Browser Hijacker Removal Guide (Windows 11, 2026)

Open chrome://policy in your address bar. If you see entries like DefaultSearchProviderEnabled, HomepageLocation, or ExtensionInstallForcelist — those aren’t your settings. A browser hijacker injected Chrome enterprise policies into your Windows Registry, and that’s why changing your homepage or search engine back does nothing. The settings are grayed out because the hijacker is using Chrome’s own management features against you. You can reinstall Chrome, clear all browsing data, even factory reset the browser — the hijacker survives all of it because the policy lives in the registry, not in Chrome’s data folder.

The names we clean most often right now are Bangsearch.pro, Yglsearch, ActiveSearchBar, Qltuh, CelestialQuasaror, and MegaGuard. New variants pop up every couple weeks because the infrastructure is easy to clone. Stanford’s Internet Observatory reported over 280 million downloads of malicious browser extensions in 2025, and a single incident in July compromised 2.3 million Chrome and Edge users. Those are just the extension-based ones — doesn’t count the ones bundled with free software installers.

Kill the Policy First

This is the step most online guides skip or bury at the bottom. Open Registry Editor — Win+R, type regedit, Enter. Navigate to these locations and delete the Chrome folder under each:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome — delete the entire Chrome folder if you’re not on a managed work computer.

HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome — same thing.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update — some hijackers set update policies here to prevent Chrome from auto-updating, which would otherwise remove the hijacker when Google updates its malicious extension blocklist.

For Edge: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge and the HKCU equivalent.

Restart Chrome. The “Your browser is managed by your organization” banner should disappear and your homepage and search engine settings become editable again. If the banner comes back after a reboot, you’ve got a persistence mechanism reinstalling the policy — keep reading.

Extensions and Task Scheduler

Go to chrome://extensions, turn on Developer Mode (toggle in the top right), and remove everything you didn’t deliberately install from the Chrome Web Store. Don’t just disable — click Remove. Disabled hijacker extensions can re-enable themselves through scheduled tasks. Anything with “PDF,” “Helper,” “Safe Search,” “Web Protection,” or “Enhanced Search” in the name that you don’t recognize is suspect. Stanford found hijacker extensions survive on the Web Store for an average of 380 days before detection, so it may have looked legitimate when you installed it months ago.

If an extension’s Remove button is grayed out, you haven’t finished the registry cleanup above — the policy is force-installing it. Go back and make sure you deleted those registry keys.

Now open Task Scheduler — Win+R, taskschd.msc. This is where most DIY removal attempts fall apart and why the hijacker keeps coming back after people think they’ve cleaned it. Hijacker tasks use names designed to look harmless: “ChromeUpdate,” “BrowserMaintenance,” “SystemHealthCheck,” sometimes random strings. Click each suspicious entry and check the Actions tab. If the action runs a PowerShell script, a .bat file from a Temp directory, or an .exe from an AppData folder, that’s your persistence mechanism. I’ve seen one called “MicrosoftEdgeUpdateTask” — close enough to a real Edge task that most people skip right past it. Delete it. Also check Task Manager’s Startup tab — entries with no publisher or pointing to executables in AppData\Local\Temp are almost never legitimate.

One last hiding spot nobody checks: C:\Windows\System32\drivers\etc\hosts. Open it with Notepad as admin. A clean hosts file is mostly comments (lines starting with #). If you see google.com, bing.com, or any legitimate domain mapped to random IP addresses, that’s hosts-file hijacking — oldest trick in the book and still effective because nobody looks there.

Reset and Scan

Once persistence is gone, reset the browser. Chrome: Settings, Reset Settings, “Restore settings to their original defaults.” Firefox: type about:support, click “Refresh Firefox” — this is more aggressive, creates a new profile entirely, which is exactly what you want. Bookmarks and saved passwords survive both.

Run Windows Defender full scan — Settings, Privacy & Security, Windows Security, Virus & threat protection, Full Scan. Then Malwarebytes Free for a second opinion — it catches PUPs that Defender’s default settings sometimes ignore. Our full malware removal guide covers the Safe Mode scanning technique for deeper infections.

Check your DNS settings too. Some hijackers don’t touch the browser at all — they change your DNS so all web traffic gets rerouted through their servers. Command Prompt, ipconfig /all, look at the DNS Servers line for your active adapter. Should be your router IP, your ISP, or a public DNS you set yourself. Unfamiliar addresses you never configured? Change them to 8.8.8.8 and 1.1.1.1. Our DNS guide covers the full diagnostic if you suspect DNS-level tampering. Also log into your router (192.168.1.1 or 192.168.0.1) and check DNS there — some malware that gains router access changes DNS at the router level, affecting every device on the network.

After removing a hijacker, change passwords for any accounts you logged into while it was active. Hijacker extensions with broad permissions can read everything you type into web forms. Install uBlock Origin to block the malvertising chains that deliver hijackers in the first place. For software downloads, use official websites or Ninite.com, and read every screen during installation wizards — uncheck “Install recommended browser extension” and “Set as default search engine,” which are pre-checked by default. If the hijacker keeps coming back after all this, we can find the persistence mechanism remotely — average session takes about 20 minutes because we know exactly where to look.