/ in your browser search bar
  • Find the extension you want to delete > Click 
  • Click
  • If clicking the 3 dot overflow icon in the top right of a Chrome window shows ‘Managed by Organisation’ at the bottom, and Chrome isn’t logged into a GSuite work account, then this may be the cause of the hijacker. Follow these steps:
  1. Open the Terminal app (Go > Utilities > Terminal or press Command+Space and search Terminal)
  2. Enter the commands below, hit Enter after each:
    • defaults write com.google.Chrome HomepageIsNewTabPage -bool false
    • defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
    • defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"
    • defaults delete com.google.Chrome DefaultSearchProviderSearchURL
    • defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
    • defaults delete com.google.Chrome DefaultSearchProviderName
  3. Restart Chrome
  4. Click the 3 dot overflow icon and select Settings
  5. Under Appearance ensure the Show Home button switcher is enabled, and the new tab page is set to what you want it to be (most likely either the Google New Tab page default or a custom address of your choice)
  6. Scroll down to the section labeled Search Engine
  7. Ensure your preferred default search engine is listed in the drop-down menu
  8. Click Manage search engines
  9. Any search engines you don’t use or don’t recognise listed under default search engines can be removed by clicking the 3 dot icon on their listing, then clicking remove from list


 

Mozilla Firefox

  • Paste about:addons in your browser search bar
  • Find the extension that you want to delete > Click   Click Remove
  • Click

Safari

  • With Safari open, click Safari in the menu bar at the top of the screen
  • In the menu, click Preferences…
  • Click the Extensions tab of Preferences
  • Any installed extensions will be listed here. Click any in the sidebar you wish to remove, then on the right pane click the Uninstall button

 

If all else fails, please don’t hesitate to contact us and we can arrange a remote screen sharing session where a tech will remove the hijacker for you.

Source : Official TotalAV Brand
Editor by : BEST Antivirus KBS Team
