UITS

In Windows, what is scareware and how can I remove it?

About scareware

Scareware is a category of malicious software that poses as legitimate virus protection in an attempt to persuade or frighten you into providing personal or financial information to fraudulent developers or thieves. Though each scareware program has its own effects and imposes its own limitations on the user, a general trait of scareware is to notify you of virus infections and request that you purchase protective software that is most likely inactive or malicious itself.

The alert notifications these programs generate are often single, large interfaces or a series of dialog boxes, sometimes numbering in the dozens, that reference or scan actual files on your computer and prevent the use of user and system programs. These prompts may mirror or imitate native Windows utilities like the Action Center or Windows Firewall, but often include a year in their title (e.g., Windows Internet Security 2012). More notification prompts often appear for each process initiated, and in some cases you may be completely unable to interact with your computer in any way.

Scareware files can piggyback on browser add-ons, custom social networking media or chat platforms, games, or online advertisements. Luckily, they tend to be few in number (one to three), install themselves in one of a few possible hidden locations, and can be deleted without issue once you're able to access and modify the file system.

Avoiding scareware infections

No single utility or preventative software can protect all computers from scareware. The best prevention is to be wary of online advertisements and games, and avoid unfamiliar software downloads. In short, don't allow any program or website to have access to your system or install applications or utilities you don't expressly want or need.

Finding and deleting scareware infections

Prerequisite step for all methods

Note: The following instructions are not guaranteed to remove scareware infections. In some cases, it might be necessary to reformat your hard drive and reinstall Windows in order to remove an infection. However, it's a good idea to try these steps first.

To search for and delete scareware infections, you must first load your computer into Safe Mode with Networking and log into the affected user profile. It is unlikely that the scareware will initialize and prevent the following procedures when you're in Safe Mode. If you experience the alert notifications or are unable to access your system files in Safe Mode, contact the Support Center.

Windows 8.x, 7, and Vista (General)

  1. Run a full scan with recently updated security software, and remove any harmful programs.

    Note: For personal computers, UITS recommends Windows Defender for Windows 8.x, which comes as part of Windows 8.x as a full antivirus suite. For Windows 7 and Vista, UITS recommends Microsoft Security Essentials, available free of charge via IUware. Be sure to have only one antivirus program installed.

  2. Run a System Restore from a recent restore point to resolve any potential preference or file type association issues caused by scareware; see In Windows, how can I restore my computer to a previous configuration?

Windows 8.x, 7, and Vista (Advanced)

  1. In Windows 7 and Vista, open Computer. If you don't see the Tools menu, press F10. From the Tools menu, select Folder Options.... In Windows 8.x, go to your start screen and type control panel. When you see the Control Panel option, click it. In the Control Panel, change the View by: option in the top right to Large icons and find Folder Options.
  2. In the "Folder Options" window, click the View tab.
  3. In the list of "Advanced settings", underneath "Hidden files and folders", select Show hidden files, folders, and drives, and click OK.
  4. If you are able to enter the address C:\ProgramData in the address bar and reach this destination, skip to step 6.
  5. Open the C: drive or local system disk. You should now see a slightly opaque ProgramData folder; open this.
  6. In ProgramData, view the contents as Details and sort by descending Date modified.
  7. Look for odd executable (.exe) or application files that were last modified around the date or time you experienced symptoms of scareware. The names of these files tend to be random strings of letters and/or numbers (e.g., avsgh.exe, gad6.exe), and they can have icons imitating legitimate Windows utilities. Drag any of these files to the Recycle Bin as a temporary placeholder, being sure not to open them. Check recently modified subfolders for similar files as well.

    Note: Folders named in long hexadecimal strings surrounded by curly braces, e.g., {1234ABCD-EF56-...}, most likely contain important configuration files and should not be modified.

  8. If you are able to enter C:\Users\your_Windows_username\AppData in the address bar and reach this destination, skip to step 11.
  9. Go back to the main directory of the C: drive and open the Users folder.
  10. In this folder, you should be able to open your Windows username directory. In this directory, you should see another slightly opaque folder named AppData. Open it.
  11. AppData contains three repositories for temporary, configuration, and profile files: Local, LocalLow, and Roaming. Follow the instructions from step 7 for each of these folders, being sure not to actually delete the files you move to the Recycle Bin.
  12. Restart your computer normally to see if the infection has been removed. If so, make sure that all files in the Recycle Bin were placed there by you or another computer user, restore any files you need from the bin, and then empty it. If you like, you can revert the hidden file/folder options to their original settings. Run a recent System Restore to restore potentially altered preference settings and file type associations. If your computer is still infected by scareware, try to complete the general instructions, or contact the Support Center.
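
The folder review in steps 4 through 11 can also be done as a single read-only listing from PowerShell. This is an added example, not part of the original UITS instructions; the parameter names SymptomDate and WindowDays and the InBraceFolder column are assumptions made for illustration. It only lists files and does not open, move, or delete anything.

```powershell
# Added example: read-only listing; nothing is moved or deleted.
param(
    # Assumption: the date symptoms first appeared; defaults to today.
    [datetime]$SymptomDate = (Get-Date),
    # Assumption: how many days either side of that date to include.
    [int]$WindowDays = 3
)

# Locations named in the steps above: ProgramData and the three AppData folders.
$appData = Split-Path -Parent $env:APPDATA   # C:\Users\<name>\AppData
$roots = @(
    $env:ProgramData,
    (Join-Path $appData 'Local'),
    (Join-Path $appData 'LocalLow'),
    (Join-Path $appData 'Roaming')
)

$from = $SymptomDate.Date.AddDays(-$WindowDays)
$to   = $SymptomDate.Date.AddDays($WindowDays + 1)

# Folder names that are a brace-wrapped hexadecimal string, e.g. {1234ABCD-EF56-...}
$braceFolder = '\\\{[0-9A-Fa-f-]+\}(\\|$)'

$candidates = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden files; access errors are skipped, not fatal.
    Get-ChildItem -LiteralPath $root -Filter *.exe -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (-not $_.PSIsContainer) -and
            ($_.LastWriteTime -ge $from) -and ($_.LastWriteTime -lt $to)
        }
}

# Newest first, matching the "sort by descending Date modified" step.
$candidates |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName,
        @{ Name = 'InBraceFolder'; Expression = { $_.DirectoryName -match $braceFolder } } |
    Format-Table -AutoSize
```

Run it in Safe Mode from the affected user profile. Rows with InBraceFolder set to True sit inside the brace-named folders that the note under step 7 says should not be modified.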

This is document bbwq in the Knowledge Base.
Last modified on 2015-03-12.
