A very familiar Penicuik virus removal job walks through the workshop door most weeks: an otherwise healthy laptop where Chrome or Edge has started redirecting every other search to a "shopping deals" page, a fake news site, or a pop-up demanding attention. The homepage keeps changing on its own. The default search engine isn't Google anymore. Extensions the owner never installed have appeared in the toolbar. This isn't quite a virus in the traditional sense — it's a browser hijacker, and it's one of the most common infections we see on Penicuik and Loanhead machines.
The good news is that browser hijackers are a lot less scary than ransomware and, done properly, can usually be cleared without wiping the PC. The bad news is that the "obvious" fix — uninstalling the browser and reinstalling it — very rarely works, because the hijacker doesn't actually live in the browser. This guide walks through what actually needs to happen.
What a Browser Hijacker Actually Is
A browser hijacker is a piece of software (often installed as a browser extension, sometimes as a small Windows app) whose job is to redirect your web traffic through pages that pay whoever wrote it. Most are commercial adware rather than criminal malware — the payload is unwanted ads, sponsored search results, and pop-ups rather than stolen bank details. Some of the nastier ones will also change your default search engine, force-install extra extensions after every browser restart, or track what you type into forms. Either way, they're worth removing.
They almost never get in through a "hack". The usual route is a bundled installer: someone downloads an unofficial PDF converter, a driver updater, or a codec pack from the top Google result, clicks Next through the installer without reading, and quietly agrees to install a "search assistant" and a browser extension at the same time. Our post on signs your PC has a virus covers the wider symptom picture; browser hijacking is the specific version where everything except the browser feels fine.
1. Check Your Browser Extensions First
Open Chrome, click the three-dot menu, then Extensions → Manage Extensions. Look at everything installed. Anything you didn't add yourself and don't recognise — turn off first, then remove. Common offender names we see on Penicuik bench jobs include "PDF Toolbox", "Search Manager", "Deals Finder", "Video Downloader Plus", "Quick Search Bar", and anything with the word "coupon" in it. Do the same for Edge (three-dot menu → Extensions) and Firefox (menu → Add-ons and themes).
Chrome will sometimes grey out the Remove button on a hijacker extension and show a message that it's "installed by your administrator" or "managed by your organisation" — on a home PC that's almost always a hijacker abusing a Windows policy setting rather than a real administrator. Don't panic, but don't try to force it here — that setting needs sorting at Windows level (Step 4).
2. Reset the Browser Properly
Once the visible extensions are gone, do a proper reset rather than trusting the browser is now clean. In Chrome: Settings → Reset settings → Restore settings to their original defaults. This puts the homepage, default search engine and startup pages back, disables anything left in extensions, and clears cookies used for tracking. Edge has the same option under Settings → Reset settings. Firefox has a Refresh Firefox button on its troubleshooting page.
Resetting keeps your bookmarks and saved passwords but wipes the settings the hijacker was using to steer you. If a reset button is greyed out or the reset "completes" but nothing changes, that's another sign the hijacker has planted itself outside the browser — again, Step 4 territory.
3. Scan for the Windows-Side Installer
Because most hijackers arrive with a small helper program on Windows itself, a browser-only clean-up leaves the installer sitting on the machine, quietly re-adding the extension every time it launches. Open Settings → Apps → Installed apps and sort by install date. Look for anything installed near the day the redirects started, anything you don't remember installing, and anything with a generic name like "PDF Helper", "Driver Support", "PC Cleaner" or "Search Protect". Uninstall them.
Then run two on-demand scans, in this order: Malwarebytes (as a second opinion) and Microsoft Defender's Offline scan (Settings → Privacy & security → Windows Security → Virus & threat protection → Scan options). Malwarebytes catches adware and PUPs that Defender ignores; the Defender Offline scan runs from outside Windows and catches things that hide from a running scan. Between the two, we clear the majority of Penicuik hijacker jobs.
4. Deal With the Sneaky Bits: Policies and Scheduled Tasks
This is the part that catches people out. Modern hijackers know that most users will reset the browser or reinstall Chrome, so they plant themselves in two Windows features designed for corporate admins:
- Chrome/Edge policies — registry keys under HKLM\SOFTWARE\Policies\Google\Chrome or the Edge equivalent that force-install extensions, lock the homepage, or block the user from removing them. On a home PC these should be empty; anything sitting there is almost always the hijacker.
- Scheduled tasks — a small task that runs every hour or at every logon and simply re-runs the installer if it's been removed. They usually have vague, official-looking names like "System Update Helper" or "Chrome Optimisation Service".
Clearing these safely takes a bit of care — deleting the wrong registry key or scheduled task can cause other problems — and it's the point at which most customers stop and bring the machine in. If you're comfortable with regedit and Task Scheduler you can inspect them yourself; if not, our virus and malware removal or software troubleshooting team handles this on the bench in about an hour, and we can also do it over remote support if the machine is otherwise usable.
5. A Bench Example From Penicuik
A recent EH26 job: a laptop where Chrome kept opening a fake "Amazon deals" tab every twenty minutes or so, and the default search had switched from Google to something called "SafeFinder". The owner had already reinstalled Chrome twice and run a Norton scan that came back clean. The extension list looked innocent. The hidden cause was two-fold: a "PDF Toolbox" extension that Chrome was flagging as installed by an administrator, and a scheduled task called "Update Assistant" that ran every logon and re-injected it. Once the registry policy was cleared, the scheduled task removed, and Malwarebytes finished a scan, the laptop was clean and stayed clean.
What stood out on that job — and it's the pattern on most of these — is that the underlying laptop was fine. Nothing was slow, nothing had been encrypted, no data was at risk. Compare that with our ransomware protection guide, where the whole point is preventing catastrophic file damage. Browser hijackers are annoying rather than dangerous, but they're a strong indicator that the machine's software habits (downloads from ad-heavy sites, ignored consent boxes) need a small course correction.
Keeping It Gone
Once the machine is clean, a few small habits keep it that way. Download software from the vendor's own site rather than the first Google result — a lot of top ad slots for names like "VLC" or "7-Zip" are impersonators bundling adware. During any installer, read the small print and untick anything about "recommended offers", "search assistants" or "start pages". Keep browser extensions minimal — every one you add is a permission to read every page you visit. And when a pop-up on a website tells you your Chrome is out of date and offers to update it, close the tab; real browser updates never come from a website. Our related pieces on spotting tech support scams and phishing scams cover the wider social-engineering side of this in more depth.
Neighbourhood Notes
Browser hijackers turn up on Penicuik, Loanhead, Roslin and Bonnyrigg laptops in about the same proportion as anywhere else in Midlothian — this isn't a local problem, it's a category of infection that follows anyone who downloads a lot of add-on tools from ad-heavy sites. That said, we do notice it more on machines used by more than one person: family PCs where one member installs a "helper" program and everyone else inherits the redirects. If the same laptop is shared in your household, splitting into separate Windows user accounts is often the single most effective preventative fix, and it takes about ten minutes to set up.
The Short Version
If Chrome or Edge in Penicuik keeps redirecting to strange sites or dumping pop-up ads, don't reinstall the browser and don't factory-reset the PC. Remove any extensions you don't recognise, reset the browser to defaults, uninstall recently-added Windows programs you don't remember installing, and run Malwarebytes plus a Defender Offline scan. If the redirects come back, the hijacker has planted itself in Chrome policies or a scheduled task — that's the point to bring it in, and it's a straightforward bench job from there.
Last updated: 13 July 2026