In Windows, what is scareware and how can I remove it?
About scareware
Scareware is a category of malicious software that poses as legitimate virus protection in an attempt to persuade or frighten you into providing personal or financial information to fraudulent developers or thieves. Though each scareware program will have effects and enforced user limitations of its own, a general trait of scareware is to notify you of virus infections and request you purchase protective software that is most likely inactive or malicious itself.
The alert notifications these programs generate are often single,
large interfaces or a series of dialog boxes, sometimes numbering in
the dozens, that reference or scan actual files on your computer and
prevent the use of user and system programs. These prompts may mirror
or imitate native Windows utilities like the Action Center or Windows
Firewall, but often include a year in their title (e.g., Windows
Internet Security 2012). More notification prompts often
appear for each process initiated, and in some cases you may be
completely unable to interact with your computer in any way.
Scareware files can piggy-back with browser add-ons, custom social networking media or chat platforms, games, or online advertisements. Luckily, they tend to be few in number (one to three), install themselves in one of a few possible hidden locations, and can be deleted without issue once you're able to access and modify the file system.
Avoiding scareware infections
No single utility or preventative software can protect all computers from scareware. The best prevention is to be wary of online advertisements and games, and avoid unfamiliar software downloads. In short, don't allow any program or web site to have access to your system or install applications or utilities you don't expressly want or need.
Finding and deleting scareware infections
Prerequisite step for all methods
Note: The following instructions are not guaranteed to remove scareware infections. In some cases, it might be necessary to reformat your hard drive and reinstall Windows in order to remove an infection. However, it's a good idea to try these steps first.
To search for and delete scareware infections, you must first load your computer into Safe Mode with Networking and log into the affected user profile. It is unlikely that the scareware will initialize and prevent the following procedures when you're in Safe Mode. If you experience the alert notifications or are unable to access your system files in Safe Mode, contact the Support Center.
Windows 7, Vista, and XP (General)
- Run a full scan of recently updated Windows Defender, delete all found infections, and restart your computer; see What is Windows Defender and how do I use it?
- Run a System Restore from a recent restore point to resolve any potential preference or file type association issues caused by scareware; see In Windows, how can I restore my computer to a previous configuration?
Windows 7 and Vista (Advanced)
1. Open Computer. If you don't see the Tools menu, press F10. From the Tools menu, select Folder Options....
2. In the Folder Options window, click the View tab.
3. In the list of "Advanced settings", underneath "Hidden files and folders", select Show hidden files, folders, and drives, and click OK.
4. If you are able to enter the address C:\ProgramData in the address bar and reach this destination, skip to step 6.
5. Open the C: drive or local system disk. You should now see a slightly opaque ProgramData folder; open this.
6. In ProgramData, view the contents as Details and sort by descending Date modified.
7. Look for odd executable (.exe) or application files that were last modified around the date or time you experienced symptoms of scareware. The names of these files tend to be random strings of letters and/or numbers (e.g., avsgh.exe, gad6.exe), and they can have icons imitating legitimate Windows utilities. Drag any of these files to the Recycle Bin as a temporary placeholder, being sure not to open them. Check recently modified subfolders for similar files as well.
   Note: Folders named in long hexadecimal strings surrounded by curly braces, e.g., {1234ABCD-EF56-...}, most likely contain important configuration files and should not be modified.
8. If you are able to enter C:\Users\your_Windows_username\AppData in the address bar and reach this destination, skip to step 11.
9. Go back to the main directory of the C: drive and open the Users folder.
10. In this folder, you should be able to open your Windows username directory. In this directory, you should see another slightly opaque folder named AppData. Open it.
11. AppData contains three temporary, configuration, and profile file repositories: Local, LocalLow, and Roaming. Follow the instructions from step 7 for each of these folders, being sure not to actually delete the files you move to the Recycle Bin.
12. Restart your computer normally to see if the infection has been removed. If so, make sure that all files in the Recycle Bin were placed there by you or another computer user, remove necessary files from the bin, and empty it. If you like, you can revert the hidden file/folder options to their original settings. Run a recent System Restore to restore potentially altered preference settings and file type associations. If your computer is still infected by scareware, try to complete the general instructions, or contact the Support Center.
Windows XP (Advanced)
1. Open My Computer. If you don't see the Tools menu, press F10. From the Tools menu, select Folder Options....
2. In the Folder Options window, click the View tab.
3. In the list underneath "Advanced settings", select Show hidden files and folders, and click OK at the bottom of the window.
4. Open the C: drive or local system disk. If you are able to enter the address C:\Documents and Settings\your_Windows_username\Application Data in the address bar and reach this destination, skip to step 6.
5. Navigate to Documents and Settings and then your Windows username. You should now see a slightly opaque Application Data folder. Open it.
6. In Application Data, view the contents as Details and sort by descending Date modified.
7. Look for odd executable (.exe) or application files that were last modified around the date or time you experienced symptoms of scareware. The names of these files tend to be random strings of letters and/or numbers (e.g., avsgh.exe, gad6.exe), and they can have icons imitating legitimate Windows utilities. Drag any of these files to the Recycle Bin as a temporary placeholder, being sure not to open them. Check recently modified subfolders for similar files as well.
   Note: Folders named in long hexadecimal strings surrounded by curly braces, e.g., {1234ABCD-EF56-...}, most likely contain important configuration files and should not be modified.
8. If you are able to enter C:\Documents and Settings\your_Windows_username\Local Settings in the address bar and reach this destination, skip to step 10.
9. Go back to the Windows username directory of Documents and Settings and open the opaque Local Settings folder.
10. Local Settings contains three temporary, configuration, and profile file repositories: Application Data, Temp, and Apps. Follow the instructions from step 7 for each of these folders, being sure not to actually delete the files you move to the Recycle Bin.
11. Restart your computer normally to see if the infection has been removed. If so, make sure that all files in the Recycle Bin were placed there by you or another computer user, remove necessary files from the bin, and empty it. If you like, you can revert the hidden file/folder options to their original settings. Run a recent System Restore to restore potentially altered preference settings and file type associations. If your computer is still infected by scareware, try to complete the general instructions, or contact the Support Center.
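
The manual search in both advanced procedures above (Windows 7/Vista and XP) can also be produced as a read-only listing from PowerShell in Safe Mode. This is an added example, not part of the original article; it assumes PowerShell 2.0 or later is installed, and the function name, the time window, the short-name check and the signature column are assumptions made for illustration.

```powershell
# Added example: read-only listing. It does not move, open or delete any file.
function Find-RecentExecutable {
    param(
        [Parameter(Mandatory = $true)]
        [datetime]$SymptomTime,   # when the fake alerts first appeared
        [int]$WindowDays = 2      # assumption: days to look either side of that time
    )

    # Folders named in the steps: ProgramData and AppData (Windows 7/Vista),
    # Application Data and Local Settings (XP). Missing ones are dropped.
    $roots = @(
        @(
            $env:ProgramData,
            (Join-Path $env:USERPROFILE 'AppData'),
            (Join-Path $env:USERPROFILE 'Application Data'),
            (Join-Path $env:USERPROFILE 'Local Settings')
        ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    )

    $from = $SymptomTime.AddDays(-$WindowDays)
    $to   = $SymptomTime.AddDays($WindowDays)
    $guidFolder = '\\\{[0-9A-Fa-f-]{8,}\}\\'   # a {1234ABCD-EF56-...} path segment

    # -Force includes hidden items; files under {GUID}-named folders are skipped
    # because the note in step 7 says to leave those folders alone.
    $hits = @(foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and $_.Extension -eq '.exe' -and
                $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to -and
                $_.FullName -notmatch $guidFolder
            }
    })

    # ShortAlnumName flags names shaped like avsgh.exe or gad6.exe (a weak hint only).
    # Signature is an extra column that is not part of the article's steps.
    $hits | Sort-Object LastWriteTime -Descending |
        Select-Object LastWriteTime, FullName,
            @{ Name = 'ShortAlnumName'; Expression = { $_.BaseName -match '^[A-Za-z0-9]{3,8}$' } },
            @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }
}

# Constructed sample date; replace it with when the alerts started.
Find-RecentExecutable -SymptomTime '2013-01-05 14:00' | Format-List
```

Legitimate programs also install executables in these folders, so treat the output as a list of candidates to review in step 7, not as a verdict.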
Last modified on January 07, 2013.







