Windows Shield Center is one of the rogue antiviruses that uses faked Microsoft Security Essentials alerts to convince users into giving away credit card details for software they neither need nor that works. Typically, you are infected by trojans distributing Windows Shield Center and other parasites in the following ways: visiting hijacked websites or viewing infected advertisements, downloading faked updates to software, cracks or codecs, or through email, social networking or IM spam. Any of these ways is possible, and sometimes it is hard to say how one got the trojan. However, what happens next is quite predictable:
First, you will start seeing a faked popup from “Microsoft Security Essentials”. This popup will state that the PC is infected by an unknown WIN32 Trojan, so you need to scan your PC.
Microsoft Security Essentials Alert
Potential Threat Details
Microsoft Security Essentials detected potential threats that might compromise your private or damage your computer. Your access to these items may be suspended until you take an action. Click ‘show details’ to learn more.
Threat prevention solution found
Security system analysis has revealed critical file system vulnerability caused by severe malware attacks.
Risk of system files infection:
The detected vulnerability may result in unauthorized access to private information and hard drive data with a seriuos possibility of irreversible data loss and unstable PC performance. To remove the malware please run a full system scan. Press ‘OK’ to install the software necessary to initiate system files check. To complete the installation process please reboot your computer.
System Security Warning
Attempt to modify register key entries is detected. Register entries analysis is recommended.
System component corrupted!
System reboot error has occurred due to lsass.exe system process failure.
This may be caused by severe malware infections.
Automatic restore of lsass.exe backup copy completed.
The correct system performance can not be resumed without eliminating the cause of lsass.exe corruption.
What looks strange here is that normally MSE simply blocks the threats it detects, and that's it. It recommends running scans periodically rather than after a threat has been detected, and a scan is unnecessary once a threat is detected: either it can be removed or it is not detected at all.
So if you launch this faked scan, the “Trojan” is identified as Trojan.Horse.Win32.PAV.64.a and it is stated that it cannot be removed by MSE. That is particularly strange, as MSE can remove any parasite that it can detect and identify.
Lastly, the fake MSE searches for a solution and suggests installing Windows Shield Center, which will activate on reboot. Once you press OK, the system downloads the rogue and reboots to finalize its install. Then additional problems start happening.
Windows Shield Center will execute after the reboot, and it will not allow you to do anything else until the PC “scan” is finished. The scan will detect numerous infections on the PC that could not be detected by other antiviruses. These infections are faked; most of the files “infected” are harmless or even non-existent. Windows Shield Center has no real database of parasites, so it relies on false positives only. It will refuse to fix the problems in its free version, asking you to purchase the FULL version of the rogue. I strongly advise not to pay for Windows Shield Center, as there is no legitimate company behind it and it will steal your credit card details.
If you close Windows Shield Center after the scan, you still won't be able to use the PC normally. First, you will be bombarded with various alerts claiming that this fake antivirus detected more threats to your PC and privacy, that your system components are corrupted, or that half of your programs are infected with keyloggers trying to steal your information. These Windows Shield Center lies serve two purposes. The first is to convince you into giving away credit card details. The other is to prevent legitimate antiviruses and anti-malware programs from being downloaded and executed, so that it is harder to get rid of Windows Shield Center.
However, it is still possible to remove Windows Shield Center. The removal procedure looks like this:
First, you will need to either reboot into Safe Mode with Networking and/or stop its processes. I recommend downloading Process Explorer from here (renamed version). Launch it. If Windows Shield Center blocks its execution, do not close that window, but launch the program again.
The next step is identifying and stopping the Windows Shield Center processes. These processes are randomly named, but they are launched from a folder whose path contains the string Application Data, APPDATA or ProgramData (or similar). Stop them. If you do this successfully, the Windows Shield Center window will close.
The third step is fixing the system registry. Launch regedit. Modify these keys accordingly:
This should stop Windows Shield Center from launching on startup.
Also, look for keys like this one:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = "svchost.exe"
Such keys disable legitimate antivirus processes: the Debugger value tells Windows to launch the named "debugger" (here svchost.exe) instead of the program itself, so the real antivirus never starts. It is therefore a good idea to delete the Debugger key/value pair.
The last step is scanning with decent anti-malware programs and deleting all the files associated with Windows Shield Center. I recommend SpyHunter or Malwarebytes Anti-Malware for that, though there are other superb programs for this, like Hitman Pro, Emsisoft Anti-Malware, etc. Full versions of these programs would likely have blocked Windows Shield Center from infecting your PC and saved lots of time.
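The following PowerShell audit script is an added example, not part of the original article, that automates the checks behind steps two and three: it lists running processes launched from Application Data/AppData/ProgramData folders and every Image File Execution Options entry carrying a Debugger value (the ekrn.exe hijack above is one instance). It assumes an elevated PowerShell session on the affected machine and only reports by default; the -WhatIf switches must be removed to actually stop processes or delete values.

```powershell
# Added audit example (not the article's or any vendor's code). Run as Administrator:
# without elevation Get-Process cannot read the image path of other users' processes.

function Get-SuspectProcesses {
    # Returns processes whose executable lives under an app-data style folder,
    # the location the article describes for the randomly named rogue binaries.
    $patterns = @('*\Application Data\*', '*\AppData\*', '*\ProgramData\*')
    foreach ($p in Get-Process) {
        $path = $p.Path
        if (-not $path) { continue }   # protected/system processes expose no path
        foreach ($pat in $patterns) {
            if ($path -like $pat) {
                [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $path }
                break
            }
        }
    }
}

function Get-IfeoDebuggerEntries {
    # Lists every IFEO subkey (native and WOW64 view) that has a Debugger value.
    # Windows launches that "debugger" in place of the named program, which is
    # how the rogue keeps legitimate antivirus executables from starting.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{ Target = $key.PSChildName; Debugger = $dbg; Key = $key.PSPath }
            }
        }
    }
}

$procs   = Get-SuspectProcesses
$entries = Get-IfeoDebuggerEntries
$procs   | Format-Table -AutoSize
$entries | Format-Table -AutoSize

# Remediation, reported only (-WhatIf). Review both lists first: legitimate debugging
# tools also set IFEO Debugger values, and legitimate software does run from AppData.
foreach ($e in $entries | Where-Object { $_.Debugger -like '*svchost.exe*' }) {
    Remove-ItemProperty -Path $e.Key -Name Debugger -WhatIf
}
foreach ($p in $procs) { Stop-Process -Id $p.Id -Force -WhatIf }
```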
Automatic Windows Shield Center removal tools
Important Note: Although it is possible to manually remove Windows Shield Center, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on 2-viruses.com.