I’m seeing a lot of computers recently with alerts about W32\/Blaster worms, CTHelper.exe infections etc. being reported by the Spyware Defender application. Spyware Defender apparently cannot clear the infection without the registration key. <\/p>\n
<\/p>\n
If you get the same, the bad news is you are infected. The good news is that there is just one program doing it. It is the one telling you you are infected. <\/p>\n
The program is usually called DEFENDER.EXE and can be found in c:\\users\\xxx\\app data\\roaming.\u00a0 Log in as a different user and delete it. There are more thorough removal tips here<\/a>.<\/p>\n There are a few variants. You can sometimes remove it quite effectively by doing the following:<\/p>\n Let the program pop-up and warn you you have lots of infections.<\/p>\n Ctrl – Alt – Del and choose Task Manager<\/p>\n In the\u00a0 Applications tab, highlight the rogue program, right-click and choose goto process<\/p>\n Right-click the highlighted process and open file location<\/p>\n Go back to Task Manager and right-click the process and choose End Process Tree<\/p>\n Go back to the Explorer window that popped-up, the files will be hidden so make a note of the path <\/p>\n Run a command prompt and CD to the folder<\/p>\n ATTRIB -S -H -R<\/font><\/p>\n Make a note of the filename of the executables that just became visible and delete them<\/p>\n Run REGEDIT and search for instances of the filename.<\/p>\n \u00a0\u00a0 You are pretty much guaranteed to find it under HKEY_CLASSES_ROOT\\.exe\\shell\\open\\command<\/font> <\/p>\n \u00a0 \u00a0 (Default)<\/em><\/font> should be blank<\/p>\n \u00a0 \u00a0 IsolatedCommand<\/font> should read “%1” %*<\/font><\/p>\n Sort the right values out. Run a virus scan. Reboot. <\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":"