Remove PC Defender From Your PC

What is PC Defender?

Related to the notorious rogue software PC Defender 2008, PC Defender uses scare tactics to induce users to pay for a license to the software. PC Defender enters the user’s system through Trojans that are downloaded as attachments from spam emails or bundled with fake video codec packs.

Once established on the system, PC Defender performs a large number of fake system scans, returning results that claim the computer is severely infected with malicious software. It also displays an endless stream of fake warning pop-ups from the Windows taskbar. The aim of all this activity is to get the user to pay for a license to the ‘full’ version of PC Defender, as the rogue software claims that the currently installed ‘trial’ version is insufficient to remove the detected false ‘threats’.

It is important to remember that the so-called ‘full’ version is just as incapable of cleaning your computer as the ‘trial’ version.

PC Defender removal involves stopping processes, unregistering DLLs, deleting files and folders, and removing registry entries.

File Removal Procedures

The first step in PC Defender removal is to stop the following processes:

Antispyware.exe
proccheck.exe
[random characters].exe, like
_96222EB958BE7AE1F3D10F.exe
_E99A03E2B966DDBBBF0A73.exe

The next step in PC Defender removal is to unregister the following DLL file:

hook.dll

As the final step in file removal, delete the following files and folders:

Your file system is now free of anything to do with PC Defender. To confirm this, it is recommended to conduct a full system scan using genuine antivirus software such as Spyware Doctor with Antivirus.
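The first two steps of this section (stopping the processes and unregistering hook.dll) can be scripted. The PowerShell below is an added example, not part of the original guide; the pattern for the randomly named executables (an underscore followed by 22 hexadecimal characters) is an assumption drawn from the two sample names above, and hook.dll is looked for in the folders of the matched processes rather than at a fixed path.

```powershell
# Added example: stop the processes named in this guide and unregister hook.dll.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Process names the guide lists (Get-Process reports them without ".exe").
$fixedNames = @('Antispyware', 'proccheck')

# Assumption: the randomly named executables follow the shape of the guide's
# two samples, an underscore followed by 22 hexadecimal characters.
$randomName = '^_[0-9A-F]{22}$'

# Collect every running process that matches a listed name or the pattern.
$targets = @(Get-Process | Where-Object {
    ($fixedNames -contains $_.ProcessName) -or ($_.ProcessName -match $randomName)
})

# Record each executable's folder while the process still exists, so that
# hook.dll can be located next to it afterwards.
$folders = @($targets | Where-Object { $_.Path } |
    ForEach-Object { Split-Path -Parent $_.Path } | Sort-Object -Unique)

# Step 1: stop the processes.
foreach ($p in $targets) {
    if ($PSCmdlet.ShouldProcess("$($p.ProcessName) (PID $($p.Id))", 'Stop process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# Step 2: unregister hook.dll wherever it sits beside a stopped executable.
foreach ($folder in $folders) {
    $dll = Join-Path $folder 'hook.dll'
    if (Test-Path -LiteralPath $dll) {
        if ($PSCmdlet.ShouldProcess($dll, 'Unregister DLL')) {
            # /u unregisters the DLL, /s suppresses regsvr32's dialog boxes.
            Start-Process regsvr32.exe -ArgumentList '/u', '/s', "`"$dll`"" -Wait
        }
    }
}
```

Saved as a script and run with -WhatIf from an elevated prompt, it lists the processes and DLLs it would act on without changing anything.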

Registry Removal Procedures

Deleting files and folders alone is not sufficient to completely remove PC Defender. To ensure complete PC Defender removal, delete the following entries from the registry:

Once these registry settings and keys have been removed, your computer is completely safe from PC Defender.
