Indiana University
University Information Technology Services
  

In Windows, what is scareware and how can I remove it?

About scareware

Scareware is a category of malicious software that poses as legitimate virus protection in an attempt to persuade or frighten you into providing personal or financial information to fraudulent developers or thieves. Each scareware program has its own effects and imposes its own limitations on the user, but a general trait of scareware is that it notifies you of virus infections and asks you to purchase protective software that is most likely inactive or malicious itself.

The alert notifications these programs generate are often single, large interfaces or a series of dialog boxes, sometimes numbering in the dozens, that reference or scan actual files on your computer and prevent the use of user and system programs. These prompts may mirror or imitate native Windows utilities like the Action Center or Windows Firewall, but often include a year in their title (e.g., Windows Internet Security 2012). More notification prompts often appear for each process initiated, and in some cases you may be completely unable to interact with your computer in any way.

Scareware files can piggyback on browser add-ons, custom social networking media or chat platforms, games, or online advertisements. Luckily, they tend to be few in number (one to three), install themselves in one of a few possible hidden locations, and can be deleted without issue once you're able to access and modify the file system.


Avoiding scareware infections

No single utility or preventative software can protect all computers from scareware. The best prevention is to be wary of online advertisements and games, and avoid unfamiliar software downloads. In short, don't allow any program or web site to have access to your system or install applications or utilities you don't expressly want or need.


Finding and deleting scareware infections

Prerequisite step for all methods

Note: The following instructions are not guaranteed to remove scareware infections. In some cases, it might be necessary to reformat your hard drive and reinstall Windows in order to remove an infection. However, it's a good idea to try these steps first.

To search for and delete scareware infections, you must first load your computer into Safe Mode with Networking and log into the affected user profile. It is unlikely that the scareware will initialize and prevent the following procedures when you're in Safe Mode. If you experience the alert notifications or are unable to access your system files in Safe Mode, contact the Support Center.


Windows 8.x, 7, and Vista (Advanced)

  1. In Windows 7 and Vista, open Computer. If you don't see the Tools menu, press F10. From the Tools menu, select Folder Options...

    In Windows 8.x, go to your Start screen and type control panel. When you see the Control Panel option, click it. In the Control Panel, change the View by: option in the top right to Large icons and find Folder Options.

  2. In the Folder Options window, click the View tab.

  3. In the list of "Advanced settings", underneath "Hidden files and folders", select Show hidden files, folders, and drives, and click OK.

  4. If you are able to enter the address C:\ProgramData in the address bar and reach this destination, skip to step 6.

  5. Open the C: drive or local system disk. You should now see a slightly faded (semi-transparent) ProgramData folder; open this.

  6. In ProgramData, view the contents as Details and sort by descending Date modified.

  7. Look for odd executable (.exe) or application files that were last modified around the date or time you experienced symptoms of scareware. The names of these files tend to be random strings of letters and/or numbers (e.g., avsgh.exe, gad6.exe), and they can have icons imitating legitimate Windows utilities. Drag any of these files to the Recycle Bin as a temporary placeholder, being sure not to open them. Check recently modified subfolders for similar files as well.

    Note: Folders named in long hexadecimal strings surrounded by curly braces, e.g., {1234ABCD-EF56-...}, most likely contain important configuration files and should not be modified.

  8. If you are able to enter C:\Users\your_Windows_username\AppData in the address bar and reach this destination, skip to step 11.

  9. Go back to the main directory of the C: drive and open the Users folder.

  10. In this folder, you should be able to open your Windows username directory. In this directory, you should see another slightly faded (semi-transparent) folder named AppData. Open it.

  11. AppData contains three repositories for temporary, configuration, and profile files: Local, LocalLow, and Roaming. Follow the instructions from step 7 for each of these folders, being sure not to actually delete the files you move to the Recycle Bin.

  12. Restart your computer normally to see if the infection has been removed. If so, make sure that all files in the Recycle Bin were placed there by you or another computer user, restore any files you need from the bin, and empty it. If you like, you can revert the hidden file/folder options to their original settings. Run System Restore from a recent restore point to restore potentially altered preference settings and file type associations. If your computer is still infected by scareware, try to complete the general instructions, or contact the Support Center.


Windows 7, Vista, and XP (General)

Important: As of April 8, 2014, Microsoft no longer supports Windows XP with security updates. To ensure the highest security standards, the UITS Support Center no longer registers Windows XP devices to the IU network. UITS strongly recommends that you look into the options for replacing or upgrading your Windows XP computers for full compatibility with IU systems. See About end of life for Windows XP.

  1. Run a full scan with recently updated security software, and remove any harmful programs.

    Note: For personal computers, UITS recommends Windows Defender for Windows 8.x, which comes as part of Windows 8.x as a full antivirus suite. Be aware that the earlier version of Windows Defender on IUware is not the full suite, but an anti-spyware program only. For Windows 7 and Vista, UITS recommends Microsoft Security Essentials, available free of charge via IUware. Be sure to have only one antivirus program installed.

  2. Run a System Restore from a recent restore point to resolve any potential preference or file type association issues caused by scareware; see In Windows, how can I restore my computer to a previous configuration?


Windows XP (Advanced)

Important: As of April 8, 2014, Microsoft no longer supports Windows XP with security updates. To ensure the highest security standards, the UITS Support Center no longer registers Windows XP devices to the IU network. UITS strongly recommends that you look into the options for replacing or upgrading your Windows XP computers for full compatibility with IU systems. See About end of life for Windows XP.

  1. Open My Computer. If you don't see the Tools menu, press F10. From the Tools menu, select Folder Options...

  2. In the Folder Options window, click the View tab.

  3. In the list underneath "Advanced settings", select Show hidden files and folders, and click OK at the bottom of the window.

  4. Open the C: drive or local system disk. If you are able to enter the address C:\Documents and Settings\your_Windows_username\Application Data in the address bar and reach this destination, skip to step 6.

  5. Navigate to Documents and Settings and then your Windows username. You should now see a slightly faded (semi-transparent) Application Data folder. Open it.

  6. In Application Data, view the contents as Details and sort by descending Date modified.

  7. Look for odd executable (.exe) or application files that were last modified around the date or time you experienced symptoms of scareware. The names of these files tend to be random strings of letters and/or numbers (e.g., avsgh.exe, gad6.exe), and they can have icons imitating legitimate Windows utilities. Drag any of these files to the Recycle Bin as a temporary placeholder, being sure not to open them. Check recently modified subfolders for similar files as well.

    Note: Folders named in long hexadecimal strings surrounded by curly braces, e.g. {1234ABCD-EF56-...}, most likely contain important configuration files and should not be modified.

  8. If you are able to enter C:\Documents and Settings\your_Windows_username\Local Settings in the address bar and reach this destination, skip to step 10.

  9. Go back to the Windows username directory of Documents and Settings and open the faded (semi-transparent) Local Settings folder.

  10. Local Settings contains three repositories for temporary, configuration, and profile files: Application Data, Temp, and Apps. Follow the instructions from step 7 for each of these folders, being sure not to actually delete the files you move to the Recycle Bin.

  11. Restart your computer normally to see if the infection has been removed. If so, make sure that all files in the Recycle Bin were placed there by you or another computer user, restore any files you need from the bin, and empty it. If you like, you can revert the hidden file/folder options to their original settings. Run System Restore from a recent restore point to restore potentially altered preference settings and file type associations. If your computer is still infected by scareware, try to complete the general instructions, or contact the Support Center.
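
The folder searches in both Advanced procedures above (ProgramData and AppData on Windows 8.x, 7, and Vista; Application Data and Local Settings on Windows XP) can be done in one pass from a PowerShell prompt in Safe Mode. This is an added example, not part of the original UITS document: the function name Find-RecentExecutable, the sample date, and the three-day window are assumptions, and PowerShell is an optional install on Windows XP.

```powershell
# Added example: read-only listing. It never opens, moves, or deletes a file.
# Assumptions: set $SymptomDate to when the alerts began; $WindowDays is arbitrary.
$SymptomDate = Get-Date '2014-03-18'   # constructed sample date
$WindowDays  = 3

# Vista/7/8.x define %ProgramData%; Windows XP does not, so use the XP folders there.
if ($env:ProgramData) {
    $roots = @($env:ProgramData,
               (Join-Path $env:USERPROFILE 'AppData\Local'),
               (Join-Path $env:USERPROFILE 'AppData\LocalLow'),
               (Join-Path $env:USERPROFILE 'AppData\Roaming'))
} else {
    $roots = @((Join-Path $env:USERPROFILE 'Application Data'),
               (Join-Path $env:USERPROFILE 'Local Settings'))
}

# Hypothetical helper: returns .exe files modified within $Days of $Around.
function Find-RecentExecutable {
    param([string[]]$Roots, [datetime]$Around, [int]$Days)
    $from = $Around.AddDays(-$Days)
    $to   = $Around.AddDays($Days)
    # Folders named like {1234ABCD-EF56-...} hold configuration files; skip them.
    $guidFolder = '\\\{[0-9A-Fa-f-]{8,}\}(\\|$)'
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes the hidden items that Explorer hides by default.
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $_.Extension -ieq '.exe' -and
                $_.LastWriteTime -ge $from -and
                $_.LastWriteTime -le $to -and
                $_.DirectoryName -notmatch $guidFolder
            }
    }
}

# Newest first, matching the "sort by descending Date modified" step.
Find-RecentExecutable -Roots $roots -Around $SymptomDate -Days $WindowDays |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, Length, FullName -AutoSize
```

The listing will also include legitimate programs that happened to update in the same window, so review each entry against the naming and icon clues in step 7 before moving anything to the Recycle Bin.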


This is document bbwq in domain all.
Last modified on March 20, 2014.
