About scareware in Windows

On this page:

About scareware

Scareware is a category of malicious software that poses as legitimate virus protection in an attempt to persuade or frighten you into providing personal or financial information to fraudulent developers or thieves. Though each scareware program will have effects and enforced user limitations of its own, a general trait of scareware is to notify you of virus infections and request you purchase protective software that is most likely inactive or malicious itself.

The alert notifications these programs generate are often single, large interfaces or a series of dialog boxes, sometimes numbering in the dozens, that reference or scan actual files on your computer and prevent the use of user and system programs. These prompts may mirror or imitate native Windows utilities like the Action Center or Windows Firewall, but often include a year in their title (for example, Windows Internet Security 2012). More notification prompts often appear for each process initiated, and in some cases you may be completely unable to interact with your computer in any way.

Scareware files can piggy-back with browser add-ons, custom social networking media or chat platforms, games, or online advertisements. Luckily, they tend to be few in number (one to three), install themselves in one of a few possible hidden locations, and can be deleted without issue once you're able to access and modify the file system.

Avoid scareware infections

No single utility or preventative software can protect all computers from scareware. The best prevention is to be wary of online advertisements and games, and avoid unfamiliar software downloads. In short, don't allow any program or website to have access to your system or install applications or utilities you don't expressly want or need.

Find and delete scareware infections

Prerequisite step for all methods

These instructions are not guaranteed to remove scareware infections. In some cases, it might be necessary to reformat your hard drive and reinstall Windows in order to remove an infection; however, it's a good idea to try these steps first.

To search for and delete scareware infections, you must first load your computer into Safe Mode with Networking and log into the affected user profile. It is unlikely that the scareware will initialize and prevent the following procedures when you're in Safe Mode. If you experience the alert notifications or are unable to access your system files in Safe Mode, contact the Support Center.

Windows (general)

  1. Run a full scan with recently updated security software, and remove any harmful programs.
    For recommendations about antivirus software, see Recommended antivirus software at IU.
  2. Run a System Restore from a recent restore point to resolve any potential preference or file type association issues caused by scareware; see Restore your Windows computer to a previous configuration

Windows (advanced)

  1. Search for and open Folder Options.
  2. In the "Folder Options" window, click the View tab.
  3. In the list of "Advanced settings", underneath "Hidden files and folders", select Show hidden files, folders, and drives, and click OK.
  4. If you are able to enter the address C:\ProgramData in the address bar and reach this destination, skip to step 6.
  5. Open the C: drive or local system disk. You should now see a slightly opaque ProgramData folder; open this.
  6. In ProgramData, view the contents as Details and sort by descending Date modified.
  7. Look for odd executable (.exe) or application files that were last modified around the date or time you experienced symptoms of scareware. The names of these files tend to be random strings of letters and/or numbers (for example, avsgh.exe, gad6.exe), and they can have icons imitating legitimate Windows utilities. Drag any of these files to the Recycle Bin as a temporary placeholder, being sure not to open them. Check recently modified subfolders for similar files as well.
    Folders named in long hexadecimal strings surrounded by curly braces, for example, {1234ABCD-EF56-...}, most likely contain important configuration files and should not be modified.
  8. If you are able to enter C:\Users\your_Windows_username\AppData in the address bar and reach this destination, skip to step 11.
  9. Go back to the main directory of the C: drive and open the Users folder.
  10. In this folder, you should be able to open your Windows username directory. In this directory, you should see another slightly opaque folder named AppData. Open it.
  11. AppData contains three temporary, configuration, and profile file repositories: Local, LocalLow, and Roaming. Follow the instructions from step 7 for each of these folders, being sure not to actually delete the files you move to the Recycle Bin.
  12. Restart your computer normally to see if the infection has been removed. If so, make sure that all files in the Recycle Bin were placed there by you or another computer user, remove necessary files from the bin, and empty it. If you like, you can revert the hidden file/folder options to their original settings. Run a recent System Restore to restore potentially altered preference settings and file type associations. If your computer is still infected by scareware, try to complete the general instructions, or contact the Support Center.

Related documents

This is document bbwq in the Knowledge Base.
Last modified on 2021-12-02 16:30:11.