Wednesday, June 1, 2011

Identifying and Removing Scare-Ware

What's Scare-Ware?
Scare-Ware is a form of malicious software that imitates a virus scanner and tries to trick the user into purchasing the "full" virus scanner software. Of course, since this is actually a fake program, entering any credit card information will inevitably lead to your information being stolen. Never "buy" this software. Never purchase anything you did not specifically ask to purchase. Real virus scanning software is downloaded manually. If you didn't download this software, it's probably scare-ware!

How does it work?
Scare-Ware usually sets up camp in two ways. First, it hides the actual program file (called an executable) by marking the file as both hidden and as a protected operating system file. Then, it edits the Windows registry so that every time a program is opened, the scare-ware's executable is launched too. This can be frustrating, since every program you try to open (even real antivirus programs) will prompt the redeployment of the malware.

Repair and Removal
Note: Removing scare-ware is a multi-step process, and the process I am going to describe may not work for every case of scare-ware.

Step 1: Breaking the cycle

-Download this ZIP file and extract the contents to your desktop (mirror links at the bottom of this post).
-When asked for a password, type 'wrk' without the quotes
-Press Ctrl + Shift + Esc to open the Task Manager, and then minimize it
-Open a program (like Windows Notepad) to invoke the malware to appear.
-Once the malware window pops up, minimize that, and then switch to the Task Manager window
-On the Applications Tab, find the malware's program (it will have the same name as the malware window)
-Right Click the malware name in the task manager, and then click "Go to Process"
-Write down the name of the highlighted process on a piece of paper.
-Right click the process, and click Properties.
-Write down the folder path (next to 'Location:')
-Close the Properties window (NOT the Task Manager, though)
-Right Click whatever Process is now highlighted, and click End Process Tree
-If a box appears asking to confirm ending the process, click End Process.
-Now close Task Manager.
-On your desktop, double click the file named "EXE (Fix)" and confirm adding it to the registry.
-Immediately restart your computer. I recommend a hard power cycle, rather than letting it power down.
-When Windows is up and ready to use again, press Ctrl + Shift + Esc to open Task Manager.
-Open the Processes tab, and look to see if the malware process is running. If not, you have broken the cycle! If so, I'm afraid your problem may be outside the scope of this tutorial.
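A way to confirm the registry hijack described in "How does it work?" and to verify that the "EXE (Fix)" step actually undid it, as an added PowerShell example that is not part of the original post and is not the contents of the EXE (Fix) file: it reads the registry keys that decide what runs when a .exe is opened and reports whether each still holds the stock value. It assumes the scare-ware used the .exe file-association hijack; run it before Step 1 to confirm the diagnosis and again after the restart.

```powershell
# Added example, not from the original post. Assumes a Windows host with PowerShell.
# Windows decides what to launch when a .exe is opened by reading the default value
# of exefile\shell\open\command. Unmodified, that value is  "%1" %*  (run the file
# itself with its arguments). Scare-ware of the kind described above changes it so
# its own executable runs first; a .reg fix restores the stock value.

$ExpectedCommand = '"%1" %*'

# Keys Windows consults for the .exe association. The per-user key under HKCU
# overrides the machine-wide one, so a clean HKCR value alone proves nothing.
$AssociationKeys = @(
    'HKCU:\Software\Classes\exefile\shell\open\command',
    'HKLM:\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
)

function Test-ExeAssociation {
    param(
        [string[]]$Keys = $AssociationKeys,
        [string]$Expected = $ExpectedCommand
    )
    foreach ($Key in $Keys) {
        $Item = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
        if ($null -eq $Item) {
            # Absent is normal for the HKCU key; only a present, altered value matters.
            [pscustomobject]@{ Key = $Key; Value = $null; Status = 'absent' }
            continue
        }
        $Value  = [string]$Item.GetValue('')        # '' names the (Default) value
        $Status = if ($Value.Trim() -eq $Expected) { 'ok' } else { 'MODIFIED' }
        [pscustomobject]@{ Key = $Key; Value = $Value; Status = $Status }
    }
}

# Any row marked MODIFIED shows the command that is being run in place of the
# program you double-clicked; its path is the one to write down for Step 2.
Test-ExeAssociation | Format-Table -AutoSize
```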

Step 2: Removing the Malware Executable
-Open a My Computer window.
-Click 'Tools' and then 'Folder Options'
-Click on the 'View' tab.
-Look for an option that says "Show hidden files, folders and drives"
-Click the circle next to "Show hidden files, folders and drives"
-Uncheck the box next to "Hide protected operating system files"
-Click Apply, and close the window.
-Now look at the folder path you wrote down in step one, and navigate to that folder.
-You should see a file with the same name as the malware process you ended in step one
-Delete that file, and then empty your Recycle Bin.
-Go back to "Folder Options", and recheck the "Hide protected operating system files" box
-Click the circle next to "Don't show hidden files, folders, or drives" and then click Apply.
-You're finished :)

Notes:
Mirror Link 1
Mirror Link 2
Mirror Link 3
Mirror Link 4

-If you can't find the malware executable in step 2, run a full system search for the malware process's name.
-The ZIP archive password is wrk