WinPC Defender is a new rogue anti-spyware program discovered by security analyst S!Ri and is a clone of the programs named XP Police Antivirus and IE Security. Like its predecessors, this program is installed and advertised through the use of Trojans that display fake security alerts on your computer. These security alerts state that your computer is infected and that you should click on them in order to download software that will protect you. Once you click on these alerts, the Trojan will automatically download and install the program on your computer.
When WinPC Defender is installed it will scan your computer and display a variety of infections that cannot be removed unless you purchase the program. These infections, though, do not actually exist on your computer. Instead WinPC Defender is programmed to always show the same scan results regardless of the computer it is run on. It does this in order to scam you into thinking that you are infected and hoping that you will purchase the program in order to remove the infections. When S!Ri was testing this rogue he had registered his copy of the program to see if even the registered version would remove these so-called infections. Even when the program was registered, it still would not remove any of the infections and continued to state that your computer was infected.
A byproduct of this program running on your computer is an endless barrage of false warnings and Internet Explorer hijackings. These alerts are programmed to stay on top of your desktop so that if you have any running applications you need to close the alerts before you can get back to the screen you were working on. Even more annoying is that when you close these alerts you will then have to wade through a bunch of "Are you sure?" screens before the alert will close. The alerts that we saw when testing included a Firewall Warning and a Trojan alert. The text of these alerts are:
A piece of malicious code was found in your system which can replicate itself if no action is taken. Click here to have your system cleaned by WinPC Defender
Hidden file transfer to remote host was detected.
This program, in addition to the nag screens, will hijack your Internet Explorer browser so that it randomly shows a warning when you are browsing the web. While browsing the web, you may be shown a Insecure Internet Activity. Threat of virus attack screen, instead of the page you are trying to browse to. This screen will contain an option to continue to the page or purchase WinPC Defender. Regardless of the choice you select, you will still be brought to the purchase page for this program.
As you can see, this program has only one purpose and that is to trick you into thinking you are infected so that you purchase it. Please ignore any warnings that this program may display and instead use the free removal guide below to remove WinPC Defender and any associated malware.
Self Help Guide
If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
This removal guide may appear overwhelming due to the amount of the steps and numerous programs that will be used. It was only written this way to provide clear, detailed, and easy to understand instructions that anyone can use to remove this infection for free. Before using this guide, we suggest that you read it once and download all necessary tools to your desktop. After doing so, please print this page as you may need to close your browser window or reboot your computer.
Now please download RogueKiller and save it to your desktop. RogueKiller will scan your computer for unwanted programs that may have been installed on your computer without your knowledge. You can download RogueKiller from the following URL:
When RogueKiller has finished downloading, please double-click on the Setup.exe icon that now appears on your desktop. Once you double-click on the icon the RogueKiller setup will begin. Please follow the prompts to install the program onto your computer.
Keep clicking next until you are at a screen asking you to enter license information. If you have purchased RogueKiller in the past, you can enter your license in this screen. Otherwise, click on the Next and keep following the prompts until the program is installed.
RogueKiller should now launch automatically and display a User Account Control prompt asking if you wish to run the program. Click on the Yes button and RogueKiller will start and display the main screen shown below.
Now click on the Scan button and you should come to the Scan Settings screen. Do not make any changes and then click on the Start Scan
RogueKiller will now scan your computer for infections, as shown below. This process can take quite a while, so please be patient as RogueKiller scans your computer.
When RogueKiller has finished scanning your computer, it will display a screen showing what was found.
Please review the list of detected files and put a checkmark in those entries that you wish RogueKiller to remove. When ready, click on the Remove Selected button.
RogueKiller will now remove the selected items and display a Removal Finished screen. At this screen you can click on the Finish button and then click on the same button at the next screen to finish the RogueKiller removal process.
Now you should download HitmanPro from the following location and save it to your desktop:
When you visit the above page, please download the version that corresponds to the bit-type of the Windows version you are using.
Once downloaded, double-click on the file named HitmanPro.exe (for 32-bit versions of Windows) or HitmanPro_x64.exe (for 64-bit versions of Windows). When the program starts you will be presented with the start screen as shown below.
Now click on the Next button to continue with the scan process.
You will now be at the HitmanPro setup screen. If you would like to install the 30 day trial for HitmanPro, select the Yes, create a copy of HitmanPro so I can regularly scan this computer (recommended) option. Otherwise, if you just want to scan the computer this one time, please select the No, I only want to perform a one-time scan to check this computer option.
Once you have selected one of the options, please click on the Next button.
HitmanPro will now begin to scan your computer for infections. When it has finished it will display a list of all the malware that the program found as shown in the image below. Please note that the infections found may be different than what is shown in the image.
You should now click on the Next button to have HitmanPro remove the detected infections. When it is done you will be shown a Removal Results screen that shows the status of the various infections that were removed. At this screen you should click on the Next button and then if prompted you should click on the Reboot button. If HitmanPro does not prompt you to reboot, please just click on the Close button.
Once your computer has has restarted or you pressed the Close button, you should now be at your Windows desktop.
As many malware and unwanted programs are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:
Your computer should now be free of the WinPC Defender program. If your current security solution allowed this program on your computer, you may want to consider purchasing the full-featured version of HitmanPro to protect against these types of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic link ed below:
Purchase the full-featured version of HitmanPro, which includes discover viruses, trojans, rootkits, spyware and other malware on up-to-date and fully protected computers using cloud protection and behavioral detections, to protect yourself against these types of threats in the future!