
How to – Removing Security Shield (Fake Antivirus) Malware

After a quiet couple of months, during which fake antivirus pop-ups had stopped being a daily issue in tech support, this week we had the return of an oldie but goodie.

We received calls from a couple of clients with a pop-up for the "Green Dot Security Shield". After comparing what each client was doing, we believe the pop-up most likely appeared while each client was browsing the same major website (I will not name the site for now, since we can't prove our theory, but the suspected site has been notified). Remember, pop-ups like these can appear while surfing any part of the internet; it does not only happen to people who visit the shady side of the web.

What you see when you get infected

While browsing, you will see a pop-up (like the example below) that looks like an antivirus program, with a message that infected files have been found. This is why it is important to know which antivirus / antimalware software you actually have installed and what its windows look like: the fake one will not match.

[Screenshot: the "Green Dot Security Shield" fake antivirus pop-up]

Once this pop-up is on the screen, you will find that you can no longer open various programs (including your real malware cleaner and, often, Task Manager), because the pop-up has already started making changes to your PC. If you get to this stage, you NEVER NEVER NEVER want to click on any part of the window or any of its follow-up messages; even buttons that say "Ignore" or "Skip" will continue the infection. Instead, power off the PC and start it in Safe Mode. On Windows XP, Vista and 7, press the F8 key repeatedly as soon as you power on, before the Windows logo appears, until the boot menu comes up, then select "Safe Mode with Networking" (example below). Safe Mode only loads the core Windows drivers and services, so the malware's startup entry is not run and you can get at it.


Once you are booted into Safe Mode with Networking, launch CCleaner. If you don't have it installed already, you can download it from the Piriform website (http://www.piriform.com/ccleaner). If the infected PC cannot reach the download page even in Safe Mode, download the installer on a clean computer and carry it over on a USB stick. Once installed and opened, go to Tools (on the left side) and then select Startup. This gives you a complete view of everything that is set to start automatically on your PC.


Look for lines for programs that are set to start automatically with names like qfhsl.exe. (Your line may use a different name, and there may be more than one: this malware picks a random-looking file name for each infection.) If you are not sure whether an .exe file is legitimate, use a search engine (like Google or Bing) and search for each .exe name. A random-looking name that turns up no search results and points into a user profile folder is itself a red flag.


If you are not sure whether an item is legitimate, disable it; if you know the item is NOT legitimate, you can delete it right from the CCleaner application. In addition, if you know the file is not legitimate, make a note of the listed location, go to that location and manually delete the file as well, as in this example for qfhsl.exe. Deleting only the startup entry leaves the executable on disk, and deleting only the file leaves a dangling entry, so do both.


This specific Green Dot malware can be found in

C:\Documents and Settings\(user name of the user signed in at the time of infection)\Local Settings\Application Data\ (for XP)

C:\Users\(user name of the user signed in at the time of infection)\AppData\Local\ (for Windows Vista and Windows 7)

Both of these folders are hidden by default, so if Windows Explorer does not show them, enable "Show hidden files and folders" in Folder Options first, or type the full path into the Explorer address bar.
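The same check can be done from the command line instead of the CCleaner window. The following is an added example, not code from the original post or from CCleaner: it reads the registry Run keys that feed the startup list, pulls the executable path out of each entry, and flags entries that match the pattern described above (a short random-looking .exe name sitting directly in the signed-in user's local application-data folder, unsigned or missing). The key list, the name heuristic and the function names are my assumptions for this example, not anything the post specifies. It needs PowerShell 2.0 or later (built into Windows 7; a separate download on XP) and must be run while logged in as the user who was signed in when the pop-up appeared, since the AppData path is resolved for the current user.

```powershell
# Added example (not from the original post): list registry Run entries and flag
# ones that look like the "Green Dot" Security Shield dropper described above.
# Assumed scope: the four standard Run/RunOnce keys; review flagged lines before deleting.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Resolves to ...\Local Settings\Application Data on XP and ...\AppData\Local on
# Vista/7 for the currently logged-in user: the two folders the post names.
$LocalAppData = [Environment]::GetFolderPath('LocalApplicationData').TrimEnd('\')

function Get-ExecutablePath([string]$Command) {
    # Pull the .exe path out of a Run value such as "C:\x\a.exe" /s or C:\x\a.exe /s
    if ($Command -match '^\s*"([^"]+\.exe)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)')     { return $Matches[1] }
    return $null
}

function Get-SuspicionReasons([string]$ExePath) {
    $reasons = @()
    $parent = Split-Path -Path $ExePath -Parent
    if ($parent -and ($parent.TrimEnd('\') -ieq $LocalAppData)) {
        # Legitimate software installs into a subfolder of the local AppData
        # folder, not the folder itself; the post's qfhsl.exe sat right in it.
        $reasons += 'starts directly from the local AppData folder'
    }
    $base = [IO.Path]::GetFileNameWithoutExtension($ExePath)
    if ($base -cmatch '^[a-z]{4,8}$') {      # heuristic for names like qfhsl
        $reasons += 'short random-looking file name'
    }
    if (Test-Path -LiteralPath $ExePath) {
        $sig = Get-AuthenticodeSignature -FilePath $ExePath
        if ($sig.Status -ne 'Valid') { $reasons += "not validly signed ($($sig.Status))" }
    } else {
        $reasons += 'file no longer exists'
    }
    return $reasons
}

function Find-SuspiciousAutostart {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
            $exe = Get-ExecutablePath ([string]$prop.Value)
            if (-not $exe) { continue }
            $reasons = Get-SuspicionReasons $exe
            # One strong signal (AppData root) or two weaker ones is enough to list it
            $strong = $reasons -contains 'starts directly from the local AppData folder'
            if ($strong -or $reasons.Count -ge 2) {
                New-Object PSObject -Property @{
                    Key = $key; Name = $prop.Name; Exe = $exe; Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

function Remove-AutostartEntry([string]$Key, [string]$Name, [string]$Exe) {
    # Only call this for an entry you have confirmed is malicious (for example by
    # searching the file name as the post suggests). Removes the Run value first
    # so nothing can relaunch the file, then deletes the file itself.
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
    if (Test-Path -LiteralPath $Exe) { Remove-Item -LiteralPath $Exe -Force }
}

Find-SuspiciousAutostart | Format-Table Key, Name, Exe, Reasons -AutoSize -Wrap
```

The listing on its own deletes nothing; once you have confirmed an entry, call `Remove-AutostartEntry` with the Key, Name and Exe values it printed. Signed-but-suspicious entries are deliberately not excluded, because a valid signature on an unfamiliar file is a reason to look closer, not a clean bill of health.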

Additional Clean Up Steps

Once you have taken these steps, you must still run your antimalware programs to make sure whatever was left behind gets cleaned up; removing the startup entry and the dropper does not guarantee that nothing else was installed. The 2 programs I recommend are SUPERAntiSpyware and Malwarebytes. If you don't already have these 2 programs installed, go to Ninite (http://ninite.com/) to download and install them.


Once installed, I recommend running SUPERAntiSpyware first. When you launch the program, before starting the scan, select Check for Updates and let the program update to the latest signature files. (The Database Status should say "Updated X minutes ago".)


Once the definitions are updated, run a complete scan of all your drives. When the scan completes, select all items found and click the Remove button. Once those items are removed, you will be prompted to reboot; at this point select NO. Instead of rebooting, start Malwarebytes.

Once Malwarebytes starts, click on the Update tab, select Check for Updates and let the software update its signature files.


After the update completes, go back to the Scanner tab and select "Perform a full scan".


Again, once the full scan completes, select all items found and click Remove. After you have run both programs and removed everything they found, reboot your PC; your system should now be clean of the "Green Dot" malware. If the pop-up comes back after the reboot, repeat the Safe Mode startup check, since that means an autostart entry was missed.

One additional step you may want to take at this point is to uninstall and reinstall your antivirus software, as many of these malware attacks break it. Make sure you have the installer (and any license key) before removing the software. If you need to replace it, you can download free antivirus software from the Ninite (http://ninite.com/) site.


Just pick one of the antivirus choices under the Security section:

- Microsoft Security Essentials

- Avast

- AVG

All 3 are free for home use.

About the Author: Alex
16 Yrs. of professional experience in Technology. Experience with technology implementation and systems management at numerous 5 Star Hotels, and Stadiums across North America. Head of Tech Geek and More since 2009
Author Website: http://TechGeekandMore.com

2 comments

  1. T says:

    I had that window (Security shield) pop up on my screen, and closing down the task manager every time I tried to open it. But when I followed these instructions and downloaded CCleaner there were no bad programs on the list, just Windows, McAfee and some games that came with the computer… So, does that mean there’s no virus in my computer? Seems a bit odd.

    • Alex says:

      That instruction set is only a part of what you need to do. You also need to run a complete scan using the following 2 pieces of software: SuperAntiSpyware and Malwarebytes. You can go to http://www.ninite.com to download both of them. Once they are installed, before running each scan make sure that you click Update from within each program….

      For more info, see http://www.techgeekandmore.com/2011/04/03/pc-cleanup-malware-virus/ from the Tech Geek and More site.