Browser Hijacked - Indextap.cool Help!

Another short and pictureless Instructable, aimed to oferr a prevention and fix for hijacked browsers on you PC or Laptop.
In this case for a hijacker that is quite intrusive once active - indextap.cool.

Let's start by explaining what a hijacked browser is:
Unlike a real virus a hijacker will try all to just block your browser and make it useless.
There are tons of variations out there but they all have one thing in common.
You always will find the phone number or Email address of the scammer on the only "working" website still showing.
Today I installed the latest Windows updated and one for Firefox.
So you can imagine my surprise when I got hijacked when trying to watch an old TV show that I found hosted on a website.
Used it for several days to watch some of my old time heroes again and never had a problem.
The offending website came through a pop up ad and redirected to indextap.cool - please don't try their website in any form outside a sandboxed browser!

How does it look?
Well the hijacked websites change frequently but as said you always end up locked out of your browser and always will find a "solution" offered for the detected problem.
The worst you can do is to try closing or canceling anything that popped up with it.
That goes for notifications about location or other things, authentications or what not.
No matter where you click or what you click on it will only manifest the hijacker more permanent into your system/browser.

If you ignore that my screenshot if not in english you will see that indextap.cool requires a username and password for server access.
Now, clicking long and often enough will cause more windows to be opened, or tabs, depending on the browser used.
In the end you will just have a window with a phone number or login info for indextap.cool.
Either way it will end in a costly service number you need to call to get full access to free your computer.
In a sandboxed enviroment this hijacker does not get far and nowhere.
In a running system however the clicking will cause the browser history to be changed so only the hijacker is shown and all other windows/tabs of your browser are rendered blocked and useless.
I tired to follow what I could in a virtual machine but it seems there are two outcomes for this bad boy:
a) the system is modified so the affected browser starts as soon as possible while stopping all later services - rendering the entire system unresponsive except for reboots ans shut downs.
b) parts of the system will be encrypted and so far I could not even figure out by what means the data was scrambled.

As said you should be relatively fine if you rebooted and did not click anything to "fix" the problem.
But lets face it, you wouldn't be reading all this from your mobile or tablet if you actually fixed it ;)

There are two options, three if you can bebothered to try the endless amounts of apps offered by anti virus companies and PC fixing websites.
Most programs you can find neither aim directly for a hijacked browser nor do they offer a single fix fo this problem, so avoid them and save time and frustration.

Option one:
Assuming you neither have anything vital in open tabs, nor any login info you no longer know and that you have a copy of your bookmarks elsewhere:
Just unistall the browser fully and install a fresh copy.

Option two:
Assuming you have something to loose:
Delete the current session files and replace them with a backup.

I will go into option two a bit more detailed:
Firefox stores the session info in compressed files inside your profile folder.
Userfoler/appdata/roaming/firefox/profiles - there will be a folder with a cryptic filename, look in there.
You shall find files starting with "previous..." and "recovery...".
Check for todays date and make a copy of todays oldest file!
Rename the rest.
Use the copied file to make more copies to replace the previously renamed files.
You now have the oldest copy of the day and all traces of the last few sessions with the hijacker should be gone.
If not you can try to rename all of todays files so Firefox will try an older copy but you will loose some tabs along the way.
So far I have not found a way to just edit the compressed files to simply replace a charcter or two in the offending URL.

Chrome is similar but also offers the easy way of editing the file(s) containing the last session and tab info.
The files you need to look for are "current session" and curent session.bak".
The "last session" can be helpful as a backup if the filedate is older.
Again the first try is to rename the "current session" file to something like "session-infected".
Then make a copy of the ".bak" file and rename this copy to "current session".
With a bit of luck your hijacker is now gone.
In case it is not:
Open the session files with Notepad++ and search for the address of the offending website, like in my case "indextap.cool", replace one or two charaters to something like "indeytap.cold".
Now you get an error when starting your browser and can just close the tab or enter a working website address.
As a last solution you can alsways make use of the older backup files but editing the session files is the nicest way to fix the problem.

The solution is quite simple: Just never use your browser again ;)
Simple is not good enough in todays times so we make it a bit more complicated:

Once your browser is working again make a backup of the files that store your session, tab and bookmark info.
For Firefox you can get easy o use backup tools, Chrome allows the export and import.
But a simple copy done with the Explorer will do the exact same thing.
Give the file a meaningful ending like - working copy.

