Subscribe & Save 20% off Premium or Families plans
By subscribing, you agree to receive marketing communications regarding industry news and research, educational resources, and LastPass products and services. The processing of your personal data in accordance with the LastPass Privacy Policy. You can unsubscribe from marketing communications at any time.
The first widely recognized browser hijacker was CoolWebSearch, which compromised 8.2% of computers worldwide.
You open a tab and search, but someone else decides what you see. Browser hijackers can track your every move, reroute your searches, and flood your screen with unwanted content. Discover what's really controlling your search results.
Strange browser settings, slow page loads, and frequent redirects to unfamiliar sites? You may have a browser hijacker on your hands.
You've spotted the signs. Now, the fix starts with running a reputable antivirus (but doesn't end there).
LastPass complements tools like TotalAV to give you a layered defense. Uncover the tools you need to fight back against browser hijackers.
Does the name CoolWebSearch ring a bell? Back in 2003, this notorious browser hijacker - malware that controls browsers without consent – compromised 8.2% of computers worldwide.
If you were unlucky enough to have been a victim, CoolWebSearch flooded your browser with ads, redirected you to phishing sites, and changed your browser settings. And if you were extra unlucky, one of its hundreds of variants also installed porn site bookmarks in your browser. In its heyday, CoolWebSearch earned its creators $300 million a year, leading Information Week to dub it the “Ebola” of adware.
Fast forward to today, browser hijacking hasn’t stayed that simple. In July 2025, Koi Security analyst Idan Dardikman reported that 2.3 million Chrome and Edge users had their browsers hijacked – even though most of them never clicked anything. Fortunately, the right controls can protect you from this rising threat.
Below, we explore how they work to keep your browser secure.
What can a browser hijacker do?
First, let’s define a browser hijacker: This is malware that takes control of your browser without your permission, and it does this in several ways:
- Bundled software downloads. A browser hijacker may piggyback on “free” software downloads. But during installation, it quietly changes your default home page and search engine. For example, if you’ve ever installed Babylon translation software or forgotten to uncheck the “add-on” box for a free tool like Unlocker, chances are high that you’ve experienced a browser hijacking.
Once downloaded, Babylon installed its own toolbar in browsers and rerouted every search query to search.babylon.com, where users were served with ad-infected sites. This browser hijacker also had rootkit capabilities and was a pain to remove, earning it the nickname of the “software that just won’t die” from PCMAG. Your best bet? Avoid freeware, if at all possible.
- Phishing links and ads. A browser hijacker can also hide behind innocent-looking links in ads, emails, or social media. Clicking on them can trigger automatic downloads or redirects to attacker-controlled pages that steal your login credentials. The single easiest thing you can do to protect yourself? Avoid clicking on suspicious links.
This includes shortened URLs with unfamiliar origins, URLs that mimic actual domains (but with missing or added characters, like amazzon.com), and long URLs for unfamiliar domains that read like gibberish (many random special characters and symbols).
- Drive by downloads. Simply visiting a compromised site can sometimes initiate a silent download of malware like Sakula Rat (a remote access trojan). This RAT has been active since 2012 and exploits vulnerabilities in older browsers like Internet Explorer. It’s mainly weaponized by APT groups for remote control and data exfiltration.
- Malicious browser extensions. A browser hijacker is often disguised as a helpful extension that boosts your productivity, blocks pesky ads, and gets you better discounts.
In 2020, Nano Adblocker and its companion Nano Defender – once trusted Chromium-based ad-blocking extensions - were found quietly siphoning browser history and sending it to remote servers. And in early 2025, extensions like Cuponomia: Coupons and Cashback (downloaded by 700,000+ users) were similarly found tracking browser activity, which led to their removal from the Chrome Store.
- Fake updates or alerts. It may even lure you with fake update alerts that promise to “protect your system” from a virus while quietly installing actual malware on your device.
So, in summary, browser hijackers can track your every move, redirect your searches to phishing sites, change your homepage & search engine, and flood your screen with ads & fake alerts.
Browser hijackers also put your online security at risk, stealing things you’d rather keep private: your passwords, bank logins, late-night search history.
And if you’re a business owner, the stakes are even higher. One compromised browser extension on a workstation or endpoint device can open the floodgates to a data breach, exposing client information, proprietary data, and access credentials.
This can put your business at risk for ransomware, identity theft, and even corporate espionage. When that happens, you’re looking at:
- expensive compliance fines
- reputational damage
- operational disruptions that could cost you clients and contracts
This brings us to an important question.
How do I know if I have a browser hijacker?
