A fake Chrome update virus is a scam page that pretends Chrome needs an urgent update, then pushes you toward running a command, downloading a file, or allowing a fake fix. If a browser page opened Terminal, Command Prompt, PowerShell, or typed something by itself, treat it as a malware incident, not as a normal Chrome update.
Fake update lures can also deliver files that are not what they appear to be; the sysupdate.jpeg malware cleanup guide explains one fake-image chain that installs remote access through ScreenConnect.
First checks after a fake Chrome update opened Terminal
- Disconnect from the internet if a command is still running or new windows keep appearing.
- Do not copy, paste, or rerun the command. Do not close the evidence before noting what happened.
- Scan the PC fully and check startup entries, scheduled tasks, browser extensions, and recent downloads.
- Change passwords from a clean device if any script, installer, or command executed.
| Threat type | Fake update / ClickFix-style social engineering / script malware |
| Common signs | Fake Chrome relaunch/update message, loud alert, terminal opened, command typed, PowerShell or CMD activity |
| Main risk | Infostealer, remote script, browser hijacker, token theft, account compromise |
| Safe action | Stop the command, scan the device, secure accounts from a clean device, and remove persistence. |
What probably happened?
Chrome updates do not require a random website to open Windows Terminal, PowerShell, Command Prompt, or Run. Real Chrome updates happen through Chrome’s own updater or through your managed company software. A recipe site, download page, streaming page, or pop-up cannot legitimately update Chrome by typing commands into your system.
Microsoft has documented ClickFix-style attacks where a page convinces users to paste or run commands in Windows tools [1]. Some fake-fix pages also try to place a command on the clipboard or guide the user through a keyboard sequence. The visible story may be “Chrome update”, “browser crash”, “verification”, or “fix this error”; the real goal is to run attacker-controlled code.
First steps if the command ran
- Disconnect from Wi-Fi or unplug Ethernet if the script is still active.
- Take a photo of any visible command, file path, domain, or error message.
- Close the browser and Terminal/PowerShell windows.
- Do not restore the same browser session.
- Run a full scan with GridinSoft Anti-Malware.
- Check Task Scheduler, Startup Apps, Services, browser extensions, and recently downloaded files.
- Change email, Microsoft/Google, banking, crypto, Discord, and work passwords from a clean device if the command executed.
Fake update and ClickFix chains may call mshta.exe as the next-stage host. If blank mshta.exe windows keep appearing after the browser is closed, follow the mshta.exe blank-window cleanup steps as well.
What to check after a fake update command
| PowerShell history | Recent commands that downloaded or executed remote content. |
| Downloads and Temp | Unknown EXE, MSI, JS, VBS, BAT, CMD, PS1, ZIP, or random-name files. |
| Task Scheduler | New tasks that launch PowerShell, CMD, mshta, wscript, browser, or unknown files. |
| Browser | New extensions, notification permissions, changed search/homepage, managed policies. |
| Accounts | New sign-ins, recovery changes, Discord spam, email forwarding rules, OAuth apps. |
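The first three rows of this table can be listed with a read-only PowerShell script. This is an added example, not part of the original guide; the two-day look-back window and the pattern lists are assumptions to adjust, and the Run dialog check is an extra step beyond the table.

```powershell
# Read-only triage for the PowerShell history, Downloads/Temp and Task Scheduler rows.
# Assumptions (not from the article): the 2-day window and the pattern lists below.
$since = (Get-Date).AddDays(-2)
$hosts = 'powershell|pwsh|cmd|mshta|wscript'
$fetch = 'Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression|\b(iwr|irm|iex|curl|wget)\b|' +
         'DownloadString|DownloadFile|Start-BitsTransfer|-enc|https?://'
$exts  = '.exe', '.msi', '.js', '.vbs', '.bat', '.cmd', '.ps1', '.zip'

Write-Host "`n== PowerShell history lines that fetch or execute remote content =="
$hist = (Get-PSReadLineOption).HistorySavePath
if ($hist -and (Test-Path $hist)) {
    Select-String -Path $hist -Pattern $fetch |
        Format-Table LineNumber, Line -AutoSize -Wrap
}

# PSReadLine only records commands typed into a console. Commands launched
# from the Run dialog (Win+R) are kept in the RunMRU registry key instead.
Write-Host "`n== Run dialog history =="
$mru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $mru) {
    $props = (Get-ItemProperty -Path $mru).PSObject.Properties
    $props | Where-Object { $_.Name -match '^[a-z]$' } |
        Format-Table Name, Value -AutoSize -Wrap
}

Write-Host "`n== Recent script, installer and archive files in Downloads and Temp =="
Get-ChildItem -Path "$env:USERPROFILE\Downloads", $env:TEMP -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since -and $exts -contains $_.Extension } |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, Length, FullName -AutoSize -Wrap

Write-Host "`n== Scheduled tasks that launch a script host or shell =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $hosts) {
            [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Command = $cmd }
        }
    }
} | Format-List
```

Many legitimate scheduled tasks also start `cmd` or `powershell`, so treat the last list as candidates to review against the time of the incident. The Browser and Accounts rows still need a manual check.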
If this happened on a company laptop
Stop using the device for work accounts and tell your IT/security team as soon as possible. Do not try to hide the event by deleting logs. The useful details are the website, time, command window, files created, and any alerts. If the company uses endpoint protection, they may need to isolate the device and collect logs.
How real Chrome updates work
Real Chrome updates do not ask you to install a random file from an unrelated website. Google documents Chrome updates through Chrome settings and normal update prompts [2]. If a page outside Chrome settings says “Chrome update required” and then asks you to run a command, close it.
FAQ
Can a website really open PowerShell by itself?
A normal website should not silently control PowerShell, but social-engineering pages can trick users into running commands or abuse browser/system prompts. Treat unexpected terminal activity as suspicious.
Is turning off the laptop enough?
No. It may stop the current command, but dropped files, scheduled tasks, or stolen sessions may remain. Scan and secure accounts.
Should I change passwords immediately?
Use a clean device first. Changing passwords on a still-infected PC can expose the new credentials.
Was Chrome itself infected?
Usually the page is fake, not Chrome. Still check extensions, notification permissions, and managed policies after cleanup.

