The "Built-in Antivirus Has Detected a Threat" pop-up is a browser-based scam designed to frighten users into believing their computer is infected with malware. These fake security alerts appear while browsing and mimic legitimate antivirus warnings, often claiming that Windows Defender or another built-in security tool has found critical threats. In reality, these pop-ups originate from deceptive websites or adware installed on your system—they have no connection to your actual antivirus software and the "threats" they report are completely fabricated.
This type of scam falls under the broader category of tech support scams. The fraudulent warnings typically display flashing text, countdown timers, and alarming messages about data theft or system damage to create a sense of urgency. Most variants provide a phone number for "Microsoft Support" or "Windows Technical Support" and pressure victims into calling immediately. Once contact is made, scammers attempt to sell unnecessary services, steal remote access to your computer, or install actual malware that compromises your system.
Threat Profile
| Threat Type | Browser-based scam / Tech support scam / Adware-driven pop-up |
| Aliases | "Windows Defender Alert", "Built-in Security Detected Virus", "Microsoft Virus Alert", various phone numbers including patterns like +1-844-XXX-XXXX or +1-888-XXX-XXXX |
| Platform | Windows (primarily); Mac variants exist with similar "Apple Security" branding |
| Distribution Method | Malicious advertising networks, compromised websites, bundled software installers, browser notification abuse, redirect chains |
| Primary Goal | Social engineering—trick users into calling fake tech support numbers or installing additional malware |
| Associated Components | Browser hijackers, adware extensions, persistent notification permissions, unwanted scheduled tasks (when adware component is present) |
| Typical Symptoms | Repeated pop-ups with security warnings, browser redirects to scam pages, new tabs opening automatically, homepage or search engine changes, system slowdowns from background adware |
| Legitimate Software Mimicked | Windows Defender, Microsoft Security, Windows Security Center (uses official logos and branding without authorization) |
| Persistence Mechanism | Browser notification permissions, scheduled tasks (for adware variants), browser extensions, modified shortcuts with malicious URLs appended |
| Data at Risk | If victim calls the number: credit card information, personal identification, remote access credentials, system passwords; if adware is installed: browsing history, search queries |
| Removal Difficulty | Easy to Moderate (browser-only cases are simple; adware-backed infections require more thorough cleaning) |
| Related Families | Part of the broader tech support scam ecosystem alongside "Your Windows Is Infected", "Call Microsoft Immediately", and similar variants |
How It Spreads
This scam primarily reaches victims through two pathways: malicious advertising on legitimate websites and underlying adware infections. Many users first encounter these pop-ups while browsing normally—visiting news sites, streaming platforms, or searching for software downloads. Compromised advertising networks serve fraudulent ads that either display the scam directly or redirect through multiple pages before landing on the fake warning. These malvertising campaigns exploit the programmatic advertising ecosystem, where ads are bought and displayed automatically with minimal human oversight.
The second, more persistent pathway involves adware already installed on the victim's computer. This supporting malware typically arrives bundled with free software downloads, particularly media players, PDF converters, download managers, and optimization utilities obtained from third-party sites. During installation, users who click through setup wizards without reading carefully often accept additional "offers" that include browser hijackers and adware. Once installed, this software injects advertising scripts, modifies browser behavior, and regularly redirects users to the scam pages.
Common distribution vectors include:
- Malicious advertising networks that place scam pop-ups on otherwise legitimate websites through compromised ad slots
- Software bundles where the adware component hides in "recommended" installation options or pre-checked boxes during setup
- Fake download buttons on software download sites that install adware instead of or alongside the intended program
- Browser notification permissions granted to deceptive sites that later push scam alerts directly through the operating system notification system
- Compromised websites injected with redirect scripts that send visitors through chains of malicious pages
- Torrent files and crack/keygen sites that bundle the scam-delivering adware with pirated software
- Fake system update prompts on sketchy websites claiming you need a media player or codec update to view content
- YouTube and social media ads for "PC optimizer" tools that actually install adware components
What It Does On Your Machine
When you encounter this scam through a one-time malicious ad, the immediate impact is limited to your browser session. The fake warning page uses JavaScript to display modal pop-ups that resist closing, sometimes disabling the close button or spawning new alerts each time you dismiss one. The page may freeze your browser or trigger rapid-fire pop-ups to create panic. These techniques are psychological manipulation designed to prevent rational decision-making. The scam page often plays audio warnings, displays countdown timers claiming "Your data will be deleted in X minutes," and lists fabricated threat names with scary-sounding descriptions.
