What Was Happening
Pop-up ads were appearing while browsing — even on sites the user trusts, even with a third-party ad blocker installed. The desktop was also showing notifications styled to look like Windows alerts, telling them their PC was “at risk” and they needed to call a phone number.
The customer was understandably worried about ransomware. The good news up front: this was adware, not ransomware. Annoying, intrusive, occasionally a scam vector, but the data on the machine was not encrypted or under threat. The right response is methodical removal rather than panic.
Our Diagnosis
There is a useful triage for “pop-up” complaints. The visible symptom is the same but the underlying cause and removal route are different:
- Browser adware extension. Pop-ups appear in the browser. They follow the browser between sessions and machines if Chrome / Edge sync is on. Removal is in the browser, not the OS.
- Browser hijack via search redirect. New tabs open to a different search engine, default search has been changed without permission. Removal involves both the extension and browser policy settings.
- Windows-level notification spam. Notifications appear on the desktop, not the browser. Caused by a website that was granted notification permission earlier — removal is in browser site permissions, not antivirus.
- Genuine malware with adware payload. Pop-ups appear even without a browser open. Process Explorer shows unfamiliar processes consuming CPU. Different removal approach again — this needs a proper anti-malware scan.
On this HP we saw three of the four categories (1, 2 and 3) at once, which is fairly typical for a machine that has accumulated adware over time without being checked.
Specifically:
- A browser extension installed about six weeks ago, calling itself “Search Helper Pro”, which the user had no memory of installing.
- The default search engine had been silently changed to a low-quality ad-driven search redirector.
- Notification permission had been granted to four unfamiliar domains.
- A scheduled task in Task Scheduler that ran on user logon, downloading and reinstalling the extension if it was missing.
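The browser-side findings above (an extension the user does not remember installing, notification permission granted to unfamiliar domains) can be enumerated without opening the browser. The PowerShell below is an added example written for this write-up, not a tool from the workshop; it assumes a default Chrome profile location, that the profile's `Preferences` file keeps notification grants under `profile.content_settings.exceptions.notifications` with `setting` 1 meaning allow, and that each extension id folder under `Extensions` carries a `manifest.json`. It is read-only.

```powershell
# Added example (not the workshop's own tooling): read-only audit of one Chrome
# profile for two of the findings above, notification grants and extensions.
# Assumptions: default profile path; Preferences JSON layout as noted in the
# lead-in; extension name may be a localised "__MSG_...__" token.
param(
    [string]$ProfileDir = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"
)

function Get-ChromeNotificationGrants {
    param([string]$ProfileDir)
    $prefPath = Join-Path $ProfileDir 'Preferences'
    if (-not (Test-Path -LiteralPath $prefPath)) { return @() }
    $prefs = Get-Content -LiteralPath $prefPath -Raw | ConvertFrom-Json
    $exceptions = $prefs.profile.content_settings.exceptions.notifications
    if ($null -eq $exceptions) { return @() }
    foreach ($entry in $exceptions.PSObject.Properties) {
        # Key looks like "https://example.com:443,*"; value.setting 1 = allow, 2 = block.
        if ($entry.Value.setting -eq 1) {
            [pscustomobject]@{
                Origin       = ($entry.Name -split ',')[0]
                Setting      = 'Allow'
            }
        }
    }
}

function Get-ChromeExtensionList {
    param([string]$ProfileDir)
    $extRoot = Join-Path $ProfileDir 'Extensions'
    if (-not (Test-Path -LiteralPath $extRoot)) { return @() }
    Get-ChildItem -LiteralPath $extRoot -Directory | ForEach-Object {
        $id = $_.Name
        # Each id folder holds one or more version folders, each with a manifest.json;
        # take the most recently written one.
        $manifest = Get-ChildItem -LiteralPath $_.FullName -Recurse -Filter manifest.json |
                    Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($manifest) {
            $m = Get-Content -LiteralPath $manifest.FullName -Raw | ConvertFrom-Json
            [pscustomobject]@{
                Id          = $id
                Name        = $m.name        # "__MSG_x__" means look in _locales for the real name
                Version     = $m.version
                Installed   = $_.CreationTime   # folder creation time, used as an install-date estimate
                Permissions = (@($m.permissions) -join ', ')
            }
        }
    }
}

Write-Host '== Sites allowed to send notifications =='
Get-ChromeNotificationGrants -ProfileDir $ProfileDir | Format-Table -AutoSize

Write-Host '== Installed extensions, newest first =='
Get-ChromeExtensionList -ProfileDir $ProfileDir |
    Sort-Object Installed -Descending | Format-Table -AutoSize
```

Run it with Chrome closed so the `Preferences` file is not mid-write. Sorting extensions by folder creation time puts a six-week-old arrival near the top, and any origin in the notification list that the user does not recognise is a candidate for the "Windows-level notification spam" category above. Edge uses the same profile layout under `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default`, so the same script works there by changing `-ProfileDir`.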
How We Fixed It
Removal in the correct order matters, because cleaning the extension before cleaning the persistence mechanism just means it comes back on the next reboot:
- Disabled the scheduled task first. Without this, anything else we did would be undone by the next user login.
- Removed the malicious extension from the browser.
- Reset browser settings to defaults: default search engine, new tab page, startup behaviour, site permissions including notifications.
- Cleared local browser cache and service workers for the affected domains so any cached scripts couldn’t re-establish themselves.
- Deleted the scheduled task properly (disabling alone leaves the trigger in place).
- Checked registry run keys and startup folder for any other persistence mechanisms.
- Ran three independent scanners on the machine, not just one. Different scanners catch different families.
- Rebooted, logged back in, waited ten minutes, then re-ran the scans to confirm nothing had reappeared.
- Full system health check while the machine was on the bench: disk health (SMART), RAM diagnostic, temperature monitoring under load, pending Windows updates, BIOS / firmware updates.
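The ordering argument above (persistence first, then the visible extension, then a proper delete rather than a disable) is easy to get wrong by hand. The script below is an added example, not the workshop's own tooling: it lists the three Windows persistence locations named in the steps (scheduled tasks with logon or boot triggers, the Run and RunOnce registry keys, and the per-user and all-users Startup folders) and, only when `-Remove` is supplied, disables and then unregisters one named task. The task name is a placeholder, not the one found on the customer's machine.

```powershell
# Added example (not the workshop's own tooling): enumerate the persistence
# locations checked in the removal steps, and optionally remove one scheduled
# task in the correct order (disable, then unregister). Read-only by default.
# Assumption: -TaskName is a placeholder, not the task seen on the real machine.
param(
    [string]$TaskName = 'PLACEHOLDER-SuspiciousTask',
    [switch]$Remove
)

function Get-LogonScheduledTasks {
    # Tasks that fire at logon or boot, outside the built-in \Microsoft\ folder.
    Get-ScheduledTask | Where-Object {
        $_.TaskPath -notlike '\Microsoft\*' -and
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -match 'LogonTrigger|BootTrigger' })
    } | ForEach-Object {
        [pscustomobject]@{
            TaskName = $_.TaskName
            Path     = $_.TaskPath
            State    = $_.State
            Action   = (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ')
        }
    }
}

function Get-RunKeyEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties that the registry provider adds to every Get-ItemProperty result.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-StartupFolderItems {
    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # this user
        [Environment]::GetFolderPath('CommonStartup')   # all users
    )
    foreach ($f in $folders) {
        if (Test-Path -LiteralPath $f) {
            Get-ChildItem -LiteralPath $f -File | Select-Object FullName, LastWriteTime
        }
    }
}

function Remove-SuspiciousTask {
    param([string]$Name)
    $task = Get-ScheduledTask -TaskName $Name -ErrorAction SilentlyContinue
    if (-not $task) { Write-Host "No scheduled task named '$Name' found."; return }
    # Disable first so a logon during cleanup cannot re-run it, then unregister:
    # a disabled task still keeps its trigger and action on disk.
    $task | Disable-ScheduledTask | Out-Null
    Unregister-ScheduledTask -TaskName $Name -TaskPath $task.TaskPath -Confirm:$false
    Write-Host "Removed scheduled task '$Name'."
}

Write-Host '== Scheduled tasks with logon/boot triggers =='
Get-LogonScheduledTasks | Format-Table -AutoSize
Write-Host '== Run / RunOnce registry entries =='
Get-RunKeyEntries | Format-Table -AutoSize
Write-Host '== Startup folder items =='
Get-StartupFolderItems | Format-Table -AutoSize

if ($Remove) { Remove-SuspiciousTask -Name $TaskName }
```

Run the audit from an elevated PowerShell session so tasks and HKLM entries belonging to other accounts are visible; then rerun it after the reboot-and-wait step to confirm the task has not been recreated, which is the check that tells you the persistence mechanism was the only one.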
The Result
The machine was clean on follow-up scans. No pop-ups in the browser, no desktop notifications, no scheduled task. We took the customer through how the original infection had likely arrived — almost certainly the fake-update prompt — so they could spot the next one before clicking it.
Why This Happens
The vast majority of “my laptop has a virus” complaints we see at the workshop are not viruses in the classic sense. They are adware browser extensions installed by the user — unknowingly — via one of three vectors:
- The fake update prompt. A web page tells the user their browser or Flash or “video player” needs updating, with a button that installs the extension. Real browser updates do not work this way. Chrome, Edge, Firefox and Safari all update silently in the background.
- The bundled free download. A “free PDF converter” or “free YouTube downloader” that quietly installs an additional extension during setup, on a screen the user clicks through.
- The unrelated extension that turned malicious. A legitimate extension that gets sold to a new owner and pushes an update that turns it into adware. This one is hard for users to defend against — the extension was clean when it was installed.
The adware itself is rarely sophisticated. Its goal is ad impressions, search redirects, or steering users to phone-scam landing pages. It is not interested in your files. But the same delivery vector can carry worse things, which is why we always do a full scan rather than just cleaning the visible symptom.
How to avoid the next infection
- Update browsers from the browser itself, not from a pop-up. Chrome: three dots → Help → About Chrome. Edge: three dots → Help and feedback → About. If a website tells you to update, close that tab.
- Review your browser extensions every few months. Anything you do not recognise, remove. Two or three useful extensions is normal; ten is a warning sign.
- Be careful with “free” downloads of paid software. If it should not be free, it usually has a hidden cost.
- Check installed programs once a quarter. Settings → Apps on Windows, Applications folder on macOS. Anything unfamiliar with a recent install date is worth investigating.
- Run a reputable scanner monthly even when nothing seems wrong. Windows Defender alone is good; pairing it occasionally with a second on-demand scanner catches things the first one misses.
Local Help in Putney SW15
Aggressive pop-ups, locked browser settings or ‘support call’ scareware all have different removal routes.
We clean the infection, fix the conditions that allowed it, and brief you on what changed.
Book a workshop visit on 020 7610 0500 or via the contact form.