RebootDoctor

Remove Virus & Malware Popups — Complete Cleanup Guide

By Mike Chen Fact-checked by Mike Chen (CompTIA A+ Certified) on

One of my more memorable calls came in around 11pm on a Tuesday back in March. The caller — a graphic designer who’d been freelancing for eight years and definitely wasn’t computer-illiterate — was close to tears. Every few seconds another popup appeared on her screen. “WINDOWS HAS DETECTED 47 THREATS.” “YOUR DATA IS AT RISK.” “CALL THIS NUMBER IMMEDIATELY.” The X button on each popup just spawned two more. And to top it off, some robotic text-to-speech voice was droning through her speakers warning her not to shut down.

Zero malware on that machine. Zero. Here’s what actually happened: three days earlier she’d been converting a PDF on some free website — the kind of site with five different “Download” buttons where only one is real — and a prompt popped up asking “This site wants to send you notifications.” She clicked Allow, probably without even reading it. That single click gave the website blanket permission to push whatever it wanted to her Windows notification system. And what it pushed was fake virus alerts. Intentionally designed to look identical to real Windows Security warnings.

We walked her through disabling the notification permissions in Chrome, cleared her browser data, and she was done in about ten minutes. No scan needed. No tools needed. Just undoing that one accidental click.

I’m telling you this because a huge chunk of what people think is a “virus” isn’t actually malware at all. According to Malwarebytes’ 2025 State of Malware report, browser-based adware and PUPs account for 72% of consumer malware infections. Most of it is junk that tricked you into installing it or giving it permissions, and most of it comes out without much of a fight.

But roughly 30% of the cleanup sessions we run at RebootDoctor do involve something real. Trojans that steal credentials. Cryptominers burning electricity on someone else’s behalf. Ransomware sitting dormant waiting for a trigger. Keyloggers quietly recording every password you type. Those need actual work to remove.

What I’m going to walk through here is the exact process we follow internally — starting with figuring out whether you even have malware in the first place, because a lot of people assume the worst when the reality is much simpler.

A typical fake virus popup — notice the suspicious domain, the scare tactics, and the phone number (real Windows Defender never asks you to call anyone)

First Question: Is This Malware, or Did You Just Grant a Sketchy Website Permission?

Two completely different problems that look almost identical to most users. The fix for one takes ten minutes in browser settings. The fix for the other takes an hour of scanning and manual cleanup. Figuring out which camp you’re in saves you a ton of unnecessary work.

Stuff that looks scary but is probably just browser junk:

  • Notification-style popups in the bottom-right corner — they show up even when your browser is closed because Windows notifications don’t need the browser open
  • Your homepage is suddenly some search engine you’ve never heard of (SearchProtect, MySearchResults, or weirdly, Yahoo — a lot of adware sets Yahoo as your default because Yahoo pays affiliates per search)
  • New tabs spawn randomly displaying ads for VPNs, sketchy antivirus products, or dating sites
  • There’s a toolbar at the top of your browser that wasn’t there last week

Actual malware (system-level infection):

  • Programs you didn’t install appearing in your Start menu
  • Your computer runs way slower than it should and Task Manager shows an unknown process using 80-100% CPU
  • Windows Defender or your antivirus was disabled and you can’t turn it back on
  • Files on your desktop got renamed or have weird extensions
  • Your laptop is inexplicably overheating even at idle
  • You see network activity when you’re not doing anything

If your symptoms match the first list, skip ahead to the browser cleanup section. You probably don’t need Safe Mode or deep scans — you need to revoke some permissions and remove some extensions. If it’s the second list, keep reading in order.

Disconnect From the Internet — Seriously, Do This First

People skip this and it drives me crazy. I had a guy in January who spent two hours scanning and cleaning his laptop, and then ten minutes after he finished, the same trojan was back. Because during those entire two hours of scanning, a trojan on his machine was actively reaching out to a remote server — somewhere in Romania based on the IP — and pulling down replacement copies of itself as fast as he deleted them. So yeah: physically disconnect. Ethernet cable out of the port. WiFi slider off. Whatever it takes to sever the connection.

You’ll turn it back on briefly later to grab Malwarebytes, but right now you want this machine talking to nobody.

Boot Into Safe Mode

Here’s the problem with trying to remove malware while Windows is running normally: there are dozens of services loading at startup, and most infections inject themselves into that sequence. They add registry entries, they register themselves as services, they set up pairs of processes that watch each other — kill process A and process B immediately respawns it, and vice versa. Try to delete a file and Windows tells you it’s “in use” because the malware has it locked open.

Safe Mode bypasses all of that nonsense. Windows loads the minimum it needs to run — basic display driver, keyboard, mouse, essential services — and ignores everything else. The malware’s startup entries still exist in the registry but Windows doesn’t execute them. The malicious executables are still on the disk, they just aren’t doing anything. They’re sitting there like a loaded gun with the safety on — present but inert, easily found and deleted by a scanner.

The way you get into Safe Mode on Windows 10 or 11 is a bit buried: open Start, click the power icon, then hold Shift while clicking Restart. A blue recovery screen appears — pick Troubleshoot, then Advanced Options, then Startup Settings, then hit Restart one last time. You’ll get a numbered menu. Press 5 for Safe Mode with Networking. That gives you a skeleton version of Windows that still has internet access for downloading tools. Grab Malwarebytes and any Defender definition updates, then turn WiFi off again immediately.

Fair warning though — I’ve encountered infections in the last year that are aware they’re running in Safe Mode. They detect it and either hide more aggressively or they don’t start at all, which sounds good except the scanner can’t find a process that isn’t running. For those situations, the next step (offline scanning) is what you actually need.

Run Windows Defender Offline Scan

This is Microsoft’s answer to malware that hides from regular scans. Defender Offline reboots your computer and scans before Windows fully loads — before any malware has a chance to start running and start hiding.

  1. Open Windows Security from the Start menu
  2. Click Virus & threat protection
  3. Click Scan options, then select Microsoft Defender Offline scan
  4. Hit Scan now — your PC restarts and the scan runs outside of Windows

Go do something else for 15-20 minutes while it runs. Make coffee. The scan finishes, Windows boots back up normally, and you can see what it found under Windows Security → Protection History.

Now — people online love to dunk on Windows Defender. “It’s built-in, it can’t be good.” I used to think that too, until I actually looked at the numbers. AV-TEST Institute has been rating it at 99.7% detection against widespread malware in their Q1 2025 tests. That’s on par with Kaspersky and Bitdefender. It’s been my only antivirus on my personal desktop for two years and I’ve had zero infections. Not everybody needs Norton or ESET. Defender handles the job for most people.

Where Defender does fall short — and this is a real gap — is with stuff that Microsoft technically doesn’t classify as “malware.” Adware, PUPs (Potentially Unwanted Programs), aggressive browser extensions. Microsoft takes a conservative stance on these. Which brings me to:

Malwarebytes — Your Second Scanner, Not Your Replacement

After Defender finishes, I run Malwarebytes on every single infected machine. The free version. You don’t need Premium for scanning — Premium just adds real-time protection, which isn’t the point here. What matters is that Malwarebytes and Defender look at threats through fundamentally different lenses. Microsoft’s philosophy is “we only flag things we’re very confident are malicious.” Malwarebytes’ philosophy is more like “if it’s sketchy, we’re flagging it.” The overlap between what they catch is maybe 80%. That remaining 20% is exactly why you need both.

The process:

  1. Reconnect to the internet briefly
  2. Download Malwarebytes free from their site — go directly to malwarebytes.com, don’t Google it and click the first result, because sometimes the top result is a sponsored ad for a fake version (I have personally seen this happen to three separate clients)
  3. Install it, run a full scan — not a quick scan
  4. Quarantine everything it finds. If you’re not sure about a detection, quarantine it anyway. You can restore false positives later.
  5. Restart your computer

On a typical adware-laden machine, Malwarebytes finds somewhere between 15 and 200+ items. Don’t let a high number scare you — many of those are tracking cookies and registry keys rather than actual malicious files. A count of 150 doesn’t mean you have 150 viruses.

The Browser Cleanup — This Is Where Most Problems Actually Live

Remember what I said earlier about 72% of consumer infections being browser-based? This section matters more than the scanning steps for most people.

Strip Out Suspicious Extensions

For Chrome, type chrome://extensions in the address bar. Edge users: edge://extensions. Firefox: about:addons.

Now look at that list and be ruthless. Anything you don’t actively use on a regular basis — get rid of it. Even stuff that seems harmless. I don’t care if you installed it six months ago for some specific task and thought you might need it again someday. Kill it. You can reinstall legitimate extensions in thirty seconds if you ever actually need them again.

Red flags I specifically look for: anything with “search” or “toolbar” in the name, extensions called things like “PDF Helper” or “Download Assistant” or “Smart Coupon” — these are almost always adware dressed up in a helpful-sounding name. Also watch for extensions with vague names like just “Extension” or “Helper” with no real description.

Real story — a college kid brought in his Dell in January with six coupon-finding extensions installed. Six different ones! Each one was silently rewriting his Amazon affiliate links so some random third party earned commission on everything he bought. None of them were technically malware. They did technically find coupons. They just also skimmed affiliate revenue from every online purchase he made for probably a year before he noticed.

Kill the Notification Spam

Remember the woman from my opening story? This is her fix. If fake “virus alert” popups keep appearing in the corner of your screen, the problem is almost certainly notification permissions.

In Chrome, go to Settings → Privacy and Security → Site Settings → Notifications. There’s an “Allowed to send notifications” list. Go through it. You’ll probably find domains in there you’ve never heard of. Anything unfamiliar, hit the three-dot menu and remove it. Edge has the same thing under Settings → Cookies and Site Permissions → Notifications.

What happened is at some point you visited a website that popped up “this site wants to send notifications” and you (or someone using your computer, or you accidentally while trying to close a popup) clicked Allow. That was the entire infection vector. One click, unlimited fake alerts forever until you revoke the permission.
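The same list can be read straight from the browser profile, which helps when checking several profiles or a relative's machine. The script below is an added example, not part of the original guide; it assumes Chromium's usual Preferences layout (profile → content_settings → exceptions → notifications, setting 1 = allow, last_modified in microseconds since 1601) and runs on a constructed sample with made-up domains.

```python
"""Added example: list the sites a Chrome or Edge profile allows to send notifications."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ALLOW = 1  # assumption: Chromium content-setting codes, 1 = allow, 2 = block
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample of the relevant part of a Preferences file (domains are made up).
SAMPLE_PREFS = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://free-pdf-convert.example:443,*": {"last_modified": "13385260800000000", "setting": 1},
        "https://calendar.example:443,*": {"last_modified": "13380000000000000", "setting": 1},
        "https://news.example:443,*": {"last_modified": "13384000000000000", "setting": 2},
    }}}}
})


def chromium_time(value):
    """Convert a Chromium timestamp (microseconds since 1601-01-01 UTC) to a datetime."""
    try:
        micros = int(value)
    except (TypeError, ValueError):
        return None
    return EPOCH_1601 + timedelta(microseconds=micros)


def allowed_notification_sites(prefs_text):
    """Return [(host, granted_at)] for every origin allowed to notify, newest grant first."""
    prefs = json.loads(prefs_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    sites = []
    for pattern, data in entries.items():
        if data.get("setting") != ALLOW:
            continue  # blocked entries cannot push popups
        origin = pattern.split(",")[0]  # key looks like "https://host:443,*"
        host = urlsplit(origin).hostname or origin
        sites.append((host, chromium_time(data.get("last_modified"))))
    return sorted(sites, key=lambda s: s[1] or EPOCH_1601, reverse=True)


if __name__ == "__main__":
    # On a real machine, read the profile's file instead of the sample. Usual default
    # location (assumption): %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences
    for host, granted in allowed_notification_sites(SAMPLE_PREFS):
        when = granted.strftime("%Y-%m-%d") if granted else "unknown date"
        print(f"{host:30} allowed since {when}")
```

The script only reads the file; remove the unwanted entries through the browser's settings page as described above.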

Reset Your Browser to Factory

Last step for the browser — a full settings reset. This catches anything you might’ve missed: modified homepage, hijacked default search engine, startup pages that redirect to ad sites.

In Chrome it’s under Settings → Reset settings → “Restore settings to their original defaults.” Edge has it in the same spot. Firefox is slightly different — type about:support in the address bar and click “Refresh Firefox.”

Fair warning — the reset will also remove your extensions (which is actually a good thing at this point, since you just cleaned them). Bookmarks and saved passwords stay intact though.

The Manual Cleanup — Finding What Scanners Miss

Automated scanners are great but they don’t catch everything, especially if the malware has been on your system for a while and has had time to dig in. Here are the manual checks I do on every infected machine after the automated scans finish.

Task Manager — The Manual Check

Open Task Manager (Ctrl+Shift+Esc), go to the Startup tab. This is the list of everything that auto-launches when you boot Windows. Anything that you don’t recognize — and I mean genuinely don’t recognize, not “I’m not sure what this does but it sounds official” — right-click it and choose “Open file location.” That tells you where the actual file lives. If the executable is sitting in a Temp folder, or buried inside your AppData directory, or in some folder on C:\ with a name like j2k9df83 — that’s almost certainly not legitimate software.

Also check the Processes tab. Sort by CPU usage, highest first. Cryptominers are one of the more common infections we deal with now, and they’re actually the easiest to spot here because they eat 80-100% of your CPU doing nothing visibly useful. The trick is they often disguise themselves with names that sound like Windows processes — “svchost.exe” or “RuntimeBroker.exe” — but if you right-click and check the file location, a real svchost lives in C:\Windows\System32. A fake one lives wherever the malware dropped it.
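The two location checks above (startup items in Temp or AppData, and system-sounding names outside System32) can be run over a whole process list at once. This is an added example, not part of the original guide; the expected folders assume a default C:\Windows install, and the process list is a constructed sample.

```python
"""Added example: flag processes whose file location does not fit their name."""
import csv
import io
from pathlib import PureWindowsPath

# Where the genuine binaries live (assumption: Windows is installed in C:\Windows).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "runtimebroker.exe": {r"c:\windows\system32"},
}
# Folders the article treats as red flags. Some legitimate per-user apps also run
# from AppData, so a hit here means "check the publisher", not "delete".
SUSPECT_PARTS = ("\\temp\\", "\\appdata\\")

# Constructed sample in the shape produced by:
#   Get-CimInstance Win32_Process | Select-Object Name,ExecutablePath | ConvertTo-Csv -NoTypeInformation
SAMPLE_CSV = r'''"Name","ExecutablePath"
"System",""
"svchost.exe","C:\Windows\System32\svchost.exe"
"svchost.exe","C:\Users\ana\AppData\Roaming\svchost.exe"
"RuntimeBroker.exe","C:\ProgramData\rb\RuntimeBroker.exe"
"updater.exe","C:\Users\ana\AppData\Local\Temp\updater.exe"
"notepad.exe","C:\Windows\System32\notepad.exe"
'''


def review_process(name, exe_path):
    """Return (kind, folder) when a process deserves a closer look, else None."""
    if not exe_path:
        return None  # some system processes expose no path to an unelevated query
    folder = str(PureWindowsPath(exe_path).parent)
    key = folder.lower()  # Windows paths are case-insensitive
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is not None and key not in expected:
        return ("system-name-wrong-folder", folder)
    if any(part in key + "\\" for part in SUSPECT_PARTS):
        return ("user-writable-folder", folder)
    return None


def scan(csv_text):
    """Run review_process over a Name/ExecutablePath CSV and collect the findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = review_process(row["Name"], row["ExecutablePath"])
        if verdict:
            findings.append((row["Name"], *verdict))
    return findings


if __name__ == "__main__":
    for name, kind, folder in scan(SAMPLE_CSV):
        print(f"{name:20} {kind:26} {folder}")
```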

Scheduled Tasks — The Sneaky Persistence Trick

This one frustrates me because so few removal guides mention it, and it’s the reason infections “come back” after people think they’ve cleaned them. Hit Win+R, type taskschd.msc, press Enter.

Browse through the Task Scheduler Library. What you’re looking for: tasks with names that are random strings of characters, or tasks scheduled to run “At logon” or “At startup” or on a repeating timer that you definitely didn’t create yourself. In April I cleaned a machine where Malwarebytes found and removed the malware executable three times. Three passes, three clean removals. And it kept coming back within an hour. Turns out there was a scheduled task running every 60 minutes that reached out to a server and pulled down a fresh copy. The scanners kept nuking the symptom but not the mechanism.
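Task Scheduler can export any task as XML, which makes the traits described above (random name, logon or startup trigger, repeating timer) checkable in bulk. The script below is an added example, not part of the original guide; the two task exports are constructed, and the random-name test is a crude heuristic chosen for illustration.

```python
"""Added example: review Task Scheduler XML exports for persistence-style tasks."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "%appdata%", "%localappdata%", "%temp%")

# Constructed exports in the format of: schtasks /query /tn "<name>" /xml
# (names and paths are made up; the first mirrors the hourly re-download task above).
HOURLY_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\kq7x2m9d</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions><Exec><Command>C:\Users\ana\AppData\Roaming\kq7x2m9d\upd.exe</Command></Exec></Actions>
</Task>"""
BACKUP_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Contoso Backup</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Actions><Exec><Command>"C:\Program Files\Contoso\backup.exe"</Command></Exec></Actions>
</Task>"""


def interval_minutes(iso):
    """Convert a repetition interval such as PT1H, PT30M or P1D to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 1440 + h * 60 + mi + s // 60


def review_task(xml_data):
    """Summarise one task: how it is triggered, what it runs, and why it stands out."""
    root = ET.fromstring(xml_data)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]
    triggers = []
    for trig in root.findall("t:Triggers/*", NS):
        kind = trig.tag.split("}")[-1]  # strip the XML namespace
        if kind == "LogonTrigger":
            triggers.append("at logon")
        elif kind == "BootTrigger":
            triggers.append("at startup")
        mins = interval_minutes(trig.findtext("t:Repetition/t:Interval", namespaces=NS))
        if mins:
            triggers.append(f"repeats every {mins} min")
    commands = [e.text.strip() for e in root.findall("t:Actions/t:Exec/t:Command", NS) if e.text]
    reasons = []
    if re.fullmatch(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,}", name):
        reasons.append("name looks like a random string")
    reasons += [f"runs from a user-writable folder: {c}" for c in commands
                if any(p in c.lower() for p in USER_WRITABLE)]
    return {"name": name, "triggers": triggers, "commands": commands,
            "reasons": reasons, "review": bool(triggers and reasons)}


if __name__ == "__main__":
    for xml_data in (HOURLY_TASK, BACKUP_TASK):
        r = review_task(xml_data)
        print(r["name"], "REVIEW" if r["review"] else "ok", r["triggers"], r["reasons"])
```

Legitimate updaters also use logon triggers and per-user folders, so treat a REVIEW result as a prompt to check the file's publisher before deleting the task.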

DNS Settings — The Subtle Hijack

This is a sneakier move some malware pulls. Instead of showing you popups or running a miner, it changes your DNS configuration. DNS is basically the phone book of the internet — it translates “google.com” into an IP address. If malware points your DNS at a server they control, they can redirect you to fake versions of websites (like a fake bank login page) without you seeing anything obviously wrong.

To check: Control Panel → Network and Internet → Network Connections. Right-click whatever connection you’re using (WiFi or Ethernet), hit Properties, double-click Internet Protocol Version 4 (TCP/IPv4). If it says “Use the following DNS server addresses” and you didn’t set those yourself — something changed them. Switch to “Obtain DNS server address automatically,” or set them to Cloudflare’s 1.1.1.1 and 1.0.0.1, which are fast and trustworthy.

The Nuclear Option — When Nothing Else Works

So you’ve done all of the above and the computer is still acting weird. Unexpected network activity, random slowdowns, something just feels off. At this point you’re probably dealing with a rootkit or a fileless infection — the kind of malware that lives below the level where normal scanners operate. Consumer tools can’t reliably reach it.

The most certain fix is a clean Windows install. And I want to be specific about what I mean — not the “Reset this PC” option in Windows Settings. That feature reuses portions of the existing Windows installation and sometimes the infection survives the reset. What I’m talking about is downloading the Microsoft Media Creation Tool on a clean computer, creating a bootable USB, booting from that USB, and formatting the drive during installation. Total scorched earth.

Obviously, back up your personal stuff first. Documents, photos, music — copy those to an external drive. But don’t copy over any .exe files or program installers from the infected machine. You could transfer the infection right along with your data. And once you’ve copied your files to the external drive, scan that drive with Malwarebytes from a clean machine before plugging it into your freshly installed Windows.

Silver lining — after a clean install your PC will boot faster than it has in years. Good opportunity to keep things optimized from the start instead of letting 47 startup programs accumulate again.

How Not to Get Infected Again

Repeat customers are a real thing in virus removal. We have people who call us three, four times a year with the same type of infection. And every time, it’s the same behavior that caused it. So here’s what I tell every single client after a cleanup session:

Notification prompts. This is number one. Any time a website pops up asking “this site wants to send you notifications” — click Block. Don’t even read the rest of the prompt. Block it. I cannot overstate how many of our cleanup tickets come from this one thing. The only sites that should have notification permission are ones you’d actively miss updates from, like your bank or maybe a calendar app.

Software downloads. Stop Googling the name of the program you want and clicking the first result. Especially the results with the little “Sponsored” tag. A client of ours in February — and I wish I was making this up — Googled “Malwarebytes download,” clicked the top sponsored result, and got a browser hijacker from a fake Malwarebytes site. The irony still hasn’t worn off. Type the URL directly. malwarebytes.com. Not whatever Google Ads decides to show you.

Defender. Leave it on. I know there’s a crowd that says you need to disable Defender to install certain things — game mods, cracked software, whatever. Look, that’s your choice, but understand what you’re doing: you’re removing the single layer of protection standing between you and 560,000 new malware variants that AV-TEST says appear every day. Every day. That number still surprises me and I’ve been working in this field for years.

Ad blocking. Install uBlock Origin. It’s free, it’s open source, it’s been around forever. A ridiculous amount of malware gets distributed through legitimate advertising networks. You visit a perfectly normal website, the ad network serves a malicious ad, and certain exploit kits can execute code just from the ad rendering on your screen — you don’t even have to click anything. uBlock prevents that entirely.

Password reuse. Different topic from malware specifically, but if you’re using the same password for your Gmail, your bank, and your Amazon account — one breach exposes everything. Bitwarden is free, generates random passwords, and stores them securely. Takes about twenty minutes to set up and it’s one of the highest-impact security improvements anyone can make.

When to Call in a Professional

Everything I’ve described above handles roughly 85% of the infections we see. Genuine adware, browser hijackers, common trojans, PUPs. The tools are free, the process is straightforward if tedious, and you can do it yourself without special technical knowledge.

The other 15% — that’s where it gets complicated. Ransomware that’s encrypted your files, rootkits that survive a Defender offline scan, blue screen crashes caused by corrupted system files from a deep infection, or situations where you’re just not confident that the machine is actually clean after your own cleanup. These are the cases where a professional set of eyes and tools makes the difference.

Our virus and malware removal service is $29.90 per session. We connect remotely through your existing internet connection, run enterprise-grade scanners that aren’t available to consumers, and manually trace anything the automated tools miss. The session includes a follow-up system hardening — we lock down browser settings, disable unnecessary services, configure Windows Defender optimally, and walk you through the habits that prevent reinfection.

Average cleanup time is 30-60 minutes for adware and browser infections, 1-2 hours for deeper system-level malware. If a clean Windows install turns out to be the best path, we’ll tell you that upfront rather than billing hours to chase something that a fresh install fixes in 20 minutes.

Message us on WhatsApp — we’re available 24/7 and we can usually tell within the first five minutes of looking at your Task Manager whether you’re dealing with something you can handle yourself or something that needs professional tools.

Last verified: May 2026

Frequently Asked Questions

How do I know if my computer has a virus?

Common signs: unexpected popups, browser redirects to strange sites, new toolbars you didn't install, slow performance, programs crashing, or your antivirus being disabled without your action.

Can I remove a virus myself for free?

Yes — Windows Defender (built into Windows 10/11) catches most threats. For stubborn infections, Malwarebytes Free scanner is the best second-opinion tool. If both fail, you likely have a rootkit or bootkit requiring professional removal.

Will resetting Windows remove all viruses?

A full clean install (not 'Reset this PC') will remove 99% of infections. However, some advanced malware can survive in the UEFI firmware or recovery partition. If you need a clean install, our Windows Installation service includes a thorough pre-install scan.

Is Windows Defender good enough by itself?

For most people, honestly yes. AV-TEST gives it a consistent 99.7% detection rate against known threats. Where it struggles is with brand-new adware and browser hijackers that technically aren't 'malware' by Microsoft's definition. That's where Malwarebytes fills the gap.

How did I get malware in the first place?

The most common infection vectors we see are fake download buttons on free software sites, email attachments from senders you don't know, pirated software with bundled payloads, and browser notification permissions granted to sketchy websites.

Need Expert Help?

If these steps didn't fix your issue, our certified technicians can diagnose and resolve it remotely — usually in under 30 minutes.
