Browser hijacking: Difference between revisions

A browser hijacker is a form of malware, spyware or virus that replaces the existing internet browser home page, error page, or search page with its own.^[1] These are generally used to force hits to a particular website.

Morwill Search

Morwill Search is a browser hijacker that is implemented as IE Browser Helper Object. This spyware redirects browser searches to morwill search engine or some other search engines.

Abnow

Abnow Browser Hijacker is a multiple process, self-replicating hijacker, resistant to most anti-virus programs. However, it can be removed with Kaspersky TDSSKILLER.EXE. Link at the end of this page.

Conduit Search

Conduit distributes user customized toolbars. The toolbars modify the browser default search engine and homepage and several other browser settings.^[2]

CoolWebSearch

CoolWebSearch (CWS) was one of the first browser hijackers. It redirected the existing home page to the rogue CWS search engine, with its results as sponsored links. With most antivirus and antispyware programs unable to properly remove this particular hijacker, a man named Merijn Bellekom developed a special tool called CWShredder specifically to remove this hijacker. Cool websearch is a popular browser hijacker and is owned by fun web products.

MySearchCorp.com

Another common browser hijacker that became popular in 2009-2010.

Search-daily.com

Search-daily.com is a hijacker that may be downloaded by the Zlob trojan. It redirects the user's searches to pornography sites. It also is known to slow down computer performance.^[3]

MyStart.Incredibar Search

Mystart Incredibar Search is a browser hijacker which often comes embedded with many download applications and installers such as HyperCam. It is known to install itself into the following browsers: Firefox, Internet Explorer and Google Chrome.

Removing Incredibar can be a daunting task since there are many different variations and most infected systems can expect to find undesirable windows registry changes, browsers configuration changes and files with random strings that are installed into the users local settings folders and depending on the version of your Microsoft Windows you use the location will vary from one version to the next. In some variations of Incredibar it appeals to be a removable add-on within Google Chrome and Firefox, simply removing Incredibar via the inbuilt browser add-on removal process is not enough since the infected system has combined registry and file installs of which reinstalls itself upon a system reboot.

A few virus and spyware removal applications such as Webroot Spysweeper and Eset NOD32 are known to remove Mystart Incredibar Search, but by using these applications to do so will not revert back to your default search engine. Manual removal seems the most effective method as it will revert back all changes while giving you a good understanding how to remove should you get something similar again.^[4]

Profit

Many people believe that browser hijackers were designed for simple annoyance. Most hijackers redirect a page to force hits to their websites which contain ads. This then drives up the advertising cost for that website, thus profiting the site's webmaster.

Malware and many trojans have many marketing uses. This malicious software can hijack your browser even adding exceptions to your browsers security settings and pop up blockers. Most malware software is picked up with something so simple as opening an email or clicking a link.

However in some cases the hijack is being done without the knowledge of the website. The webmaster sets up an account on an advertising platform (where they pay for traffic to be directed to their site via legitimate means—just like Google adWords) and a hijacker starts forcing traffic to that page so the website owners have to pay money each time a user arrives at the page. In this case the hijacker is making money, however the website the user is being forced toward is actually losing a lot of money.

Removal

Most new hijackers will not allow a user to change back to their home page through Internet Properties. Modern hijackers' settings will most likely return upon reboot, however, well-updated antispyware software will likely remove the hijacker. Some spyware scanners have a browser page restore function to set your page back to normal or alert you when your browser page has been changed.

Rogue security software

Some rogue security software will also hijack the start page generally displaying a message such as "WARNING! Your computer is infected with spyware!" to lead to an anti-spyware vendor's page. The start page will return to normal settings once the user buys their software. Programs such as WinFixer are known to hijack the user's start page and redirect it to the website.

Beginning features confused with browser hijackers

EarthLink

In 2006, EarthLink started redirecting mistyped domain names over to a search page. This was done by interpreting the error code NXDOMAIN at the server level. The announcement led to much negative feedback, and EarthLink offered services without this feature.^[5]

See also

• Malware
• Spyware
• NGRBot

References

1. "Browser Hijacking Fix & Browser Hijacking Removal". Microsoft. Retrieved 23 October 2012.
2. "So long, uTorrent". First Arkansas News. 2010-12-15. Retrieved 2011-08-11.
3. "Browser Hijacker" (PDF). MySearchCorp. Retrieved 3 July 2012.
4. "Removing Incredibar". ByBe. Retrieved 19 September 2012.
5. Mook, Nate (2006-09-06). "EarthLink Criticized for DNS Redirects". betaNews. Retrieved 9 May 2012.

External links

• RemovingMalware hijacker removal guide
• EarthLink Redirects
• Abnow Hijack Removal program