The reason I say it is for VISTA is because that's what I've tried it on (two different flavors of the same virus). The "Vista" part is the fix.reg file. We had an XP machine get hit also, but AntiMalware took care of it on its own.
You should first try just running AntiMalware. If it doesn't let it run, then you'll need the fix.reg file. I'm sure there's a version for XP, but I haven't tried it to check it out. If she's running XP, check out this page:
http://filext.com/faq/broken_exe_association.phpIf you can't run AntiMalware, it is because the virus has reassigned the action to be taken for that file and in some flavors of the virus it does it for pretty much any .EXE file. The fix.reg file corrects the appropriate associations so you can run AntiMalware. See
http://www.myantispyware.com/2010/01/28/how-to-remove-vista-antispyware-2010-vista-antivirus-2010-vista-guardian/ for more details.
I obviously can't guarantee that this will work, but it did work on the two Vista boxes that I had to repair. The virus keeps evolving and I'm pretty sure it has split into multiple development paths by various groups of social deviants who deserve to be hung by their thumbs naked, soaked in honey, and subjected to millions of honey-loving stinging ants. Your mileage may vary.
On a DIFFERENT machine, do the following:
1. Download the free version of AntiMalware from MalwareBytes.org and put it on a thumb drive.
2. Create a text file on the thumb drive and copy/paste the following exactly:
Windows Registry Editor Version 5.00
<-HKEY_CURRENT_USER\Software\Classes\.exe>
<-HKEY_CURRENT_USER\Software\Classes\secfile>
<-HKEY_CLASSES_ROOT\secfile>
<-HKEY_CLASSES_ROOT\.exe\shell\open\command>
@="\"%1\" %*"
@="exefile"
"Content Type"="application/x-msdownload"
3. Save the file and then rename it to "fix.reg" - DO NOT double-click on this except on the infected machine!
4. Remove the thumb drive.
5. Boot the infected machine in "safe mode with network" or whatever is closest. If you don't know how, restart the machine and right after you see the BIOS message on the black screen, hit F8 about every second until it produces the boot options menu. If you get to the graphic Windows startup screen, you didn't catch it - try again.
6. Open a Windows Explorer. You should be able to do that. If not, all hope may be lost. Insert the thumb drive and try running AntiMalware. If it doesn't let you, you've got the REALLY nasty flavor of the virus. In that case, and only in that case, double click on fix.reg. If it doesn't reboot the machine on its own, do it yourself. The changes won't go into effect until the next boot. I didn't have to boot into safe mode after that, but it won't hurt. THEN you should be able to run AntiMalware.
7. Select the "Quick Scan" option and also have it check for a new signature file (which is why you need network support when you boot into safe mode). It will take a little while to do its magic but it will come up with a window with a list of infected files and registry keys. They should all be selected, but make sure they are and then hit whatever button says "fix" or at least means that. I forget exactly what it is called but it is obvious.
8. When AntiMalware is done, reboot the machine. The machine should boot normally now.
Note: The free version is a "run when you need it" program. They have a more advanced version for $25 or $30 that runs constantly to trap stuff like this.
On Edit:
Your mom WON'T know how or where she got it. As far as I know, all flavors of this virus lurk quietly for a random period of time, erase the browser history from the site they arrived via as well as entries on both sides of the event, and then pounce out and abuse you. They all want you to do one thing: give over credit card information. Some flavors don't change their behavior after that and I've read that others will completely disable the machine after they have been satiated by your credit card info.