Fake Virus Warning Pop-Up? How to Remove It Safely

Press Ctrl+Shift+Esc to open Task Manager. Find your browser in the list — Chrome, Edge, Firefox — right-click it, End Task. The fake warning disappears. Don’t click anything on the scam page first, not the X buttons, not “Close,” not “Scan Now.” Those are all part of the page and clicking them opens more tabs or triggers more pop-ups. If Ctrl+Shift+Esc doesn’t work because the page intercepted it, press Ctrl+Alt+Delete instead — that always works because it’s handled at the kernel level, no webpage can block it. If the browser went full-screen and you can’t see the taskbar, hit F11 first to exit full-screen mode.

When you reopen the browser, it’ll probably offer to restore your previous session. Don’t. That reopens the scam page. Open a fresh tab instead.

A woman called us in a panic because her entire screen was locked on a full-page warning with the Microsoft logo, a case number, a countdown timer, and alarm sounds. She couldn’t close the browser, couldn’t Alt+F4 it. She was about to call the 1-800 number on the screen. Took forty-five seconds to fix. Killed the browser process, cleaned notifications, done. No virus. No Trojan. The whole thing was a webpage.

Real vs Fake

Real virus warnings from Windows Defender appear as small toast notifications near the clock in the bottom right — the shield icon in your system tray. They say something like “Threats found” with a button to review. No alarm sounds, no phone numbers, no countdown timers, no drama.

Fake warnings are the opposite. Full-screen, loud, phone numbers, countdown timers, claims your passwords and credit cards are being stolen right now. And they almost always appear inside your browser — you can see tabs and the URL bar at the top. Real Windows alerts never show up inside Chrome or Edge. If you can see browser chrome around the warning, it’s a webpage pretending to be a system alert. The FBI IC3 reported over $924 million in tech support scam losses in 2023. It’s one of the most profitable cybercrime categories precisely because these pages look so convincing.

There’s a middle category that trips people up — notification pop-ups that appear outside the browser in the bottom-right corner of Windows. These look like system notifications but they’re actually from a website you accidentally gave notification permission to. That’s the next section.

Browser Notifications

This is why the fake warnings keep coming back after you close them. About half the people who contact us about recurring fake virus pop-ups have this exact problem. They’ve closed the pop-up ten times, run Defender scans, installed Malwarebytes — nothing finds anything because there’s nothing to find. The “virus” is a notification from a website they accidentally clicked Allow on months ago.

In Chrome: click the three dots top right, Settings, Privacy and Security, Site Settings, Notifications. You’ll see a list of sites with notification permission. Look for anything you don’t recognize — domains like “securealert-scan.com” or “system-warning-update.xyz” or anything with “microsoft” or “defender” in it that isn’t actually microsoft.com. Click the three dots next to each and Remove or Block. Edge: Settings, Cookies and Site Permissions, Notifications. Firefox: Settings, Privacy & Security, scroll to Permissions, click Settings next to Notifications.

Notification permissions persist through browser restarts, computer restarts, even reinstalls if you’re signed into a sync account. Killing the browser only stops the current pop-up. Removing the permission is what stops them permanently. I’d honestly recommend turning off notification requests entirely — in Chrome, Settings, Privacy and Security, Notifications, select “Don’t allow sites to send notifications.” You can add exceptions for sites you actually want, like Gmail. Install uBlock Origin while you’re at it — it blocks the malvertising chains that trigger these scam pages in the first place. Some Windows 11 “ads” aren’t even from the browser at all — they’re built-in promotional features that turn off in Settings.

If You Already Called the Number

When you call the number on a fake virus warning, you reach a call center using VoIP to display a US number. They confirm your computer is “severely infected” and ask you to download TeamViewer or AnyDesk for remote access. Once connected, they open Event Viewer — a standard Windows tool that logs thousands of routine events — and point to the yellow warnings and red errors. “See these? These are the viruses.” Every Windows computer has hundreds of those entries. They’re routine logs, not infections. Then comes the pitch: $299-499 for a “cleanup,” or an annual plan for $199-399. Some go further and install actual malware or change your password while they have access.

If you already gave someone remote access, do this in order: disconnect from the internet immediately to kill their session. Change passwords from a different device — start with email and bank. Check your installed programs for TeamViewer, AnyDesk, UltraViewer, SupRemo, ConnectWise, or any remote tool you didn’t install, and uninstall them. Run a full Windows Defender scan, then Malwarebytes free for a second opinion. Call your bank and credit card company — most reverse tech support scam charges if reported within 60 days. File complaints at reportfraud.ftc.gov and ic3.gov. If you want someone to verify they didn’t leave anything behind, our full malware guide covers the cleanup, or to check whether your computer actually has a real virus versus just needing notification cleanup, that guide walks through the Task Manager and scanning process — and we can sweep the system remotely to make sure nothing was installed during their access.