PC Defender is a rogue anti-spyware application related to the well-known PC Defender 2008. It uses scare tactics to try to get users to buy a software license. PC Defender is installed on user systems by Trojans that are downloaded along with fake video codec packs and from websites that advertise fake malware scanners. Once installed, PC Defender performs endless fake security scans, returning results that claim the computer is under threat from a large number of malware applications that do not exist. It also generates fake pop-ups from the Windows taskbar, warning users that their computer is at risk. Meanwhile, the rogue software repeatedly prompts the user to purchase a license for the ‘full’ version of PC Defender, claiming that the currently installed ‘trial’ version is insufficient to properly clean out the falsely detected ‘threats’. No user should be tricked into paying for this license: the so-called ‘full’ version of PC Defender is just as incapable of scanning or cleaning any system as the ‘trial’ version. See PC Defender for more information about this threat.

The following sections provide a brief tutorial on how to delete PC Defender. Removal involves stopping processes, unregistering DLLs, deleting files and folders, and removing registry entries.

File Removal Procedures

The first step you need to take in order to delete PC Defender is to stop the following processes:

  • Antispyware.exe
  • proccheck.exe
  • [random characters].exe, such as _96222EB958BE7AE1F3D10F.exe and _E99A03E2B966DDBBBF0A73.exe

Next, it is necessary to unregister the following DLL file:

  • hook.dll

As the final step in file removal, delete the following files and folders:

  • C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_a98.dat
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237843074jtun_allbb0317.x00.full.zip
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1255449998jtun_allccmsl0819.x00.full.zip
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1265852195jtun_scd2.zip.full.zip
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1266010716jtun_nav8enidfull25.x86.seg1.zip
  • C:\Documents and Settings\All Users\Desktop\PC Defender.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender\PC Defender.lnk
  • C:\INF\clean.hiv
  • C:\Program Files\Def Group\PC Defender\Antispyware.exe
  • C:\Program Files\Def Group\PC Defender\hook.dll
  • C:\Program Files\Def Group\PC Defender\proccheck.exe
  • C:\WINDOWS\Installer\14d256.msi
  • C:\WINDOWS\Installer\FC2ABC8E-3715-4A32-B8B5-559380F45282\_96222EB958BE7AE1F3D10F.exe
  • C:\WINDOWS\Installer\FC2ABC8E-3715-4A32-B8B5-559380F45282\_E99A03E2B966DDBBBF0A73.exe
  • C:\WINDOWS\Prefetch\922EE651620485838F50FE09DF119-1680527D.pf
  • C:\WINDOWS\Prefetch\ANTISPYWARE.EXE-19ABB532.pf
  • C:\WINDOWS\Prefetch\PROCCHECK.EXE-03906D86.pf
  • C:\WINDOWS\Prefetch\REG.EXE-0D2A95F7.pf
  • C:\Documents and Settings\Administrator\Cookies\index.dat
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  • C:\Documents and Settings\Administrator\ntuser.dat.LOG
  • C:\INF\rgst152.dat
  • C:\WINDOWS\Debug\UserMode\userenv.log
  • C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
  • C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf
  • C:\WINDOWS\Prefetch\PERL.EXE-08A6F3BE.pf
  • C:\WINDOWS\Prefetch\REGSHOT.EXE-2A173C98.pf
  • C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
  • C:\WINDOWS\system32\config\default
  • C:\WINDOWS\system32\config\default.LOG
  • C:\WINDOWS\system32\config\Software
  • C:\WINDOWS\system32\config\software.LOG
  • C:\WINDOWS\system32\config\system.LOG
  • C:\WINDOWS\system32\wbem\Logs\wbemess.log
  • C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
  • C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
  • C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
  • C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
  • C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_a2c.dat
  • C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237843074jtun_allbb0317.x00.seg1.zip

Your file system is now free of anything to do with PC Defender. To confirm this, it is recommended that you run a full system scan using genuine antivirus software such as Spyware Doctor with Antivirus.

Registry Removal Procedures

Deleting files and folders alone is not sufficient. To delete PC Defender completely, you must also remove the following keys and settings from the Windows registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Def Group\PC Defender\"" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Def Group\"" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender\"" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\WINDOWS\Installer\FC2ABC8E-3715-4A32-B8B5-559380F45282\"" = ""
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"92780B25-18CC-41C8-B9BE-3C9C571A8263" = "0x00002001"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Def Group\PC Defender\"proccheck.exe" = "proccheck"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\75048700-EF1F-11D0-9888-006097DEACF9\Count\HRZR_EHACNGU:P:\VAS\"922RR651620485838S50SR09QS119674.rkr" = "1B 00 00 00 06 00 00 00 10 8D 5A 77 91 B0 CA 01"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"Mode" = "4"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"ScrollPos1280x1024(1).x" = "0"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"ScrollPos1280x1024(1).y" = "0"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"Sort" = "0"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"SortDir" = "1"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"Col" = "0xFFFFFFFF"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\16\Shell\"ColInfo"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\INF\"922EE651620485838F50FE09DF119674.exe" = "922EE651620485838F50FE09DF119674"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\"REG.exe" = "Registry Console Tool"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Def Group\PC Defender\"Antispyware.exe" = "PC Defender application main executable"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"92780B25-18CC-41C8-B9BE-3C9C571A8263" = "0x00002001"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Def Group\PC Defender\"proccheck.exe" = "proccheck"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.exe,"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\Antispyware.exe""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\"Directory" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\"Directory" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\"CachePath" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\"CachePath" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM\"Start" = "0xE853C38D"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM\"Start" = "0x389F0129"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CCPD\CLTNetConnect\"LastAction" = "0x4A55E325"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\CCPD\CLTNetConnect\"LastAction" = "0x4B7D2A9F"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent\"" = "10"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent\"" = "11"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\"" = "10"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\"" = "11"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"NextId" = "0x00002001"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"NextId" = "0x00002002"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cookies" = "C:\Documents and Settings\LocalService\Cookies"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cookies" = "C:\Documents and Settings\Administrator\Cookies"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Local AppData" = "C:\Documents and Settings\LocalService\Local Settings\Application Data"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Local AppData" = "C:\Documents and Settings\Administrator\Local Settings\Application Data"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cache" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cache" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"History" = "C:\Documents and Settings\LocalService\Local Settings\History"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"History" = "C:\Documents and Settings\Administrator\Local Settings\History"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Far\SavedHistory\"Lines"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Far\SavedHistory\"Position" = "2E"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Far\SavedHistory\"Position" = "2F"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\75048700-EF1F-11D0-9888-006097DEACF9\Count\"HRZR_EHACNGU" = "1A 00 00 00 A6 01 00 00 90 50 33 F9 94 00 CA 01"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\75048700-EF1F-11D0-9888-006097DEACF9\Count\"HRZR_EHACNGU" = "1B 00 00 00 A7 01 00 00 10 8D 5A 77 91 B0 CA 01"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\Shell\Bags\1\Desktop\"ItemPos1280x1024(1)"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\"MRUListEx" = "05 00 00 00 06 00 00 00 09 00 00 00 00 00 00 00 08 00 00 00 07 00 00 00 02 00 00 00 01 00 00 00 04 00 00 00 03 00 00 00 FF FF FF FF"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\"MRUListEx" = "06 00 00 00 05 00 00 00 09 00 00 00 00 00 00 00 08 00 00 00 07 00 00 00 02 00 00 00 01 00 00 00 04 00 00 00 03 00 00 00 FF FF FF FF"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Symantec\PIF\96E26A03-A25A-400b-B9B4-564C9BD00F46\ToasterAlerts\"lastSavedTime" = "20090709T143648"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Symantec\PIF\96E26A03-A25A-400b-B9B4-564C9BD00F46\ToasterAlerts\"lastSavedTime" = "20100218T120019"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\SessionInformation\"ProgramCount" = "5"
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\SessionInformation\"ProgramCount" = "6"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"NextId" = "0x00002001"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"NextId" = "0x00002002"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cookies" = "C:\Documents and Settings\LocalService\Cookies"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cookies" = "C:\Documents and Settings\Administrator\Cookies"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Local AppData" = "C:\Documents and Settings\LocalService\Local Settings\Application Data"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Local AppData" = "C:\Documents and Settings\Administrator\Local Settings\Application Data"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cache" = "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cache" = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"History" = "C:\Documents and Settings\LocalService\Local Settings\History"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"History" = "C:\Documents and Settings\Administrator\Local Settings\History"

Once these registry settings and keys have been removed, your computer is completely safe from PC Defender.
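
The two Winlogon "Userinit" values in the list above differ only in the appended Antispyware.exe path, which is what starts the rogue at every logon; the first is the Windows default, and the value has to be reset to that string rather than deleted. The sketch below is an added example, not part of the original guide: its function names are hypothetical, it assumes the default C:\WINDOWS system root, and it uses the hijacked string from the list as constructed sample input.

```python
import ntpath

# Stock Windows XP value; the trailing comma is part of the default.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
# Constructed sample: the hijacked value from the registry list on this page.
HIJACKED = (r"C:\WINDOWS\system32\userinit.exe,"
            r'"C:\Program Files\Def Group\PC Defender\Antispyware.exe"')
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_userinit(value):
    """Split a Userinit string on commas that sit outside double quotes."""
    entries, current, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted          # quotes delimit a path, drop them
        elif ch == "," and not quoted:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]     # trailing comma yields an empty item


def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return (unexpected_entries, value_to_restore) for a Userinit string."""
    legit = ntpath.join(system_root, "system32", "userinit.exe")
    want = ntpath.normcase(legit)
    unexpected = [e for e in split_userinit(value)
                  if ntpath.normcase(ntpath.normpath(e)) != want]
    return unexpected, legit + ","


if __name__ == "__main__":
    try:
        import winreg                    # present only on Windows
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
            value, _type = winreg.QueryValueEx(key, "Userinit")
    except ImportError:
        value = HIJACKED                 # off Windows, audit the sample
    extra, restore = audit_userinit(value)
    print("unexpected entries:", extra or "none")
    print("value to restore:  ", restore)
```

Any entry reported as unexpected is a program Winlogon will launch alongside userinit.exe, so the same check is useful after cleanup to confirm the value is back to the default.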

Conclusion

Inexperienced users are advised against attempting to delete PC Defender manually, as any mistake could cause damage to the operating system. Such users are advised to use a web-based repair service such as www.onlinecomputerrepair.org or legitimate antivirus software to delete PC Defender in a safe and efficient manner.
