I am running Windows XP Service Pack 2 Home Edition.
I acquired something malicious which pretends to be Windows Home Security 2012. At first it created pop-up windows that were fake messages from Windows Home Security and slowed down the computer to the point that I could not execute Ctrl+Alt+Del and could not use the task bar. It took over other virus protection functions; when I checked firewall settings from the Control Panel it opened a different-looking firewall menu in which I could not turn my firewall back on. I unplugged my wireless antennae as I could not shut off the software. I restarted and checked the Task Manager for unfamiliar programs. I found TPW.exe, which I googled and found to be malicious. TPW.exe had internal data written in what appeared to be Russian characters.
I disabled its startup in msconfig services and checked the folder it was stored in: C:\Documents and settings\Owner\Local Settings\Application Data. I found 4 other programs which were created at the exact same time as TPW.exe; the other programs had all-lowercase names of 4 random letters: nwxi.exe, fsff.exe, jhjc.exe and one other which I forget the name of, as I already deleted them. To find the names I just listed, I checked my search history on my MacBook, which I am using to work on my PC as I don't want to go online with the PC until this is fixed.
Now that I deleted those 5 seemingly malicious programs, the fake Microsoft popups have stopped, but now when I try to open any .exe program Windows asks me which program I'd like to open it with. I can browse and tell it to use the same exact program I just clicked on and then it opens it, very annoying. Also, if I right-click on 'My Computer' and click 'Properties' it says "C:\WINDOWS\system32\rundll32.exe Application not found". When I check that directory, I do see Rundll32, but without a file extension and with a blank page for an icon. Should I add .exe to the file name?
I tried to install Malwarebytes after reading this article: http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial
But when I get a bit through the installation I get an error reading: "an error has occurred. please report it to support team. PROGRAM_ERROR_UPDATING (11004, 0, No address found) The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for." I guess that's because it's trying to update but I have no internet service. I am going to perform a scan with the old definitions. Should I risk connecting to the internet to update the definitions?
Did I delete something I shouldn't have that is causing the bug with opening programs and the properties on My Computer and rundll32? I only deleted those 5 .exes from owner\local settings\application data; they all had the same date created as tpw.exe, down to the minute. There are a good many files in windows\system32 with the exact same date and time created. I am tempted to delete those too, but I will wait until Malwarebytes gives me the go-ahead. What other things can I do? Did I delete something I shouldn't have? How can I clear the registry of this virus?
Thanks for your help, let me know what other info you need.