If a browser extension keeps reinstalling itself, the extension folder is usually only the visible symptom. Something else is restoring it: browser sync, an enterprise-style policy, a companion app, a scheduled task, a startup entry, or adware running in the user profile. Remove the restoring source first, then remove the extension and reset the browser.
If the recurring clue is Chromnius, ChromniusEdge, an ExtensionSeed folder, or a WorldWideWeb scheduled task, use the Chromnius removal guide before resetting the browser again.
After the restoring source is removed, follow the Chrome speed cleanup guide to check Chrome Task Manager, Memory Saver, cache, and any remaining extension load.
This matters when an extension appears in Chrome, Edge, Brave, or Opera without consent, injects ads, changes search, asks for broad site access, manages other extensions, or returns after you delete it. Treat that as a browser-hijacker or PUA persistence problem until you prove it is only a sync mistake.
If the visible clue is a domain such as ultahost.gl sending fake alerts or reopening tabs, start with the Ultahost.gl pop-ups removal checklist, then return here if an extension or policy keeps restoring the behavior.
Why the extension comes back
Recurring extensions usually return through one of these paths:
- Sync restores it. The extension is still attached to your Google, Microsoft, or Opera profile and returns after sign-in.
- A browser policy forces it. Chrome and Edge both support managed extension policies. Legitimate administrators use them, but adware can abuse the same policy area on personal PCs.
- A companion program reinstalls it. A recently installed “PDF”, “coupon”, “download helper”, “cleaner”, “ad blocker”, or game/mod tool may recreate the extension.
- A scheduled task or startup entry reloads it. Tasks under AppData, ProgramData, or a random vendor folder can rewrite browser settings after every reboot.
- The browser profile is still contaminated. Deleting one extension directory does not clean preferences, local state, policy, sync data, or another profile.
A June 2026 D3Lab case shows why policy clues matter: a malicious Chrome extension used Native Messaging as a bridge from browser data to Windows commands. See the related security news on the Chrome Native Messaging cookie backdoor if an unknown extension appears with a local host, PowerShell activity, or session-cookie exposure.
If the returning extension is tied to a fake search provider, compare it with exact-domain cases such as the Nextgeeker.com redirect, where sync, browser policies, and companion apps can restore the hijack after a reset.
Record clues before deleting it
Open the browser extension page and turn on developer mode if the browser offers it. Write down the extension name, ID, permissions, source path, and whether it says Installed by your administrator, Managed by your organization, or from another store. These clues tell you where to look next. If the main clue is the browser-wide Managed by your organization message on a personal PC, use the managed browser policy removal guide before deleting random registry keys.
How to check an unknown Chrome extension ID
A 32-character Chrome or Edge extension ID is a lookup key, not a malware verdict by itself. Copy the ID from the extension page, search for the exact ID, compare the extension name and publisher with what appears in your browser, and then decide from the full context: did you install it, does it ask for broad permissions, is it forced by policy, and does it return after removal?
Some IDs resolve to ordinary-looking Web Store entries, while others point to monitoring or hijacking behavior. For example, ekpkdmohpdnebfedjjfklhpefgpgaaji currently maps to Tackker / Free Keylogger Tool – Child Monitor, a browser monitoring extension that publicly describes keystroke and browsing-history logging [4]. If a monitoring extension appears without informed consent, remove it, pause sync, check policy entries, scan for the installer or companion app that added it, and rotate passwords for accounts used while it was active.
