
XP Home Security Virus Complications


1 reply to this topic

#1 Tylodon


Posted 31 July 2011 - 05:12 PM

I am running Windows XP Service Pack 2 Home Edition.
I acquired something malicious which pretends to be Windows Home Security 2012. At first it created pop-up windows that were fake messages from Windows Home Security and slowed down the computer to the point that I could not execute Ctrl+Alt+Del and could not use the task bar. It took over other virus protection functions; when I checked firewall settings from the control panel it opened a different-looking firewall menu in which I could not turn my firewall back on. I unplugged my wireless antenna as I could not shut off the software. I restarted and checked the task manager for unfamiliar programs. I found TPW.exe, which I googled and found to be malicious. TPW.exe had internal data written in what appeared to be Russian characters.

I disabled its startup in msconfig services and checked the folder it was stored in: C:\Documents and settings\Owner\Local Settings\Application Data. I found 4 other programs which were created at the exact same time as TPW.exe. The other programs had all-lowercase names of 4 random letters: nwxi.exe, fsff.exe, jhjc.exe and one other which I forget the name of, as I already deleted them. To find the names I just listed I checked my search history on my MacBook, which I am using to work on my PC as I don't want to go online with the PC until this is fixed.

Now that I deleted those 5 seemingly malicious programs, the fake Microsoft popups have stopped, but now when I try to open any .exe program Windows asks me which program I'd like to open it with. I can browse and tell it to use the same exact program I just clicked on and then it opens it, very annoying. Also, if I right-click on 'My Computer' and click 'Properties' it says "C:\WINDOWS\system32\rundll32.exe Application not found". When I check that directory, I do see Rundll32, but without a file extension and with a blank page for an icon. Should I add .exe to the file name?

I tried to install Malwarebytes after reading this article: http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial. But when I get a bit through the installation I get an error reading: "an error has occurred. please report it to support team. PROGRAM_ERROR_UPDATING (11004, 0, No address found) The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for." I guess that's because it's trying to update but I have no internet service. I am going to perform a scan with the old definitions. Should I risk connecting to the internet to update the definitions?

Did I delete something I shouldn't have that is causing the bug with opening programs and the properties on My Computer and rundll32? I only deleted those 5 .exes from owner\local settings\application data; they all had the same date created as tpw.exe, down to the minute. There are a good many files in windows\system32 with the exact same date and time created. I am tempted to delete those too, but I will wait until Malwarebytes gives me the go-ahead. What other things can I do? Did I delete something I shouldn't have? How can I clear the registry of this virus?


Thanks for your help, let me know what other info you need.
-Tyler



#2 Broni


Posted 31 July 2011 - 05:57 PM

Welcome aboard

Download and run exeHelper.

  • Please download exeHelper from Raktor to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up; press any key to close it once the fix is completed.
  • A log file named log.txt will be created in the directory where you ran exeHelper.com.
  • Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



 




