Perfect Defender 2009 – 3 Removal Solutions

Here we go again, or should it be – here we go still!

Add Perfect Defender 2009 to the massive number of rogue security applications currently circulating on the Internet, seeking out unaware users in order to steal their money.

Like all rogue security applications, Perfect Defender 2009 is a master at using Trojans, and fake advertising, to convince unaware Internet users to install this rogue application.

Looking at the website that advertises this parasitic application, it’s difficult not to be impressed. The site appears to be legitimate, and the product appears to be recommended by select members of the computer industry.


Unfortunately, Perfect Defender 2009 can be installed on a computer system without any action on the part of the user. Delivery methods used by this parasite include dropping a Trojan, in this case the infamous Zlob Trojan, and Internet Browser security holes. It can also be downloaded voluntarily, from rogue security software websites including defender2009.com, the website described earlier, or from “adult” websites.

In the case of the Zlob Trojan being dropped on a system, typically a false security center alert is displayed such as:

To help protect your computer, Windows Firewall has blocked activity of harmful software.

Do you want to block this suspicious software?

Name: Spyware.ISpynow

Risk Level: High

Description: iSpynow is a Spyware program that records keystrokes and takes screen shots of the computer, stealing personal financial information.

Clicking on “enable protection” begins the process of infecting the system by downloading Perfect Defender 2009.

The objective of Perfect Defender 2009, which is the objective of all Rogue Security Software, is to convince the victim to pay for the “full” version of the application in order to remove what are, in fact, false positives that this program is designed to display on the infected computer in various ways, including fake scan results, pop-ups and system tray notifications.

Unfortunately, Rogue Security Software is generally very sophisticated and can write itself into multiple parts of the operating system. In many cases it can hide its files, registry entries, running processes and services, making the infection difficult to find and extremely difficult to remove.

If you are a victim of Perfect Defender 2009, or other Rogue Security Software, the following removal solutions will be invaluable.

Removal Solutions:

Malwarebytes, a very reliable anti-malware company, has created a free application to help keep you safe and secure. RogueRemover will safely remove a number of rogue security applications. You will also have the option of downloading the free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications, including Perfect Defender 2009.

411 Spyware is a great site that specializes in malware removal. I highly recommend this site.

Bleeping Computer is a web site where help is available for many computer related problems, including the removal of this particular rogue software.

SmitFraudFix, available for download at Geekstogo, is a free tool that is continuously updated to assist victims of rogue security applications, including the removal of Perfect Defender 2009.


164 responses to “Perfect Defender 2009 – 3 Removal Solutions”

  1. Pingback: Rogue Security Apps… BEWARE! « What’s On My PC

  2. Susan Pope

    Evidently this Perfect Defender has infiltrated my computer. I cannot access any of the removal systems you mentioned above. Can you give me more suggestions? I am not extremely computer literate, but I can follow prompts to remove this aggravating parasite!

    • billmullins

      Hi Susan,

      It seems you have access to the Internet since I have your email.

      I suggest that you download the relevant solutions to the computer you have
      access to, burn those solutions to a CD, or copy to a USB drive, for
      installation on the infected machine.

      Bill

    • Leo

      Malwarebyte and when that is complete use ccleaner…took 2 hours or so but perfect defender is gone! no visible after effects or system slowdowns…good luck!

  3. Temitayo Giwa

    I have it too. I went to C:\Program Files\MalwareBytes and then changed the name of the file, if you already have it downloaded if not try going to download.com and downloading it through there.

  4. Jaz

    what happens if you’re an idiot and already gave them your credit card info and purchased it????

    • billmullins

      Hey Jaz,

      Giving your credit card info to these cyber-criminals, DOES NOT make you an
      idiot. These scams are incredibly well done, and trick huge numbers of
      people.

      You should immediately notify your bank and dispute the charges. In most
      cases, I have been informed, Banks will reverse the charges. It may also be
      necessary for the Bank to issue you a new card, and cancel the one used in
      the fraud.

      It helps all of us, if victims such as yourself, notify their appropriate
      jurisdictional authorities.

      Good luck

      Bill

  5. gale

    Good article. I downloaded and ran Malware and still the Perfect Defender crap comes up. Should I run Malware detector again?

    • billmullins

      This is the first instance I’m aware of, in which Malwarebytes’ Anti-Malware
      has not been effective in removing this program. I suggest that you download
      and apply the other solution applications mentioned.

      Bill

  6. Andy

    I have this Perfect Defender problem as well. I have downloaded and run Malwarebytes Malware, SmitFraudFix, and Norman Malware Cleaner as my Webroot Spy Sweeper and Trend antivirus programs haven’t been able to identify or fix the problem. Unfortunately, these apps haven’t either. I still have it. (Is it Herpes?). What should I do next?

    • billmullins

      Hey Bonedoc,

      Since individual system configurations vary so widely, it is difficult to
      provide you with a definitive answer. I am assuming that you have run your
      on board malware tools in Safe Mode. If not, you should try this approach
      first.

      As well, please read Free Online Spyware/Virus Scanners – Multiply
      Your Protection!,
      on my site, and then scan your system using these tools. Often, these tools
      can be very effective.

      Depending on your computer knowledge and comfort level, you can attempt a
      manual removal by following these steps that one of my associates has used
      successfully:

      Stop this process:

      pdfndr.exe

      Delete the following files:

      ProgramFiles\PerfectDefender2009\pdfndr.exe

      ProgramFiles\PerfectDefender2009\uninstall.exe

      ProgramFiles\PerfectDefender2009\dbbase.div

      ProgramFiles\PerfectDefender2009\pd.dll

      ProgramFiles\PerfectDefender2009\pdmonitor.exe

      Delete the following registry key:
      HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run/”PerfectDefender2009”

      Malware of this type is extremely destructive, and in the final analysis you
      may have no choice except a reformat and reinstall. Should this be the case,
      it is important that you wipe your drive before reinstalling since malware
      of this type has been known to survive a reformat.

      Good luck,

      Bill

  7. John Nguyen

    I ran the Malwarebytes Anti-Malware program, and the Z.blog thing still pops up. What can i do to get rid of it?

    • billmullins

      Hi John,

      I have just responded to another reader with the same problem, and the
      answer holds true for your question as well.

      Since individual system configurations vary so widely, it is difficult to
      provide you with a definitive answer. I am assuming that you have run your
      on board malware tools in Safe Mode. If not, you should try this approach
      first.

      As well, please read Free Online Spyware/Virus Scanners – Multiply Your
      Protection!, on my site, and then scan your system using these tools. Often,
      these tools can be very effective.

      Depending on your computer knowledge and comfort level, you can attempt a
      manual removal by following these steps that one of my associates has used
      successfully:

      Stop this process:

      pdfndr.exe

      Delete the following files:

      ProgramFiles\PerfectDefender2009\pdfndr.exe

      ProgramFiles\PerfectDefender2009\uninstall.exe

      ProgramFiles\PerfectDefender2009\dbbase.div

      ProgramFiles\PerfectDefender2009\pd.dll

      ProgramFiles\PerfectDefender2009\pdmonitor.exe

      Delete the following registry key:
      HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run/”PerfectDefender2009”

      Malware of this type is extremely destructive, and in the final analysis you
      may have no choice except a reformat and reinstall. Should this be the case,
      it is important that you wipe your drive before reinstalling since malware
      of this type has been known to survive a reformat.

      Good luck,

      Bill

  8. John Nguyen

    I was able to uninstall Perfect Defender 2009 but the Zblog still pops up. How do i get rid of the popup?

    • billmullins

      Here is a solution posted in comments just minutes ago.

      I’ve checked this out and it seems to work.

      Try this:

      Reboot in Safe Mode

      Click on:

      My Computer

      Local Disk (C)

      Now onto folders:

      Documents and Settings

      * now find the folder with your user name & click it *

      Application Data

      Google

      INSIDE the Google folder DELETE these:

      kjzna1562565.exe

      spcffwl.dll

      the entire folder called TSCAN

      now close & go back to your desktop & empty the recycle bin.

      RESTART

      You should now be able to open Internet Explorer & have it respond
      normally.

      Bill

  9. AtomicPunk

    After about 20 hrs of trying everything mentioned above, I finally found a solution that worked for me with XP.

    Try this:

    Reboot in Safe Mode

    Click on:

    My Computer

    Local Disk (C)

    Now onto folders:

    Documents and Settings

    * now find the folder with your user name & click it *

    Application Data

    Google

    INSIDE the Google folder DELETE these:

    kjzna1562565.exe

    spcffwl.dll

    the entire folder called TSCAN

    now close & go back to your desktop & empty the recycle bin.

    RESTART

    You should now be able to open Internet Explorer & have it respond normally.

    Hope this helps!

    • billmullins

      Thanks for this.

      I’ve checked out this solution for the trojan.zlob.g on the forums, and it
      seems to work.

      Bill

  10. Bob

    So I pretty much removed all of perfect defender with your program so thank you for that.

    But I still get the phony windows defender alert popup and when i go into documents and settings i don’t see any folder called “application data” or anything to do with google.

    is there anything i’m missing or anything else i can do?

  11. NoKaOi

    I wanted to try AtomicPunk’s solution but I have Vista – the folders have different names and I’ve been unable to figure it out. Do you have any suggestions? Thanks.

  12. carpcatcher

    Thanks for the warning. I didn’t fall for this but I’m definitely going to bookmark the removal links. Good post, good site, I’m going to keep coming back.

  13. Hemant

    Thanks to Atomicpunk and Bill – this solution works for the latest Trojan.Zlog.G popup problem where no internet connection works and repeated fake warnings to ‘activate’ Defender anti-virus program.

    No use running any anti-virus/spyware programs only, manual removal works perfect:

    Start in safe mode (press F8 at startup)
    Delete following:

    kjzna1562565.exe
    spcffwl.dll
    T-Scan (entire folder)

    their location would be C:\Documents and Settings\{username}\Application Data\Google\

    It looks so simple in hindsight, entire day wasted in efforts.

  14. Bill Mullins

    If you are continuing to have difficulty removing this parasite, despite having tried all the recommended tools – visit Bleepingcomputer.com and checkout their forums which have additional information.

    Bill Mullins

  15. Evan

    I have the popup consistently on my screen. Any suggestions for manual removal with the vista OS?

  16. Bob

    I managed to fix the problem

    I got rid of the program but the popup was still there so i started the computer in safe mode and eventually ended up doing a system restore. I restored my computer to its state from 2 days ago. haven’t had the popup since.

    hopefully someone will find this useful.

    • billmullins

      Hi Bob,

      Apologies for not getting back earlier – sometimes it may take several days
      to answer comments.

      Terrific that you have managed to rid yourself of this infection.

      You might want to consider at this point, installing 2 additional small
      security applications.
      ThreatFire, which offers zero day protection, and WOT, a Browser add-on
      which will advise you when you land on an unsafe site.

      Bill

  17. Qbish

    http://www.simplysup.com/tremover/download.html

    Trojan Remover works GUARANTEED!!! Trust me, I just used it and it works. Remember to update it before running it.

  18. c

    I’m also having problems with Trojan.zlob.g and would like to get rid of it manually using the tips from Hemant and Bill. For some reason I can still use Firefox and IE no problem, but the Windows pop-up shows up about every 10 minutes and my home pages have been changed to redirect me to the Personal Defender 2009 site.

    My questions are: why don’t I see an Application Data folder under my UserName folder? Also, when I use the search function to look for files and folders with Google in the name nothing comes up. I haven’t restarted my computer in safe mode, could that be the reason?

    I’m obviously not highly computer literate, but I can follow simple directions pretty well 🙂 Thanks for your help!

  19. c

    Hi again. I just restarted my computer in safe mode in order to locate the offending files. Sadly, I still don’t see an Applications Data folder. I’ve followed the steps:
    My Computer
    Local Disk C
    My Username
    …and that’s where it ends. Why can’t I see the Apps Data folder? Eesh. This is frustrating. Thanks again for your help!

  20. c

    Hello once again! I think I got rid of the Trojan. After a little more research, I learned that selecting ‘show hidden folders’ under Settings, Control Panel, File Options, View allowed me to see my App Data folder and delete the Trojan files. Success!

    Thanks 🙂

  21. LeviGratton

    I don’t have Perfect Defender on my computer, but I am repeatedly being prompted to purchase it and being told that I cannot safely access the internet, and having my internet browser randomly shut down.

    Any suggestions? It seems the Trojan that makes me ‘need’ their anti-virus is still afflicting me.

  22. LeviGratton

    Oh, if it helps any I’m running Windows XP on an HP Pavillion Laptop. I’m not computer illiterate, but I don’t often need to do any sort of work on mine. I actually forget how to boot in safe mode.

    • billmullins

      Hi Levi,

      Let’s start with booting into safe mode:

      1. If the system is already turned off, power it on.
      2. If the system is already on, shutdown the system normally, wait 30
      seconds, then power it back on.
      3. Begin tapping the F8 key every few seconds as the system boots up
      until the screen offering the Safe Mode option appears.
      4. Use the arrow keys to highlight Safe Mode and press the Enter key.
      5. The system will now boot into Safe Mode.
      6. On Windows XP, you may receive a prompt asking if you really want to
      boot into Safe Mode. Choose Yes.

      Rerun the recommended solutions from the article, in Safe Mode. This is a
      particularly difficult parasite and in the last few days many of my
      colleagues have simply given up and reformatted their customers’ Hard Drives.

      Before you consider that however, please read Free Online Spyware/Virus
      Scanners – Multiply Your
      Protection!,
      on my site, and then scan your system using these tools. Often, these tools
      can be very effective.

      If you’re still stuck, try the following solution mentioned in the comments
      section:

      I’ve checked this out and it seems to work.

      Reboot in Safe Mode

      Click on:

      My Computer

      Local Disk (C)

      Now onto folders:

      Documents and Settings

      * now find the folder with your user name & click it *

      Application Data

      Google

      INSIDE the Google folder DELETE these:

      kjzna1562565.exe

      spcffwl.dll

      the entire folder called TSCAN

      now close & go back to your desktop & empty the recycle bin.

      RESTART
      You should now be able to open Internet Explorer & have it respond
      normally.

      Good luck,

      Bill

  23. Bob

    Hey, I accidentally had this installed, so far a system restore and symantec antivirus seemed to work… I’m running malwarebytes just in case though, thanks for the info.

  24. Bob

    also, I am a different bob than the one above…
    ironic that he also did system restore too

  25. LeviGratton

    All’s well again in PC land. Thanks a lot.

    And may the Perfect Defender people get taken to court a thousand times.

  26. I’m gonna try some of the solutions that I’ve read on this site. All of you have been very helpful, thank you to everyone, and wish me luck!!!

  27. Matt Deist

    above response worked great, no more Trojan.Zlob.G!!!!!!

  28. Ryan

    wow! I cannot say how much u have informed me and i am only 13. I have been in a situation like this before with a thing called win32 or something. My dad told me everything and that i should not be scared. Bill u r the best in informing me and i have to ask me dad to do the rest. I was scary though at 1st seeing the Trojan.Zlob.G and they r very clever with the firewall thing but u just saved my life!!!! Thx again Bill. U r 1 heck of a hero! 🙂

  29. Ian

    Hey, unfortunately, I also have this problem. My problem is that many of my apps do not work properly (they become non responsive very quickly) and some sites I can’t revisit. I tried using the malwarebytes program, but all that was found was hijack.startmenu (which I’m not 100% sure if I should delete it). Trend Micro Antivirus could not find it also. I then tried to use it manually, but once in safe mode, I couldn’t find my Documents and Settings Folder in the C drive so I went directly to my folder (my user folder) then to AppData, but I had no google folder. Only Local, LocalLow, and Roaming. Some of which led to a google file, but none containing those folders.

    I’m using Vista Premium and I obviously need some advice.

  30. Ian

    Update: I ran Malware again and this time coming up with 4 trojan.fakealert and the hijack.startmenu
    I’ll assume I should delete these now I suppose.

    • billmullins

      Hi Ian,

      Got both your comments at the same time.

      If Malwarebytes found 4 trojan.fakealerts, definitely delete these entries.

      If you need to go in later to remove anything manually, (you mentioned you
      couldn’t find some files/folders), be sure you have selected show hidden
      files under Settings, Control Panel, File Options, View, otherwise you will
      not have access to all files/folders.

      In earlier readers’ comments, you will find a number of different manual
      removal methods that I have verified will work, depending on your specific
      system configuration.

      Good luck with this,

      Bill

  31. Moey

    To Bill and AtomicPunk,

    I totally love you guys.

    You dudes are definitely legends!

  32. Ashok

    Hi Bill ,
    Thanks for best information to handle Perfectdefender2009.
    I have used all tools and site. It worked fine for me. But still facing issue with POP UP.
    – I don’t find any files which is mentioned under folder google. I have enabled to see Hide folder also.
    your input will be valuable
    Thanks in advance.
    Ashok

  33. Ratrix

    I have the same trouble. The Google folder has none of those folders/file within it. Do they only show up in the safe mode?

  34. Stephanie

    Well, I did control, alt and delete to get the Task Mgr. Then I selected *Processes*. I found the devil (pubdfdr.exe) or something to that effect and chose END PROCESS. It seems to be working. However, uninstalling is a different story and the annoying “security center/trojan” popup still comes alive.
    Don’t these idiots have anything better to do with their time? ARGH!
    I also looked for the “application data” in my user name folder. It wasn’t there.

  35. Stephanie

    P.S. After stopping the process I was able to delete the program! Do the deleting quick as this beast is unrelenting! Emptied recycle bin and rebooting.

  36. Stephanie

    One more time…sorry people, but I’m as frustrated as you so if I can help you I am willing. Go to your control panel. Select *security alerts*. On the left choose “change the way I’m alerted” (last option on left). UNcheck all boxes. Click ok. TaDa! =)
    Well, at least for now it’s not bearing its ugly head!

  37. lana butters

    I’ve tried the removal as given above but don’t seem to have “application data folder” or “google”. Is there anywhere the files could be stored and named as. I’ve run the malwarebytes but still get the pop up. Please help thanks

  38. Pingback: Top Posts « WordPress.com

  39. Sybil

    Caught by this darn Trojan.Zlob.G yesterday and nearly went out of my mind trying to get rid of it!!
    Thanks to those who suggested booting into Safe Mode and going from there. Tried this just a while ago, and hopefully the problem has been fixed!!!
    Great site, be coming back again. Many thanks.

  40. Susan

    All, I followed the instructions from AtomicPunk and Bill the evening of Dec. 7. (and thanks to “C”) for the note about the hidden folders.

    Anyway, when I got to the Google folder, the .exe, and .dll files had a different series of numbers and letters from the ones listed in AtomicPunk’s original email. Since they were obviously loaded on my computer a couple of days ago, I rightly assumed they were the culprit and deleted and shredded them.

    I just wanted to let other users know in case they didn’t make the same connection.

    Thanks for this site and documenting the manual solution. I called the Microsoft PC Safe department 3 times, ran 4-5 different anti-virus softwares, including a couple on this site, and the manual solution is the only one that worked for me.

    Regards,

  41. Timm

    What method did you use to identify the files associated with the virus in the first place?

  42. Elle

    Thanks for the info on this site.

    I downloaded Perfect Defender but thank god I was suspicious enough to put the name into google before I installed it on my computer.

    Will it still be on my computer though? It must be in some way since I’m still getting the fake Windows “warning”.

    Thanks guys!

  43. Colly

    Hi all. Had the above problems with Perfect Defender trojan, which completely cleared with above method.

    However, managed to pick up the bloody trojan again after 20 mins of net surfing, but interestingly had completely different names for rogue files although obviously culprits (given that they hadn’t been there 20 mins before!)

    I’ve checked this variation on the above method and it also seems to work.

    Reboot in Safe Mode, then Click on:

    My Computer

    Local Disk (C)

    Now onto folders:

    Documents and Settings

    * now find the folder with your user name & click it *

    Application Data

    Google

    INSIDE the Google folder delete these files:

    fhexj6825097.exe

    mjkdpl.dll

    the entire folder called GMail (contains a few small GIFs which are actually trojans)

    now close & go back to your desktop & empty the recycle bin, then restart the computer.

    You should now be able to open Internet Explorer OK.

    Hope the above helps.

  44. Jack

    Hey,
    I have tried using smitfraud fix, malwarebytes, and Super antispyware but they all have been unsuccessful.
    I don’t have the program installed in my computer but when ever i go in internet explorer this pop up appears:
    “Insecure Internet activity. Threat of virus attack….”
    So if you can help me please, i would really appreciate it.

  45. Mike

    Hi all, I have this stupid perfect defender virus on a common use dell gx280 running xp pro.

    I read all of the posts on this dirty bug, and it seems it can be deleted in safe mode, but I can’t get my system to start in safe mode (pressing F8 at startup), or even into setup for that matter (F2).

    It goes straight to the perfect defender security alert pages and won’t respond to any key stroke or mouse click commands.

    Any ideas to force system into safe mode? or suggestions to get rid of virus from this point?

  46. Dan

    I’m in the same situation. I’m using Malwarebytes right now, but I haven’t been able to find all of the other stuff, in the registry or elsewhere. Yet the browser still opens with the dangerous site message. It also crashes soon after, esp. if I’m trying to download stuff like Malwarebytes to deal with it.
    BTW, is there any chance that the Crash Reporter function in Firefox is somehow linked to this Trojan?

  47. Dan

    Oh, and another thing. When I installed the Malwarebytes and ran it, I had a series of error messages. It’s worrying.

  48. RSO

    I have been trying to get rid of it from my mom’s Dell (running XP) for two days but I can’t locate any of the files. I have not tried malwarebytes yet since I could not open a browser because it would keep shutting down automatically. PD was not “installed” since the popup is simply Xd out each time but I am wondering if I will need to actually install it through that popup in order to find it. I tried safe mode also and went through various manual searches per various websites but nothing shows up. I also can’t find the applications data folder.

    Are there different removal instructions if the popup has not been clicked to install and the only signs of PD are the fake popup warnings?

  49. Dan

    I tried the safe mode approach and it appears to have been effective. I had to run malwarebytes in safe mode because there was something making it have errors in the regular settings. It found the Hijacker that was opening the “unsafe web page” whenever I opened my browser. And at the same time going into the Google folder of the Application Data folder and removing the files noted above seems, for the time being, to have been effective.

    RSO, I am not a techie, but one thing I realized I needed to do was make sure hidden folders were visible when I was in my C: drive–go to the Folder Options under Tools and find the appropriate check box. then I could go, find the Google folder, and delete the two files noted. They were only in my account’s file, but I have admin settings so it may have changed everything for the others, too.

    What Malwarebytes removed was a registry entry. If you go to your regedit you might be able to remove it yourself if you feel up to it. According to the Malwarebytes log, mine was at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu)

    Note, I use Firefox, but it affected both FF and IExplorer.

    Just FYI

    Thanks for running this blog, Bill.

  50. RSO

    Thanks for the reminder about the hidden folders, Dan. So much frustration over two days caused me to miss that tidbit earlier in this discussion. I will go back for day 3 tomorrow and either post up my thanks or attach what little hair I had left that was caused to be pulled out over this issue.

  51. JBEACH

    This was a great help. The safe mode bit worked for me perfectly. Thanks for helping myself and others who got stuck on this!

  52. Ian

    Hello again, I posted earlier (Wednesday) in which I had this. After deleting the four Trojan.FakeAlerts files found by malwarebytes my computer has appeared to turn back normal. I have had access to all programs and no more pop-ups. Just like to personally thanks for the big help this was.

  53. RegHartopp

    I had found the same files as Colly did in GOOGLE folder… also found another rogue file in the IDENTITIES folder named sinashi.exe which seems clearly linked to the PERFECT DEFENDER 2009 malicious attack with its time of creation fitting in perfectly with the timing of the other rogue files on my machine. Seems all ok on mine now using the SAFE mode method.

  54. RegHartopp

    Done some further checking within the Folders contained in the APPLICATION DATA folder and found some more malicious files installed at the same time as the other known suspicious files. It seems to use commonly seen folders to hide within…so check All folders in the Application Data folder for dodgy content. Timing and type of entry should show whether it’s suspicious.

    Other rogue files ;
    In Adobe folder kernell.32dll
    In AdobeUM folder gdi.dll
    In Jasc Software Inc folder xerks.exe
    In Help folder rasim.exe
    In Lavasoft folder manol.exe
    In Macromedia folder netsk.exe

    Hope this helps ppl deal with this nasty software.

  55. Dan

    Thanks Reg. I did this and found several of those files in other folders within Application Data.

    For those looking: run a search in the App. Data folder, and search for files modified on the date the problem started. If you found the file in the Google folder, you’ll know the time. For me, they were all created at the same time on the same day.
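
The timestamp heuristic described by RegHartopp and Dan above, as an added example that is not part of the original comments: because the dropped files carry different names on each infection (compare the names reported by AtomicPunk, Colly and Susan), this sketch lists every file under an Application Data tree whose modification time falls close to that of one known-bad file. The function names, the 10-minute window and the sample tree (file names quoted in this thread, constructed timestamps and contents) are assumptions; it only reports candidates and deletes nothing.

```python
import os
import tempfile
from pathlib import Path

# File types that should not normally appear in a per-user application
# *data* folder; hits with these extensions are listed first.
EXECUTABLE_EXTS = {".exe", ".dll"}


def find_time_clustered_files(app_data, seed_file, window_seconds=600):
    """List files under app_data modified within window_seconds of seed_file.

    seed_file is one file already identified as malicious (for example the
    randomly named .exe found in the Google folder). Matching is done on
    modification time only, never on file name. os.walk also descends into
    folders that Explorer hides by default, so "show hidden files" is not
    required for the sweep itself.
    """
    base = Path(app_data)
    seed_mtime = Path(seed_file).stat().st_mtime
    hits = []
    for root, _dirs, files in os.walk(base):
        for name in files:
            path = Path(root) / name
            try:
                mtime = path.stat().st_mtime
            except OSError:
                continue  # locked or vanished file: skip it, keep sweeping
            delta = abs(mtime - seed_mtime)
            if delta <= window_seconds:
                hits.append({
                    "path": path.relative_to(base).as_posix(),
                    "delta_seconds": round(delta),
                    "executable": path.suffix.lower() in EXECUTABLE_EXTS,
                })
    # Executables first, then closest in time to the seed file.
    hits.sort(key=lambda h: (not h["executable"], h["delta_seconds"], h["path"]))
    return hits


def build_sample_tree(base):
    """Constructed sample data: a stand-in Application Data tree.

    File names are the ones quoted in this comment thread; timestamps and
    contents are invented for the demonstration.
    """
    infection_time = 1228600000  # constructed epoch value, early Dec 2008
    layout = {
        "Google/kjzna1562565.exe": 0,
        "Google/spcffwl.dll": 5,
        "Google/TSCAN/sample.gif": 12,       # constructed file name
        "Lavasoft/manol.exe": 40,
        "Macromedia/netsk.exe": 95,
        "Mozilla/prefs.js": -30 * 86400,     # legitimate, a month older
        "Adobe/reader.dat": 3 * 86400,       # legitimate, three days newer
    }
    for rel, offset in layout.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")
        stamp = infection_time + offset
        os.utime(path, (stamp, stamp))
    return Path(base) / "Google" / "kjzna1562565.exe"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        seed = build_sample_tree(tmp)
        for hit in find_time_clustered_files(tmp, seed):
            flag = "EXEC" if hit["executable"] else "data"
            print(f'{flag}  +/-{hit["delta_seconds"]:>3}s  {hit["path"]}')
```

On a real machine, pass the user's Application Data (or, on Vista, AppData) folder and the path of the file already identified as malicious, and review the list before removing anything.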

  56. RSO

    I just came down for Day 3 of the battle and with the updated instructions about finding the hidden folders it looks like mom is up and running again.

    Thanks Bill and to everyone else who offered their experiences and insight.

    Happy Holidays to all!

  57. Alex

    Somehow I think I’ve gotten this perfect defender 2009 thing. Every time I try to do something it either shuts down my computer, redirects me, or takes me off the internet. Is there anything I can do to fix it or is my computer destroyed? Will this spread to other computers in my house? Will it get into my e-mail or my IM account? Will my music and word folders be ok? I don’t know a lot about computers.

  58. buja

    I had the same problem. I did the exact same thing mentioned above. The malware created 2 more files called GoogleUpdate and windpipe which need to be deleted (they are not actually files but are values hence you won’t be able to find them in a search). Even without deleting them the system runs fine and the exact effect of these values are not known.

    In order to delete them

    click on

    start menu
    run
    regedit ( you need to type it then click ok)

    (the Registry Editor opens up)

    Highlight mycomputer by clicking on it.

    click on

    Edit
    Find
    windpipe (you need to type this then click on find next)

    (if it doesn’t display in the first go try again)

    highlight, right click and delete it.

    Also if googleupdate is displayed in the search result delete it.

    Else search for it and delete it the same way.

    Note: Both these values may show the application data folder as their location.

    All the best.

  59. I haven’t downloaded the software but the shame is that I reformatted my PC for other reasons about 2 hours before; as soon as I connected to the internet I was infected by this virus. Unfortunately nothing on this site has worked for me so far, but I am using my training to locate and destroy the files responsible, and when I do I’ll post it here.

  60. jp

    just had this happen…follow the above instructions…delete works perfectly

  61. RSO

    Does anyone know how their computer got infected? I was able to identify the time that it got on my mom’s computer but she did not seem to be doing anything that would have resulted in it.

  62. Joepp

    I’ve got the same problem..
    Malwarebytes won’t recognise trojan.zlob.g.
    SmitFraudFix doesn’t even run.. what can i do?
    Thanks,

  63. tonio

    Hi guys,
    I got the same problem with perfect defender. I have the constant pop up, fake security alert, except for me it’s about the “win32.NETSKY.Q” virus. And I also have the error when I launch Internet Explorer.
    So many solutions up there, I don’t know which one is the correct one. A step by step would be really nice because I don’t know where to start!

  64. Rich

    I puzzled over this for a while. I believe this will fix the problem (it has for me):

    1. Start your computer in safe mode (press F8 as computer is booting).

    2. Go to:
    C:\Documents and Settings\{username}\Application Data\Google\

    3. There will be two files here, one named mjkdpl.dll (mine was, others I’ve heard have spcffwl.dll) and fhexj6825097.exe (or kjzna1562565.exe)

    4. Delete mjkdpl.dll and fhexj6825097.exe

    Remember, you can only delete them in safe mode. Good luck!
    Rich

  65. Rich

    (continued from above)
    5. Restart

    That’s a quick and easy way for doing it, anyway! It worked for me, and you may wish to try it before trying some of these more involved methods.

  66. tonio

    Thanks a lot Rich!
    I did what you said, except to find the location of the infected files I used malwarebytes.
    My PC is healthy again!
    Thank you Bill Mullins, this page really helped me to get through this.

  67. Mitch

    I downloaded Malwarebytes and RogueRemover. Neither of these programs found anything harmful, though I wasn’t able to update them for some reason. (I have since updated and scanned, must have been their servers) I never actually installed Perfect Defender, but I was getting the pop-up and the prompt to visit their site when I opened Firefox. I went ahead and deleted the files in the Google folder manually in safe mode, and that seemed to do the trick. One thing I would add is that if you do it this way, you should definitely check the other sub-folders in the AppData folder. I found several executable files that were all created at the same time, right when I discovered something was fishy.

    When I first started getting these pop-ups, I ran AVG Free 8.0 and it discovered/quarantined/deleted a Key Logger. After that, I still got the pop-ups until I found this site and went through the process of cleaning it up. I’m not entirely convinced the two were related, but is this what Perfect Defender was designed to do?

    • billmullins

      Hey Mitch,

      This type of malware is multi-layered, and can continue to drop additional
      malware on a machine until it’s eradicated.

      In answer to a previous comment, I recommended reading Replace Task Manager
      with Free System Explorer on my site. This free tool not only monitors
      activity, but in addition, with a right menu click, provides online
      information including virus checking for any process, driver or service,
      from VirusTotal or Jotti.

      You might find this useful.

      Congrats on a job well done.

  68. Mitch

    btw, the file that AVG found was called upd.exe and it was in the AppData folder also.

  69. Franz

    Bill, thank you SO much, not even sure HOW I got this, had installed AVG 8 and updated my windows to SP3, thought this was at first a byproduct of that, so after uninstalling all of those I decided to use google (when I could keep my browser open long enough, safari ended up saving me)…going into safe mode, finding hidden files and deleting them (mine was the FHEX series, not the KJZNA series but still) my comp seems back to itself, DLing Malwarebytes anti malware now and gonna get AVG back on to keep this from happening again…

    thanks for your help and time you put into this helping people:-)

    Franz

  70. Erica

    Bill,

    Your site is wonderful — I was completely lost until I found it.

    I tried to do the manual delete, but I’m worried I missed something. I also ran malwarebytes, but it didn’t come up with anything. Is there any way to check that I’ve gotten rid of the virus? I’m worried about purchasing other spyware/virus protection online in case the PD is still there to steal my credit card info.

    Thanks!

    Erica

  71. c

    Hi everyone,

    I was able to get rid of the nasty .zlob last week using the suggestions on this forum for rebooting in Safe Mode and deleting the bad files in the Google folder under Application Data (after selecting ‘show hidden folders’ in my Folder Options in the Control Panel) and haven’t had a problem since.

    What I’m wondering is if there is a chance the Trojan could still be present and able to track my keystrokes without my knowing. The Trojan just seemed to be directing me to buy the PD ’09 scamware, but, being paranoid by nature I haven’t done any online banking for fear that my info might be visible. What do you guys think?

    Thanks!

  72. Chris

    I have vista and I keep getting a pop up that claims to be a windows security alert.
    It says the following…
    Name: Win32.Netsky.Q
    Risk Level: high
    Description: This trojan has a keyboard logging function, which is intended to steal info. from users of a range of online payment systems.

    How do I get this pop-up to stop?

    I have not clicked the protect icon on the pop up but I have clicked the recommended software icon and it sends me to a website to purchase the perfect defender

    Please Help!

  73. KimD

    Unfortunately I have this horrible virus too. Did not download Perfect Defender but my computer is getting worse and worse.

    I have tried to get into Safe Mode and cannot. I do know how, but my computer won’t do it. Therefore the manual delete won’t work. I even tried doing it in Command Prompt.

    I’m running Malwarebytes right now on the infected computer (not this laptop obviously) but it seemed to skip the Application Data / Google directory. I’m not convinced it will find anything.

    Not sure what I’ll do next since everything I try to do seems to be blocked. Any other ideas anyone?

  74. Madcap

    Hey all, Bill put out some good information here. If you want a nine-step process that fixes this, take a look at this article, which goes into more detail. Feel free to plagiarize, the author doesn’t care.

    9 STEP SOLUTION to ERADICATE PERFECT DEFENDER if INTERNET is BROKE!!

    http://www.associatedcontent.com/article/1261114/solution_to_ispyvirus_and_perfect_defender.html?cat=15

  75. Suzanne

    I followed the manual removal shown above but the files were named pzpsp23511834.exe and mrkgrn.dll. They had the right date of when this started happening so I took the plunge and deleted them. I did not find a TSCAN folder. I seem to be able to browse normally now but what a nightmare. I am not a computer person but work for a small church and IT issues by default end up with me so thank you so much for the help. I’m going to try to download some of the suggested software – I tried Malwarebytes before the manual remove and it didn’t help.

  76. Chris

    Hi there, for some stupid reason of mine I deleted the Google folder under the application data 😦 Is there any other way I can find these nasty folders?
    please help I hate seeing my computer suffer by having this virus
    PLEASE HELP!!!!

  77. barry siegel

    Malware bytes did find my PF malware, but not by scanning, but more by luck. After many many hours of various tries, I installed MW bytes and after one week or so upon startup, MW Bytes messaged me that it would like to stop a process that was a fake trojan. When I looked at the location I saw that MW Bytes had found the hiding place of the file. I need to share that information so here it is. The file was located at c:\users\Eugene ( one of our users ) \AppData\Roaming\Google\mrkqrr.dll

    I destroyed the file and another related folder and associated contents with Powerdesk and the foe was vanquished. Thanks to Bill Mullins and MalwareBytes

  78. saleh

    the part where you said this

    Clicking on “enable protection” begins the process of infecting the system by downloading Perfect Defender 2009

    this came up on my screen but I did not click on that, but I did click on the link to the site but did not download it. Is my computer infected?

  79. Anna

    I used malwarebytes to remove and think it’s gone, but in my add/remove programs there is the uninstall perfect defender 2009. Should I uninstall this there also? I’m pretty scared to do anything, worried I might get this again. Any help would be appreciated.

  80. Hi all,

    Wanted to contribute my own info here to this thread.

    In my case, I deleted the weird files in the \Google folder. Then deleted all the other files in Application Data with the same date. …no luck. Still couldn’t run or update Anti-spyware programs like AVG.

    This bug is now known as the ISPYVIRUS which works by “installing” a bogus “device” that continues to infect your PC.

    Go to My Computer, right-click and do “Manage”. Right-click again on Device Manager and select “Show Hidden Devices”.

    Once you have that, you will see TDSSserv.sys. Right-click and Disable.

    Reboot.

    Download and run Malware-bytes. That should get you. For a full description see this guide:

    http://www.associatedcontent.com/article/1261114/solution_to_ispyvirus_and_perfect_defender.html?cat=15

  81. George

    Bill — I am SOOO thankful I found your blog regarding the Perfect Defender 2009 — I thought it looked suspicious, but I downloaded the free version, anyway — then when I went to remove it (via Add/Remove Programs thru the Control Panel), I didn’t see it — that’s when I realized that I was in trouble (lol) — I Googled & found your blog & saw that you listed 3 links that could possibly help — I used Malwarebytes, downloaded it, ran it, & it did the trick !!! Thank you so much for your help !!

  82. Lee

    I still have not had any luck in removing this trojan/spyware. I do not know if it has been modified to keep up with the solutions but if anyone knows the latest solution for a system running XP please let me know. Thanks.

  83. ben

    As Lee said above, there must be a new strain of this trojan. I got infected with a new strain of this trojan, not sure how, just checking the normal safe sites. It does not allow for booting in safe mode, and the malwarebyte does not run. Another program (spy something 3) was able to run, and it detected a “rootkit” program that is preventing exe files from running. But that removal program requires a license to activate the remove option.

    I tried to force the safe mode by checking the safemode box in the boot.ini window. BAD IDEA, DO NOT FORCE SAFE MODE, IT WILL RESULT IN AN ENDLESS LOOP OF BOOTING ERROR. now I can’t even boot in safe or normal mode now.
    will try to fix the boot problem tomorrow, but I hope there will be a fix for this new trojan soon.

    • billmullins

      Hey Ben,

      You are correct, this parasite seems to have morphed. Have you tried
      SmitFraudFix, available for download at Geekstogo? This is a free tool
      that is continuously updated to assist victims of rogue security
      applications.

      Bill

  84. kunaal

    Guys,

    Thank you very much for this thread, and this site. Managed to land myself with this damn thing a couple of hours ago, but followed the manual delete instructions posted by AtomicPunk and co above, and they seem to work just fine. For reference, there seem to be newly modified files everywhere throughout the ‘Application Data’ folder, not just in ‘Google’, and if you want to delete them all it might be worth a thorough check. I had a couple of .gif files in a new folder called ‘Yahoo!’, as well as most of those mentioned above.

    Awesome site, Bill; I’ll definitely be back on this when I next get a problem.

    Many thanks,
    Kunaal

  85. skiier

    Bill and guys, I want to tell you my case. I got this thing last night. Stupid enough, I enabled it and as soon as it started to ‘scan’, I realized I was mistaken. So I stopped it and used Norton to scan the disk. Norton did find something and resolved. I was paying attention. Then I used another computer to find this blog and read through most of the posts. I got an idea what is going on.
    Then after work I went home to check directories and registry, nothing left to clean, maybe Norton did the job. However that phony warning popped up again and asked me to enable the perfect defender 2009, again. It didn’t think I would, right? And of course it disabled my web browser. So as told by some of the posts, I went straight to that google folder. Well, I couldn’t delete 2 very suspicious files, cij…656.exe and kp…dll, I don’t remember the exact names of them, and they are different from those in the posts. But I’m almost 100% sure those are the evil files. And of course I’m not able to delete them just there because it’s running! Then I go check the startup program list, aha, it’s in it, named realteke. I disable it and reboot the computer, not in safe mode though, because I read a post about some complication. After reboot I went straight to the google folder and deleted them, emptied the trash bin. I don’t find that tscan folder though, other folders look good. And reboot again, now firefox is working, and no phony pop up yet. I hope this is over, and you guys can get some update from my case.

    • billmullins

      Hey Skiier,

      Thanks for sharing your experience – I’m sure it will be helpful for others.

      It’s terrific that you were able to solve this puzzle.

      Bill

  86. ben

    Will try smithfraudfix next. I was able to boot in windows normal mode again by making a bart PE builder cd, so that I could access and fix the boot.ini file. Still not able to boot in safe mode.

  87. klnim

    This is a nightmare. I have tried trend; I used to be able to log in safe mode, now I cannot. I cannot find the hidden files. What is the easiest way for the computer illiterate to remove this thing?

    • billmullins

      Unfortunately, removing parasitic applications like this requires the user
      to be very computer savvy. If you do not have a high skill level you should
      take your machine to a professional, or seek help from a trusted computer
      savvy friend. As a last resort, a Hard Drive reformat and reinstalling your
      applications may be your only choice.

      Bill

  88. klnim

    i have been working on this since saturday

  89. kim

    Hi Guys. Bill, thank you so much. As the last resort, I downloaded malwarebytes in the safe mode and it worked. It took less than 5 minutes. I have been working on this for four days. I hope this helps others. I tried to delete the files listed but could not find them. Good luck to everyone.

  90. skiier

    Bill and guys, you are doing a great job fighting the evil 🙂 I really appreciate it. We will do it together. So far my computer is recovered from it, but I’m still wondering how I got it. I will guess it’s from one of those messed-up websites. I was searching song lyrics and ended up on those web pages full of flashing ads and pop-ups.

  91. Runner

    Bill,

    I ran the MalwareBytes program and it picked up 25 errors – some of which were under that google folder. It stated that they could not be removed, but that the program would try again during reboot. I also restarted my system in safemode and tried to delete those files manually and they were not there.

    I restarted again and no pop-ups came up and the internet seems to be back to normal.

    Does this mean that I am all set? I am just worried some part of this crazy spyware is still on my system and don’t want it to steal my information.

    Thank you so much for this website! I thought I was going to have to replace my system.

    • billmullins

      The definite answer is maybe; or maybe not. The only way to be sure is a
      disk wipe, reformat, and a reinstall.

      The chances of still being infected are very small, but unfortunately there
      is still a chance.

      Bill

  92. Randi

    I am a Blog Virgin. This is my first. My mom has gotten the perfect defender 2009 crap. I’ve been trying for 3 days to remove it. I downloaded Xoftspy. I have it on my pc and thought it works alright. Was 40 bucks but can’t detect the problem. I’ve read all the entries you have here and just want to do the right thing. I’m going back tomorrow to work on her pc for day 4. aaaaauugghh! Anyway she has a Dell xp office. And what is going to work? Can I get some walkthrough steps anyone? I get the pop up and the explorer begins to open but snaps off. No getting online at all. We have comcast too, so McAfee is running. Does not detect it…… help!

  93. Hi, Perfect Defender ads keep showing on my computer every, say, half an hour. I have not downloaded it but I would like to know how to stop these ads for good! Thanks in advance.

  94. Rachel

    Thank you so much everyone. It means a lot that you want to help! 🙂

  95. Jude

    Thanks for this. I managed to find the Apps Data folder, but I don’t have a Google folder (even with Show Hidden enabled).

    So I did a System Restore and so far so good; no more pop-ups and the internet browser is mine to command again! Bwahaha!

    Er…sorry. Got a little carried away there.

    Anyway, if my internet’s working again and I’m not getting the popup, does this mean that (im)Perfect Defender is gone for good? (Sorry for the noobish question; I’m really not a techie. It takes the IT department at work half an hour with sock puppets and words of one syllable to get instructions through my head!)

  96. Karen Austin

    Had the Perfect Defender nightmare….the previous response instructions for going to “my computer”, documents/settings, your user name, applications, google…. worked like magic…however, the files are no longer named the same as in the previous instructions but they still end in .dll and .exe and they were installed today. I deleted them, emptied my trash (sorry I was an idiot and did not copy them before I deleted them so I could let you know what they were), restarted my machine, and it is working like normal again. THANK YOU EVERYONE RESPONSIBLE FOR THIS GREAT INFO…have been at this for hours.

  97. Steven

    It’s a shame I’ve also got this into my machine (it’s a shame because I’m a system admin myself, and I got the virus when I was searching for a solution for an error in exchange server…lol)

    My first instinct told me something was wrong when I saw that security center pop up…it looks so real I almost got fooled, but when I read the little portion at the bottom, no, that doesn’t sound like Microsoft wording….

    It only gives me one option, which is to “Enable Protection”, but I know for sure Microsoft doesn’t have a button like that, so I clicked the close “X” on the top right corner; about 30 seconds later my machine forcibly rebooted itself….

    Now I’m starting to panic. I grabbed my windows PE disc and booted with that, just looking over the start up process…I couldn’t find anything that’s suspicious, besides one thing, Google! The service that’s under the Google folder just doesn’t look like anything Google…. But it still had me fooled…I just left it there…

    After that I tried several different approaches with no luck, and by trial and error, I think I found a pattern in the rogue ware: if you don’t close that security center warning and just leave it there, it won’t reboot your machine. That bought me enough time to find this website, and following instructions here finally got rid of it!!

    Thanks for all the great help!!

  98. Steven

    This is actually pretty sad, the Perfect Defender software is programmed in a way that it’s almost perfection!

    The interface looks great, all the graphics are super.. and the way the program tricks the user into believing that it’s genuine MSFT stuff…..

    This is an incredible app if it’s not a rogueware, I just don’t understand why a programmer with such brilliant skill would choose to do something like this!?

    What’s going on in this world? Just how much profit can you make by creating stuff like this?

  99. Steven

    Added information about removing Perfect Defender

    I saw several posts above were having trouble finding the “Application Folder”.

    I don’t know if this has already been answered as I don’t have time to read through ALL posts.

    But the application folder is actually hidden, so here’s how to make it appear:

    First make sure you are in safe mode by pressing F8 at boot and choose “Safe Mode”

    when you get into windows, open any folder so you see an explorer window.

    1. Click Tools –> Folder Options…

    2. Click “View” tab

    3. Under “Hidden Files and Folders” choose “Show Hidden Files and Folder”

    4. Uncheck the box that says “Hide protected operating system files”

    and you will see the application folder under C:\Document and Settings\username$\

    Just make sure you reverse the change back the way it was after you are done, because some of these files are hidden for a reason; accidentally deleting these files can wreak havoc on your machine. Not to mention having a bunch of extra icons clogging your desktop and folders.

    Hope this helped

  100. Dano

    Bill, AtomicPunk, others:
    I don’t usually post on the internet, but I felt compelled to thank you all for the excellent advice. Everything was where you said it would be.

    The solution that worked for me was:
    Ran Malwarebytes — it found the infected files and deleted one.
    Safe Mode Manual Delete — to delete the other file.
    Then ran a bunch of searches on all files to be sure.
    Empty Recycle Bin.
    Rebooted and all set.

    Thanks again,
    Dano

  101. Drew

    Bill, others,

    I have the Perfect Defender 2009 popup. I’m not a PC expert, but followed your instructions.

    (I firstly downloaded malwarebytes, but it kept crashing on me about 1min into the scan)

    I then rebooted into safe mode, went into the Google folder.

    the only file i could delete was:

    pfysw721318.exe

    there was no spsffwl.dll; or any other *.dll files

    and no TSCAN folders.

    Hopefully this will do the trick.
    Thank you for your help!! I really appreciate it!!

    Cheers, Drew

  102. Greg

    Like Steve said above, just closing that website’s window installs the virus… pretty slick.
    It crashed firefox as soon as I did that. I had AVG running at the time… oh well. AVG couldn’t find the problem.

    I ran malwarebytes in safe mode. That program is dog SLOW, especially on music files, so exclude those folders if possible.
    ran smitfraud in safe mode, which didn’t eradicate it.
    superantispyware, trojan remover, searchanddestroy, were no go.
    Anyway clamwin found a few.
    I’m trying the kaspersky free virus removal tool next.
    Once you find one file, the fastest way to root out the rest is to go to start/search for files and folders by date. You will find a bunch of files installed all at the same time. Just select all and trash them. I also dumped my firefox files created at the same time when it crashed (Feb 5 at 1001AM)
    Here are some of the files you may find
    rasim.exe, sinashi.exe, xerks.exe, manol.exe, netsk.exe, kernell32.dll, gdi32.dll, mjkdpl.dll
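
The date-based sweep that several commenters describe (start from one known-bad file, then list everything under Application Data written at about the same moment), as an added example that is not part of any comment or of the original post. It only reports and never deletes; the function names, the 10-minute window, the extension set and the use of last-modified time are assumptions, and the sample tree is constructed with harmless placeholder files.

```python
"""Report files written within a few minutes of a known-bad file (read-only)."""
import hashlib
import os
import sys
import tempfile
from datetime import datetime

# Extensions commenters reported (.exe, .dll, .sys, .gif); the set itself is an
# assumption. Pass exts=None to consider every file regardless of extension.
SUSPECT_EXTS = frozenset({".exe", ".dll", ".sys", ".gif"})


def sha256_of(path, chunk=65536):
    """Hash a file so it can be checked against a multi-scanner service."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as handle:
            for block in iter(lambda: handle.read(chunk), b""):
                digest.update(block)
    except OSError:
        return None  # locked or unreadable, e.g. the image of a running process
    return digest.hexdigest()


def files_near(root, reference, window_minutes=10, exts=SUSPECT_EXTS):
    """Return files under root modified within the window around reference."""
    ref_time = os.stat(reference).st_mtime
    window = window_minutes * 60
    hits = []
    for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
        for name in names:
            if exts is not None and os.path.splitext(name)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # vanished or inaccessible; skip rather than abort
            if abs(mtime - ref_time) <= window:
                hits.append({
                    "path": path,
                    "modified": datetime.fromtimestamp(mtime),
                    "sha256": sha256_of(path),
                })
    hits.sort(key=lambda hit: (hit["modified"], hit["path"]))
    return hits


def build_demo_tree(root, infected_at=1233828060.0):
    """Create a constructed sample tree; returns the path of the reference file."""
    layout = {  # relative path -> seconds offset from the reference timestamp
        os.path.join("Google", "fhexj6825097.exe"): 0,
        os.path.join("Google", "mjkdpl.dll"): 5,
        os.path.join("Google", "notes.txt"): 10,
        os.path.join("Lavasoft", "manol.exe"): 60,
        os.path.join("Macromedia", "netsk.exe"): 120,
        os.path.join("Mozilla", "old.dll"): -30 * 86400,  # a month older
    }
    for rel, offset in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(b"constructed sample, not malware: " + rel.encode())
        os.utime(path, (infected_at + offset, infected_at + offset))
    return os.path.join(root, "Google", "fhexj6825097.exe")


def report(root, reference):
    for hit in files_near(root, reference):
        print(hit["modified"].isoformat(sep=" "), hit["sha256"], hit["path"])


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: script.py <Application Data folder> <known-bad file>
        report(sys.argv[1], sys.argv[2])
    else:
        with tempfile.TemporaryDirectory() as demo_root:
            report(demo_root, build_demo_tree(demo_root))
```

Files that match are candidates to inspect, not proof of infection; legitimate software updating at the same moment will appear in the list too.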

  103. ENTBedford

    Thank you all very much. This has been very helpful.
    Could it be summarised a bit?

    For example, there are 2 main problems as far as I can tell,
    1) the annoying popup and how to remove it (which I had)
    2) the Perfect Defender software itself (which I did not)

    I found it very difficult (4 hours!) to find out what was causing the popup even though I knew it was dodgy. I had to click to go to the even dodgier site to find Perfect Defender, which then led me to this great site via Google. Once here, the advice told me how to get rid of it.

    Trouble is I’m easily bored and only read the first month or so of posts, so couldn’t find my particular version of the rogue file in the Application data\Google file, not the TSCAN folder. The giveaway was the icon for the rogue file that looked like a firewall.

    Malwarebytes found it, and has for the time being at least knocked it on the head.

    Are there ever any legitimate .exe files in the \Google folder, or is anything found there always dodgy?

    Thanks again for all the help I found here. TH

  104. ENTBedford

    PS Using A squared I think I have found where mine came from.

    The SmitFraud viruses and malware (which are pretty like Perfect Defender as far as I can tell) often apparently come via Codec downloads.

    My son downloaded The Libertines “Arbeit mach frei” and this contains the trojan downloader WMA.GetCodec.b!A2. Someone has an odd sense of humour, but somehow appropriate.

    (Arbeit mach frei means work makes you free – if he had not tried to get the song without working and paying for it, I wouldn’t have had to spend 4 hours sorting it out for free.)

  105. Benjamin

    I have a problem with the Defender because I had a virus on my computer that wouldn’t let me get on the internet, so I’m having to use my dad’s old one. How do I get that stuff off my computer since I can’t use my own computer?

  106. Milky

    I was able to remove Perfect Defender very easily by deleting the directory I had installed it into after closing the process.

    eg. ctrl + alt + del pdfndr.exe

    however the popup would not be silenced.

    I found the perfect defender registry keys by using ‘spybot search&destroy’ which is a program that rarely fails me.

    Then found a file called sqean9524272.exe in my –

    D:\Documents and Settings\ >>INSERT USER NAME HERE<<<\Application Data\Google

    I was able to delete this file but it seemed to reappear by itself.

    Luckily I had been in the process of scanning with ‘malwarebytes anti-malware’ program

    (ttp://www.malwarebytes.org/products.php)

    It then detected the sqean9524272.exe and told me that it would remove the program once I restarted my computer.
    The restart length was a tad ominous and there were a few unforeseen errors upon startup but after that the computer seemed to return to normal and I have had no popups since.

    In the end the advice I would give is – if you are having this problem check that google folder and delete anything it contains. I have since checked that folder several times and it never shows any files contained. This harmful program may have been updated to randomise its filename as to elude people like us.

    Thanks to everyone who posted information.

  107. sue

    My operating system is XP and I have tried now for days and endless hours to get rid of this malicious spyware pop up. It immobilized explorer and Firefox browsers but I managed to download opera so can access the internet. I have run SmitFraud (in safe mode following all directions) and superspyware and a couple other freebies.. all of these resulted in the pop up warning now looking like hieroglyphic gibberish so these programs must have deleted at least something of it.

    None of the dll or exe files listed above were found on my pc, nor have I found what is in the processes (alt, control, delete) that I should shut down. So far my anti spywares have found only one affected command in registry and one in the google folder (documents and settings).

    It would be really good to see the end of this problem – as I am too scared to access online banking etc until it’s cleared up.

    I would REALLY like to do a system restore to an earlier date but I have tried and tried.. it will only do incomplete restores no matter what the date.

  108. sue

    and i forgot to say a big thanks to all the comments and a question to Bill – why is my little face on the right corner of my comment so angry? all the others are kind of cute 🙂

  109. Shanae

    i was able to remove the virus from my computer following the instructions provided by other users on this site and i just wanted to say thank you thank you thank you so very much. my computer was giving me that crazy 2009 defender pop up yesterday and today everything works perfectly. i really appreciate y’alls help!

  110. mista nik

    Just emerged from the frightmare that is Perfect Defender 2009. Thanks to all on here for the tips, Antimalware seems to have got rid of the bugger once and for all.

  111. Kat

    Thank you thank you thank you, all of you! Picked this up at work, not something you want to tell your boss. Read your posts and figured out how to view my hidden application data folder. However, my trojan files looked different than those mentioned above.

    In my google folder was one legit history folder and then a firewall logo titled js—— (sorry, was so concerned about getting it off I didn’t write it down) and one of those icons that looks like a piece of paper with a screw. The virus was hiding in those two legit looking icons. I wouldn’t have known for sure if there wasn’t an identical computer in the office with the same set-up as mine. I compared the two application data folders and was able to deduce what had to go.

    I never would have figured it out if it wasn’t for all of you.

    THANK YOU!

    ps. how does Windows Defender Malware rank?

  112. Dave

    Bill,

    Have you seen the new version of this with jaeio234556 in the folder and basically undelete-able? Shell32.dll accompanies that file and also cannot be removed… yet, I’m still working.

    • Bill Mullins

      Hey Dave,

      I must admit I haven’t – sounds like a nightmare.

      I have noticed increased activity with this crap though.

      Bill

  113. Scott

    I just recently got the new version of this crap, the jaeio234556 version with the shell32, and I can’t figure out how to get rid of it. And apparently it’s affecting me starting my computer in safe mode, it just won’t allow it. I never downloaded the perfect defender junk which is a plus, but this pop-up keeps coming up. If anyone figures out how to get rid of this new strain of perfect defender let me know, it’s proving to be quite a challenge.

    Scott

  114. Justin

    Bill/Scott,

    I was infected yesterday evening and was up until 3AM and got nowhere! I downloaded and paid for the pro version of Malwarebytes but it’s not working as of yet.

    I did read some of the blogs which contain solutions to the program not running but it’s not working for me yet. I overcame the issue of the Malware not installing completely but now it won’t run. I tried deleting some files from a video I saw on youtube also. For example, in the “Run” menu I type msconfig but it loads with an hour glass and doesn’t let me delete files. It just goes away.

    If anyone can help me here, I would greatly appreciate it.

  115. I ran across this page while checking to see what other people are saying/doing about these types of problems. You have lots of good information. With that said, it has been my experience that a reinstall is the best answer. The big reason for this is it is nearly impossible to find everything they have damaged. Even if you get all the infection the system is still compromised and/or individual programs damaged. Along with a reformat and reinstall I also recommend clearing the BIOS because most of the reinfections come from there, not the hard drive. Also, make sure after you reinstall that you are not using an Administrator account all the time. I personally know of many techs who tell people they cannot prevent getting infected … I shake my head every time I hear this because this kind of junk has tried to infect my machine and failed every time … yes it’s Windows.

    • Bill Mullins

      Clint,

      Cannot disagree with any of your points. A reformat and reinstall (for the reasons you state), is the only practical solution following an infection like this. Anything else is simply an exercise in futility, in my view.

      Thank you for your instructive comment.

      Bill

  116. DC

    I was the victim of this Trojan today after I attempted to download WinZip. It restarted my computer, overran my Google homepage in Firefox with a security warning message, and keeps on displaying a pretty convincing Windows-esque looking security warning pop-up every ten minutes or so.

    I haven’t attempted the repair process yet, but I did manage to find out a name of at least one person behind this fraud, based on a simple Domain Registration search on “secure.instacheckout.com”, the site that the pop-up led me to, and that Perfect Defender 2009 is sold through.

    I won’t be listing the registrant's name or address here, but if you head to the following link, you can find out both of these for yourself: http://whois.domaintools.com/instacheckout.com.

    After also doing a Google search of her name and location, I believe that her surname may actually split into two parts, and if so, may also be on Windows Live 🙂

    If anyone knows of any Online Fraud departments, feel free to pass on her details for investigation. Cheers 🙂

  117. sjt

    I have the newest edition of the Perfect Defender 2009 crap with the shell32.exe problem. The Domain Registration search for the website that I am redirected to upon Mozilla startup is http://whois.domaintools.com/perfectd-review.com .

    Do what you wish with this information. (I have not taken it upon myself yet to solve this problem, but will let you know what happens.)

  118. sjt

    OK, I seem to have solved the problem for my own computer (keeping in mind that the problematic startup page was occurring in Mozilla Firefox; also, I viewed hidden files to perform these tasks):

    1. C, then Documents and Settings, then Administrator, then Application Data, then Mozilla, then Firefox. Within ‘Firefox’ there were two unusual folders (whose names I cannot remember…sorry) with suspicious files (some of them cache files) (note: don’t delete the folder with the ‘.default’ tag!). I deleted these two folders first. This (I’m 90% certain) removed the weird startup page, but not the popups.
    2. Then, in safe mode, I went to C, then Document Settings, then Application Data, then Google. There were two files: one of them had a long name (as with Dave and Scott above, but not the same name), and the other was shell32.dll. I deleted both of these files and immediately cleaned the Recycling Bin.
    3. Then, in normal mode, I ran a HijackThis scan. One of the registries still contained the odd-named file that was in ‘Google’; it was an O4 item. I checked the item and clicked “fix checked.”

    It’s only been about a half hour, but I have not had a popup or experienced the weird Firefox startup page in that time. Hope this helps anyone else reading this!
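
The HijackThis check in step 3 of the comment above, sketched as an added example (not part of sjt's comment or of the article). It scans the O4 autostart lines of a saved HijackThis log for the two artifacts commenters describe: an odd-named file under Application Data and a shell32 copy outside system32. The name pattern (five letters, then 6 to 8 digits) is a heuristic assumed from the three names reported in this thread, `review_o4` is a hypothetical helper, and the sample log is constructed.

```python
import re

# HijackThis autostart line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4 = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Heuristic (assumption): five letters then 6-8 digits, like the names reported above
RANDOM_STEM = re.compile(r"\\[a-z]{5}\d{6,8}(?:\.[a-z0-9]{1,4})?(?![a-z0-9])")
# shell32.dll / shell32.exe anywhere except directly under \system32
FAKE_SHELL32 = re.compile(r"(?<!\\system32)\\shell32\.(?:dll|exe)")
PROFILE_DIR = "\\application data\\"

def review_o4(log_text):
    """Return (value name, command, reasons) for each suspicious O4 entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4.match(line.strip())
        if not m:
            continue  # not an O4 (Run key / Startup folder) entry
        cmd = m.group("cmd").lower()
        reasons = []
        if RANDOM_STEM.search(cmd) and PROFILE_DIR in cmd:
            reasons.append("random-looking name under Application Data")
        if FAKE_SHELL32.search(cmd):
            reasons.append("shell32 outside system32")
        if reasons:
            findings.append((m.group("name"), m.group("cmd"), reasons))
    return findings

# Constructed sample log (not from a real machine; file names are made up)
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [abcde12345678] "C:\Documents and Settings\Administrator\Application Data\Google\abcde12345678.exe" 2
O4 - HKCU\..\Run: [Shell] rundll32.exe "C:\Documents and Settings\Administrator\Application Data\Google\shell32.dll",Start
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Example\update12.exe"
"""

if __name__ == "__main__":
    for name, cmd, reasons in review_o4(SAMPLE_LOG):
        print(f"[{name}] {cmd}\n    -> {', '.join(reasons)}")
```

A hit only marks an entry for manual review; a clean result does not show the machine is clean, since the names change between variants.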

  119. Chintu

    Hi Bill, Steps given by you really worked well!!!
    I did get rid of “perfect defender”.
    Thanks a lot!!

  120. Edwin

    Is this one of the files?
    cjhhl15625481

    I used to have installed the perfect defender 2009 and got it uninstalled today, but the fake firewall alert keeps on showing, and I can’t go into safe mode. Can anyone give me a solution please?
    Thanks

  121. Edwin

    OK, OK, finally I got rid of it by renaming the files, ending the process and deleting it. Hope this helps.
    Thanks

  122. anca

    Hello.. I’ve got a friend who has such a problem.. she followed all the steps.. and after she restarted the PC.. Mozilla didn't respond.. she couldn’t search anything else… before.. when she had perfect defender.. every time she tried to start Mozilla a pop-up appeared.. called win32.. but now that window does not appear anymore.. my question is why does Mozilla not work (sorry for my English, I'm from Europe)

  123. An

    Hey Bill,

    Looks like I have a similar problem with a few people above with the two files in my Google folder. One is the one with the long name (in my case, ocprg23017248) and the other is shell32.dll. If you ever have any idea please reply and let me know, you saved my life just by getting rid of the actual thing but these pop-ups are driving me insane.

    Weirdly I think something happened while I was trying to get rid of it. It wouldn’t be deleted so I attempted a few different things to get the protection off it and even though I don’t think any of them were actually successful when I went back to the actual PD files and tried to delete them again it worked. Any idea how that happened? I’m not complaining I could delete them, I’m just wondering.

    Again, any news of this apparently new shell32.dll problem would be much appreciated! You’re a lifesaver.

    • Bill Mullins

      Hey An,

      I haven’t looked at this parasite since I first published this back in December, so I’m not up to date on which files are currently being affected. These rogue applications morph continuously, so it's very difficult staying ahead of the curve.

      Frankly, on the odd occasion I have been unsuccessful in removing this type of infection from a test system, I do a complete reinstall of the OS.

      Bill

  124. An

    I think I finally got rid of it. 🙂 I deleted the prefetch, then got MoveOnBoot to get rid of the problematic file (the one that had that long name) since my computer wouldn’t go on Safe Mode either. Hope this helps anybody if they’re still suffering from it. Thanks though Bill, you were helpful getting rid of some of it. 🙂

  126. JahnO

    Hi, I have the same problem as the ones above. I haven’t installed the Perfect Defender 2009 virus but I get the popup.
    When I first start the computer I can start up Malwarebytes, but after a minute the program shuts down and I can’t start the program again. I can see Malwarebytes runs in Task Manager in processes but I can’t do any actions in Malwarebytes and it doesn’t show up. What can I do? I also have a problem with using Firefox (also have the same problem with IE), because the program just shuts down sometimes.
    Thanks JahnO

  127. JahnO

    And the popup doesn’t say win32.zafi.b it says win32.brontok

  128. Mrs.Problem

    Hi Mr.Mullin,

    I have problems with my computer as mentioned above. I haven’t followed your directions, because I’m not sure if this is the right thing to be done. I thought Perfect defender 2009 was made to take care of the spywares, not the opposite. The firewall alert keeps popping out and some programs such as Firefox shut down every time I’m opening a new window. What should I do?
    By the way I find your way of answering back to anyone who writes to you very devoting. Many thanks in advance and keep up the good work.

    • Bill Mullins

      Hi Mrs. Problem,

      Provided you have the necessary skills, follow the advice as laid out in the article. You should know however, that a great deal of operating system knowledge is required – something not always made clear on many self-help sites.

      If you do not have the required skills, you should consider taking your machine to a professional computer technician.

      Frankly, since the current crop of rogue applications infect so many areas of the system, and since it is virtually impossible to be certain all infections have been removed, I now recommend a wipe/reformat of the infected hard drive and re-installation of the operating system.

      I’m sure this is not pleasant news.

      Bill

  129. Mrs.Problem

    Hi Mr. Mullin,

    Thank you very much for the help. I followed your instructions and used Malwarebytes to remove the virus. I think everything is OK right now and by the way did I thank you in the proper way? Again thank you very much for the help. This website is AWESOME!!!!

    Mrs. Problem

    • Bill Mullins

      Hi Mrs. Problem,

      I’m happy to hear your problem has been solved. Malwarebytes is a great application which I use every day, as a secondary scanner. And yes, you’re very good at saying “thanks”.

      Bill

  130. George

    I had a techie friend help me get rid of a virus and, in doing so, he ended up setting my security settings so high that now I am unable to do a web search on anything (takes me to a web page that says: Internet Explorer cannot display the web page)! I’ve been looking @ all of my firewall & internet options settings, & I’m currently unable to see what I need to click in order to help me gain web search privileges again — I know this is not related to the Perfect Defender malware going on, but didn’t know if you could help……please advise……thanks