PC Defender Removal

Virus Bio: PC Defender, which is also known as PCDefender, is a rogue anti-spyware program that is related to PC Defender 2008. Like its relative, PC Defender tries to trick users into purchasing a license to the ‘full’ version of the software by scaring them with fake malware warnings. PC Defender reaches the user’s system via Trojan viruses that get downloaded from spam emails, fake video codec packs and websites advertising fake malware scanners. Once installed, PC Defender modifies the registry and creates a number of files on the computer. It then loads at startup and starts performing fake system scans, returning results that show the previously created harmless files as dangerous malware programs. PC Defender also displays fake security warning pop-ups from the Windows taskbar. During all this activity, PC Defender repeatedly prompts the user to purchase a license to the ‘full’ version of the software, claiming that the currently installed ‘trial’ version is incapable of cleaning out the detected ‘threats’. However, as PC Defender is a fake program, none of its versions are capable of scanning or cleaning any system.


As soon as you find a copy of this rogue application on your system, you should take measures to delete PC Defender. The process of PC Defender removal involves the stopping of processes, unregistering of DLLs, deletion of files and folders and removal of registry entries.

PC Defender Manual Removal Procedures

The first step you need to take in order to remove PC Defender is to stop the following processes:

  • Antispyware.exe
  • proccheck.exe
  • [random characters].exe, such as _96222EB958BE7AE1F3D10F.exe and _E99A03E2B966DDBBBF0A73.exe

The next step in PC Defender removal is to unregister the following DLL file:

  • hook.dll

As the final step in file removal, delete the following files and folders:

  • C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_a98.dat
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237843074jtun_allbb0317.x00.full.zip
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1255449998jtun_allccmsl0819.x00.full.zip
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1265852195jtun_scd2.zip.full.zip
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1266010716jtun_nav8enidfull25.x86.seg1.zip
  • C:\Documents and Settings\All Users\Desktop\PC Defender.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender\PC Defender.lnk
  • C:\INF\clean.hiv
  • C:\Program Files\Def Group\PC Defender\Antispyware.exe
  • C:\Program Files\Def Group\PC Defender\hook.dll
  • C:\Program Files\Def Group\PC Defender\proccheck.exe
  • C:\WINDOWS\Installer\14d256.msi
  • C:\WINDOWS\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_96222EB958BE7AE1F3D10F.exe
  • C:\WINDOWS\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_E99A03E2B966DDBBBF0A73.exe
  • C:\WINDOWS\Prefetch\922EE651620485838F50FE09DF119-1680527D.pf
  • C:\WINDOWS\Prefetch\ANTISPYWARE.EXE-19ABB532.pf
  • C:\WINDOWS\Prefetch\PROCCHECK.EXE-03906D86.pf
  • C:\WINDOWS\Prefetch\REG.EXE-0D2A95F7.pf
  • C:\Documents and Settings\Administrator\Cookies\index.dat
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  • C:\Documents and Settings\Administrator\ntuser.dat.LOG
  • C:\INF\rgst152.dat
  • C:\WINDOWS\Debug\UserMode\userenv.log
  • C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
  • C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf
  • C:\WINDOWS\Prefetch\PERL.EXE-08A6F3BE.pf
  • C:\WINDOWS\Prefetch\REGSHOT.EXE-2A173C98.pf
  • C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
  • C:\WINDOWS\system32\config\default
  • C:\WINDOWS\system32\config\default.LOG
  • C:\WINDOWS\system32\config\Software
  • C:\WINDOWS\system32\config\software.LOG
  • C:\WINDOWS\system32\config\system.LOG
  • C:\WINDOWS\system32\wbem\Logs\wbemess.log
  • C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
  • C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
  • C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
  • C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
  • C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_a2c.dat
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237843074jtun_allbb0317.x00.seg1.zip

PC Defender Registry Removal Procedures

Deleting files and folders alone is not sufficient to completely remove PC Defender. In order to delete PC Defender completely, you must remove the following keys and settings from the Windows registry as well:


Once these registry settings and keys have been removed, your computer is completely safe from PC Defender. In order to make sure of this fact it is recommended to scan the entire PC using genuine antivirus software such as Spyware Doctor with Antivirus.

Delete PC Defender Directories:

  • C:\Program Files\Def Group\PC Defender\
  • C:\Program Files\Def Group\
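A check that the cleanup took effect, as an added example that is not part of the original guide: it looks for an extra entry on the Winlogon `Userinit` value (PC Defender appends its `Antispyware.exe` path there so that it loads at startup) and for the process names listed above. The function names, the hex-name pattern and the sample inputs are assumptions made for this example.

```python
import csv
import re

# Stock value; assumes Windows is installed in C:\WINDOWS, as in the guide's paths.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Process names listed in the guide (matching by name alone is a heuristic).
KNOWN_NAMES = {"antispyware.exe", "proccheck.exe"}
# Assumption: "[random characters].exe" follows the shape of the guide's two
# samples, an underscore followed by 22 hex digits.
RANDOM_NAME = re.compile(r"_[0-9A-F]{22}\.exe", re.IGNORECASE)

# Constructed sample inputs, not captured from a real machine.
INFECTED_USERINIT = (r'C:\WINDOWS\system32\userinit.exe,'
                     r'"C:\Program Files\Def Group\PC Defender\Antispyware.exe"')
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
SAMPLE_TASKLIST = '''
"explorer.exe","1520","Console","0","18,432 K"
"Antispyware.exe","2044","Console","0","9,120 K"
"_96222EB958BE7AE1F3D10F.exe","2108","Console","0","4,004 K"
"svchost.exe","880","Console","0","3,500 K"
'''


def unexpected_userinit_entries(value):
    """Return every Userinit entry other than the stock userinit.exe."""
    rows = list(csv.reader([value]))
    entries = [e.strip() for e in (rows[0] if rows else [])]
    return [e for e in entries if e and e.lower() != EXPECTED_USERINIT]


def flagged_processes(tasklist_csv):
    """Return (image name, PID) pairs from `tasklist /fo csv /nh` output."""
    hits = []
    for row in csv.reader(tasklist_csv.splitlines()):
        if len(row) < 2:
            continue  # blank or malformed line
        name, pid = row[0], row[1]
        if name.lower() in KNOWN_NAMES or RANDOM_NAME.fullmatch(name):
            hits.append((name, pid))
    return hits


if __name__ == "__main__":
    print("Userinit extras:", unexpected_userinit_entries(INFECTED_USERINIT))
    print("Flagged processes:", flagged_processes(SAMPLE_TASKLIST))
```

On a live system the inputs would be the `Userinit` data shown by `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` and the output of `tasklist /fo csv /nh`. A name match is only a lead; confirm it against the install path `C:\Program Files\Def Group\PC Defender\` before acting on it.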
