PC Defender

PC Defender, which is also known as PCDefender, is a rogue anti-spyware program that is related to PC Defender 2008. Like its relative, PC Defender tries to trick users into purchasing a license to the ‘full’ version of the software by scaring them with fake malware warnings. PC Defender reaches the user’s system via Trojans that get downloaded from spam emails, fake video codec packs and websites advertising fake malware scanners. Once installed, PC Defender modifies the registry and creates a number of files on the computer. It then loads at startup and starts performing fake system scans, returning results that show the previously created harmless files as dangerous malware programs. PC Defender also displays fake security warning pop-ups from the Windows taskbar. During all this activity, PC Defender repeatedly prompts the user to purchase a license to the ‘full’ version of the software, claiming that the currently installed ‘trial’ version is incapable of cleaning out the detected ‘threats’. However, as PC Defender is a fake program, none of its versions are capable of scanning or cleaning any system.

As soon as you find a copy of this rogue application on your system, you should take measures to delete PC Defender. The process of PC Defender removal involves the stopping of processes, unregistering of DLLs, deletion of files and folders and removal of registry entries.

Automatic PC Defender Removal

We do recommend Spyware Doctor with Antivirus. This is one of the few clients out there that can really make a big difference. The problem most people will have is that the fake client may block the installation or updating of a real security product. You can always start by following the manual guide below. Once you terminate the running processes of this virus you should be able to install the client just fine. If you follow the link above and use coupon code removevirus10 you will get 10% off. This is an exclusive coupon we got just for removevirus.org readers.

ONLINE REMOVAL SERVICE

Sometimes you just need a pro. If you are having trouble and do not understand the guide below, or just feel better having an expert remove this threat and all others on your computer, then we recommend www.onlinecomputerrepair.org. It's one of the leading remote computer repair companies out there and will get you taken care of.

PC Defender Manual Removal Procedures

The first step you need to take in order to remove PC Defender is to stop the following processes:

  • Antispyware.exe
  • proccheck.exe
  • [random characters].exe, for example _96222EB958BE7AE1F3D10F.exe and _E99A03E2B966DDBBBF0A73.exe

The next step in PC Defender removal is to unregister the following DLL file:

  • hook.dll

As the final step in file removal, delete the following files and folders:

Now your file system is devoid of anything to do with PC Defender.

If you find this threat too hard to remove yourself and need an expert, we recommend www.onlinecomputerrepair.org. They charge far less than others and are great at what they do.

PC Defender Registry Removal Procedures

Deleting files and folders alone is not sufficient to completely remove PC Defender. In order to delete PC Defender completely, you must remove the following keys and settings from the Windows registry as well:

Once these registry settings and keys have been removed, your computer is completely safe from PC Defender. To confirm this, it is recommended to scan the entire PC using genuine antivirus software such as Spyware Doctor with Antivirus.

Delete PC Defender Directories:

  • C:\Program Files\Def Group\PC Defender\
  • C:\Program Files\Def Group\
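The process, DLL and directory steps above can be scripted. The PowerShell below is an added example, not part of the original guide; it does not touch the registry. It assumes hook.dll sits in the install directory listed above, and it removes the parent "Def Group" folder only when nothing else is left in it.

```powershell
# Added example (not from the original guide). Process, DLL and directory names
# are the ones listed on this page; the location of hook.dll is an assumption.
# Run once with -WhatIf to see what would be changed before running it for real.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$InstallDir = 'C:\Program Files\Def Group\PC Defender'
)

$parentDir    = Split-Path -Path $InstallDir -Parent
$processNames = 'Antispyware', 'proccheck'          # Get-Process reports names without .exe
$hookDll      = Join-Path -Path $InstallDir -ChildPath 'hook.dll'   # assumed location

# Step 1: stop the named processes, plus anything else running from the install
# directory. Randomly named executables stored elsewhere are not covered here.
$targets = Get-Process -ErrorAction SilentlyContinue | Where-Object {
    ($processNames -contains $_.ProcessName) -or
    ($_.Path -and $_.Path.StartsWith($InstallDir, [System.StringComparison]::OrdinalIgnoreCase))
}
foreach ($p in $targets) {
    if ($PSCmdlet.ShouldProcess("$($p.ProcessName) (PID $($p.Id))", 'Stop process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# Step 2: unregister hook.dll while the file still exists (regsvr32 /u needs it).
if (Test-Path -LiteralPath $hookDll) {
    if ($PSCmdlet.ShouldProcess($hookDll, 'Unregister DLL (regsvr32 /u)')) {
        $r = Start-Process -FilePath 'regsvr32.exe' `
                           -ArgumentList '/u', '/s', "`"$hookDll`"" -Wait -PassThru
        if ($r.ExitCode -ne 0) {
            Write-Warning "regsvr32 /u exited with code $($r.ExitCode)"
        }
    }
}

# Step 3: delete the install directory. Remove-Item honours -WhatIf/-Confirm
# passed to this script because the preference is inherited.
if (Test-Path -LiteralPath $InstallDir) {
    Remove-Item -LiteralPath $InstallDir -Recurse -Force
}

# Remove the parent folder only if it is now empty, so unrelated files survive.
if ((Test-Path -LiteralPath $parentDir) -and
    -not (Get-ChildItem -LiteralPath $parentDir -Force)) {
    Remove-Item -LiteralPath $parentDir -Force
}

# Step 4: report what is still on disk so the result can be verified.
$left = @($InstallDir, $parentDir) | Where-Object { Test-Path -LiteralPath $_ }
if ($left) {
    Write-Warning "Still present: $($left -join ', ')"
} else {
    Write-Output 'No PC Defender directories remain.'
}
```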

Conclusion

Manual PC Defender removal is not recommended for inexperienced users as any wrong move during the removal process could cause damage to your computer. Inexperienced users are advised to use a web-based repair service such as www.onlinecomputerrepair.org or legitimate antivirus software to remove PC Defender in a safe and efficient manner.

As always please post updates to the file traces. If yours are different then other users will find it helpful.
