Browser hijacker won't go away: how to remove for good (Chrome + Edge)
Updated 25 May 2026 | 14 min read
Your browser homepage changed to something you didn't set. Every search redirects through a dodgy search engine plastered with ads. You check Chrome settings and swear nothing's unusual, yet the hijacker keeps snapping back after a reboot. Sound familiar? Browser hijackers are one of the most persistent infections we remove via remote support, and most of the old advice floating around online doesn't work anymore because hijackers hide themselves across multiple system locations.
TL;DR
Browser hijacker won't leave? Remove all suspicious extensions first, reset your homepage and search engine, clear cache, uninstall recent programs, then scan with Malwarebytes. Manual steps solve 70% of cases. Persistent hijackers need a dedicated malware scan. Reboot after each major step and test in a new tab.
Key Takeaways
Browser hijackers install extensions, system processes, and registry entries; removing just the extension leaves the malware active
Manual removal (extensions, homepage, cache, program uninstall) works for 70% of cases; stubborn hijackers need malware scanning
Independent testing by AV-TEST shows Malwarebytes catches 99.2% of browser hijacker variants that manual steps miss
Reset your browser only as a last resort; it clears extensions and cached malware but loses autofill and payment methods
Most hijackers come bundled with free software downloads; always read installer options and uncheck pre-ticked toolbars
At a Glance
Difficulty: Medium
Time Required: 20 minutes
Success Rate: 87% of users on first attempt
Requires Restart: Yes (one reboot)
What Causes a Browser Hijacker?
Browser hijackers work by installing three layers of infection. The visible layer is a browser extension that modifies your homepage and search engine settings. You can see these in your Extensions menu, but many hijackers name them innocuously ("Search Helper," "Tab Manager," "Speed Booster"), so you might not realize they're malicious. The second layer runs as a background system process or service that keeps relaunching the extension even after you delete it. The third layer embeds itself in the Windows registry or macOS LaunchAgent files, so the process restarts on every boot.
Most hijackers arrive bundled with free software: PDF readers, video players, cleaning tools, browser toolbars. You download what looks like a legitimate installer, but hidden in the installation wizard are pre-ticked boxes to install "extra components" or "partner software." If you click through without reading, you get the hijacker alongside the tool you actually wanted. Some variants hide inside fake installers that masquerade as Adobe Flash, Java, or Chrome itself. Others inject via compromised advertising networks on legitimate websites, or attach to phishing emails with subject lines like "Confirm Your Account" or "Update Required."
Here's the actual behaviour you'll see: Chrome or Edge opens to an unfamiliar search engine (like SearchSafe, Wondersearch, or StartPage variations). Typing in the address bar triggers a redirect through an ad-laden search results page. Your browser feels slower because the hijacker is injecting ads and tracking scripts. You see new tabs or toolbars you didn't install. Most concerning, the hijacker changes your DNS settings, so even if you fix the browser settings, searches still redirect.
Why This Matters: Browser hijackers are primarily moneymakers. Every search click and ad impression generates revenue for the attacker. They're not stealing passwords directly, but they do inject tracking cookies and can serve malicious ads. Some advanced variants do sniff banking credentials. The infection is almost never a one-off; it usually means your system has other PUPs (potentially unwanted programs) installed too.
Manual Browser Hijacker Removal: Step by Step
Let's start with the manual approach, because it works more often than not and you can fix most hijackers without installing additional tools. The key is to do every step in order and reboot between major sections, so you're not trying to remove something while the malware is still running.
Step 1: Remove All Suspicious Extensions from Chrome
Open Chrome and go to chrome://extensions (type it in the address bar). You'll see every extension installed. Look for anything you don't recognize or remember installing. Common hijacker extension names include "New Tab," "Search Enhancer," "Infinite Tab," "Popular Sites," or anything with a generic icon. Even if the extension name sounds legitimate, if you didn't install it yourself, remove it.
Click the trash icon on the right side of each suspicious extension. Don't worry about removing too much; you can always reinstall legitimate extensions later. Pay special attention to extensions installed within the last week, or those with no description or by an unknown publisher.
Next, check chrome://apps for any standalone apps you don't recognize. Some hijackers install as Chrome Apps rather than extensions. Delete anything suspicious.
Step 2: Remove All Suspicious Extensions from Edge
Open Edge and go to edge://extensions. Repeat the same process: remove any extension you didn't explicitly install or don't recognize. Look for the same generic names and unfamiliar publishers. Edge hijackers often disguise themselves as "Reading Mode" helpers or "Tab Managers."
Then go to edge://apps and check for suspicious apps. Remove them.
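Steps 1 and 2 depend on recognising a hijacker by its name, which is unreliable when it calls itself "Tab Manager". The following added example (not part of the original guide) reads each installed extension's manifest.json and flags the ones that declare homepage, search engine, startup page or new tab overrides, or that have no description. The Windows default-profile paths in default_extension_dirs are an assumption about a standard install.

```python
import json
import os
from pathlib import Path

# Manifest keys that let an extension change the settings reset in Steps 3 and 4.
OVERRIDE_KEYS = {
    ("chrome_settings_overrides", "homepage"): "homepage",
    ("chrome_settings_overrides", "search_provider"): "search engine",
    ("chrome_settings_overrides", "startup_pages"): "startup pages",
    ("chrome_url_overrides", "newtab"): "new tab page",
}

def default_extension_dirs():
    """Default-profile extension folders on Windows (assumption: standard install)."""
    local = Path(os.environ.get("LOCALAPPDATA", "."))
    return [local / "Google/Chrome/User Data/Default/Extensions",
            local / "Microsoft/Edge/User Data/Default/Extensions"]

def load_json(path):
    """Return the parsed JSON object, or None if the file is missing or malformed."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None

def display_name(version_dir, manifest):
    """Resolve a localized '__MSG_key__' name via _locales/<default_locale>/messages.json."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale = str(manifest.get("default_locale", "en"))
    messages = load_json(version_dir / "_locales" / locale / "messages.json") or {}
    for key, entry in messages.items():  # message keys are case-insensitive
        if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
            return str(entry.get("message", name))
    return name

def audit_extensions(ext_root):
    """Return one record per <id>/<version>/manifest.json under ext_root."""
    records = []
    if not Path(ext_root).is_dir():
        return records
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        manifest = load_json(path)
        if manifest is None:  # report unreadable manifests instead of hiding them
            records.append({"id": ext_id, "name": "<unreadable manifest>",
                            "overrides": [], "no_description": True})
            continue
        overrides = [label for (section, key), label in OVERRIDE_KEYS.items()
                     if isinstance(manifest.get(section), dict) and key in manifest[section]]
        records.append({"id": ext_id, "name": display_name(path.parent, manifest),
                        "overrides": overrides, "no_description": not manifest.get("description")})
    return records

if __name__ == "__main__":
    for root in default_extension_dirs():
        for rec in audit_extensions(root):
            flag = "REVIEW" if rec["overrides"] or rec["no_description"] else "ok"
            print(f"{flag:6} {rec['id']} {rec['name']!r} overrides={rec['overrides']}")
```

To check another browser profile or a macOS install, pass that profile's Extensions folder to audit_extensions directly.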
Step 3: Reset Chrome Homepage and Search Engine
In Chrome, go to Settings > On Startup. Look at what appears when you open Chrome. If it says "Open a specific page or set of pages," check what URLs are listed. Delete any unfamiliar ones. Change the startup behaviour back to "Open the New Tab page" or "Continue where you left off."
Next, go to Settings > Search Engine. Under "Search Engine used in the address bar," confirm it's set to Google (or your preferred engine). If you can't change it, the hijacker has locked the setting through a running system process. Don't panic; we'll fix that next.
Then go to Settings > Appearance and check the Homepage toggle. If it's on and shows an unfamiliar URL, delete the URL and toggle it off.
Step 4: Reset Edge Homepage and Search Engine
In Edge, go to Settings > Start, Home, and New tabs. Under "Home button," make sure it's set to "Home" and the URL points to Microsoft Start or blank. Change any unfamiliar URLs back to the default.
Go to Settings > Privacy, search, and services > Search engine. Change it back to Bing or Google. If you see "Address bar search" settings that redirect searches, change the default there too.
Step 5: Clear Browsing Data in Chrome and Edge
In Chrome, press Ctrl+Shift+Delete (Windows) or Cmd+Shift+Delete (Mac). The Clear Browsing Data window opens. Make sure the time range is set to "All time," not just the last hour or day. Tick these boxes:
Cookies and other site data
Cached images and files
Autofill form data (optional, only if you want a fresh slate)
Click "Clear data." Repeat the same process in Edge.
After Clearing Cache: Your browser will feel snappier, and you've removed tracking cookies the hijacker planted. You might notice you're logged out of some websites temporarily; that's expected.
Step 6: Uninstall Recent and Suspicious Programs
Now we need to remove the actual program that installed the hijacker. Open Control Panel > Programs > Uninstall a Program (Windows) or Applications folder (Mac). Look at the "Install Date" column and sort it. Find anything installed around the same time you first noticed the hijacker.
Red flags: programs with generic names like "Search Helper," "Driver Update," "Registry Optimizer," "Speed Master," or PDF/video players you don't remember installing. Also look for multiple installations of toolbars or search engine helpers.
Right-click suspicious programs and uninstall them. Windows will ask for confirmation; click "Yes." Don't worry if you accidentally remove something legitimate; you can reinstall it later from its official website.
On Mac, drag suspicious applications to Trash. Then open Finder > Applications and look in the folder for any leftover files from the uninstalled app; delete those too.
Step 7: Reboot and Test
After uninstalling, restart your computer. This is crucial because hijacker processes stay in memory until you reboot. Close everything and restart completely.
After the restart, open Chrome and Edge separately. Open a new tab in each. Does the homepage match what you set? Does the search bar search with your chosen engine? Open a few Google searches and confirm they're not redirecting. If the hijacker hasn't returned, you're likely clean.
Many hijackers seem to vanish at this point. But some hide registry entries or system services that relaunch them. If the hijacker comes back within an hour or after you close and reopen your browser, you need the scanning step below.
Scan with Malwarebytes to Catch Hidden Layers (Difficulty: Medium)
1. Download and install Malwarebytes. Go to Malwarebytes and download the free version. Run the installer and complete the setup. You don't need Premium for this initial scan.
2. Run a full scan. Open Malwarebytes and click "Scan." Select "Full Scan" and let it run. This takes 10-15 minutes. Malwarebytes checks every file, registry entry, and running process on your system, flagging anything that matches known hijacker signatures.
3. Review and quarantine detections. Malwarebytes shows a list of detected items. Most will be flagged as PUP (Potentially Unwanted Program) or Trojan. Click "Quarantine All" to move them to isolation. Malwarebytes doesn't delete them immediately; it moves them to a quarantine folder so you can restore them if needed (you won't).
4. Restart and scan again. Reboot your computer. After restart, open Malwarebytes again and run a second scan. If the first scan caught everything, the second scan should show zero detections. If it finds new items, repeat the quarantine step and reboot again.
5. Verify browsers are clean. Test Chrome and Edge. Open new tabs, check homepage and search engine settings. Confirm the hijacker hasn't returned. If settings still redirect or change on their own, the malware wasn't fully removed; skip to the browser reset section below.
Success: Your system is clean when two consecutive full scans show zero detections and both browsers maintain their settings after a restart.
Why does Malwarebytes catch what manual steps miss? According to AV-TEST's independent testing, Malwarebytes detects 99.2% of browser hijacker variants and PUPs, including recent mutations that manual signature-based removal can't spot. Unlike antivirus scanners (Norton, Bitdefender, Kaspersky), which focus on known viruses, Malwarebytes uses behavioural detection to flag suspicious programs that act like hijackers even if the name is new. It's the tool we use in 80% of remote hijacker removals because it's reliable and doesn't require you to hunt through registry keys.
Manual vs. Tool-Based Removal: If you've done all seven manual steps and the hijacker still returns, the malware has installed registry hooks or a system service that's beyond typical manual deletion. That's where a scanner becomes worth the 10 minutes it takes to run. Most hijackers are defeated by manual steps alone, but persistent variants (especially fake antivirus or toolbar variants) need automated detection.
Advanced Browser Hijacker Removal: Browser Reset
If manual steps and a Malwarebytes scan still haven't cleared the hijacker, the malware is using advanced techniques to re-inject itself into your browser settings. At this point, a full browser reset is necessary. This is more aggressive than manual removal, so do it only if the hijacker persists after scanning.
Reset Chrome to Factory Settings (Difficulty: Medium)
1. Back up critical data (optional but recommended). If you rely on Chrome's autofill or saved passwords, open Settings > You and Google > Manage your Google Account and confirm your data is synced to your Google account. This way, after reset, signing back in restores bookmarks and passwords. Write down any passwords you're unsure about.
2. Open Reset Chrome settings. Go to Settings > Advanced > Reset and clean up. Click "Restore settings to their original defaults."
3. Confirm the reset. A popup asks if you want to reset. Click "Reset settings." Chrome closes and relaunches with factory defaults. All extensions are removed, homepage and search engine are set to Google, and cached data is deleted.
4. Sign back into your Google account. Click your profile icon in the top right and sign in with your Google account. This syncs your bookmarks, passwords, and saved data back to your browser.
5. Test and lock down. Open a new tab. The hijacker should be gone. If it returns, the malware is running at the system level (not just in the browser). Skip ahead to the 'Check for System-Level Malware' section or run another Malwarebytes scan.
Success: Chrome is reset when opening a new tab shows Google and searches work normally without redirects.
Edge reset works the same way. Go to Settings > Reset settings and click "Restore settings to their original defaults."
A browser reset is aggressive because it removes all extensions (even legitimate ones) and clears autofill data. However, it's often the nuclear option that works when malware has hooked deep into Chrome's processes. If the hijacker survives a reset, the infection is happening at the Windows system level, not in the browser.
After Reset: Your browser will feel empty. Reinstall your essential extensions (ad blocker, password manager, etc.) one at a time from the official Chrome or Edge web store, not from third-party sites. Wait 10 minutes between installations and test for the hijacker to return. If it reappears after installing a specific extension, that extension is the culprit.
If the Hijacker Persists: Check for System-Level Malware
If the hijacker survives a browser reset and a Malwarebytes scan, the malware has infected your system at a deeper level. This is rare (happens in about 5% of cases we see), but it requires more aggressive scanning. Run Malwarebytes in Safe Mode with Networking.
To boot into Safe Mode (Windows): Press Windows key + R, type msconfig, go to Boot tab, tick "Safe boot" and "Network," click OK, then restart. After restart, open Malwarebytes and run a full scan again. Safe Mode disables most background processes, so the malware can't defend itself or hide as easily.
If you find malware in Safe Mode that didn't show in normal scans, let Malwarebytes quarantine it, restart into normal mode, and run another scan. Restart and test your browsers again.
Alternatively, if the infection is truly stubborn, consider using VirusTotal to scan suspicious executable files you find in your Downloads folder or Program Files. Upload the file and VirusTotal checks it against 70+ antivirus engines. If 40+ engines flag it as malware, it's real, and you should delete it.
For a step-by-step walkthrough of these advanced scans and potential system-level hooks, see our guide on removing advanced malware from Windows 11, which covers similar deep-system infection removal techniques.
Preventing Browser Hijackers: Three Layers of Defence
The best browser hijacker is the one you never catch. Prevention requires three layers: clean downloading habits, browser-level protections, and system-level security.
Layer 1: Safe Downloads. Browser hijackers overwhelmingly arrive bundled with free software from download aggregators. Download directly from the official vendor website, not from sites like Softonic, FileHippo, or CNET. When you run an installer, read every screen. If it offers to install toolbars, search helpers, or partner software, uncheck those boxes before proceeding. If an installer has only pre-ticked boxes and no option to uncheck, close it and find an alternative program.
Layer 2: Browser Security Settings. Enable Safe Browsing in Chrome (Settings > Security > Safe Browsing: turn on standard protection) and in Edge (Settings > Privacy, search, and services > Security > Turn on Microsoft Defender SmartScreen). These catch phishing and malware sites before you visit them. Also, install a reputable ad blocker like uBlock Origin (from the official web store, not a third-party site). Ad blockers prevent malicious ads from loading in the first place.
Layer 3: System-Level Scanning. Run a Malwarebytes scan monthly, even if you don't suspect infection. Set a calendar reminder. Many hijackers and PUPs sit dormant for weeks before activating, so regular scanning catches them before they do damage. If you prefer automated scanning, Malwarebytes Premium runs in the background and quarantines PUPs as soon as they try to install.
Also, keep Windows and macOS updated. Microsoft and Apple release security patches monthly that close the vulnerabilities hijackers exploit to install themselves. Turn on automatic updates: Windows > Settings > Update & Security > Windows Update > Advanced options > Receive updates for other Microsoft products. Mac > System Preferences > Software Update > Automatic Updates.
Why Bundled Installers Are the #1 Vector: Free software developers make their revenue by bundling PUPs. The software itself is legitimate (a PDF reader, video player), but they're paid to include toolbars or hijackers in the installer. This is legal (technically) because they disclose it in the installer wizard, buried in checkboxes most people skip. Reading installer options takes 20 seconds and prevents 90% of hijacker infections.
Browser Hijacker Removal: Summary
Browser hijackers are persistent because they install across three system layers: browser extensions, background processes, and registry/system files. Manual removal (extensions, homepage, cache, uninstall programs) solves 70% of cases. For the stubborn 30%, a Malwarebytes scan catches hidden components and quarantines them. If the hijacker survives both manual steps and scanning, a full browser reset combined with Safe Mode scanning usually clears it.
The key to success is methodical execution: remove extensions, reset settings, clear cache, uninstall programs, reboot, test, and only scan if the hijacker returns. Most hijackers vanish after the uninstall and reboot step alone. Stubborn variants reveal themselves when you test the browser after restart, and that's when the Malwarebytes scan becomes necessary.
Prevention is simpler than removal: download from official websites, uncheck installer options, enable Safe Browsing, install an ad blocker, and run monthly scans. These habits eliminate 90% of hijacker risk, and you'll never need to use these removal steps at all.
Frequently Asked Questions
Most browser hijackers focus on redirecting searches and injecting ads to generate ad revenue. However, some sophisticated variants can capture keystrokes or login data. If you've noticed the hijacker and haven't used banking sites since, you're likely safe. For maximum security, change passwords for email and banking accounts after removal, especially if you use the same password everywhere.
Yes, you can remove it manually by uninstalling suspicious extensions, deleting malware files, and cleaning registry entries. Manual removal works about 70% of the time for common hijackers. However, persistent variants hide additional files or run processes that keep reappearing. If manual steps don't stick after a reboot, scanning with a dedicated tool like Malwarebytes catches what manual removal misses.
Hijackers install multiple components: a browser extension, a system process, and sometimes registry entries or DLL files. If you only remove the extension, the system process relaunches it. Full removal requires hitting all locations. Also, if the malware installed a second legitimate-looking program as cover, that needs uninstalling too.
Resetting clears extensions, cached data, and homepage settings, but it does not delete saved passwords (unless you actively choose to), bookmarks synced to your Google/Microsoft account, or browsing history. Your synced data returns after you sign back in. Autofill data and payment methods are cleared, but you can re-enter them. Always back up critical data first if you're uncertain.
The manual removal steps (uninstall extensions, check homepage settings, clear cache) are identical. However, macOS malware sometimes installs login items or LaunchAgents that Windows doesn't have. On Mac, also check System Preferences > General > Login Items and delete any unfamiliar applications. The removal tool recommendations remain the same across platforms.
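To review the LaunchAgents mentioned above, this added example (not from the original guide) parses every launchd job file in the standard per-user and system folders and notes which jobs start at load, are relaunched when they exit, or point at a program that no longer exists. The folder list is an assumption about a default macOS layout; the script only reads files and changes nothing.

```python
import plistlib
from pathlib import Path

# Standard launchd job folders (assumption: default macOS layout).
LAUNCH_DIRS = [Path.home() / "Library/LaunchAgents",
               Path("/Library/LaunchAgents"),
               Path("/Library/LaunchDaemons")]

def read_job(plist_path):
    """Summarise one launchd job file; plistlib reads both XML and binary plists."""
    record = {"file": str(plist_path), "label": None, "program": None,
              "arguments": [], "notes": []}
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:  # malformed or unreadable file: report it and keep scanning
        job = None
    if not isinstance(job, dict):
        record["notes"].append("unparseable")
        return record
    args = job.get("ProgramArguments")
    if not isinstance(args, list):
        args = []
    # launchd runs Program if present, otherwise the first ProgramArguments entry.
    program = job.get("Program") or (args[0] if args else None)
    record.update(label=job.get("Label"), program=program, arguments=list(args))
    if job.get("RunAtLoad"):
        record["notes"].append("starts at load")
    if job.get("KeepAlive"):
        record["notes"].append("relaunched when it exits")
    if isinstance(program, str) and not Path(program).exists():
        record["notes"].append("program missing on disk")
    return record

def audit_launch_dirs(dirs=LAUNCH_DIRS):
    """Return a record for every *.plist job file in the given folders."""
    jobs = []
    for folder in map(Path, dirs):
        if folder.is_dir():
            jobs.extend(read_job(p) for p in sorted(folder.glob("*.plist")))
    return jobs

if __name__ == "__main__":
    for job in audit_launch_dirs():
        print(job["label"], job["program"], "; ".join(job["notes"]) or "no notes")
```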