As these hijacks don't even require any decent coding skills anyone could write one in minutes for their own website.
The trick is find a way to include your link into some pop up ad that is active on many website out there.
Preferably these scammers use websites that are not frequently checked by Google and other "services" or just those making their main income from intrusive ads.
In any case the gap is so far neither filled by the big browsers, nor our operating systems.
If someone ends with a linking ad that ends on a scammer site the end is always the same.
Some of these hijackers literally made millions by demanding a lot of money to restore your now encrypted data on the computer.
All because people kept clicking to "fix" the browser and later were too embarassed to inform the right authorities about the fraud.
One of the best options these is not using an adblocker, simply because most websites now lock you out if you use them.
Same for your favourite firewall or anti virus pack - they will just fail.
Real prevention these days works through so called white- and black lists.
Offending sites are blacklisted by your system and you are kept a bit safer.
Downside is they don't work in realtime and need active input to include the latest offenders.
And in many cases the check if the website owner was able to clean the ad mess is never done, locking the website out and causing someone to loose it all.

The problem is that there is always someone with a bit of skills and means that wants to make easy money by doing nothing.
This results in most of the hijacks you can encounter, like the FBI one I mentioned in a previous Ible.
Here all you need is to pay for a phone redirect service or use one that charges only the caller.
The second case skips the manual labour that would follow a call or at least makes taking control much easier.
Here the scammer tries all he can to start protected services and access points to gain full control over the system you hold dear.

They both work by assuming there are enough DUP out there with free internet access to make it worth trying.
And any real DUP will have no clue how to handle a threat on the screen claiming they got caught doing something illegal, have infected files on the computer or have just lost the use of the browser.
And of course the key is to be fast and complete so there is a higher chance to get at least a few hundret callers until the ad service will block you.

The real risk is not the inital hijack as this always easy to fix as you noticed in the previous steps.
The big risk starts by clicking and ends by calling or starting a now active tool on your system that allows the scammer to repair your system.
And don't get me wrong, they will fix it, even after you transfered the money or in most cases free of charge.
But they take all info about you they can get in the meantime, in many cases trying to clone and copy your entire hardrive at the same time.
In the worst case it goes like this:

Scared person in front of the screen tries to get rid of the ongoing popups until only a fullscreen mode of the browser is left.
That there is a Windows key and a reboot option becomes only appearent once all that could be infected is infected and the restart allows full system control for the scammer.
Usually including blocking all anti virus packs you might have and opening all ports and protocols for your firewall.
Of course in a way that you can't fix this either.
And if shit really hits the fan then you will be greeted by a screen from the scammer with just a phone number and the note that your data is now encrypted to prevent data loss and further infection.
Once the person called and transfered the few buck the scammer fix scan the system do his best to remove all traces of the infection that caused you soo much pain.
This take quite some time, usually about as much time as you would need to copy all vital stuff from your hard drives.
Once all is clean you will be informed that your session ends with the reboot and that your system will be back to normal.
And often this the cases, sometimes a keylogger and redirector are left behind though.
But shortly after this fix your bank accounts drain, your inventions appear on the open market, you private bedroom videos end up on porn sites and just thank god if you don't have very private pics of your kids playing naked in the inflatable pool....
By the time you noticed a problem your whole identy might be copied or misused already.
Letters for new credit cards that are due to be paid off, insurance policies you never signed up for or a visit from the cops letting you know that they just arrested someone using your drivers license with a different picture...

Several governments might control and check whatever you do on the net, Google tracks and follows you wherever possible and Facebook does not really know what privacy is even if they use a dictionary to look the word up.
But a scammer has only one goal: your money and your identity.
Chances are that out of 100 hijacks there is just one or two that make it far enough to cause real harm or damage to systems.
In all other cases common sense by not clicking and following scammer instructions all traces can be removed before anything permanent is done to a system.

If you need ads to pay for your server or hosting service than by all means go for it.
But let the user have the control and include the ads into your website instead of using a service that just provides random ads.
In either case you get what you pay for so to say.
An unknow provider offering huge ad income will usually be as intrusive as possible and keep all control about ad content.
A high chance to end up with a scammer sooner or later.
On the other hand trusted services usually offer targeted ads, for example if your website deal with electrocis stuff then most ads will be for this topic.
And here the chance to end up with ads from legit companies are far higher.
Same for the provider actually checking the references and history of anyone wanting to place ads through them.
Last but not least there is the all eating giant Google offering any ad solution you might need - in return for including your data to their data and processing of course.

