I don't do torrents, I think it was a website that I visited and somehow it transferred a file to my application data directory. Everyone should update their Windows XP box, I suspect that this virus is taking advantage of unpatched systems.
Read my whole note before taking any actions. You might decide to do things a little differently with full knowledge.
Here's what 'fixed' me:
Download 2 tools on another system, if you do a Google search you should find both of them:
Booted up the system from another CD and transferred the 2 files onto the server. (Don't think this step is necessary if you can access a USB stick in safe mode)
Boot up the infected system into safe mode with a command line. Do not use normal safe mode.
Do not use the start menu and try to navigate to anything. There are several registry entries that have been modified that will launch the virus even in safe mode if you try to access the start menu.
From the command line run rkill.exe
From the command line run Malwarebytes' Anti-Malware
Fully write down any registry entries that Malwarebytes finds infected. You'll want to go back in later and recreate these registry entries with appropriate data values. I did not do this and my system has some issues, i.e. it's running fine now but I can no longer do windows update.
Boot up the infected system into normal mode. Log in as a different user than the one originally infected. The other problem I ran into was that the Malwarebytes' I ran in safe mode was 110 days out of date so it did not have an updated virus signature and did not remove all of the infected files. One of the key files would have re-executed if I had logged into the original user. In safe mode with command line I was unable to update the virus signature since I had no net access. If you get an updated signature in the first place then the system might actually be clean and you won't have to do the following.
Re-run Malwarebytes' Anti-Malware
This time update Malwarebytes to the most up to date virus signature. And do a full scan. My full scan here identified the infected file and 4 registry entries.
The infected file is going to be a 3-letter (all randomly chosen) .exe. Mine was xki.exe. I had Malware remove the infected registry entries, which I think is why my microsoft update no longer works. It would probably be safer to fix those entries.
My system is clean, but once I back up the files I'm concerned with, I'm going to do a fresh install and migrate to Windows 7 and get rid of my last XP system.
After doing all of the above, there are 2 things I would do differently. Once I booted in safe mode with command line, I would have navigated to my infected user's application directory and looked for the exe and deleted it straight away. Bear in mind that Application Data is a system folder and potentially hidden from you unless you have changed your view types under explorer.
The file for me was:
C:\Documents and Settings\bob\Application Data\xki.exe
So looking in the system folder Application Data under the suspected user, it would have been pretty easy to locate the only executable even if the name was randomly generated.
I also would have been more careful about letting the anti-virus software delete my registry entries.
Edited by Budapest, 11 April 2011 - 04:55 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest
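A small triage helper for the two checks this post describes: finding the lone three-letter .exe sitting directly in a user's Application Data folder, and copying down the registry values that point at it before a removal tool deletes them, so they can be recreated or corrected afterwards. This is an added example, not code from the original post or from either tool mentioned in it. The .reg text is a constructed sample in the format that the XP `reg export` command writes; the function names (`suspicious_appdata_exes`, `parse_reg_export`, `appdata_autoruns`), the sample paths and the sample registry values are made up here for illustration.

```python
import re
from pathlib import PureWindowsPath

# The post's pattern: a randomly named three-letter executable dropped
# directly into a user's Application Data folder (its example was xki.exe).
THREE_LETTER_EXE = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)


def suspicious_appdata_exes(paths):
    """Return the paths that are a three-letter .exe sitting directly in an
    'Application Data' directory (Windows XP profile layout). A three-letter
    exe elsewhere (e.g. system32\\cmd.exe) is deliberately not flagged."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        parts = [s.lower() for s in wp.parts]
        if (len(parts) >= 2 and parts[-2] == "application data"
                and THREE_LETTER_EXE.match(wp.name)):
            hits.append(p)
    return hits


# Minimal parser for the text that `reg export` writes (.reg, version 5.00):
# [Key] headers followed by "name"="data" lines. The real file is UTF-16;
# decode it before passing the text in. Only string values are unescaped;
# hex:/dword: data is kept as its raw text.
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text):
    """Map each registry key to a dict of value name -> data."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line) if current is not None else None
        if not m:
            continue
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            # .reg doubles backslashes and escapes quotes inside strings
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def appdata_autoruns(reg_text):
    """List (key, value name, data) for every value whose data refers to a
    file under an Application Data folder. These are the entries to write
    down (key, name and data) before a removal tool deletes them."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        for name, data in values.items():
            if "application data" in data.lower():
                findings.append((key, name, data))
    return findings


# Constructed sample inputs for illustration (not real captures).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\bob\Application Data\xki.exe",
    r"C:\Documents and Settings\bob\Application Data\notes.txt",
    r"C:\Documents and Settings\bob\Application Data\Microsoft\setup.exe",
    r"C:\WINDOWS\system32\cmd.exe",
]

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"xki"="\"C:\\Documents and Settings\\bob\\Application Data\\xki.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
'''

if __name__ == "__main__":
    for p in suspicious_appdata_exes(SAMPLE_PATHS):
        print("candidate dropper:", p)
    for key, name, data in appdata_autoruns(SAMPLE_REG):
        print(f"record before removal: [{key}] {name!r} = {data}")
```

On a real box the registry text would come from running `reg export` against the Run keys (and any other keys the scanner reports) from the safe-mode command prompt before letting the scanner remove anything; keeping that export is what makes it possible to put a legitimate value back if a removal turns out to break something like Windows Update.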