If Google shows “You’ve been signed out for your protection” on a Google-owned sign-in page and mentions malware or suspicious activity, treat it as an account-security warning—not proof that Google identified a malware family or remotely scanned the device. Stop retrying from the same browser. Use a trusted phone or computer to review Google security events and sessions, clean the affected browser and device, and only then sign in again.
First, make sure the warning is really from Google
A genuine sign-in warning appears on a Google-owned address such as accounts.google.com. Google Account Help says that when the sign-in box redirects you to its suspicious-activity page, Google detected suspicious account activity.[1] That still does not tell you which program caused it or prove active malware is present.
Treat the message as fake if it appears only inside an unrelated website, browser notification, pop-up, or email and tells you to call a phone number, pay, download a cleaner, install remote-access software, or enter the password on a non-Google domain. Close that page and type myaccount.google.com yourself instead of following its button.
| What you see | Risk and next action |
|---|---|
The warning is on accounts.google.com |
Use a trusted device to review account events and sessions, then clean the browser or device that was rejected. |
| A random page or notification claims Google found malware | Do not call, pay, download, or sign in. Close it, revoke the site’s notification permission, and open Google Account settings directly. |
| Google shows an unfamiliar device, security event, recovery change, or sent activity | Treat the account as compromised. Sign out the unfamiliar session, change the password from a trusted device, and review recovery and third-party access. |
| Account events look normal and device scans are clean | Do not invent a malware diagnosis. After the security checks, clear Google site data or try a fresh browser profile to rule out damaged sign-in state. |
| The exact warning returns after cleanup | Stop repeated attempts from that profile. Recheck extensions, synced browser data, installed apps, sessions, and the deeper escalation steps below. |
Secure the Google Account from a trusted device
Use a phone or computer that is updated and does not show the same warning. If unknown account activity is happening now, secure the account before spending time on browser troubleshooting.
- Review recent security events. In Google Account → Security & sign-in, open Recent security events. Mark unfamiliar activity as not yours and follow Google’s recovery steps.[1]
- Review devices and sessions. Open Your devices → Manage all devices. Google may list several sessions for one device; inspect the browser, location, and last activity, then sign out anything you do not recognize.[2]
- Change the password when compromise is possible. Do this from the trusted device if you saw unknown activity, a password change, a recovery change, or a session that is not yours. Replace reused passwords on other important accounts too.
- Check recovery and verification settings. Remove unknown recovery email addresses, phone numbers, passkeys, app passwords, or 2-Step Verification methods. Add a strong verification method you control.
- Review third-party connections. Remove an app or service you do not recognize or no longer use. A password change and a third-party access grant are separate controls.
A password change is important, but do not treat it as the only step. A stolen browser session, an unfamiliar device, or an authorized third-party connection must be reviewed in its own account panel.
Check Chrome or Edge for the trigger
- Remove extensions you did not choose. Review the extension list in every browser profile. Remove unknown download helpers, search tools, coupon add-ons, PDF converters, VPNs, or extensions that came from a recent installer.
- Check browser symptoms. An unwanted homepage, changed search engine, repeated redirects, new tabs, returning extensions, or virus-alert pages are stronger local evidence than the Google warning alone. Google lists these as signs of unwanted software or malware.[3]
- Revoke abusive site permissions. Remove notification, pop-up, redirect, camera, microphone, and clipboard permissions from unfamiliar sites.
- Reset changed browser settings. Chrome’s Reset settings option restores the search engine, homepage, startup pages, content settings, cookies, extensions, and themes without deleting bookmarks or saved passwords.[3] Re-enable only extensions you trust.
- Use a fresh profile only after cleanup. A new browser profile can separate damaged cookies or synced settings from the cleaned device. It is a troubleshooting step, not proof that malware is gone.
If redirects, managed-browser messages, or unknown extensions keep returning, follow the deeper browser hijacker removal guide. For an example of malware abusing a browser connection to steal session cookies, see the Chrome session-cookie backdoor analysis.