The displayed phone numbers connect to call centers operated by scammers, not Microsoft or any legitimate company. If a victim calls, the scammer typically asks for remote access using tools like TeamViewer, AnyDesk, or UltraViewer. Once connected, they may run legitimate Windows utilities (Event Viewer, Command Prompt showing directory listings, Task Manager) but misrepresent normal system logs and files as evidence of infection. The goal is to sell expensive "repair services" ranging from $200 to $500, install monitoring software for ongoing access, or harvest credit card information and personal details for identity theft.
When an underlying adware component is present, the impact extends beyond individual browsing sessions. The adware modifies browser settings to ensure repeated exposure to the scam. It may install browser extensions that inject advertisements, change your default search engine to generate revenue through search redirects, and add scheduled tasks that periodically launch browsers with scam URLs. Some variants modify browser shortcuts to include command-line parameters that automatically open scam pages on launch.
The adware component typically collects browsing data including search queries, visited websites, and click patterns. While less dangerous than banking trojans or ransomware, this information is sold to advertising networks or used to build profiles for more targeted scam campaigns. System performance often degrades due to constant background processes checking for update commands, downloading additional adware payloads, and injecting scripts into web pages. Some variants consume significant CPU resources for cryptocurrency mining or participate in click-fraud schemes, generating revenue for the operators while slowing your computer.
Manual Removal — Step by Step
Close Your Browser Safely
First, exit the scam page completely. If the pop-ups prevent normal closing, open Task Manager (press Ctrl+Shift+Esc), locate your browser process (Chrome, Firefox, Edge, etc.), click it, and select "End Task". Do NOT click anything within the scam pop-up itself, including "OK" or "Cancel" buttons. If your browser has a "Restore previous session" feature, disable it temporarily before reopening to avoid reloading the scam page.
Check Browser Notification Permissions
Many variants abuse the browser notification system. In Chrome, go to Settings > Privacy and Security > Site Settings > Notifications and remove any suspicious or unfamiliar websites from the "Allowed to send notifications" list. In Firefox, open Settings > Privacy & Security > Permissions > Notifications > Settings and remove questionable entries. In Edge, navigate to Settings > Cookies and site permissions > Notifications and clear problematic sites. Look especially for domains with random character strings or misspellings of legitimate sites.
Review and Remove Suspicious Extensions
Open your browser's extension management page (chrome://extensions/ for Chrome, about:addons for Firefox, edge://extensions/ for Edge). Look for extensions you don't remember installing, particularly those with vague names like "Helper", "Manager", "Secure", or random character strings. Remove anything unfamiliar or installed around the time the pop-ups started appearing. Legitimate extensions typically have detailed descriptions, developer information, and many reviews—suspicious ones often lack these details.
Inspect Programs and Features
Open Control Panel > Programs > Programs and Features (or Settings > Apps > Installed Apps on Windows 11). Sort by "Installed On" date and examine recent additions. Look for unfamiliar programs with generic names, especially those installed on the same day the pop-ups started. Common culprits include names containing "Search", "Web", "Helper", "Secure", "Optimizer", or random word combinations. Uninstall anything suspicious. Be cautious during uninstallation—some adware uninstallers try to install additional software as you remove the original.
Check Scheduled Tasks
Press Win+R, type "taskschd.msc", and press Enter to open Task Scheduler. Examine the Task Scheduler Library for entries that look suspicious—particularly those set to run frequently (every few hours or daily) with random names or located in Microsoft\Windows folders but with non-standard names. Right-click any suspicious tasks and select "Delete". Look especially for tasks that launch browsers with URLs as parameters or execute files from %LOCALAPPDATA% or %APPDATA% with GUID-style folder names.
Examine Browser Shortcuts
Right-click your browser shortcut (on desktop or taskbar), select Properties, and examine the "Target" field. It should point only to the browser executable—something like "C:\Program Files\Google\Chrome\Application\chrome.exe" with nothing after it. If you see additional URLs or parameters appended after the .exe, delete everything after the closing quotation mark following chrome.exe (or firefox.exe, msedge.exe, etc.). Click Apply and OK. Check all browser shortcuts including those in the Start Menu folder.
Run Reputable Anti-Malware Software
Download and run Malwarebytes Free (from malwarebytes.com—verify the URL carefully) to scan for adware components that manual removal might miss. Update the definitions before scanning. Let it complete a full scan, which typically takes 15-30 minutes. Quarantine or remove any detections. Consider also scanning with AdwCleaner (also from Malwarebytes), which specializes in browser hijackers and adware. Free versions of these tools are sufficient for removal, though you'll see upgrade prompts for real-time protection.
