My church’s secretary called me a few days ago and indicated that she saw a number of popups on her computer screen that seemed suspicious. She wasn’t able to catch anyone by phone at the time, so she did the next best thing she could think of–she shut down the computer without clicking on anything.
It was a day and a half before I was able to make it to the church to look at the PC and I discovered that the pastor had booted it during that day and allowed it to run normally (it serves as a file and print server in addition to being the secretary’s primary workstation). After a partial run of ClamWinAV (which I had downloaded, updated, configured to run in standalone mode, and burned to a CD so I wouldn’t risk infecting my USB drive, I decided to take the machine home and scan the drive on a computer with a known good Antivirus/antimalware program (Microsoft Security Essentials [MSE]).
MSE scanned the drive and found only one problem, which I had it remove. I loaded the drive back into the church’s computer and headed back to the church. Upon booting the computer, everything appeared to be normal. I quickly discovered, however, that all was not well. None of the shortcuts on the desktop worked. Neither did any other program I tried to run. I would always get an “Application not found” or the “Open with” dialog box. Right-clicking on a shortcut or executable file gave me the normal Open, Run as…, and Scan with AVG Free options, but I noticed a new “start” option.
Checking the registry for the .exe class (HKEY_CLASSES_ROOT\.exe\shell\open\command) showed that the (Default) action was now ‘”C:\Documents and Settings\User\Local Settings\Application Data\ave.exe” /start “%1″ %*.’ A quick Google search indicated that this was part of the Total XP Security fake antivirus program.
Some more quick searching via Google turned up some excellent instructions for removing Total XP Security at BleepingComputer.com.
I also discovered another useful tool during this process: Norton Safe Web. Norton Safe Web scans sites for security problems and gives a report on its findings. It also allows visitors to rate and comment about sites. While Googling for instructions to remove Total XP Security I found several sets of instructions on sites that were not rated well by Norton Safe Web. BleepingComputer.com, however, has an excellent rating.
Following the BleepingComputer.com removal instructions has gotten my church’s computer on the right track again. The Malwarebytes Anti-Malware program took about 20 minutes to run and found over 40 infected files/rogue registry keys! It was able to remove them (with a reboot).
I have since removed the AVG virus program and replaced it with MSE. Let’s hope that we don’t end up in this situation again!