Resolving Browser Hijack: searchthatweb.com Malware Removal Guide

Threat Analysis

Executive Summary

This guide documents the investigation and removal of a browser hijacker that redirects search queries to searchthatweb.com, resulting in 404 errors and preventing normal web searches. The malware typically infiltrates systems through bundled software installations and modifies browser settings without user consent.

Severity: Medium
Platform: Windows 10/11
Affected Browsers: Chrome, Edge, Firefox
Threat Type: PUP (Potentially Unwanted Program) / Browser Hijacker


Table of Contents

  1. Symptoms
  2. Root Cause Analysis
  3. Diagnostic Steps
  4. Remediation Procedure
  5. Prevention Strategies
  6. Automation Scripts
  7. Security Implications

Symptoms

Users experiencing this infection will observe:

  • Search queries in browser address bar redirect to searchthatweb.com
  • 404 “Page Not Found” errors when attempting searches
  • Inability to change default search engine in browser settings
  • Search engine preferences reverting after manual changes
  • Possible homepage hijacking

Example Screenshot

[Figure: searchthatweb.com 404 error. Typical error when an infected browser attempts a search query.]


Root Cause Analysis

Infection Vector

The malware typically enters systems through:

  1. Bundled Software Installation - Included as “optional offer” in freeware installers
  2. Fake Software Updates - Disguised as Flash Player or browser updates
  3. Malicious Browser Extensions - Installed without explicit user consent
  4. Compromised Download Sites - Third-party software repositories

Persistence Mechanisms

The hijacker maintains presence through multiple vectors:

  • Browser Preferences Files - Modifies Preferences and Secure Preferences JSON files
  • Registry Policies - Enforces search engine via Windows Registry
  • Browser Shortcuts - Appends malicious URLs to shortcut arguments
  • Scheduled Tasks - Re-applies settings after manual removal
  • DNS/Proxy Hijacking - Redirects at network level (less common)

Diagnostic Steps

Initial Assessment

Open PowerShell as Administrator (Win+X → Windows PowerShell (Admin)) and run:

# Check DNS configuration
Get-DnsClientServerAddress -AddressFamily IPv4

# Verify proxy settings
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | 
    Select-Object AutoConfigURL, ProxyEnable, ProxyServer

# Check hosts file for hijack entries
Get-Content C:\Windows\System32\drivers\etc\hosts | 
    Where-Object {$_ -notmatch "^#" -and $_ -notmatch "^\s*$"}

Browser-Specific Checks

Chrome/Edge Extensions

# List installed extensions (registry check)
Get-ChildItem -Path "HKCU:\Software\Google\Chrome\Extensions" -ErrorAction SilentlyContinue
Get-ChildItem -Path "HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions" -ErrorAction SilentlyContinue

Browser Policies

# Check for policy-based hijacking
Get-ItemProperty -Path "HKCU:\Software\Policies\Google\Chrome" -ErrorAction SilentlyContinue
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -ErrorAction SilentlyContinue

Browser Preferences

# Search for malicious entries in Chrome config
$prefsPath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Preferences"
if (Test-Path $prefsPath) {
    Get-Content $prefsPath | Select-String "searchthatweb"
}
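Grepping for one domain misses a hijacker that uses a different name. As an added example (not code from the original guide), the function below parses each Chrome and Edge profile's Preferences JSON and reports the configured default search provider and startup URLs, flagging any provider host not on an allow-list. The `default_search_provider_data.template_url_data` layout, the profile-name pattern and the allow-list are assumptions to adjust.

```powershell
# Added example: inspect the configured default search provider per browser profile by
# parsing the Preferences JSON rather than searching for a single string.
$userDataDirs = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)
# Hosts you consider legitimate search providers (assumption: adjust to your preference)
$allowedHosts = @('www.google.com', 'www.bing.com', 'duckduckgo.com')

function Get-BrowserSearchProvider {
    param([string]$UserDataDir)
    if (-not (Test-Path $UserDataDir)) { return }
    Get-ChildItem $UserDataDir -Directory |
        Where-Object { $_.Name -match '^(Default|Profile \d+)$' } |
        ForEach-Object {
            $prefsFile = Join-Path $_.FullName 'Preferences'
            if (-not (Test-Path $prefsFile)) { return }
            try {
                $prefs = Get-Content $prefsFile -Raw -Encoding UTF8 | ConvertFrom-Json
            } catch {
                # Fall back to a manual review if the JSON cannot be parsed
                Write-Warning "Could not parse $prefsFile : $_"; return
            }
            # Assumption: Chromium stores the active provider under this path;
            # when the block is absent the browser's built-in default applies
            $tpl = $prefs.default_search_provider_data.template_url_data
            $url = if ($tpl) { $tpl.url } else { '<browser default>' }
            $hostName = $null
            if ($url -match '^https?://([^/:]+)') { $hostName = $Matches[1] }
            [pscustomobject]@{
                Browser    = Split-Path (Split-Path $UserDataDir -Parent) -Leaf
                Profile    = $_.Name
                Keyword    = $tpl.keyword
                SearchUrl  = $url
                Startup    = ($prefs.session.startup_urls -join ';')
                Suspicious = [bool]($hostName -and $hostName -notin $allowedHosts)
            }
        }
}

$userDataDirs | ForEach-Object { Get-BrowserSearchProvider -UserDataDir $_ } |
    Format-Table -AutoSize -Wrap
```

Any row with Suspicious = True, or a startup URL you did not set, is the profile to clean in the Remediation Procedure.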

Remediation Procedure

Step 1: Flush DNS Cache

Clear-DnsClientCache
ipconfig /flushdns

Step 2: Clean Hosts File

# Backup first
Copy-Item C:\Windows\System32\drivers\etc\hosts C:\Windows\System32\drivers\etc\hosts.backup

# Edit hosts file
notepad C:\Windows\System32\drivers\etc\hosts

Remove any suspicious entries. A clean hosts file should contain only the loopback entries below (on current Windows versions these two lines ship commented out, so a file with no active entries at all is also normal):

127.0.0.1       localhost
::1             localhost

Step 3: Remove Browser Policy Hijacks

# Remove malicious Chrome policies
Remove-ItemProperty -Path "HKCU:\Software\Policies\Google\Chrome" `
    -Name "DefaultSearchProviderSearchURL" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" `
    -Name "DefaultSearchProviderSearchURL" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Policies\Google\Chrome" `
    -Name "DefaultSearchProviderSearchURL" -ErrorAction SilentlyContinue
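Step 3 deletes only DefaultSearchProviderSearchURL, but a hijacker that sets policies usually sets the companion values too (DefaultSearchProviderEnabled, DefaultSearchProviderName, HomepageLocation, RestoreOnStartupURLs, ExtensionInstallForcelist). As an added example (not code from the original guide), this function enumerates every such policy value for Chrome and Edge in both hives, including list-valued policies stored as numbered values in a subkey, so you can review before deleting. The policy-name pattern is an assumption drawn from the Chromium policy names.

```powershell
# Added example: enumerate search-, homepage-, startup- and extension-related browser
# policies before removing anything.
$policyRoots = @(
    'HKCU:\Software\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Google\Chrome',
    'HKCU:\Software\Policies\Microsoft\Edge',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
# Chromium policy names a search hijacker typically sets (assumption: extend as needed)
$namePattern = '^(DefaultSearchProvider|Homepage|RestoreOnStartup|ExtensionInstallForcelist|NewTabPageLocation)'

function Get-BrowserHijackPolicy {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Scalar policies are values directly under the policy key
        $key = Get-Item $root
        foreach ($name in $key.GetValueNames()) {
            if ($name -match $namePattern) {
                [pscustomobject]@{ Key = $root; Name = $name; Value = $key.GetValue($name) }
            }
        }
        # List-valued policies (RestoreOnStartupURLs, ExtensionInstallForcelist) live in a
        # subkey named after the policy, with numbered values "1", "2", ...
        foreach ($sub in Get-ChildItem $root) {
            if ($sub.PSChildName -match $namePattern) {
                foreach ($n in $sub.GetValueNames()) {
                    [pscustomobject]@{ Key = $sub.PSPath; Name = $n; Value = $sub.GetValue($n) }
                }
            }
        }
    }
}

$findings = Get-BrowserHijackPolicy -Roots $policyRoots
if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No search/homepage/startup/extension policies are set'
}
# After review, remove a finding with:
#   Remove-ItemProperty -Path <Key> -Name <Name>
```

On a domain-joined or MDM-managed machine some of these values are legitimate; compare against what your administrator deploys before removing them.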

Step 4: Fix Browser Shortcuts

$chromeShortcuts = @(
    "$env:PUBLIC\Desktop\Google Chrome.lnk",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk"
)

$shell = New-Object -ComObject WScript.Shell
foreach ($path in $chromeShortcuts) {
    if (Test-Path $path) {
        $shortcut = $shell.CreateShortcut($path)
        if ($shortcut.Arguments) {
            Write-Host "Cleaning: $path"
            $shortcut.Arguments = ""
            $shortcut.Save()
        }
    }
}

Step 5: Reset Browser Configuration

Chrome Manual Reset

  1. Close Chrome completely: taskkill /F /IM chrome.exe
  2. Navigate to: chrome://settings/searchEngines
  3. Remove any searchthatweb entries
  4. Set Google as default
  5. Clear browsing data: chrome://settings/clearBrowserData (All time, Cookies + Cache)

Chrome Nuclear Option (Complete Reset)

# Close Chrome
Get-Process chrome -ErrorAction SilentlyContinue | Stop-Process -Force

# Backup user data
$chromeData = "$env:LOCALAPPDATA\Google\Chrome\User Data"
$timestamp = Get-Date -Format 'yyyyMMdd_HHmmss'
Rename-Item $chromeData "${chromeData}.backup_${timestamp}"

# Launch with fresh profile
Start-Process chrome.exe

Step 6: Scan for Malware

# Update Windows Defender signatures
Update-MpSignature

# Run full system scan
Start-MpScan -ScanType FullScan

# Enable PUA protection
Set-MpPreference -PUAProtection Enabled

Step 7: Third-Party Malware Scan

Download and install Malwarebytes:

# Download Malwarebytes
Invoke-WebRequest -Uri "https://data-cdn.mbamupdates.com/web/mb4-setup-consumer/MBSetup.exe" `
    -OutFile "$env:TEMP\MBSetup.exe"

# Install and run (manual step required)
Start-Process "$env:TEMP\MBSetup.exe"

Step 8: Remove Scheduled Task Persistence

# List suspicious scheduled tasks
Get-ScheduledTask | Where-Object {
    $_.TaskPath -notlike "\Microsoft*" -and 
    $_.State -eq "Ready"
} | Select-Object TaskName, TaskPath, Date | Format-Table

# Remove malicious task (if identified)
# Unregister-ScheduledTask -TaskName "SuspiciousTaskName" -Confirm:$false
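The listing in Step 8 shows task names only; what matters is what each task runs. As an added example (not code from the original guide), this function expands every non-Microsoft task into its actions and the account it runs as, then surfaces the ones that launch a browser with a URL argument, a scripting host, or a binary under a user-writable folder. The triage patterns are assumptions to adjust for your environment.

```powershell
# Added example: show the executable, arguments and run-as account of every
# non-Microsoft scheduled task, then filter for the patterns worth a closer look.
function Get-NonMicrosoftTaskAction {
    Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            $info = $task | Get-ScheduledTaskInfo
            foreach ($action in $task.Actions) {
                # COM-handler actions have no Execute/Arguments; they show as empty
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    State     = $task.State
                    RunAs     = $task.Principal.UserId
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    LastRun   = $info.LastRunTime
                }
            }
        }
}

$actions = Get-NonMicrosoftTaskAction

# Triage patterns (assumption: tune to your environment)
$suspect = $actions | Where-Object {
    $_.Arguments -match 'https?://' -or
    $_.Execute   -match 'chrome|msedge|firefox|powershell|wscript|cscript|mshta' -or
    $_.Execute   -match '\\(AppData|Temp|ProgramData)\\'
}

if ($suspect) {
    $suspect | Format-Table TaskName, RunAs, Execute, Arguments, LastRun -AutoSize -Wrap
} else {
    Write-Host "No non-Microsoft tasks matched the triage patterns ($($actions.Count) reviewed)"
}
```

Legitimate updaters (browser and vendor update tasks) will match the browser pattern; check the Execute path points at the vendor's install directory before removing anything.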

Prevention Strategies

Safe Software Installation Practices

Always Use Custom Installation:

✗ Express Install
✗ Quick Install
✗ Recommended Install

✓ Custom Install
✓ Advanced Install

Installation Checklist:

  • Download only from official vendor websites
  • Verify HTTPS and certificate validity
  • Choose “Custom/Advanced” installation mode
  • Uncheck all pre-selected “optional” software
  • Decline toolbars, browser extensions, homepage changes
  • Read each installation screen carefully

Browser Hardening

Chrome Security Settings

# Set via registry (requires Chrome restart); integer policies must be REG_DWORD
New-Item -Path "HKCU:\Software\Policies\Google\Chrome" -Force
Set-ItemProperty -Path "HKCU:\Software\Policies\Google\Chrome" `
    -Name "SafeBrowsingProtectionLevel" -Value 2 -Type DWord  # 2 = Enhanced protection

Regular Extension Audits

Create a monthly reminder to review:

  • chrome://extensions/ - Remove unfamiliar extensions
  • chrome://settings/passwords - Delete suspicious saved passwords
  • chrome://settings/content/notifications - Revoke unnecessary permissions

System Hardening

# Enable Windows Defender real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Enable cloud-delivered protection
Set-MpPreference -MAPSReporting Advanced

# Enable automatic sample submission
# (0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all samples)
Set-MpPreference -SubmitSamplesConsent 1

# Block potentially unwanted applications
Set-MpPreference -PUAProtection Enabled

Automation Scripts

Automated Security Monitoring

Create this script as C:\Scripts\BrowserSecurityCheck.ps1:

#Requires -Version 5.1

<#
.SYNOPSIS
    Monitors browser configuration for hijack attempts
.DESCRIPTION
    Checks Chrome preferences for unauthorized search engine changes
    Logs alerts to Windows Event Log
.NOTES
    Run as scheduled task every 6 hours
#>

[CmdletBinding()]
param()

$ErrorActionPreference = "Stop"

# Define suspicious patterns
$suspiciousPatterns = @(
    "searchthatweb",
    "search-hijack",
    "unwanted-search",
    "searchmine",
    "search.yahoo.com" # if Yahoo not your preference
)

# Check Chrome preferences. The directory is absent on a machine without Chrome and
# $ErrorActionPreference is Stop, so suppress that error to reach the hosts check below.
$chromeProfiles = Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data" -Directory -ErrorAction SilentlyContinue | 
    Where-Object {$_.Name -match "^(Default|Profile \d+)$"}

# $profile is PowerShell's automatic variable (profile script path), so the loop
# variable is named $chromeProfile to avoid shadowing it
foreach ($chromeProfile in $chromeProfiles) {
    $prefsPath = Join-Path $chromeProfile.FullName "Preferences"
    
    if (Test-Path $prefsPath) {
        $content = Get-Content $prefsPath -Raw
        
        foreach ($pattern in $suspiciousPatterns) {
            if ($content -match $pattern) {
                $message = "Suspicious search engine detected in profile: $($chromeProfile.Name) - Pattern: $pattern"
                
                # Log to Event Viewer (source is created in the registration step below)
                Write-EventLog -LogName Application -Source "BrowserSecurityMonitor" `
                    -EventId 1001 -EntryType Warning -Message $message
                
                # Create desktop alert file
                $alertPath = "$env:USERPROFILE\Desktop\SECURITY_ALERT.txt"
                @"
BROWSER HIJACK DETECTED
Time: $(Get-Date)
Profile: $($chromeProfile.Name)
Pattern: $pattern

ACTION REQUIRED:
1. Run full malware scan
2. Reset browser settings
3. Review installed extensions
"@ | Out-File $alertPath -Force
                
                Write-Warning $message
            }
        }
    }
}

# Check hosts file integrity
$hostsPath = "C:\Windows\System32\drivers\etc\hosts"
$hostsContent = Get-Content $hostsPath | Where-Object {$_ -notmatch "^#" -and $_ -notmatch "^\s*$"}

if ($hostsContent -match "searchthatweb|search-hijack") {
    Write-EventLog -LogName Application -Source "BrowserSecurityMonitor" `
        -EventId 1002 -EntryType Error -Message "Hosts file compromised"
}

Write-Output "Security check completed: $(Get-Date)"

Register as Scheduled Task

# Create event log source (run once as admin)
New-EventLog -LogName Application -Source "BrowserSecurityMonitor" -ErrorAction SilentlyContinue

# Create scheduled task
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument "-ExecutionPolicy Bypass -File C:\Scripts\BrowserSecurityCheck.ps1"

$trigger = New-ScheduledTaskTrigger -Daily -At 9am -RepetitionInterval (New-TimeSpan -Hours 6) `
    -RepetitionDuration (New-TimeSpan -Days 1)

# Run as the logged-on user, not SYSTEM: the script reads $env:LOCALAPPDATA and writes to
# $env:USERPROFILE\Desktop, which under SYSTEM resolve to the system profile and would
# never see the user's Chrome data. Register the task from that user's elevated session.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType Interactive -RunLevel Highest

$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -StartWhenAvailable

Register-ScheduledTask -TaskName "BrowserSecurityMonitor" -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Description "Monitors browser for hijack attempts"

Hosts File Integrity Monitor

# Create baseline
$hostsPath = "C:\Windows\System32\drivers\etc\hosts"
Copy-Item $hostsPath "${hostsPath}.baseline"

# Monitor script
$baseline = Get-FileHash "${hostsPath}.baseline" -Algorithm SHA256
$current = Get-FileHash $hostsPath -Algorithm SHA256

if ($baseline.Hash -ne $current.Hash) {
    Write-EventLog -LogName Application -Source "BrowserSecurityMonitor" `
        -EventId 1003 -EntryType Warning -Message "Hosts file modified - manual review required"
    
    # Compare differences
    Compare-Object (Get-Content "${hostsPath}.baseline") (Get-Content $hostsPath) | 
        Out-File "$env:USERPROFILE\Desktop\hosts_changes.txt"
}

Security Implications

Data Exposure Risks

Search Query Logging:

  • Malicious search engines log all queries, including:
    • Internal network names/IPs
    • Confidential document names
    • Usernames and potentially credentials typed in search bar
    • Medical/personal information queries

Man-in-the-Middle Attacks:

  • Hijacked DNS can intercept all traffic
  • SSL stripping potential for credential harvesting
  • Redirection to phishing sites

Post-Incident Actions

# Audit recent network connections
Get-NetTCPConnection -State Established | 
    Where-Object {$_.RemoteAddress -notmatch "^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"} |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess, State |
    Format-Table -AutoSize

Required Actions:

  1. Change Passwords for accounts accessed during infection period:
    • Email accounts
    • Banking/financial services
    • Work-related accounts (VPN, corporate email)
    • Social media accounts
  2. Review Access Logs:
    • Check email login history
    • Review bank account activity
    • Audit cloud service access logs (Google/Microsoft/Dropbox)
  3. Enable 2FA/MFA on all critical accounts if not already active
  4. Monitor Credit Reports if financial data may have been compromised

Incident Documentation

Create incident report:

$report = @"
=== Security Incident Report ===
Date Detected: $(Get-Date)
Threat Type: Browser Hijacker (searchthatweb.com)
Affected Systems: $env:COMPUTERNAME
User Account: $env:USERNAME

Timeline:
- First noticed: [USER INPUT REQUIRED]
- Remediation started: $(Get-Date)
- Remediation completed: [PENDING]

Actions Taken:
- Removed browser hijack configuration
- Reset browser settings to defaults
- Full system malware scan (Defender + Malwarebytes)
- Changed critical passwords
- Enabled enhanced security settings

Lessons Learned:
- [USER INPUT: How did infection occur?]
- [USER INPUT: What will prevent recurrence?]

Next Review: $((Get-Date).AddDays(7))
"@

$report | Out-File "$env:USERPROFILE\Desktop\incident_report_$(Get-Date -Format 'yyyyMMdd').txt"

Verification Checklist

After completing remediation, verify:

# Run verification script
Write-Host "`n=== POST-REMEDIATION VERIFICATION ===" -ForegroundColor Cyan

# 1. DNS Check
Write-Host "`n[1] DNS Configuration"
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table -AutoSize

# 2. Hosts File
Write-Host "`n[2] Hosts File Entries"
$hostsEntries = Get-Content C:\Windows\System32\drivers\etc\hosts | 
    Where-Object {$_ -notmatch "^#" -and $_ -notmatch "^\s*$"}
if ($hostsEntries.Count -le 2) {
    Write-Host "[OK] Hosts file clean" -ForegroundColor Green
} else {
    Write-Host "[WARN] Review hosts file manually" -ForegroundColor Yellow
}

# 3. Chrome Configuration
Write-Host "`n[3] Browser Configuration"
$prefsPath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Preferences"
if (Test-Path $prefsPath) {
    $searchCheck = Get-Content $prefsPath -Raw
    if ($searchCheck -match "searchthatweb") {
        Write-Host "[FAIL] Chrome still infected" -ForegroundColor Red
    } else {
        Write-Host "[OK] Chrome configuration clean" -ForegroundColor Green
    }
}

# 4. Security Settings
Write-Host "`n[4] Windows Defender Status"
$mpStatus = Get-MpComputerStatus
Write-Host "Real-time Protection: $($mpStatus.RealTimeProtectionEnabled)" `
    -ForegroundColor $(if ($mpStatus.RealTimeProtectionEnabled) {"Green"} else {"Red"})
# PUA protection is reported by Get-MpPreference, not Get-MpComputerStatus
# (0 = Disabled, 1 = Enabled, 2 = AuditMode)
$mpPref = Get-MpPreference
Write-Host "PUA Protection: $($mpPref.PUAProtection)" `
    -ForegroundColor $(if ([int]$mpPref.PUAProtection -ne 0) {"Green"} else {"Yellow"})

# 5. Test Search Functionality
Write-Host "`n[5] Manual Test Required:"
Write-Host "   Open Chrome and search for 'test' in address bar"
Write-Host "   Expected: Redirects to Google search results"
Write-Host "   If still redirecting to searchthatweb.com, escalate to manual review"

Write-Host "`n=== VERIFICATION COMPLETE ===" -ForegroundColor Cyan

Manual Tests:

  • Open Chrome
  • Type “test search” in address bar
  • Verify redirects to Google (or your preferred search engine)
  • Check chrome://settings/searchEngines - no suspicious entries
  • Check chrome://extensions/ - no unfamiliar extensions
  • Test on different browser (Edge/Firefox) to confirm system-wide fix

Additional Resources

Tools Used

Tool               Purpose                    Download
Windows Defender   Built-in antivirus         Pre-installed
Malwarebytes       Anti-malware scanner       Official Site
PowerShell         Automation & remediation   Pre-installed
Process Explorer   Process investigation      Sysinternals
Autoruns           Startup analysis           Sysinternals

Conclusion

Browser hijackers like searchthatweb.com are prevalent threats that exploit user inattention during software installation. The key to prevention is maintaining security awareness during the installation process and regularly auditing browser configurations.

Key Takeaways:

  1. Always use “Custom Install” and read each screen
  2. Download software only from official sources
  3. Regularly review browser extensions and permissions
  4. Keep Windows Defender active with PUA protection enabled
  5. Run periodic malware scans (Malwarebytes monthly)

Recovery Time: 30-60 minutes
Skill Level Required: Intermediate (PowerShell knowledge helpful)
Success Rate: >95% with complete procedure

If issues persist after following this guide, the system may require advanced forensic analysis or clean OS reinstallation.


Comments & Feedback

Have you encountered this malware? Share your experience or alternative solutions in the comments below.

Last Updated: February 4, 2026
Author: Andy - IT Security Specialist
Blog: andycyber.ca



Disclaimer: This guide is provided for educational purposes. Always backup important data before performing system modifications. Test commands in a safe environment first.