Removing “System Defender” Malware

Earlier this evening, Elke got a horrific computer infection from clicking on a link in a SPAM comment posted to one of her BLOGs. Apparently it looked innocuous, but it was a gateway to digital hell.

The hellion is called “System Defender” — a truly nasty, vile and evil program that turns off McAfee, Spybot and Ad-Aware, then looks like a spyware removal program and constantly pops up brightly colored alarm windows saying, in effect, “Your system is infected! Click here to clean.” But if you do, it only gets worse.

Also, if you Google-search for it, be advised that some of the leading search results are themselves vectors for this infection! is, however, safe, and it’s what I’ll direct you to below.

Skip the following paragraph unless you’re morbidly curious about the inner workings of how System Defender builds a force field around itself.

This program is very good at hiding and protecting itself. Some versions disable web browsing (to prevent downloading cures). All versions disable anti-virus and anti-spyware that already is running. It creates a folder for itself that is visible only from the DOS Prompt — not from My Computer, unless you do some trickery I won’t get into here, since it’s useless to view the files anyway. Assuming you find this malware’s executable and DLLs (I did), you can rename and relocate, but not delete them. Don’t even bother trying to change its files’ attributes; “System Defender” still can’t be deleted, and will change its folder back to “Read Only” automatically if you try to turn that off. So, don’t waste time messing with the files. It also will replace its own entries in the registry if you delete them via REGEDIT.

Again, McAfee, Norton, Ad-Aware, and Spybot all are absolutely helpless and useless against it.
So spare yourself the time I wasted at first. Instead…

Here are the removal instructions for anyone else who ever may get infected by “System Defender”:

    1. If you can open and use your web browser, go here…, and print those instructions. Download and install Malwarebytes exactly as it tells you, then run it and reboot per the instructions.

    2. If “System Defender” has disabled your web browser (as hers did), you’ll have to:
    a. Go to a separate, uninfected PC or laptop.
    b. Put a clean jump drive in the USB port.
    c. Open a browser.
    d. Download Malwarebytes’ install file from either of these two links:

      BleepingComputer or CNet

    e. Save or copy the install file to your jump drive
    f. Take that jump drive and stick it into a USB port on the infected PC
    g. Open My Computer on the infected PC
    h. Move the install file from the jump drive to anywhere on the infected PC
    i. Run the install program as you would for any other software (agree to terms, specify location, etc.), then, once installed,
    j. Run Malwarebytes
    k. Go to “Scanner” and run the “Perform Quick Scan” option
    l. Wait 5-15 minutes for it to run. It will check lots of boxes signifying various places on the PC where bad files from “System Defender” and other malware exist. Follow the instructions to quarantine them.
    m. Restart the PC normally (from the START Menu).

I’m loading the free version of Malwarebytes onto my laptop and onto my main PC too (once it’s back from the shop for unrelated reasons). The free version is easy software and cleans up lots of other malicious garbage from a PC as well. [The pay version does automatic detection and scheduling of scans and updates; with the free edition, you have to do those proactively.]

And yes, we already were considering Macintoshes as replacements for when our Windows machines become obsolete or die completely. This further reinforces that notion.

