Extension Keeps Returning?

Brendan Smith
Brendan Smith - Cybersecurity Analyst
9 Min Read
Browser extension returns after removal because sync, policy, or startup persistence restores it.
Browser extension returns after removal because sync, policy, or startup persistence restores it.

If a browser extension keeps reinstalling itself, the extension folder is usually only the visible symptom. Something else is restoring it: browser sync, an enterprise-style policy, a companion app, a scheduled task, a startup entry, or adware running in the user profile. Remove the restoring source first, then remove the extension and reset the browser.

This matters when an extension appears in Chrome, Edge, Brave, or Opera without consent, injects ads, changes search, asks for broad site access, manages other extensions, or returns after you delete it. Treat that as a browser-hijacker or PUA persistence problem until you prove it is only a sync mistake.

Why the extension comes back

Recurring extensions usually return through one of these paths:

  • Sync restores it. The extension is still attached to your Google, Microsoft, or Opera profile and returns after sign-in.
  • A browser policy forces it. Chrome and Edge both support managed extension policies. Legitimate administrators use them, but adware can abuse the same policy area on personal PCs.
  • A companion program reinstalls it. A recently installed “PDF”, “coupon”, “download helper”, “cleaner”, “ad blocker”, or game/mod tool may recreate the extension.
  • A scheduled task or startup entry reloads it. Tasks under AppData, ProgramData, or a random vendor folder can rewrite browser settings after every reboot.
  • The browser profile is still contaminated. Deleting one extension directory does not clean preferences, local state, policy, sync data, or another profile.

Record clues before deleting it

Open the browser extension page and turn on developer mode if the browser offers it. Write down the extension name, ID, permissions, source path, and whether it says Installed by your administrator, Managed by your organization, or from another store. These clues tell you where to look next.

Clue What it usually means
Same extension returns after sign-in Sync or browser import is restoring it.
Cannot remove it from the browser UI A policy may be force-installing it.
It returns after reboot A startup item, scheduled task, service, or companion app may be reinstalling it.
It appears in several browsers Look for a Windows-level app, policy, or adware component, not only one browser profile.
It has broad site access or history permissions Assume possible data exposure and review passwords/sessions after cleanup.

If the returning item is a Malwarebytes detection named Trojan.FakeGoogleJS, first preserve the full AppData or extension-folder path. Our Trojan.FakeGoogleJS cleanup guide explains how to separate fake extension files, browser sync, and scheduled-task persistence.

Clean it in the right order

  1. Pause sync and auto-import first. Sign out of the affected browser or pause sync. In Edge, also check profile import settings if it keeps copying Chrome extensions back. Do not turn sync on again until the local machine is clean.
  2. Check browser policy pages. Open chrome://policy, edge://policy, brave://policy, or the equivalent Chromium policy page. Look for extension-related entries such as ExtensionSettings or ExtensionInstallForcelist. Google and Microsoft document these as administrator controls for force-installed extensions [1] [2] [3]. On a work or school device, ask the administrator. On a personal PC, unexpected extension policies are suspicious and should be investigated together with installed apps and startup entries.
  3. Remove suspicious installed apps. Sort Windows installed apps by date. Uninstall unknown ad blockers, shopping helpers, search tools, downloaders, “web protectors”, cracked-software helpers, or bundles installed near the first extension appearance.
  4. Inspect startup persistence. Check Startup Apps, Task Scheduler, Services, and the Startup folders. Be especially careful with entries launching from %AppData%, %LocalAppData%, %ProgramData%, %Temp%, or a random folder name. Disable only items you understand or can clearly connect to the unwanted extension.
  5. Close every browser process. Use Task Manager to end Chrome, Edge, Brave, Opera, and their background update/helper processes before removing profile leftovers.
  6. Remove the extension from the browser UI. Use the browser’s Extensions page first. If the extension is unpacked and points to a local profile folder, delete that specific extension folder only after the restoring process is stopped.
  7. Reset browser settings after the source is gone. Reset search, startup page, new tab, notification permissions, and site permissions. If the extension changed search or redirects, see Gridinsoft’s PUA and browser hijacker removal guide for the broader cleanup order.
  8. Scan for PUA/adware persistence. Run Gridinsoft Anti-Malware if the extension returns, appears in multiple browsers, arrived after a bundle, or created ads/redirects. A scan is useful here because the visible extension may be reinstalled by a separate Windows component.
After manual cleanup: reboot Windows and run a full scan to check startup entries, scheduled tasks, bundled apps, and hidden files that may restore the threat.