Scan the Windows PC before signing in again
- Open Settings → Apps → Installed apps and sort by install date. Remove an unwanted app only when you can connect it to the warning, browser changes, or a recent suspicious download.
- Update Windows Security, run a Full scan, and keep confirmed or unknown detections quarantined while you record their names and paths.
- Run a full Gridinsoft Anti-Malware scan after the manual browser and app review. Remove confirmed detections, reboot, and scan again if the warning or browser symptoms return.
- Check whether security settings, proxy/DNS settings, extensions, startup items, or scheduled tasks return after reboot. The Windows post-malware audit covers these persistence points in more detail.
Clearing cookies or deleting one extension does not check the rest of Windows for an unwanted app, startup entry, scheduled task, or other persistence that may have exposed a Google session. A scan can find local malware and browser changes; it cannot restore a stolen session or prove that no account data was accessed.
If a token stealer ran here, logging back in can hand the attacker your new Discord session, email cookie, Steam token, or wallet access. Scan this Windows PC first, then reset passwords from a clean device.
Scan before signing in againRetry Google sign-in in the right order
- Finish the trusted-device account review and the affected-device cleanup.
- Update the browser and operating system.
- Clear Google cookies and site data in the affected browser, or open a fresh clean profile.
- Sign in by typing
accounts.google.comdirectly. - Return to Google Account Security and confirm that the new session, device, recovery details, and third-party connections are expected.
Do not use Incognito mode as a malware fix. It can test a separate cookie state, but it does not remove an unwanted extension running outside Incognito, an installed app, or Windows persistence.
What if every scan is clean?
A clean scan lowers the evidence for local malware; it does not make the account review optional. Confirm that recent security events, devices, recovery details, third-party connections, browser extensions, and installed apps are all expected. If those checks are clean too, a damaged or repeatedly restored browser profile may be the remaining cause of the sign-in loop.
At that point, remove the old browser profile only after making sure needed bookmarks and data are safely synced or exported. Reinstall the browser from its official source if the profile cannot be repaired. Do not reset Windows solely because Google displayed the warning once.
When to escalate to offline scan or reinstall
Use a deeper cleanup path when a known infostealer, remote-access tool, loader, or credential-stealing extension ran; unfamiliar sessions reappear; security settings will not stay enabled; or detections and browser changes return after reboot. In those cases, stop using the PC for account recovery, run an offline scan, and consider a clean Windows reinstall if you cannot establish a trustworthy state.
The infostealer cleanup and account-recovery guide explains the order for email, password manager, Google, banking, gaming, and other accounts after cookies or saved passwords may have been exposed.
FAQ
Is “You’ve been signed out for your protection” a real Google warning?
It can be real when it appears on a Google-owned sign-in page such as accounts.google.com. A lookalike page, pop-up, notification, or email is not trustworthy merely because it uses Google branding. Open Google Account Security directly and verify the domain.
Does the warning mean Google scanned my computer and found malware?
No. The warning means Google reacted to suspicious account or sign-in activity. It does not name a malware family or prove a device scan occurred. Use account evidence, browser symptoms, installed-app review, and local scans to determine what happened.
Should I change my Google password before removing malware?
If the account may be compromised, change it promptly from a trusted device, not from the suspected PC. Then review devices, sessions, recovery methods, and third-party connections. Clean the affected device before signing in there again.
Why does the warning return when antivirus finds nothing?
The cause may be outside one scanner’s findings: an extension, unwanted app, synced browser setting, damaged profile state, or unresolved account/session issue. Review both the Google Account and the device. If all security checks are clean, try a fresh browser profile before considering an operating-system reinstall.
References
- Google Account Help. “Investigate suspicious activity on your account.” Google, accessed July 17, 2026. Google Account Help.
- Google Account Help. “See devices with account access.” Google, accessed July 17, 2026. Google Account Help.
- Google Chrome Help. “Remove unwanted ads, pop-ups and malware.” Google, accessed July 17, 2026. Google Chrome Help.

