Malware infection: Total XP Security

My church’s secretary called me a few days ago and indicated that she saw a number of popups on her computer screen that seemed suspicious. She wasn’t able to catch anyone by phone at the time, so she did the next best thing she could think of–she shut down the computer without clicking on anything.

It was a day and a half before I was able to make it to the church to look at the PC and I discovered that the pastor had booted it during that day and allowed it to run normally (it serves as a file and print server in addition to being the secretary’s primary workstation). After a partial run of ClamWinAV (which I had downloaded, updated, configured to run in standalone mode, and burned to a CD so I wouldn’t risk infecting my USB drive, I decided to take the machine home and scan the drive on a computer with a known good Antivirus/antimalware program (Microsoft Security Essentials [MSE]).

MSE scanned the drive and found only one problem, which I had it remove. I loaded the drive back into the church’s computer and headed back to the church. Upon booting the computer, everything appeared to be normal. I quickly discovered, however, that all was not well. None of the shortcuts on the desktop worked. Neither did any other program I tried to run. I would always get an “Application not found” or the “Open with” dialog box. Right-clicking on a shortcut or executable file gave me the normal Open, Run as…, and Scan with AVG Free options, but I noticed a new “start” option.

Checking the registry for the .exe class (HKEY_CLASSES_ROOT\.exe\shell\open\command) showed that the (Default) action was now ‘”C:\Documents and Settings\User\Local Settings\Application Data\ave.exe” /start “%1″ %*.’ A quick Google search indicated that this was part of the Total XP Security fake antivirus program.

Some more quick searching via Google turned up some excellent instructions for removing Total XP Security at BleepingComputer.com.

I also discovered another useful tool during this process: Norton Safe Web. Norton Safe Web scans sites for security problems and gives a report on its findings. It also allows visitors to rate and comment about sites. While Googling for instructions to remove Total XP Security I found several sets of instructions on sites that were not rated well by Norton Safe Web. BleepingComputer.com, however, has an excellent rating.

Following the BleepingComputer.com removal instructions has gotten my church’s computer on the right track again. The Malwarebytes Anti-Malware program took about 20 minutes to run and found over 40 infected files/rogue registry keys! It was able to remove them (with a reboot).

I have since removed the AVG virus program and replaced it with MSE. Let’s hope that we don’t end up in this situation again!

This does lead to another question, though. Is MSE enough protection on a PC? Some people don’t think so.

Running MSE and Malwarebytes Anti-Malware side-by-side.

About these ads

2 comments on “Malware infection: Total XP Security

  1. [...] Link: Malware infection: Total XP Security « Smitty's Thoughts [...]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s