How to remove XP-Shield

Posted by Grinler on May 14, 2008 @ 03:05 PM · Views: 575

Add to Favorites!    Print Guide!

What this programs does:

XP-Shield is a rogue anti-spyware program that is in the same family as AntiVirProtect and WinXProtector. When XP-Shield is installed, it will scan your computer and list a variety of security risks that can only be removed if you first purchase the software. What classifies this software as a rogue is that it deliberately lists legitimate Microsoft files as malware in order to scare you into purchasing the software. For example, it lists the C:\Windows\System32\dllcache\pdh.dll file as the Complexel Trojan, when in reality it is a legitimate Microsoft DLL file.

Furthermore, when XP-Shield is running it will randomly display security alerts that are masquerading as Windows Security Center alerts stating that Windows has detected virus or spyware activity on your computer. It then proceeds to tell you that it found XP-Shield and that you should purchase it in order to protect yourself. These alerts, though, are being generated by the program itself and not Windows as it attempts to make you believe. This is just another example of the misleading tactics XP-Shield uses in order to have you purchase a license of the software.

Below are various screen shots of XPShield program.

XP-Shield
For more screen shots of this infection click on the image above.

This guide will walk you through removing XP-Shield.

Threat Classification:

• Information on Rogue Programs

Advanced information:

View XP-Shield files.
View XP-Shield Registry Information.

Tools Needed for this fix:

• Malwarebytes' Anti-Malware

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [XPShield] C:\PROGRA~1\XPShield\XP-SHI~1.EXE

Guide Updates:

05/14/08 - Initial guide creation.

Automated Removal Instructions for XP-Shield using Malwarebytes' Anti-Malware:

1. Print out these instructions as we will need to close every window that is open later in the fix.
   
   
2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:
   
   Malwarebytes' Anti-Malware Download Link
   
   


3. Once downloaded, close all programs and Windows on your computer, including this one.
   
   
4. Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
   
   
5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
   
   
6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.
   
   
   
   
   
   
   
7. On the Scanner tab, make sure the the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for XP-Shield related files.
   
   
8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
   
   
   
   
   
   
   
9. When the scan is finished a message box will appear as shown in the image below.
   
   
   
   
   
   
   You should click on the OK button to close the message box and continue with the XPShield removal process.
   
   
10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
    
    
11. A screen displaying all the malware that the program found will be shown as seen in the image below.
    
    
    
    
    
    
    
    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.
    
    
12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
    
    
13. You can now exit the MBAM program.
    

Your computer should now be free of the XPShield program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

Associated XP-Shield Files:

c:\Program Files\XPShield
c:\Program Files\XPShield\INSTALL.LOG
c:\Program Files\XPShield\UNWISE.EXE
c:\Program Files\XPShield\XP-Shield Web Site.url
c:\Program Files\XPShield\XP-Shield.exe
%UserProfile%\Desktop\XP-Shield.lnk
%UserProfile%\Local Settings\Temp\XPShieldSetup.exe
%UserProfile%\Start Menu\Programs\XPShield
%UserProfile%\Start Menu\Programs\XPShield\XP-Shield Web Site.lnk
%UserProfile%\Start Menu\Programs\XPShield\XP-Shield.lnk

Associated XP-Shield Windows Registry Information:

HKEY_CURRENT_USER\Software\XPShield
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP-Shield
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "XPShield"