Reset Browser Settings
If pop-ups persist after the above steps, reset your browser to defaults. In Chrome, go to Settings > Reset settings > Restore settings to their original defaults. In Firefox, type "about:support" in the address bar and click "Refresh Firefox". In Edge, navigate to Settings > Reset settings > Restore settings to their default values. This removes extensions, clears temporary data, and resets your homepage and search engine, but preserves bookmarks and passwords. You'll need to reinstall legitimate extensions afterward.
Check for Additional Modifications
Open Windows Settings > Apps > Startup and disable any unfamiliar programs set to launch at boot. Then press Win+R, type "msconfig", and click the "Startup" tab (or "Open Task Manager" link on newer Windows versions). Disable any suspicious startup items. Also check your homepage and default search engine in each browser—some adware changes these to revenue-generating search engines even after extension removal.
Verify and Monitor
Restart your computer and open your browser normally. Visit a few typical websites and verify that pop-ups don't return. Check your browser's homepage and search engine settings one final time. Monitor system performance for the next few days—if you notice unusual slowdowns, unexpected browser behavior, or new suspicious programs appearing, the infection may have multiple components requiring professional attention. Consider changing passwords for important accounts if you suspect any information was compromised, especially if you called the scam number or granted remote access.
Prevention
- Never call phone numbers displayed in pop-up warnings. Legitimate antivirus software never displays phone numbers for support in pop-up alerts. Microsoft and other major companies do not include support numbers in security warnings. Real Windows Defender alerts appear in the Windows Security app, not in your web browser.
- Use a reputable ad blocker. Browser extensions like uBlock Origin (not just "uBlock") significantly reduce exposure to malicious advertising networks. While not perfect, they block many of the advertisement chains that deliver these scams. Configure the blocker to use multiple filter lists for maximum effectiveness.
- Download software only from official sources. Obtain programs directly from developers' websites or the Microsoft Store rather than third-party download sites. When using search engines to find software, verify the URL carefully—scammers buy ads for searches like "download VLC" that lead to bundle-laden installers instead of the real VideoLAN site.
- Read installation prompts carefully. When installing free software, always choose "Custom" or "Advanced" installation rather than "Recommended" or "Express". Uncheck any boxes offering additional software, toolbars, browser changes, or "enhanced search experiences". Legitimate software makes these options clear; bundled adware relies on users clicking through mindlessly.
- Keep Windows and browsers updated. Security patches close vulnerabilities that malicious ads and malware exploit. Enable automatic updates for Windows, and ensure your browser is set to update automatically. Most modern browsers do this by default, but it's worth verifying in settings.
- Be cautious with browser notification requests. When a website asks to "Show notifications", click "Block" unless you have a specific reason to allow it and trust the site completely. Many scam operations abuse legitimate notification features to bypass pop-up blockers and deliver alerts that look like system warnings.
- Maintain real antivirus software. Windows Defender (built into Windows 10 and 11) provides solid baseline protection for most users. If you prefer third-party options, Bitdefender, Kaspersky, ESET, or Malwarebytes Premium offer comprehensive protection. Avoid "free antivirus" programs with unfamiliar names—many are scareware that creates the problems they claim to fix.
- Educate household members and employees. Tech support scams particularly target less technical users. Make sure family members and coworkers know that legitimate companies never cold-call about infections and that pop-up warnings with phone numbers are always scams. Create a culture where checking with someone knowledgeable before calling or downloading is encouraged, not seen as an interruption.
Bring It In
If these pop-ups won't stop appearing, if you already called the number and granted remote access, or if you're simply unsure whether your computer is clean, bring it to our Roswell shop. Tech support scams often indicate underlying adware infections that scatter components across your system—browser extensions, scheduled tasks, registry modifications, and background processes that all need identification and removal. What seems like a simple browser problem can involve a dozen different persistence mechanisms, and missing even one means the behavior returns within days.
We've seen the damage these scams cause firsthand, from customers who paid hundreds of dollars for fake services to those whose computers were loaded with actual malware by the "technicians" who gained remote access. The sooner you address the problem, the better. Call us at (770) 856-1765 or stop by our shop at 1260 Hembree Road in Roswell. We'll run a thorough diagnostic, remove all adware components, verify your security software is functioning properly, and walk you through exactly what happened so you can recognize and avoid these scams in the future. Most cleanings are completed same-day, and we don't upsell services you don't need—just honest assessment and effective removal.