Windows XP Reinstall

I write this from the trusty little Macbook, while installing a fresh copy of Windows XP on my Dell desktop computer. It is only a year old, but yesterday I downloaded a PDF from the Internet and picked up a virus.

I knew almost immediately that there was a problem, because a window entitled “Antivirus XP 2008” appeared, prompting me to “Click here” to install the program. At the same time, my desktop background changed to a nasty blue, with an advertisement in the center warning me about the risks of not installing the antivirus software.

I did not click the button, but instead opened up the Task Manager, found the rogue window, and forcibly closed it, after which I rebooted the computer. But alas, the window appeared again. And now there were more problems. Suddenly the computer announced that the DCOM Server Process had terminated unexpectedly, and that it would be shutting down directly. This happened a couple of times.

After some research, I downloaded a program called Malwarebytes, which was supposed to remove the virus. The download was not easy, because both IE and Firefox were under the control of the virus. I logged out and logged in as the Guest account, which could still browse the Internet (likely because it was not an account with Administrator privileges). I downloaded Malwarebytes, and then logged out and logged in again as an Administrator to run it.

Malwarebytes detected and removed the virus, but my Internet connection still seemed slow, and most of my Google searches were being redirected to less than savory sites. All requests to microsoft.com were being blocked, and the hosts file was being regularly overwritten.
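As an added example (not code from the original post), the following Python script checks a hosts file for the two symptoms described above: Microsoft and security-vendor names pinned to the loopback address (so the sites cannot be reached), and ordinary names pointed at an outside address (so searches land somewhere else). The sample hosts text is constructed for the example, and the list of protected domain suffixes is an assumption, not something the post states.

```python
import ipaddress
import sys

# Constructed sample hosts file, not captured from the post's machine. It
# reproduces the symptoms the post describes: microsoft.com pinned to
# loopback and Google names pointed at the outside address seen in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.microsoft.com
127.0.0.1       microsoft.com
127.0.0.1       windowsupdate.microsoft.com
67.228.116.96   www.google.com
67.228.116.96   google.com
192.168.1.10    fileserver        # a normal LAN entry, should not be flagged
"""

# Domains a Windows box has no legitimate reason to block in hosts.
# This list is an assumption for the example; extend it for your estate.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "malwarebytes.org")


def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text):
    """Return (ip, hostname, lineno) tuples; comments and blank lines skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower(), lineno))
    return entries


def audit_hosts(text):
    """Classify each hosts entry as blocked, redirected, malformed or benign.

    Loopback entries for protected names are 'blocked'; entries pointing a
    name at a public address are 'redirected'. Private and link-local targets
    (LAN names) are treated as benign.
    """
    findings = []
    for ip, name, lineno in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", lineno, name, ip))
            continue
        if addr.is_loopback:
            if name in ("localhost", "localhost.localdomain"):
                continue
            if is_protected(name):
                findings.append(("blocked", lineno, name, ip))
        elif not (addr.is_private or addr.is_link_local):
            findings.append(("redirected", lineno, name, ip))
    return findings


if __name__ == "__main__":
    # On XP the live file is %SystemRoot%\system32\drivers\etc\hosts;
    # pass its path as the first argument, otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for kind, lineno, name, ip in audit_hosts(text):
        print(f"{kind:10} line {lineno:3}: {name} -> {ip}")
```

A stock XP hosts file has a single active line, `127.0.0.1 localhost`, so anything else the script reports deserves a look. Since the post notes the file was being rewritten regularly, editing it by hand only tells you the malware is still running; the script is a check, not a fix.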

At this point I tried a Windows Repair using the Installation CD, but it only replaced a handful of files in the WINDOWS folder and did not remove the virus. All in all, this was an ineffective waste of time. I should have wised up at this point and performed a fresh installation, but I wanted to know more about the virus.

So I installed Wireshark, and watched the network traffic, in hopes of getting a clue as to the nature of the virus. I immediately saw HTTP requests going out to an unfamiliar IP address, 67.228.116.96. This resolved to weightlossproduct.net, registered to a cybersquatter. It also resolved to cafedinst.org, registered to someone in Maryland. A PHP server at that address was sending down binary files to my computer.

The next step was to find the actual process generating the network traffic and remove it. For this I installed Process Monitor from Microsoft. After gazing at svchost.exe processes and a variety of DLLs and threads, it became evident to me that the virus was posing as a legitimate Windows file (or files) and was going to be next to impossible to exterminate.

It was then that I decided to install a fresh copy of Windows XP. Even this did not work the first time, because after it was finished it left a bunch of old files in the WINDOWS folder. So I installed again, this time to a WINXP folder, then deleted the WINDOWS folder, then installed one final time, ending up with a brand-new sparkling clean installation in the WINDOWS directory.


Comments


  1. Wayno says:

    It's one of the reasons I converted to linux over 2 years ago - look ma, no virii.

    if you want to do that, I can help - there's a facebook group called -- "Why use Windows, since there's a door?" -

    Wayno

  2. Wayno says:

    BTW -- if you had just re-formatted your drive, that would have eliminated the problem - you'd have only needed to install windows ONCE instead of 3 times.

    My guess is you might have been trying to save some of the files on your machine.

    If that's the case, then I'd have installed in winxp like you did, and removed windows directory --

    It would have worked fine with the directory name winxp - the name c:\windows is NOT sacred.

    Wayno