Where to check in each browser

Browser Useful places to check
Chrome chrome://extensions, chrome://policy, sync settings, and profile folders under %LocalAppData%GoogleChromeUser Data.
Microsoft Edge edge://extensions, edge://policy, profile import settings, and profile folders under %LocalAppData%MicrosoftEdgeUser Data.
Brave brave://extensions, brave://policy, sync chain settings, and profile folders under %LocalAppData%BraveSoftwareBrave-BrowserUser Data.
Opera opera://extensions, sync settings, startup settings, and profile data under %AppData%Opera Software or %LocalAppData%ProgramsOpera.

When to change passwords

Change passwords only after the extension and its restoring source are gone. Prioritize email, browser-synced accounts, banking, work accounts, password manager, social media, and gaming accounts if the extension had permissions for browsing history, all-site access, clipboard activity, notifications, downloads, or extension management. Also sign out of other sessions where the account provider offers that option.

If you are unsure whether an extension is malicious, compare its permissions with Gridinsoft’s browser extension safety checklist. Broad access is not automatically malware, but broad access plus silent installation or reinstallation is enough reason to clean the PC and review sensitive accounts.

What not to do

  • Do not repeatedly delete the same extension folder while the browser is still running. The restoring process may immediately recreate it.
  • Do not remove corporate or school policies from a managed device. If the PC belongs to an organization, contact IT.
  • Do not reinstall the browser as the first fix. Reinstalling often keeps the same sync account, policies, tasks, or Windows-level app.
  • Do not install more random “extension remover” tools. That can add another PUA to the same problem.

FAQ

Why does the extension return after I delete its folder?

Because another source is probably restoring it. Check browser sync, policy pages, recent installed apps, scheduled tasks, startup entries, and AppData or ProgramData helpers before deleting the folder again.

Does “Managed by your organization” always mean malware?

No. It is normal on school or work devices. On a personal PC, unexpected browser policy entries deserve investigation because unwanted software can use policy mechanisms to force-install extensions.

Should I reset Chrome or Edge?

Resetting helps only after the restoring source is removed. If you reset first, the same sync account, policy, task, or companion app can bring the extension back.

Can a browser extension steal passwords?

Some extensions can read page content or browsing activity depending on their permissions. If the extension had broad site access or appeared without consent, clean the device first, then change important passwords and revoke suspicious sessions.

References

  1. Google Chrome Enterprise Help. “Automatically install apps and extensions.” Google, accessed June 1, 2026. https://support.google.com/chrome/a/answer/6306504?hl=en-EN
  2. Chrome Enterprise. “ExtensionSettings: Extension management settings.” Google, accessed June 1, 2026. https://chromeenterprise.google/policies/extension-settings/
  3. Microsoft Learn. “ExtensionInstallForcelist.” Microsoft, last updated May 22, 2026, accessed June 1, 2026. https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies/ExtensionInstallForcelist
  4. Microsoft Support. “Microsoft Edge Extensions: Frequently Asked Questions.” Microsoft, accessed June 1, 2026. https://support.microsoft.com/en-us/edge/microsoft-edge-extensions-frequently-asked-questions
What Is OmApSvcBroker.exe?
PUADlManager:Win32/InstallCore: Meaning and Removal
Trojan:PDF/Phish.A
Odyssey Stealer: Russian ‘Love Trump’ Malware Replaces Ledger Live Crypto Wallet App
Win.MxResIcn.Heur.Gen
TAGGED:
Share This Article
ByBrendan Smith
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Previous Article WP Maps Pro CVE-2026-8732 WordPress administrator account creation risk WP Maps Pro CVE-2026-8732
Next Article Editorial poster showing a Netlogon RCE warning hitting a domain controller vault. Netlogon CVE-2026-41089 RCE
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?