How to Log a Browser Hijacker: Detecting, Tracking, and Documenting the Threat

Browser hijackers are among the most frustrating forms of malware precisely because they operate in plain sight — redirecting your searches, swapping your homepage, injecting ads — while quietly resisting removal. Logging a browser hijacker means creating a documented record of its behavior, its files, and its network activity. That record becomes essential for cleaning an infection thoroughly, reporting it, or understanding exactly how far it spread.

What "Logging" a Browser Hijacker Actually Means

Logging isn't a single action. It refers to capturing evidence across multiple layers:

  • File system changes — new extensions, executables, or registry entries the hijacker created
  • Network activity — domains it contacts, data it sends or receives
  • Browser behavior — which settings were modified (homepage, default search engine, new tab URL, DNS-over-HTTPS settings)
  • Process activity — background tasks keeping the hijacker alive after you think you've removed it

Each layer tells a different part of the story. A hijacker that only modifies browser settings leaves a different footprint than one that installs a persistent background service or modifies your hosts file.

Step 1: Capture the Browser's Current State Before Touching Anything

Before removing anything, document what's been changed. Rushing to clean first destroys the evidence trail.

In Chrome/Edge/Brave:

  • Navigate to chrome://extensions (or edge://extensions) and screenshot every installed extension, including ones you don't recognize
  • Check chrome://settings for homepage, startup pages, and default search engine
  • Open chrome://net-export/ to start a network log — this captures all browser-level network traffic in a JSON file you can analyze later

In Firefox:

  • Visit about:addons and about:config — hijackers often modify browser.startup.homepage and browser.search.defaultenginename directly in config
  • Firefox's built-in about:networking shows active connections

On any browser, export your current extensions list and settings to a text file. Some hijackers reinstall themselves within minutes of removal, so timestamps on your logs matter.
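The Firefox check above can be turned into a repeatable, timestamped record rather than a one-off look at about:config. The script below is an added example and not code from the original article: it parses a prefs.js / user.js file (Firefox's real `user_pref("name", value);` on-disk format), pulls out the settings a hijacker typically rewrites, and packages them with a UTC timestamp for the log. `browser.startup.homepage` and `browser.search.defaultenginename` come from the article; the remaining watched pref names (proxy, PAC URL, DNS-over-HTTPS via `network.trr.*`) are an assumption about what is worth recording, and the sample prefs.js is constructed.

```python
"""Parse a Firefox prefs.js / user.js file and record the prefs a browser
hijacker commonly rewrites (homepage, startup page, search, proxy, DoH).

Added example, not part of the original article. The line format is
Firefox's real one; the watch-list beyond the two prefs the article names,
and the sample file at the bottom, are constructed for this example.
"""
import json
import re
from datetime import datetime, timezone

# user_pref("name", value);   value is a JS literal: "string", 123, true/false
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Prefs worth recording in a hijacker log (list is an assumption apart from
# the first and third entries, which the article itself mentions).
WATCHED_PREFS = (
    "browser.startup.homepage",
    "browser.startup.page",
    "browser.search.defaultenginename",
    "browser.newtabpage.enabled",
    "network.proxy.type",
    "network.proxy.http",
    "network.proxy.autoconfig_url",
    "network.trr.mode",
    "network.trr.uri",
)

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line. Values are decoded
    from their JS literal; anything that is not valid JSON is kept as raw text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        try:
            value = json.loads(raw)      # "str", 123, true, false
        except ValueError:
            value = raw
        prefs[name] = value
    return prefs

def watched_prefs(prefs):
    """Subset of prefs on the watch-list, in watch-list order."""
    return {k: prefs[k] for k in WATCHED_PREFS if k in prefs}

def snapshot_report(text, taken_at=None):
    """Timestamped record suitable for writing straight to a log file."""
    taken_at = taken_at or datetime.now(timezone.utc)
    return {
        "taken_at": taken_at.isoformat(timespec="seconds"),
        "watched": watched_prefs(parse_prefs(text)),
    }

# Constructed sample prefs.js; the homepage, search and proxy values are made up.
SAMPLE_PREFS_JS = r'''// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1700000000);
user_pref("browser.startup.homepage", "http://search-helper.example/?src=hj");
user_pref("browser.startup.page", 1);
user_pref("browser.search.defaultenginename", "Search Helper");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://proxy.example/pac.js");
user_pref("network.trr.mode", 3);
user_pref("privacy.donottrackheader.enabled", true);
'''

if __name__ == "__main__":
    print(json.dumps(snapshot_report(SAMPLE_PREFS_JS), indent=2))
```

Run it against the profile's prefs.js once before cleanup and once after each removal attempt; because the report carries its own timestamp, two reports showing the homepage flipping back tell you the reinstall interval the article warns about.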

Step 2: Log Running Processes and Startup Entries

Browser hijackers often survive browser removal by anchoring themselves to the operating system.

On Windows:

  • Open Task Manager → Details tab and look for unfamiliar processes tied to browser activity
  • Use msconfig or Task Scheduler to check startup entries — hijackers frequently register as scheduled tasks with names mimicking legitimate software
  • The Registry Editor (regedit) paths to check: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the equivalent HKLM path

On macOS:

  • Check System Settings → General → Login Items
  • Use Activity Monitor to identify unusual processes consuming network resources
  • Review /Library/LaunchAgents and ~/Library/LaunchAgents — hijackers on macOS commonly drop .plist files here to auto-restart

Logging these locations means copying the full path, filename, and any associated values — not just noting "something looked weird."

Step 3: Capture Network Traffic 🔍

This is where you see what the hijacker is actually doing with your data.

Tools commonly used for network logging:

  • Wireshark (Windows / macOS / Linux): all network packets at the interface level
  • Fiddler / Charles Proxy (Windows / macOS): HTTP/HTTPS traffic from browsers
  • Chrome Net Export at chrome://net-export/ (Chrome-based browsers): browser-specific DNS, socket, and HTTP logs
  • Little Snitch (macOS): per-app outbound connection logging
  • Windows Firewall log (Windows): blocked and allowed connection attempts

The goal is to capture which domains the hijacker contacts, at what intervals, and whether it's exfiltrating anything. DNS queries are particularly revealing — a hijacker may contact its command-and-control infrastructure even when the browser appears idle.
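A net-export file is the most accessible of the logs in that table, but it is a large JSON document and not something you read by eye. The script below is an added example, not code from the original article or from Chrome: it loads a chrome://net-export/ log, extracts the hostnames from DNS-resolver and URL-request events, and reports how often and at what interval each host was contacted. The NetLog layout it relies on (a `constants` block mapping event-type names to numbers, an `events` array with numeric `type` fields and `time` in milliseconds relative to `constants.timeTickOffset`, and a file left unterminated when the browser exits before logging is stopped) is the format as the author of this example understands it; the event-type names handled and the sample log are constructed.

```python
"""Summarize which hosts a browser contacted, and how often, from a
chrome://net-export/ JSON log.

Added example, not code from the original article. The NetLog details
relied on here (constants.logEventTypes, numeric event "type", "time" in ms
relative to constants.timeTickOffset, an unterminated file when logging was
not stopped cleanly) are the format as understood by this example's author.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Event types whose params reveal a hostname. Both the older and the newer
# resolver job names are listed (the newer name is an assumption).
URL_EVENTS = {"URL_REQUEST_START_JOB"}
DNS_EVENTS = {"HOST_RESOLVER_IMPL_JOB", "HOST_RESOLVER_MANAGER_JOB"}

def load_netlog(text):
    """Parse a net-export file; if the JSON is unterminated because logging
    never stopped cleanly, close the events array and the root object."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return json.loads(text.rstrip().rstrip(",") + "]}")

def host_from_url(url):
    return (urlsplit(url).hostname or "").lower()

def host_from_dns(host):
    """Resolver params carry 'host:port'; strip the port but leave IPv6
    literals (more than one colon) untouched."""
    return host.rpartition(":")[0].lower() if host.count(":") == 1 else host.lower()

def summarize(netlog):
    """{host: {"times_ms": [sorted relative times], "kinds": {"dns", "url"}}}."""
    type_names = {v: k for k, v in netlog["constants"]["logEventTypes"].items()}
    seen = defaultdict(lambda: {"times_ms": [], "kinds": set()})
    for ev in netlog["events"]:
        if not ev:                 # empty {} terminator on a clean stop (assumption)
            continue
        name = type_names.get(ev.get("type"))
        params = ev.get("params") or {}
        if name in URL_EVENTS and "url" in params:
            host, kind = host_from_url(params["url"]), "url"
        elif name in DNS_EVENTS and "host" in params:
            host, kind = host_from_dns(params["host"]), "dns"
        else:
            continue
        if host:
            seen[host]["times_ms"].append(int(ev["time"]))
            seen[host]["kinds"].add(kind)
    for rec in seen.values():
        rec["times_ms"].sort()
    return dict(seen)

def contact_gaps_ms(rec):
    """Intervals between successive contacts with one host; a steady gap while
    the browser is idle is the beaconing pattern worth writing down."""
    t = rec["times_ms"]
    return [b - a for a, b in zip(t, t[1:])]

def to_wall_clock(netlog, t_ms):
    """Convert a relative event time to UTC using constants.timeTickOffset."""
    offset = int(netlog["constants"]["timeTickOffset"])
    return datetime.fromtimestamp((offset + t_ms) / 1000, tz=timezone.utc)

# Constructed sample: a hijacker-style beacon host plus one ordinary site.
# The text ends after a comma, the way a log that was never stopped does.
SAMPLE_NETLOG = '''{"constants": {"logEventTypes": {"REQUEST_ALIVE": 1, "URL_REQUEST_START_JOB": 2, "HOST_RESOLVER_IMPL_JOB": 3, "TCP_CONNECT": 4}, "logSourceType": {"URL_REQUEST": 1, "HOST_RESOLVER_IMPL_JOB": 2}, "timeTickOffset": "1700000000000"},
"events": [
{"params": {"host": "search-helper.example:443"}, "phase": 1, "source": {"id": 11, "type": 2}, "time": "1000", "type": 3},
{"phase": 2, "source": {"id": 11, "type": 2}, "time": "1030", "type": 3},
{"params": {"url": "https://search-helper.example/beacon?id=abc", "method": "GET"}, "phase": 1, "source": {"id": 10, "type": 1}, "time": "1040", "type": 2},
{"params": {"url": "https://www.wikipedia.org/", "method": "GET"}, "phase": 1, "source": {"id": 12, "type": 1}, "time": "5000", "type": 2},
{"params": {"url": "https://search-helper.example/beacon?id=abc", "method": "GET"}, "phase": 1, "source": {"id": 13, "type": 1}, "time": "61040", "type": 2},
'''

if __name__ == "__main__":
    log = load_netlog(SAMPLE_NETLOG)
    for host, rec in summarize(log).items():
        first = to_wall_clock(log, rec["times_ms"][0]).isoformat(timespec="seconds")
        print(f"{host}: {len(rec['times_ms'])} contact(s) via {sorted(rec['kinds'])}, "
              f"first at {first}, gaps {contact_gaps_ms(rec)} ms")
```

The hostnames and wall-clock times this prints are exactly the values to carry into Step 5: a host that shows up in both a DNS event and a request, on a fixed interval, with no page open, is the one to look up first.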

Step 4: Document File System Changes

On Windows, tools like Autoruns (from Microsoft Sysinternals) give a comprehensive view of everything configured to run automatically — far more thorough than Task Manager alone. Running Autoruns before and after a suspected infection gives you a diff of what changed.

For file system logging more broadly:

  • Windows: sfc /scannow logs system file integrity issues; Process Monitor (also Sysinternals) captures real-time file, registry, and process activity
  • macOS: fs_usage in Terminal logs file system calls in real time
  • Both platforms: Antivirus scan logs from tools like Malwarebytes create structured records of detected files with paths and threat classifications

Save every log with a timestamp in the filename. If you're dealing with a persistent hijacker across multiple removal attempts, the timeline matters.
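The before/after diff that Autoruns gives you on Windows, and the timestamped-filename habit this step asks for, can be reproduced for any auto-start directory with a few lines of Python. The script below is an added example and not code from the original article or from Sysinternals: it hashes every file under a set of auto-start directories into a snapshot, diffs two snapshots into added / removed / modified lists, and writes each snapshot to a file whose name carries a UTC timestamp. The macOS directories are the LaunchAgents paths the article names plus /Library/LaunchDaemons, and the Windows entry is the per-user Startup folder; both lists are assumptions, and the demo runs against constructed files in a temporary directory so it works on any OS.

```python
"""Snapshot the files in auto-start locations and diff two snapshots, so a
'before' and an 'after' capture show what a hijacker added, removed or changed.

Added example, not from the original article. The directory lists per OS are
assumptions (LaunchAgents paths from the article, plus LaunchDaemons and the
Windows per-user Startup folder); the demo uses constructed files in a
temporary directory.
"""
import hashlib
import json
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

HOME = Path.home()
AUTOSTART_DIRS = {
    "darwin": [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"),
               HOME / "Library/LaunchAgents"],
    "win32": [HOME / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"],
}

def default_dirs():
    """Auto-start directories for the current platform (empty list if unknown)."""
    return AUTOSTART_DIRS.get(sys.platform, [])

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(dirs):
    """{absolute path: {sha256, size, mtime}} for every regular file under dirs."""
    entries = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.rglob("*")):
            if p.is_file():
                st = p.stat()
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                entries[str(p)] = {"sha256": sha256_file(p), "size": st.st_size,
                                   "mtime": mtime.isoformat(timespec="seconds")}
    return entries

def diff_snapshots(before, after):
    """Paths added, removed, or whose content hash changed between snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p]["sha256"] != after[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}

def save_snapshot(entries, out_dir, label):
    """Write the snapshot as JSON with a UTC timestamp in the filename."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    out = Path(out_dir) / f"autostart-{label}-{stamp}.json"
    out.write_text(json.dumps({"taken_at": stamp, "entries": entries}, indent=2))
    return out

def demo():
    """Simulate a before/after capture with constructed files in a temp dir:
    one legitimate plist gets rewritten and one new plist appears."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp) / "LaunchAgents"
        agents.mkdir()
        (agents / "com.vendor.updater.plist").write_text("<plist/>")
        before = snapshot([agents])
        save_snapshot(before, tmp, "before")
        (agents / "com.searchhelper.agent.plist").write_text("<plist><!-- new --></plist>")
        (agents / "com.vendor.updater.plist").write_text("<plist><!-- rewritten --></plist>")
        after = snapshot([agents])
        save_snapshot(after, tmp, "after")
        result = diff_snapshots(before, after)
        return {k: [Path(p).name for p in v] for k, v in result.items()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing rather than comparing modification times is deliberate: a hijacker that rewrites an existing plist and restores its timestamp still shows up under "modified", and the saved JSON files give you the timeline across repeated removal attempts.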

Step 5: Cross-Reference Against Known Threat Databases

Once you've captured file names, domains, and process names, you can identify what you're dealing with.

  • VirusTotal — upload suspicious files or paste domain names to check against 70+ security engines
  • URLhaus and Urlscan.io — look up domains the hijacker contacted
  • Any.run or Hybrid Analysis — behavioral sandboxes where you can run a suspicious file and watch it log its own activity in a controlled environment

These tools don't replace your logs — they help contextualize them. A domain flagged by 40 out of 72 engines on VirusTotal tells you something meaningful about severity and family classification.

The Variables That Shape What You'll Find

How useful your logs are — and what you'll find in them — depends on factors specific to your situation:

  • Your OS and its version — logging tools, accessible paths, and registry structures differ significantly between Windows 10, Windows 11, and various macOS versions
  • Technical comfort level — Wireshark is powerful but produces raw packet data that requires interpretation; Chrome's net-export logs are more accessible but narrower in scope
  • How long the infection has been active — a hijacker running for weeks may have already exfiltrated data, modified more settings, or downloaded secondary payloads
  • Whether the hijacker has rootkit-like components — some advanced hijackers hide processes from standard Task Manager views, requiring specialized tools like GMER or RootkitRevealer
  • Managed vs. personal devices — enterprise-managed browsers have policy-controlled settings that can mask hijacker activity or prevent certain logging tools from running

A technically confident user on a personal Windows 11 machine with full admin access can run the full logging stack. A non-technical user on a locked-down work laptop will need to involve IT — and the logging process looks completely different in that context.

What you're able to capture, and what that data means for your next step, depends entirely on which of those situations describes your setup. 🔐