Current AI-branded extensions are another useful warning sign. Microsoft reported a malicious Chromium extension named Search for perplexity ai that spoofed Perplexity AI, changed search behavior, and routed address-bar input through attacker-controlled infrastructure before Google removed it from the store [3]. Removal from the store does not clean browsers where it was already installed, so users still need to uninstall the extension, reset search and new-tab settings, and check whether sync or policy brings it back.
| Clue | What it usually means |
|---|---|
| Same extension returns after sign-in | Sync or browser import is restoring it. |
| Cannot remove it from the browser UI | A policy may be force-installing it. |
| It returns after reboot | A startup item, scheduled task, service, or companion app may be reinstalling it. |
| It appears in several browsers | Look for a Windows-level app, policy, or adware component, not only one browser profile. |
| It has broad site access or history permissions | Assume possible data exposure and review passwords/sessions after cleanup. |
If the returning item is a Malwarebytes detection named Trojan.FakeGoogleJS, first preserve the full AppData or extension-folder path. Our Trojan.FakeGoogleJS cleanup guide explains how to separate fake extension files, browser sync, and scheduled-task persistence.
One current fixed-ID case is the ModHeader malware warning. If Chrome or Edge disabled it, compare the extension ID and version before deleting only the matching profile storage.
Clean it in the right order
- Pause sync and auto-import first. Sign out of the affected browser or pause sync. In Edge, also check profile import settings if it keeps copying Chrome extensions back. Do not turn sync on again until the local machine is clean.
- Check browser policy pages. Open
chrome://policy,edge://policy,brave://policy, or the equivalent Chromium policy page. Look for extension-related entries such asExtensionSettingsorExtensionInstallForcelist. Google and Microsoft document these as administrator controls for force-installed extensions [1] [2]. On a work or school device, ask the administrator. On a personal PC, unexpected extension policies are suspicious and should be investigated together with installed apps and startup entries. - Resolve the extension ID before deleting evidence. If the browser shows only an ID, map it to the extension name first. Keep a note of the ID, name, publisher, permissions, source path, and install source so you can tell the difference between a sync mistake, a forced policy, a monitoring extension, and a search hijacker.
- Remove suspicious installed apps. Sort Windows installed apps by date. Uninstall unknown ad blockers, shopping helpers, search tools, downloaders, “web protectors”, cracked-software helpers, or bundles installed near the first extension appearance.
- Inspect startup persistence. Check Startup Apps, Task Scheduler, Services, and the Startup folders. Be especially careful with entries launching from
%AppData%,%LocalAppData%,%ProgramData%,%Temp%, or a random folder name. If the restoring app is App Explorer/SweetLabs/Pokki, use the Host App Service removal guide to check its updater, scheduled task, and browser leftovers. Disable only items you understand or can clearly connect to the unwanted extension. - Close every browser process. Use Task Manager to end Chrome, Edge, Brave, Opera, and their background update/helper processes before removing profile leftovers.
- Remove the extension from the browser UI. Use the browser’s Extensions page first. If the extension is unpacked and points to a local profile folder, delete that specific extension folder only after the restoring process is stopped.
- Reset browser settings after the source is gone. Reset search, startup page, new tab, notification permissions, and site permissions. If the extension changed search or redirects, see Gridinsoft’s PUA and browser hijacker removal guide for the broader cleanup order.
- Match exact adware labels first. If the cleanup involves
SpecialSearchOffer, BrowserAssistant, or aNetTwoUpdaterscheduled task, follow the SpecialSearchOffer adware removal steps, then return here for managed-policy or extension-reinstall checks. - Scan for PUA/adware persistence. Run Gridinsoft Anti-Malware if the extension returns, appears in multiple browsers, arrived after a bundle, or created ads/redirects. A scan is useful here because the visible extension may be reinstalled by a separate Windows component.
If the extension was forced by policy, came with an unknown Windows app, or returns after reboot, the visible browser add-on may be only one part of the cleanup. Gridinsoft Anti-Malware can check for bundled apps, startup entries, scheduled tasks, hidden files, browser changes, and other persistence that may reinstall the extension after manual removal.
If redirects, notifications, extensions, homepage changes, or managed policies return after browser cleanup, the source is often outside the browser: an installed app, policy, scheduled task, or startup entry.
