A popup appears claiming your PC has 47 viruses. A red Windows Security alert warns of imminent data loss. A phone number is displayed for “Microsoft Support.” These are scareware and rogue software scams — deceptive programs that impersonate legitimate security tools to trick users into paying for fake services or installing actual malware.
What Is Rogue Software?
Rogue software (also called scareware or fake antivirus) is a category of malicious or deceptive program that mimics the appearance of legitimate security software. Its goal is to alarm users with fabricated threat reports and pressure them into:
- Purchasing a fake “full version” to remove invented threats
- Calling a fraudulent tech support number (toll fraud)
- Installing additional malware under the guise of a “fix”
- Surrendering remote access to their computer
Unlike traditional malware that tries to stay hidden, rogue software is deliberately visible — the fear it creates is the mechanism of attack.
How Rogue Software Is Distributed
Malvertising is the leading delivery channel. Malicious ads served on legitimate websites redirect users to pages that trigger drive-by downloads or display convincing popup alerts. The user doesn’t need to click anything beyond the initial ad.
Fake BSOD and alert pages are web-based scams that use JavaScript to display a full-screen message mimicking a Windows Blue Screen of Death or Windows Defender alert. The page plays an alarm sound and displays a phone number presented as Microsoft's. The browser is made difficult to close (fullscreen API abuse, dialog loops). Pressing F11 or using Task Manager exits the page.
Search engine poisoning places malicious websites at the top of search results for queries like “my PC is slow” or “remove virus free.” Users land on pages that immediately display fake scan animations.
Bundled installers include rogue security tools alongside legitimate free software, using the same techniques as adware distribution.
Recognizing Rogue Software
Legitimate security software behaves predictably. Rogue programs exhibit telltale signs:
| Legitimate AV | Rogue Software |
|---|---|
| Reports specific file paths | Vague “threats detected” with no details |
| Free version scans without payment | Demands payment before showing results |
| Purchased through known retailers | Payment page is unfamiliar, high-pressure |
| Does not block other programs | Blocks Task Manager, legitimate AV tools |
| Does not generate phone popups | Prominently displays phone numbers |
| Matches vendor you chose | Appeared without being installed |
Common historical families:
- WinFixer / WinAntiVirus / ErrorSafe — early 2000s pioneers, fined by the FTC
- Antivirus 360 / MS Antivirus — cloned Windows XP security center UI
- Windows Police Pro / Total Security — mimicked Windows 7 Action Center
- Advanced Mac Cleaner / MacKeeper — Mac-targeting variants with aggressive popups
Modern variants increasingly combine fake AV with tech support scam phone numbers rather than direct payment pages, making them harder to trace financially.
Removal Steps
Step 1: Don’t Pay or Call
If you see a popup with a phone number claiming to be Microsoft, Apple, or your ISP — do not call. Microsoft never proactively contacts users about infections. Calling connects you to scammers who will request remote access and charge hundreds of dollars.
If the browser is frozen in a fake alert loop, press Alt+F4 or use Ctrl+Alt+Delete → Task Manager → End Task on the browser process.
Step 2: Boot into Safe Mode
Rogue software often blocks security tools in normal boot. Restart into Safe Mode to limit what runs at startup:
Windows 11: Hold Shift while clicking Restart → Troubleshoot → Advanced options → Startup Settings → Restart → Press 4 for Safe Mode
In Safe Mode, most rogue software cannot load because it runs as a startup service or scheduled task.
Step 3: Run Malwarebytes
Download Malwarebytes Free from malwarebytes.com (on a clean device if needed, transferred via USB). Run a full scan. Malwarebytes specifically targets rogue software families and PUPs that traditional antivirus may classify ambiguously.
Quarantine all detections and restart.
Step 4: Run AdwCleaner
After Malwarebytes, run AdwCleaner to catch browser-based components, registry entries, and scheduled tasks that rogue software uses to reinstall itself.
Step 5: Check Installed Programs and Scheduled Tasks
Open Control Panel → Programs → Uninstall a program, sorted by installation date. Uninstall any security tools you didn’t intentionally install.
Check Task Scheduler (taskschd.msc) for tasks pointing to AppData or Temp directories and delete them.
Step 6: Verify Windows Defender Is Enabled
After removing the rogue software, confirm Windows Defender is active and running:
Windows Security → Virus & threat protection
Some rogue programs disable Windows Defender via registry or Group Policy. To re-enable:
Set-MpPreference -DisableRealtimeMonitoring $false
Or use gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Turn off Microsoft Defender Antivirus → Not Configured.
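The checks in Steps 5 and 6 can be gathered in one read-only pass. The script below is an added example, not part of the original guide; it assumes an elevated PowerShell session after the restart into normal Windows, and the 15-entry limit and the AppData/Temp pattern are illustrative choices.

```powershell
# Added example: read-only audit for Steps 5 and 6. Run elevated; changes nothing.

# Step 5a: most recently installed programs (InstallDate is yyyyMMdd when present)
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$recent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 15 DisplayName, Publisher, InstallDate

# Step 5b: scheduled tasks whose action runs from AppData or Temp
$suspectPath = '\\AppData\\|\\Temp\\'      # regex, matched case-insensitively
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no path
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute)
        if ("$exe $($action.Arguments)" -match $suspectPath) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $exe
                Arguments = $action.Arguments
            }
        }
    }
}

# Step 6: Defender runtime state, plus policy values that force it off
$status = Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected
$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$checks = @(
    @{ Key = $policyBase;                        Name = 'DisableAntiSpyware' },
    @{ Key = "$policyBase\Real-Time Protection"; Name = 'DisableRealtimeMonitoring' }
)
$policy = foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Value = $v; DisabledByPolicy = ($v -eq 1) }
}

'Recently installed programs:';        $recent       | Format-Table -AutoSize
'Tasks running from AppData or Temp:'; $suspectTasks | Format-Table -AutoSize -Wrap
'Defender status:';                    $status       | Format-List
'Defender policy overrides:';          $policy       | Format-Table -AutoSize
```

Some legitimate per-user updaters also run from AppData, so review each listed task before deleting it. If DisabledByPolicy is True, clear the policy through the gpedit.msc path above, because a policy value takes precedence over the Set-MpPreference setting.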
Reporting Scams
If you paid a fake tech support operation or bought rogue software:
- File a complaint with the FTC: reportfraud.ftc.gov
- Report to IC3 (Internet Crime Complaint Center): ic3.gov
- Contact your bank or credit card company immediately if you paid — fraud disputes can recover funds
- Report the website to Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish/
Browser vendors use these reports to block scam pages for all users.
Prevention
- Use a content blocker (uBlock Origin) — blocks the malvertising that delivers most scareware
- Keep browsers updated — browser exploits are patched regularly
- Enable SmartScreen in Edge and Windows Security — it flags known scam URLs
- Educate family members — elderly users are disproportionately targeted by phone-based variants
- Bookmark legitimate security tools — know what real Windows Security looks like so impersonators are obvious
Rogue software succeeds through confusion and urgency. A calm, methodical response — close the browser, don’t call the number, scan with real tools — is all it takes to neutralize the threat.