I’m seeing a lot of computers recently with alerts about W32/Blaster worms, CTHelper.exe infections etc. being reported by the Spyware Defender application. Spyware Defender apparently cannot clear the infection without the registration key.
If you get the same, the bad news is you are infected. The good news is that there is just one program doing it. It is the one telling you you are infected.
The program is usually called DEFENDER.EXE and can be found in c:\users\xxx\app data\roaming. Log in as a different user and delete it. There are more thorough removal tips here.
There are a few variants. You can sometimes remove it quite effectively by doing the following:
Let the program pop up and warn you that you have lots of infections.
Press Ctrl-Alt-Del and choose Task Manager.
In the Applications tab, highlight the rogue program, right-click and choose Go To Process.
Right-click the highlighted process and choose Open File Location.
Go back to Task Manager, right-click the process and choose End Process Tree.
Go back to the Explorer window that popped up. The files will be hidden, so make a note of the path.
Open a command prompt and CD to that folder.
ATTRIB -S -H -R
Make a note of the filename of the executables that just became visible and delete them
Run REGEDIT and search for instances of the filename.
You are pretty much guaranteed to find it under HKEY_CLASSES_ROOT\.exe\shell\open\command
(Default) should be blank
IsolatedCommand should read "%1" %*
Correct the values so they match the above, run a virus scan, then reboot.
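
The checks from the steps above can be run as a read-only PowerShell audit before and after cleanup. This is an added example, not part of the original post; the function names and the `-RoamingPath` parameter are made up for illustration, and the expected registry values are the ones stated above.

```powershell
# Added example: read-only audit, changes nothing on the machine.
param(
    # Roaming profile folder to inspect (assumption: defaults to the current user's).
    [string]$RoamingPath = $env:APPDATA
)

# Key and expected values exactly as given in the post.
$KeyPath  = 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'
$Expected = @(
    @{ Name = '';                Label = '(Default)';       Value = '' },
    @{ Name = 'IsolatedCommand'; Label = 'IsolatedCommand'; Value = '"%1" %*' }
)

function Get-ExeOpenCommandStatus {
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning "Key not found: $KeyPath"
        return
    }
    $key  = Get-Item -LiteralPath $KeyPath
    # Read the stored string as-is, without expanding %VARIABLES%.
    $opts = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($e in $Expected) {
        # A missing value is reported as an empty string.
        $actual = [string]$key.GetValue($e.Name, '', $opts)
        [pscustomobject]@{
            Value    = $e.Label
            Actual   = $actual
            Expected = $e.Value
            Matches  = ($actual -eq $e.Value)
        }
    }
}

function Get-HiddenExecutable {
    # -Force is required, otherwise hidden and system files are skipped.
    Get-ChildItem -LiteralPath $RoamingPath -Filter '*.exe' -File -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        Select-Object FullName, Attributes, CreationTime, Length
}

Get-ExeOpenCommandStatus | Format-Table -AutoSize
Get-HiddenExecutable     | Format-Table -AutoSize
```

Any row with `Matches` set to False, or any hidden executable listed in the roaming folder, is worth inspecting by hand before deleting or editing anything.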