Yes, you guessed it. Browser hijackers can go unnoticed for weeks or months. And here's how they do it:
- They slip in silently through software installations or phishing links. One click, and a hidden malware loader activates. The hijacker may be tucked inside a multi-stage loader, which also delivers ransomware, spyware, crypto miners, or keyloggers/credential stealers.
- An example is SmokeLoader, which can disguise its code to make it unreadable to signature-based antivirus tools.
SmokeLoader can also leverage LOL (live off the land) techniques, like using legitimate Windows processes to execute commands. This makes its actions look like normal system behavior.
So, if browser hijackers are this stealthy, how can you know if you have a browser hijacker on your hands?
The answer is to watch for these three (3) key signs:
Unauthorized changes
- Homepage redirects to phishing sites
- Default search engine replaced with a questionable alternative
- New toolbars or extensions you didn’t install
Performance issues
- Sluggish browsing performance or slow page loads *
- Unexpected crashes or freezes
*Spyware and keyloggers consume significant CPU and memory bandwidth for keystroke monitoring and data exfiltration, which slows down page rendering.
Behavioral red flags
- Aggressive surge in unwanted content
- Extensions that promise benefits but push intrusive ads
- Frequent redirects to ad-heavy or phishing sites
Now that you know what to look for, let’s talk about how to remove a browser hijacker.
How do I detect a browser hijacker?
In 2025, detecting a browser hijacker is far from easy.
A Stanford University report estimated that users have downloaded at least 280 million malicious browser extensions (MBE) in recent years.
At DEFCON 32, SquareX researchers shattered the illusion that Google’s Manifest V3 framework was the ultimate safeguard against MBEs. Their research revealed jaw-dropping vulnerabilities that leave users wide open to attack:
- MBEs running under MV3 can siphon live video from your Google Meet or Zoom calls without any special permissions, silently spying on your most private conversations.
- MBEs can also impersonate you and add rogue users to corporate GitHub repositories, opening backdoors to your code and trade secrets.
- Ultimately, these MBEs can bypass Manifest MV3 protections to steal your login credentials, browsing & download history, and bookmarks.
Google intended MV3 to plug security holes in previous versions. However, SquareX’s findings prove that MV3 continues to fall short. And that’s not all: Security tools like SASE (secure access service edge), EDR (endpoint and detection response), and SWG (secure web gateways) aren’t equipped to monitor extensions dynamically.
Fortunately, tools like FortiGuard Antivirus can help you detect and block multi-stage malware with browser hijacking capabilities like SmokeLoader.
In addition, LastPass - an award-winning Secure Access Provider - can complement such tools to give you a layered defense against extension-based attacks. Here’s how:
- LastPass only autofills your credentials on true, verified sites. This means you won’t fall for phishing tricks aimed at stealing your login credentials.
- Secure, military-grade AES-256 encryption – the kind used by federal agencies, the military, and the NSA - keeps your most sensitive data locked down.
- Vault URL encryption safeguards all login credentials tied to URLs, making them completely invisible and useless to attackers. This means you keep your personal & business passwords, licenses, and trade secrets safe from espionage or insider leaks.
- If the possibility of a data breach keeps you up at night, our Dark Web Monitoring service tracks your email addresses 24/7, searching nonstop for your data being sold or traded on Dark Web forums. You get instant alerts if your information is compromised, allowing you to update your credentials and protect your money, data, and sanity. Get Dark Web Monitoring free with a 30-day LastPass Premium trial (no credit card required).
- And finally, if you’re doing business today, LastPass SaaS Monitoring & SaaS Protect stand ready to serve as your frontline defense against costly breaches that can result in downtime, shattered customer trust, and lost revenues.
With security teams recognizing browsers as the primary attack surface for SaaS apps, you need an easy, no-fuss way to monitor unusual logins, rogue extensions, risky apps, and unexpected permission changes. SaaS Monitoring + Protect lets you do just that, and you can unlock this today with a free trial of Business Max (no credit card required).
“People are experimenting with AI tools like OpenAI and Canva. We don’t want to block innovation, but we do want to guide it safely. LastPass is smart, secure, and it just works.” Learn how Axxor is using LastPass SaaS Monitoring + Protect to build a culture of security and support a growing workforce worldwide.
Sources
https://www.2-spyware.com/coolwebsearch-the-most-infamous-browser-hijacker
https://www.mcafee.com/learn/browser-hijacking/
https://techreviewadvisor.com/what-is-a-browser-hijacker/
https://arxiv.org/html/2503.04292v2
FAQs: How to remove browser hijackers
To remove a browser hijacker from Chrome, run a full antivirus scan and then reset your browser settings to default:
- First, start by running an antivirus like TotalAV, as recommended by Cybernews.
- Next, click the three dots at the upper right corner of your browser page and select Settings > Reset settings.