Scan for extension leftoversWhere to check in each browser
| Browser | Useful places to check |
|---|---|
| Chrome | chrome://extensions, chrome://policy, sync settings, and profile folders under %LocalAppData%\Google\Chrome\User Data. |
| Microsoft Edge | edge://extensions, edge://policy, profile import settings, and profile folders under %LocalAppData%\Microsoft\Edge\User Data. |
| Brave | brave://extensions, brave://policy, sync chain settings, and profile folders under %LocalAppData%\BraveSoftware\Brave-Browser\User Data. |
| Opera | opera://extensions, sync settings, startup settings, and profile data under %AppData%\Opera Software or %LocalAppData%\Programs\Opera. |
When to change passwords
Some malicious extensions do more than restore themselves. Microsoft’s StegoAd takedown showed how Edge add-ons could target credentials and session cookies, so users who installed one should also review the StegoAd Edge extension response steps.
Change passwords only after the extension and its restoring source are gone. Prioritize email, browser-synced accounts, banking, work accounts, password manager, social media, and gaming accounts if the extension had permissions for browsing history, all-site access, clipboard activity, notifications, downloads, or extension management. Also sign out of other sessions where the account provider offers that option.
If you are unsure whether an extension is malicious, compare its permissions with Gridinsoft’s browser extension safety checklist. Broad access is not automatically malware, but broad access plus silent installation or reinstallation is enough reason to clean the PC and review sensitive accounts.
What not to do
- Do not repeatedly delete the same extension folder while the browser is still running. The restoring process may immediately recreate it.
- Do not remove corporate or school policies from a managed device. If the PC belongs to an organization, contact IT.
- Do not reinstall the browser as the first fix. Reinstalling often keeps the same sync account, policies, tasks, or Windows-level app.
- Do not install more random “extension remover” tools. That can add another PUA to the same problem.
If the returning extension is Easy Search and the browser briefly opens easysearching.net, use the Easysearching.net cleanup checklist after these reinstall checks.
When the returning extension also causes the browser to open multiple tabs by itself, widen the cleanup to startup URLs, notification permissions, shortcuts, and Windows scheduled tasks.
FAQ
Why does the extension return after I delete its folder?
Because another source is probably restoring it. Check browser sync, policy pages, recent installed apps, scheduled tasks, startup entries, and AppData or ProgramData helpers before deleting the folder again.
Does “Managed by your organization” always mean malware?
No. It is normal on school or work devices. On a personal PC, unexpected browser policy entries deserve investigation because unwanted software can use policy mechanisms to force-install extensions.
Should I reset Chrome or Edge?
Resetting helps only after the restoring source is removed. If you reset first, the same sync account, policy, task, or companion app can bring the extension back.
Can a browser extension steal passwords?
Some extensions can read page content or browsing activity depending on their permissions. If the extension had broad site access or appeared without consent, clean the device first, then change important passwords and revoke suspicious sessions.
For an exact-name case that follows this pattern, the Easy Online Templates adware guide shows how to remove the extension and then check sync, notifications, and Windows persistence.
References
- Chrome Enterprise. “ExtensionSettings: Extension management settings.” Google, accessed June 1, 2026. https://chromeenterprise.google/policies/extension-settings/
- Microsoft Learn. “ExtensionInstallForcelist.” Microsoft, last updated May 22, 2026, accessed June 1, 2026. https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies/ExtensionInstallForcelist
- Microsoft Threat Intelligence. “Chromium extension uses AI-related branding to redirect browser search.” Microsoft Security Blog, June 29, 2026, accessed July 7, 2026. https://www.microsoft.com/en-us/security/blog/2026/06/29/chromium-extension-uses-airelated-branding-redirect-browser-search/
- Chrome Web Store. “Free Keylogger Tool – Child Monitor Tackker.” Google, accessed July 7, 2026. https://chromewebstore.google.com/detail/free-keylogger-tool-child/ekpkdmohpdnebfedjjfklhpefgpgaaji