IMHO the best option for targeted income on a personal or home shop website is is donations and finding supporters.
If you sell stuff on your website than there might be companies seeing a potential in your access counter and they might be willing to pay a few bucks for having their ads with your website.
Convinience will however usually trump as we all have little time to deal with all the things that require attention.
In any case it can pay off to have a dummy compter or virtual system checking your website and the ads on a regular base.
If you notice a scam or even hijack yourself then there might be only very few or even no affected people out there yet.
Calling your ad provider for an immediate takedown of the offending ad can often prevent your website from being blacklisted.

This is a question I am asking myself now for a few years!
None of the great providers of firewall and anti-virus solutions offers a true and working hijack prevention.
Google now uses their quantum and super computers to track scmas and hijacks close to real time.
the aim is to provide a Chrome browser that utilises this backbone to stop an attempt to block the browser before the data is transmitted to the end user.
Once it works it will be a nice thing to have but at what price....

Windows does not really care about what happens to thrid party browsers but even the Internet Explorer is only safe of the system tool to remove and control harmful apps is active and current.
A hijack still happens in the official browser as it does in the other big browsers.

There is light at the end of the tunnel after all though.
For example non-intrusive browsers like Puffin and search engines like DuckDuckgo.
If you check the history of all things internet you can see a pattern.
Some sleep, some develop, some make good profits, some flare up and suddenly disappear.
From a lot of small and often not very helpful search engines we got to specialesed ones.
Like those still active today for the main purpose of scientific research.
If you want someone today to search for some info on the web you say : Google it!
We have been trained to trust and use only one provider for our internet searching needs.
Little by little other search engines lost revenue and userbase or just got swallowed by the big players left.
Miscrosoft still tries to provide a search engine, same does Yahoo but noone really cares anymore.
And telling someone to use something like Duckduckgo instead to keep the privacy and ads safe usually only works for the show effect that you can do things without Google.
Our prefered mobile operating system comes from Google too unless of course you prefe the rotten fruit as the symbol of your mobile life.
Pressure is now building up to offer alternatives to the Google browser and search services in operating systems and devices out there.
Sadly I think it will go like our favourite fizzy drink of all times.
You don't ask for a brown overseat fizzy drink you ask for a C...
And lets face: After endless years of training the enduser to use only what Google wants making them learn differently goes again the convinience we already have.

A thing that should have happen many years ago is a website with a databse listing all known hijackers.
Images of their screens, phone numbers and Emails and instructions how to quickly deal with such "threads".
Anyone with slightly above programming skills can write a batch files or little app that does just what I suggested earlier to remove a hijacker fast and easy.
You could just start an alternative browser if you have one installed or use a tool that comes with the package of your browser already to connect to this website and database.
A few clicks and your browser is cured.
Could even be as simple as the browser detecting it is blocked and force the tool to connect to the cleanup service right after the next reboot.
So if you are like me you must wonder too why it is not done?

Lets check currently available options:
You call Microsoft or Apple to report a hicked browser and ask for help.
And if you are lucky enough after a few days they might be able to fix your problem by making you install all from scratch.
You paid a lot of money for your great but now utterly useless anti-virus and online protection suite?
Ok, try their tools you can not download without a working browser.
So you make use of the support hotline and find out that for your specific problem you need to call a different and often costly number.
And once they charged enough they might be able to use a tool like Teamviewer to remotely fix your browser or to guide oyu through a fresh install of your browser.
I tried a few and so far none was able to provide a fix as easy and direct as I showed here.
Last but not least you might have alternative means of browsing on a phone or tablet and waste few hours searching for your particular hijacker to no avail as it is new.
Then you try "generic" solutions offered on some websites.
Some might even try to download stuff and transfer it to the PC or laptop to fix the problem there.
All comes down to money :(
The scammer who got you wants it of course.
But anyone who could offer easy and fast help has a valid excuse to blame someone else for being responsible for this kind of "thread".
Instead you are made to pay and use their service to help you.
A simple email with the instructions would be too easy...
So please, if you found this helpful after you got hijacked share the fix with as many other people as possible.
Make them aware of copies in the profile folders.
Show them how to create and use them.
Just spread the word!
Once the scammers know that even old granny next doord can fix thier hijack in 5 minutes they might bother to find a real job and life instead.