Removing Browser Hijackers

Browser Hijackers are usually obtained by installing extensions within web browsers or as part of programs. A seemingly useful search toolbar, or an extension that helps with a web task, can in some cases turn out to take unwarranted control of a web browser.

These aren't normally viruses or malware. Browser Hijackers are 'unwanted software', as their objective is to serve ads rather than to be covert and do something malicious. The problem is that they usually arrive by tricking users into downloading something that seems legitimate, so we sometimes find that users have ignored TotalAV warnings, believing the program they are downloading to be okay. Sometimes, they simply go under the radar because the code they use is not malware-like or virus-like in nature.


Within this article you will learn:

  • What are the signs of Browser Hijackers
  • What are the causes, and how do I remove Browser Hijackers?
  • Browser Configuration

  • Signs of Browser Hijackers

    Here are some of the common signs that you have been affected by Browser Hijackers:

  • Searches redirected to different websites
  • Slow loading webpages
  • Homepage changed
  • Multiple toolbars on a web browser
  • Multiple pop-ups appearing

  • What are the causes, and how do I remove Browser Hijackers?

    If you feel that you have been affected by Browser Hijackers, please follow these steps to remove them.

    Causes of Browser Hijackers

    The root cause of a browser hijacker on Windows will likely be one of these:

  • Manipulated web browser settings
  • A low trust software application that needs uninstalling via the control panel
  • A low trust browser extension that needs removing from your web browser

    Remove programs causing Browser Hijackers

  • Click the Windows icon/Start button
  • Type Add or remove and press enter.
  • Uninstall programs as necessary
  • It's a good idea to remove any programs you no longer use. If the hijacker happened not long after a recent install you may want to remove that program as well.

    Some example Browser Hijacker programs include:

  • GoSave
  • CoolWebSearch
  • MyWaySearch
  • Coupon Genie
  • CouponAlerts
  • DealBrowsing
  • Istartsurf.com
  • search-daily.com
  • Snap.do
  • Sorting the list of installed programs by date may help, as you might be able to identify unrecognized software that arrived at the same time as something you purposely installed.

    Causes of Browser Hijackers

    The root cause of a browser hijacker on macOS® will likely be one of these:

  • Manipulated web browser settings
  • An App in Applications that needs trashing
  • A hidden App in the /Library folder that needs trashing
  • An extension that needs removing from your web browser
  • A spurious Profile that exists in System Preferences > Profiles that needs removing
  • Google Chrome says it is managed by organisation

    Remove programs causing Browser Hijackers

  • Open Finder
  • Open Applications
  • Remove
  • It's a good idea to remove any programs you no longer use. If the hijacker happened not long after a recent install you may want to remove that program as well.

    Some example Browser Hijacker program names include:

  • GoSave
  • CoolWebSearch
  • MyWaySearch
  • Coupon Genie
  • CouponAlerts
  • DealBrowsing
  • Istartsurf.com
  • search-daily.com
  • Snap.do
  • Sorting the list of installed programs by date may help, as you might be able to identify unrecognized software that arrived at the same time as something you purposely installed.

    Other Applications

    Next, it is important to search other locations on the Mac for Applications.

  • Enable the view of hidden files within Finder:
    • Open Terminal (Finder > Applications > Utilities)
    • In Terminal, paste the following:

      defaults write com.apple.finder AppleShowAllFiles YES

    • Press return
    • Hold the Option/alt key, then right-click on the Finder icon in the dock and click Relaunch.
  • Find and Remove suspicious .apps
    • In the top right of the Finder window, search for .app

    • Remove suspicious apps

    Make sure you are viewing Finder with regular icons, as this makes suspicious apps easier to spot. See the screenshot below, where a file called macautofixer.app is highlighted: its icon is the missing-image icon, which, combined with its strange name, is a telltale sign that this app is suspicious.

    Remove Profiles

  • Open System Preferences (Click the Apple® icon in the top right > select System Preferences).
  • Open Profiles
  • Check each profile and remove any profile which has HomePage set to an undesired page.

    Remove suspicious PLIST files

  • Go to Finder
  • Click Go on the Menu Bar
  • Type /Library/LaunchAgents
  • Hit Enter
  • Repeat the steps above for each of the folder locations below:

  • ~/Library/LaunchAgents
  • /Library/Application Support
  • ~/Library/Application Support
  • /Library/LaunchDaemons
  • ~/Library/LaunchDaemons
  • Systematically type in each of the 6 folder paths shown above and check the files in these locations. The names should indicate whether they relate to a legitimate application; alternatively, double-click a file, and the wording inside it should suggest whether it relates to a decent application or to one that you removed as part of the previous steps. Again, search online for the names of these files to check their legitimacy. Any spurious Plist files in any of these locations can be dragged to the trash. Be sure to empty the trash after following these steps.
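
    A read-only inventory of the LaunchAgents and LaunchDaemons folders listed above, added here as an example and not part of the original article: it shows what each .plist launches and notes files whose target program no longer exists, that start automatically, or that changed recently. It assumes Python 3 is installed; the 30-day window and the wording of the notes are choices made for this example.

```python
import plistlib
import time
from pathlib import Path

# Launch folders from the steps above. The Application Support folders hold app
# data rather than launch plists, so this added example does not scan them.
LAUNCH_DIRS = ["/Library/LaunchAgents", "~/Library/LaunchAgents",
               "/Library/LaunchDaemons", "~/Library/LaunchDaemons"]


def inventory(dirs=LAUNCH_DIRS, recent_days=30, now=None):
    """Return one dict per .plist (recent_days=30 is an assumed review window)."""
    now = time.time() if now is None else now
    rows = []
    for d in dirs:
        folder = Path(d).expanduser()
        if not folder.is_dir():
            continue  # not every Mac has all of these folders
        for path in sorted(folder.glob("*.plist")):
            row = {"file": str(path), "label": None, "program": None, "notes": []}
            try:
                with path.open("rb") as fh:
                    data = plistlib.load(fh)  # reads XML and binary plists
                if not isinstance(data, dict):
                    raise ValueError("plist root is not a dictionary")
            except Exception as exc:
                row["notes"].append(f"unreadable plist ({type(exc).__name__})")
                rows.append(row)
                continue
            args = data.get("ProgramArguments") or []
            program = data.get("Program") or (args[0] if args else None)
            row["label"] = data.get("Label")
            row["program"] = program
            if isinstance(program, str) and program.startswith("/") and not Path(program).exists():
                row["notes"].append("target program is missing (leftover of a removed app?)")
            if data.get("RunAtLoad") or data.get("KeepAlive"):
                row["notes"].append("starts automatically")
            age_days = (now - path.stat().st_mtime) / 86400
            if age_days <= recent_days:
                row["notes"].append(f"changed {age_days:.0f} days ago")
            rows.append(row)
    return rows


if __name__ == "__main__":
    for r in inventory():
        print(f"{r['file']}\n  label:   {r['label']}\n  program: {r['program']}")
        for note in r["notes"]:
            print(f"  - {note}")
```

    The script only reads files. Search online for any label or program name it reports before dragging the corresponding .plist to the trash.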


    The next stage is to open the problematic web browser, and check the following:

  • Copy and Paste chrome://extensions/ into your browser search bar
  • Find the extension you want to delete
  • Click Remove
  • Click Remove
  • Click the three vertical dots
  • If it shows 'Managed by Organization' or similar and you aren't logged into a GSuite work account this may be the cause of the Hijacker and will also need to be resolved.

  • Open the Terminal app (Go > Utilities > Terminal or press Command+Space and search Terminal)
  • Enter the commands below, hit Enter after each:
  • defaults write com.google.Chrome HomepageIsNewTabPage -bool false

    defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"

    defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"

    defaults delete com.google.Chrome DefaultSearchProviderSearchURL

    defaults delete com.google.Chrome DefaultSearchProviderNewTabURL

    defaults delete com.google.Chrome DefaultSearchProviderName


    Restart Chrome

  • Click the 3 dot overflow icon and select Settings
  • Under Appearance, ensure the Show Home button switcher is enabled and the new tab page is set to what you want it to be (most likely either the Google New Tab page default or a custom address of your choice).
  • Scroll down to the section labeled Search Engine
  • Ensure your preferred default search engine is listed in the drop-down menu
  • Click Manage search engines
  • Any search engines you don't use or don't recognise listed under default search engines can be removed by clicking the 3 dot icon on their listing, then clicking remove from lists
  • Copy and Paste about:addons into your browser search bar
  • Find the extension that you want to delete
  • Click the 3 Dots Overflow Menu
  • Click Remove
  • Click Remove
  • Copy and Paste edge://extensions/ in your browser search bar
  • Find the extension that you want to delete
  • Click Remove
  • Click Remove
  • With Safari® open, click Safari® in the menu bar at the top of the screen
  • In the menu, click Preferences...
  • Click the Extensions tab of Preferences
  • Any installed extensions will be listed here. Click any in the sidebar that you wish to remove, then click the Uninstall button in the right pane

  • Reset Browser

    After removing extensions, the best way forward is to reset your browser completely - but consider that saved passwords and bookmarks may disappear if you haven't created a sync account within your browser.

    If not, clear cookies and cache.