- Choose Reset settings to their original defaults.
- Confirm the action by tapping the blue Reset settings button.
On Android, you can remove a browser hijacker with these two steps:
#1 Remove the browser hijacker from your phone:
- Go to Android Settings and navigate to Apps
- Select Manage Apps and look for programs you didn’t install.
- Click to open App info and select Uninstall.
#2 Remove the hijacker from your browser:
- Head to Android Settings > Apps > Manage Apps and select the browser
- Click on Force stop and choose Clear data
Alternatively, you can also use an antivirus tool like TotalAV to detect and remove browser hijackers. Note, however, that manual steps like resetting browser settings may still be necessary if leftover changes (like an altered homepage or search engine) remain after the scan.
To remove a browser hijacker from Firefox, run a full antivirus scan and then reset your browser settings to default:
- First, start by running an antivirus like TotalAV, as recommended by Cybernews.
- Click the three horizontal lines in the upper right corner and select Help.
- Choose More troubleshooting information.
- On the right side, select Refresh Firefox
- Confirm by clicking Refresh Firefox again.
To eradicate browser hijackers from a Mac, you can perform a manual removal. Note, however, that manual removal can be a daunting task. It involves:
- Stopping the browser hijacking process. To do this, you’ll open Activity Monitor in Launchpad and force quit any suspicious processes.
- Clearing the system DNS cache. To do this, you’ll go to Launchpad, open Terminal, enter the command sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder, and press Enter.
- Deleting the browser hijacker in Finder. To do this, head to Finder> Application, right-click any apps you didn’t install, and choose Move to Bin. Finally, you’ll empty the bin by right clicking the bin icon and choosing Empty Bin.
- Resetting your browser settings. You can do this by following this article’s previous instructions on removing browser hijackers from Chrome, Firefox, and Safari.
To make the removal of browser hijackers easier, you can also try using a macOS antivirus tool like MacKeeper. However, just like for Android phones, manual steps like resetting your browser settings may be needed to ensure no hijacker-related settings remain.
To remove a browser hijacker from Safari, run a full antivirus scan and then reset your browser settings to default:
- First, start by running an antivirus like TotalAV, as recommended by Cybernews.
- Then, at the top left corner of your browser, open the Safari dropdown menu and click Settings.
- Go to the General tab and verify your chosen homepage.
- Next, go to the Extensions tab and uninstall any extensions you don’t recognize
- After you’ve finished, head to the Websites tab, select Notifications, and deselect Allow Websites to ask for permission to send notifications.
- Then, select the Privacy tab and click Manage Website Data.
- In the pop-up, choose Remove all.
- Finally, return to Safari's home screen, locate the Develop dropdown at the top, click it, and select Empty Caches.
To remove the Yahoo browser hijacker or redirect virus, run a full system antivirus scan and then reset your browser settings:
- First, start by running an antivirus like Norton 360 Deluxe, as recommended by Cybernews.
- Next, click the three dots at the upper right corner of your browser page (if you’re using Chrome) and select Settings.
- On the left side of the screen, select Search engine.
- Next to Yahoo Search, select Change.
- From a list of browsers, click your preferred search engine and then Set as Default.
- Click Manage search engines and site search
- Select the three dots (⋮) by Yahoo Search and click Delete.
- Next, remove any unwanted extensions. Click the three dots (⋮) in the upper right corner again and then Extensions > Manage Extensions
- Press Remove when you see unfamiliar extensions.
- Finally, restore your Chrome browser settings to default: Go to Settings > Reset settings > Reset settings to their original defaults.
- Confirm the action by tapping the blue Reset settings button and then reopen Chrome to start browsing again.
No, Bing isn’t actually hijacking your browser. Redirects to Bing may result from the Bing redirect browser hijacker changing your search engine without your consent.
To fix a Google redirect to Bing, run a full system scan with an antivirus like TotalAV and then perform a complete reset of your browser settings. If you aren’t quite sure which settings were changed without your consent, your best bet is to reinstall your browser.
If all the above fails, a reinstall of your operating system may be necessary.
Yes, Avast antivirus can detect and remove browser hijackers. However, Avast advises that browser hijackers can often get installed with user permission during bundled software installs. So, removal may also require manually uninstalling unwanted apps and resetting browser settings.
Yes, Malwarebytes Browser Guard can actively monitor your search results for unauthorized modifications and block browser hijacking attempts.
Subscribe & Save 20% off Premium or Families plans
By subscribing, you agree to receive marketing communications regarding industry news and research, educational resources, and LastPass products and services. The processing of your personal data in accordance with the LastPass Privacy Policy. You can unsubscribe from marketing communications at any time.
