We received calls from a couple of clients with a pop up for the “Green Dot Security Shield”. After comparing what each client was doing, we believe that the pop up most likely came while each client was browsing the same “Major Website” (I will not list the website as of now, since we CANT prove our theory, but the suspected site has been notified). Remember, Pop up’s like these can occur surfing any part of the internet, it does not just happen to those who surf the shady side of the web.
What do you see when your get infected
While browsing, what you will see is a pop up (like this example), that looks like an Antivirus program with a message that infected files have been found. This is why it is important to know what Antivirus / Antimalware software you have installed and what it looks like.
Once you have this pop up on the screen, what you will find is that you will be unable to open various programs (like your actual malware cleaner), as this pop up starts making changes to your pc. If you get to this stage, you NEVER NEVER NEVER want to click on any part of the window or any corresponding messages, because even messages that say ignore or skip will actually continue to infect your pc. What you need to do is power off your pc, and then start in safe mode. To get to safe mode, press F8 key over and over as soon as you power on your pc until you get the safe mode message. At which point select “safe mode with networking” (Example below).
Once you get booted in safe mode with networking, launch CCleaner. If you don’t have it already installed you can download it from the (LINK) Piriform (http://www NULL.piriform NULL.com/ccleaner) website. Once installed, and opened, go to Tools (on left side) then select Startup. This will show you a complete look at everything you have starting on your pc.
You want to look for a lines for programs that are set to start automatically with names like qfhsl.exe. (Your line may be use a different name, and there may be more than one). If you are not sure if the .exe file is legit or not, use one of the search engines (like Google or Bing) and search for each .exe name.
If you are not sure if an item is legit or not disable it, if you know the item is NOT legit then you can delete it right from the CCleaner application. In addition, if you know that the file is not legit, make a note of the listed location and go to that location and manually delete the file as well, as in this example for qfhsl.exe
This specific Green Dot Malware can be found in
C:\Documents and Settings\(User name of the signed in user at time of infection)\Local Settings\Application Data\ (for XP)
C:\Users\(User name of the signed in user at the time of infection)\AppData\Local (for Windows Vista and Windows 7)
Additional Clean Up Steps
Once you have taken these steps, you must still run your Antimalware programs to make sure whatever is left behind gets cleaned up. The 2 programs I can recommend are Superantispyware and Malwarebytes. If you don’t already have these 2 programs installed, go to (LINK) Ninite (http://ninite NULL.com/) to download and install them
Once installed, I recommend running Superantispyware first. When you launch the program, before starting the scan, select Check for Updates and let the program update to the latest signature files. (The Database Status should say “Updated X minutes ago)
Once your system is updated run a complete scan on all your drives. Once the scan completes, select all items found and click on the remove button. Once all those items are removed, you will get prompted to reboot, at this point select NO. Instead of the reboot, start Malwarebytes.
Once Malwarebytes starts, click on the Update tab and select Check for Updates and let the software update the signature files.
After the software update completes, go back to the scanner tab and select “Perform a full scan”
Again, once the full scan completes, select all items found and click on remove. After you have run both programs and removed all items found, you can reboot your pc and your system should now be clean of the “Green Dot” Malware.
One additional step you may want to take at this point is to uninstall and reinstall your Antivirus software, as many of these malware attacks break the antivirus software, make sure you have the software to reinstall prior to removing the software and if you need to replace your software, you can download free Antivirus software from the (LINK) Ninite (http://ninite NULL.com/) site.
Just pick one of the Antivirus choices under the security section.
- (Microsoft Security) Essentials
All 3 are free for home use.