Trojan.FakeGoogleJS Alert: What It Means and How to Clean It

Brendan Smith - Cybersecurity Analyst

Trojan.FakeGoogleJS is usually a Malwarebytes detection for fake-Google or browser-extension-style JavaScript artifacts, not a legitimate Google component. Public cases show it beside files such as manifest.json, background.js, content.js, jquery.js, and icon.png under user-writable folders like AppData\Local. Keep the detection quarantined, copy the full path, remove the suspicious extension or app source, clean browser sync, then scan again after reboot.

The label matters because it often appears after a fake extension, cracked download, fake updater, suspicious game/mod package, or account-compromise scare. A one-time quarantined extension folder is different from a recurring startup task, PowerShell loader, or account session abuse. This guide walks through the triage without restoring the files or trusting copied fixlists from forum threads.

What Trojan.FakeGoogleJS Means

Trojan.FakeGoogleJS and the related Trojan.FakeGoogle label are seen in Malwarebytes detection logs for suspicious files that imitate a Google or Chrome-related extension structure. The name can sound like an official Google warning, but it is a security-tool label. The practical question is where the alert points and whether anything is still launching those files.

Several public reports show two common patterns: JavaScript/extension-like files in AppData\Local, and persistence-looking entries with names such as GoogleUpdateSecurityTaskMachine. A real Chrome extension also uses files such as manifest.json, background scripts, content scripts, and icons, so the file names alone do not prove safety. A fake extension abuses the same shape while living in the wrong folder, requesting suspicious access, or returning after cleanup.

First Checks Before You Delete Anything

  1. Leave Malwarebytes quarantine in place. Do not restore Trojan.FakeGoogleJS or add an exclusion because the file name mentions Google.
  2. Export or copy the detection details. Save the full path, detection name, scan date, and every companion detection found in the same scan.
  3. Look at the folder, not only the file. A folder with manifest.json, background.js, content.js, jquery.js, and icon.png can be a fake extension package.
  4. Note nearby account symptoms. Instagram, Discord, Microsoft, email, Steam, or browser-session abuse changes the response from simple cleanup to account recovery.
  5. Do not run copied FRST or registry fixlists. Those scripts are written for one machine. Running another user’s fixlist can remove the wrong services, tasks, or browser data.
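
A read-only way to carry out checks 2 and 3 in PowerShell, added here as an example and not taken from the original guide or from Malwarebytes tooling. It looks under AppData\Local for folders that have the extension shape (manifest.json plus at least one of the companion files named above) but sit outside a browser's own Extensions directory, and reports what each manifest declares. The function name `Find-ExtensionShapedFolder`, the search depth, and the exclusion pattern are assumptions for illustration.

```powershell
# Added example: read-only inventory of extension-shaped folders under AppData\Local.
# Find-ExtensionShapedFolder is a hypothetical helper name; nothing is deleted or modified.
function Find-ExtensionShapedFolder {
    param(
        [string]$Root  = $env:LOCALAPPDATA,
        [int]   $Depth = 4
    )
    # Companion file names taken from the detections described in this guide.
    $companions = 'background.js', 'content.js', 'jquery.js', 'icon.png'

    Get-ChildItem -LiteralPath $Root -Filter 'manifest.json' -File -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # Assumption: installed extensions live under ...\User Data\<profile>\Extensions\<id>\<version>.
            $_.DirectoryName -notmatch '\\User Data\\[^\\]+\\Extensions\\'
        } |
        ForEach-Object {
            $file  = $_
            $dir   = $file.Directory
            $found = @($companions | Where-Object { Test-Path -LiteralPath (Join-Path $dir.FullName $_) })
            if ($found.Count -eq 0) { return }   # manifest.json alone is too common to report

            # The manifest may be malformed or not JSON at all; record that instead of stopping.
            $manifest = $null
            try {
                $manifest = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop |
                            ConvertFrom-Json -ErrorAction Stop
            } catch { }

            [pscustomobject]@{
                Folder      = $dir.FullName
                Created     = $dir.CreationTime
                Companions  = $found -join ', '
                ManifestOk  = [bool]$manifest
                Name        = $manifest.name
                Permissions = (@($manifest.permissions) + @($manifest.host_permissions) |
                               Where-Object { $_ }) -join ', '
            }
        }
}

Find-ExtensionShapedFolder | Sort-Object Created -Descending | Format-List
```

A hit is a folder to compare against the detection path you saved, not a verdict: some legitimate desktop apps also ship a manifest.json beside their scripts.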

Path Triage: Cache, Extension Folder, Or Persistence?

| Where the alert points | What it likely means and what to do |
| --- | --- |
| AppData\Local\... with manifest.json, background.js, content.js, or icon.png | Likely fake or unwanted extension-style files. Keep quarantine, remove the extension source, clean browser profiles and sync, then scan again. |
| Chrome\User Data\Default\Local Extension Settings or Sync Data\LevelDB | Browser extension/profile data may be involved. Remove suspicious extensions, check sync, and reset only the affected browser data if needed. |
| Task Scheduler or Registry paths with Google-like task names | Higher risk. Inspect scheduled tasks, Startup apps, services, and Run keys because something may be relaunching the fake files. |
| Downloads, game/mod/crack folder, or an extracted archive | Treat the original download as the likely source. Delete it after quarantine, scan the archive folder, and secure accounts if it ran. |
| Only one quarantined item and clean follow-up scans | Lower risk, but do not restore it. Watch for reappearance and keep browser extensions under review. |

How To Clean Trojan.FakeGoogleJS

  1. Update Malwarebytes and Windows security tools. Run a fresh scan after definitions update so old cache or deleted files do not confuse the result.
  2. Remove suspicious extensions in every browser. Check Chrome, Edge, Brave, Opera, Firefox, and any portable browser. Remove extensions you did not install, especially search helpers, game/mod helpers, fake VPNs, coupon tools, download helpers, or anything with a random ID.
  3. Check browser sync. If an extension returns after removal, disable extension sync temporarily, remove the extension on each signed-in device, then re-enable sync only after the account is clean.
  4. Review notification permissions and homepage/search settings. Fake extension infections often sit beside push-notification spam, search redirects, or homepage changes.
  5. Inspect Task Scheduler. Sort tasks by recently created or modified entries. Look for commands that launch Chrome, PowerShell, cmd.exe, wscript.exe, mshta.exe, random AppData paths, or Google-like task names you do not recognize.
  6. Inspect Startup apps and Run keys. Check Settings -> Apps -> Startup, the Startup folders, and Registry Run entries if you are comfortable. Export a backup before changing registry values.
  7. Scan after reboot. Reboot and run a full scan. A clean scan after quarantine, extension cleanup, and reboot is a better signal than deleting files while the browser is still open.
  8. Secure accounts from a clean device if anything ran. Change passwords and revoke sessions for email, Microsoft, Google, Discord, Instagram, Steam, password manager, banking, and crypto accounts if the infection followed a download or account activity appeared.
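
Steps 5 and 6 can be done as a read-only listing in PowerShell. The script below is an added example, not part of the original guide or any vendor tool. It prints scheduled tasks and Run-key values whose command line or name matches the things step 5 says to look for. The function names and the three patterns are assumptions built from this guide's wording.

```powershell
# Added example: read-only listing for steps 5 and 6. Nothing is disabled or deleted.
# The patterns are assumptions built from this guide's wording, not vendor signatures;
# a match is a reason to read the command line, not a verdict.
$launcher   = '(?i)(^|[\\"\s])(chrome|powershell|cmd|wscript|mshta)(\.exe)?(["\s]|$)'
$userPath   = '(?i)\\AppData\\|%(LOCAL)?APPDATA%'
$googleLike = '(?i)google'

function Get-MatchReason([string]$Name, [string]$Command) {
    $why = @()
    if ($Command -match $launcher)   { $why += 'browser or script-host launcher' }
    if ($Command -match $userPath)   { $why += 'runs from AppData' }
    if ($Name    -match $googleLike) { $why += 'Google-like name' }
    $why -join ', '
}

function Get-SuspectAutostart {
    # Scheduled tasks: only Exec actions carry a command line.
    foreach ($task in Get-ScheduledTask) {
        $cmd = ($task.Actions | Where-Object { $_.Execute } |
                ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
        $why = Get-MatchReason $task.TaskName $cmd
        if ($why) {
            [pscustomobject]@{ Source = 'Task'; Name = $task.TaskPath + $task.TaskName
                               Registered = $task.Date; Command = $cmd; Why = $why }
        }
    }
    # Run keys for the current user and the machine (64- and 32-bit views).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $runKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($valueName in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($valueName)
            $why = Get-MatchReason $valueName $cmd
            if ($why) {
                [pscustomobject]@{ Source = $path; Name = $valueName
                                   Registered = $null; Command = $cmd; Why = $why }
            }
        }
    }
}

Get-SuspectAutostart | Sort-Object Source, Name | Format-List
```

Run it from an elevated PowerShell window so tasks registered for other accounts are listed too, and save the output with the detection details before changing anything.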
Google Chrome
Extension Manager
  1. Launch Chrome.
  2. Click the three dots (...) in the top right corner.
  3. Select Extensions > Manage Extensions.
  4. Click Remove next to the extension you want to delete.

Quick Access: Type chrome://extensions/ in the address bar.

Safari
Settings > Extensions
  1. Open Safari.
  2. In the menu bar, click Safari and select Settings (or Preferences).
  3. Click on the Extensions tab.
  4. Select the extension and click Uninstall.
Mozilla Firefox
Add-ons and Themes
  1. Click the menu button, select Add-ons and themes.
  2. Go to the Extensions tab.
  3. Click the three dots (...) next to the extension and select Remove.

Quick Access: Type about:addons in the address bar.

Microsoft Edge
Browser Extensions
  1. Launch Microsoft Edge.
  2. Click the three dots (...) in the top right corner.
  3. Select Extensions.
  4. Find the extension and click Remove.

Quick Access: Type edge://extensions/ in the address bar.

Brave
Shields and Extensions
  1. Launch Brave browser.
  2. Click the menu icon > Extensions.
  3. Find the extension and click Remove.

Quick Access: Type brave://extensions/ in the address bar.

Opera
Extension Management
  1. Launch Opera.
  2. Click the Opera logo in the top left corner.
  3. Select Extensions > Extensions.
  4. Click the X or Remove button next to the extension.

Quick Access: Type opera://extensions/ in the address bar.

If a website keeps showing unwanted pop-ups, you likely granted it permission to send notifications. To stop them, you need to revoke that permission in your browser settings.

Google Chrome
  1. Copy and paste this into the address bar: chrome://settings/content/notifications
  2. Scroll down to the Allowed to send notifications list.
  3. Find the suspicious site.
  4. Click the three dots (...) next to it and select Remove (or Block).
Safari
  1. Open Safari and go to Settings (or Preferences).
  2. Click the Websites tab and select Notifications on the left.
  3. Find the suspicious site in the list on the right.
  4. Select it and click Remove (or change "Allow" to "Deny").
Mozilla Firefox
  1. Copy and paste this into the address bar: about:preferences#privacy
  2. Scroll down to Permissions and click Settings... next to Notifications.
  3. Type the suspicious site in the search bar or find it in the list.
  4. Select the site and click Remove Website.
Microsoft Edge
  1. Copy and paste this into the address bar: edge://settings/content/notifications
  2. Look under the Allow section.
  3. Find the suspicious site.
  4. Click the three dots (...) next to it and select Remove (or Block).
Brave
  1. Copy and paste this into the address bar: brave://settings/content/notifications
  2. Scroll to the Allowed to send notifications list.
  3. Find the suspicious site.
  4. Click the three dots (...) and select Remove (or Block).
Opera
  1. Copy and paste this into the address bar: opera://settings/content/notifications
  2. Check the Allowed to send notifications list.
  3. Find the suspicious site.
  4. Click the three dots next to it and select Remove.
After manual cleanup: reboot Windows and run a full scan to check startup entries, scheduled tasks, bundled apps, and hidden files that may restore the threat.

If the case started after a game, mod, crack, or fake installer, compare it with our "infostealer after downloading a game or mod" checklist before changing passwords on the same PC. If the extension keeps returning after you remove it, use the persistence steps in our "browser extension keeps reinstalling itself" guide.

When Account Safety Becomes The Main Issue

A quarantined JavaScript file is not proof that passwords were stolen. But the risk rises when the detection follows a downloaded executable, cracked game, mod installer, fake update, Discord attachment, or browser session theft. In that case, cleanup and account recovery should be separate tasks.

Clean the Windows device first, then change passwords from a different trusted device. Start with email and the account that controls password resets. Revoke active sessions, remove unknown OAuth/app passwords, check forwarding rules, and turn on multifactor authentication. For social accounts, review recent login locations and connected apps. For Discord or Steam, remove unknown sessions and check for messages sent while you were not using the account.

Could Trojan.FakeGoogleJS Be A False Positive?

It is possible, but do not assume that on the first alert. A false-positive path is more plausible when the file came from a known extension project you control, the code is expected, no persistence exists, the browser behaves normally, and multiple updated scans are clean. Most ordinary users should not restore the quarantined item. If it was a real extension you develop, test it in a clean development profile and submit the file to the detecting vendor rather than excluding the whole folder.

What Not To Do

  • Do not restore quarantined files with FakeGoogle in the detection name.
  • Do not assume the alert is safe because Google, Chrome, or update words appear in a task name.
  • Do not install more random “removal tools” from search results.
  • Do not reuse another person’s cleanup script, FRST fixlist, or registry file.
  • Do not keep using the same browser profile for password changes until extension sync and suspicious add-ons are clean.

FAQ

Is Trojan.FakeGoogleJS from Google?

No. The name is a malware-detection label. It often points to fake-Google or Chrome-extension-style files, not to a legitimate Google update.

Why did Malwarebytes find files like manifest.json and background.js?

Those are normal file names in browser extensions, but malicious or unwanted extensions can use the same structure. The folder path, extension source, permissions, and persistence decide the risk.

Should I wipe Windows after Trojan.FakeGoogleJS?

Not automatically. If quarantine holds, the files were in an extension-like folder, and clean follow-up scans show nothing else, targeted cleanup is often enough. Consider reinstalling only when malware keeps returning, account theft is confirmed, or you cannot trust the original installer chain.

Why does the fake extension come back?

Common reasons include browser sync, another signed-in device, a companion app, a scheduled task, a Run key, or a policy entry. Remove the source before re-enabling sync.

Can I delete the AppData folder manually?

Delete only the suspicious folder after quarantine and scans identify it. Removing large AppData sections blindly can break browsers and apps while leaving the startup task that recreates the folder.

References

  1. Malwarebytes Forums. “Unable to start Malwarebytes or Malwarebytes Chameleon.” Malwarebytes Forums, public removal log showing Trojan.FakeGoogle task-cache detections, accessed June 2, 2026. https://forums.malwarebytes.com/topic/216979-unable-to-start-malwarebytes-or-malwarebytes-chameleon/
  2. Reddit r/computerviruses. “Got infected with floxif virus, trogan.fakegoogle and ramnit virus.” Public user report with Trojan.FakeGoogle extension-style files under AppData, accessed June 2, 2026. https://www.reddit.com/r/computerviruses/comments/1trwesi/got_infected_with_floxif_virus_troganfakegoogle/
  3. Chrome for Developers. “Manifest file format.” Google, accessed June 2, 2026. https://developer.chrome.com/docs/extensions/reference/manifest
  4. Google Chrome Help. “Install and manage extensions.” Google, accessed June 2, 2026. https://support.google.com/chrome/answer/2664769
  5. Microsoft. “TrojanDownloader:JS/FakeUpdates.J threat description.” Microsoft Security Intelligence, updated February 7, 2024, accessed June 2, 2026. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader%3AJS%2FFakeUpdates.J&threatId=-2147133367