How to Spot and Remove a Fake Antivirus or Scareware
The Problem
A full-screen red banner says you have 847 viruses, audio blares, and a phone number promises "Microsoft support." Your real files are usually fine—this is scareware: a web page or junk app designed to panic you into paying or installing worse software. It is not the same as a silent trojan, which is why it needs different steps than a standard malware cleanup.
Defender disabled and real unknown processes running? Treat it as an infection—follow the guides on how to remove virus and malware and on Defender not working.
How to Spot Fake AV (30-Second Test)
- Pop-up appears inside the browser with a toll-free number—Microsoft does not put support numbers in browser alerts.
- Claims to be a "Windows Defender Alert" but has bad grammar, neon colors, or countdown timers.
- Asks you to call, download a "scanner," or pay with gift cards / crypto.
- Real Windows Security lives in Settings → Privacy & security → Windows Security—no sirens, no phone number.
The Fix: Step-by-Step
Step 1: Do Not Call the Number
Hang up if you already called—scammers request remote access, install real malware, or charge hundreds for nothing. Disconnect Wi-Fi if they are still on the line and you let them in.
Step 2: Kill the Browser Trap
- Ctrl + Shift + Esc → Task Manager → select the browser → End task.
- Reopen the browser without restoring the last session (Chrome: often a "Restore pages?" prompt—click Don't restore or start with Ctrl + N in a new window).
- If the tab returns instantly, a junk extension is loading it—see Step 5.
Step 3: Clear the Hijack Page on Startup
Edge: Settings → Start, home, and new tabs → set Home and New tab to something neutral (e.g. edge://newtab).
Chrome: Settings → On startup → Open the New Tab page—not "Continue where you left off" until clean.
Step 4: Reset the Browser (Keeps Bookmarks in Most Flows)
Microsoft Edge: Settings → Reset settings → Restore settings to their default values.
Chrome: Settings → Reset settings → Restore settings to their original defaults.
Then open Extensions → remove anything you did not install (names like "PC Protector," "Speed Booster," random letters).
Step 5: Uninstall the Fake Program (If One Installed)
Settings → Apps → Installed apps → sort by Install date → uninstall:
- "Windows Defender" that is not from Microsoft (check publisher column).
- "Driver Updater," "PC Cleaner," "WebShield," etc.
Step 6: Scan With the Real Defender
- Settings → Privacy & security → Windows Security → Virus & threat protection.
- Scan options → Full scan.
- If you paid a scammer and they had remote access: also run Microsoft Defender Offline scan—steps are in the malware removal guide.
Step 7: Check Notifications Permission
Scareware sites abuse browser notifications. Edge/Chrome: Settings → Privacy → Site settings → Notifications → remove suspicious sites → set default to Don't allow or ask.
Step 8: Startup and Scheduled Junk
Ctrl + Shift + Esc → Startup apps → disable unknown publishers.
Win + R → taskschd.msc → delete tasks launching from %Temp% or AppData with random names.
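One way to do the scheduled-task check above from PowerShell instead of clicking through taskschd.msc, as an added example that is not part of the original guide. It only lists tasks and deletes nothing; the path patterns are assumptions based on the %Temp% and AppData locations named in this step.

```powershell
# Added example: report scheduled tasks whose action runs from %Temp% or AppData.
# Read-only. Review each hit in Task Scheduler before deleting anything.

# Match either the literal folder names or unexpanded environment variables.
# -match is case-insensitive, so %temp% and %TEMP% both hit.
$regex = '\\AppData\\|\\Temp\\|%TEMP%|%TMP%|%APPDATA%|%LOCALAPPDATA%'

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "run a program" actions have Execute; COM-handler actions do not.
        if (-not $action.Execute) { continue }

        $commandLine = "$($action.Execute) $($action.Arguments)".Trim()
        # Also test the expanded form, so a variable such as %USERPROFILE%
        # that resolves into AppData is caught as well.
        $expanded = [Environment]::ExpandEnvironmentVariables($commandLine)

        if ($commandLine -match $regex -or $expanded -match $regex) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Author   = $task.Author
                Command  = $commandLine
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object TaskPath, TaskName | Format-List
} else {
    'No scheduled tasks run from Temp or AppData.'
}
```

A hit is a lead, not proof: some legitimate per-user apps run their updaters from AppData, so check the task name, author and command before removing it. Run it from an elevated PowerShell window to include tasks that a standard user cannot read.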
After Cleanup
- Change passwords if you typed them while the fake page was open—start with email and bank from a clean device.
- Create a restore point before installing anything from ads again.
- Teach the household: no number on a pop-up is real support.
Fake AV vs Real Malware
| Scareware | Silent malware |
|-----------|----------------|
| Loud browser page, phone number | Little or no warning |
| Often no files encrypted | May steal passwords, mine crypto |
| Fix: reset browser, uninstall junk app | Fix: offline scan, Safe Mode |
Still seeing pop-ups on every site after reset? Run the full malware removal path—something is persisting beyond a browser trick.