Please excuse the length of this post and any lack of clarity. I have never posted here before. Thank you for taking the time to read about my problem, and thank you for any help you can provide.
The only good thing is that my infected computer is a backup computer that I don't use much and I don't connect it to other computers. It is not on a network. However, it has several documents and photos I would like to preserve. It is also useful as a standalone computer for basic web browsing (but I still intend to get rid of it once Windows 10 comes out).
The infected computer is a desktop with Windows XP Pro SP3. It has Microsoft Security Essentials on it. While the computer is an XP computer, it is as up to date as an XP computer still can be (i.e., the few updates Microsoft still does I make sure to install). Unfortunately, the main login has Admin privileges.
I was not aware of any problem with the computer until yesterday. Yesterday afternoon, I was using the computer and I noticed it was very sluggish. I checked the Task Manager and saw that 2 different "explorer.exe" processes were running. One of the explorer.exe processes kept taking up more and more memory. Instead of taking up 20,000-50,000 K, the growing explorer.exe process reached all the way to 1,400,000 K.
In my ignorance, I didn't realize the computer had somehow been infected by a virus/trojan/etc. At first I thought the growing explorer.exe process was caused by some routine system error (not a malicious virus). I kept using Task Manager to "End Process", but the second explorer.exe kept coming back.
I tried booting into Safe Mode (without Networking), but I got the Blue Screen of Death when I tried booting into Safe Mode. I left the computer unplugged (no electricity) overnight. I woke up early and tried the computer again.
I saw that one DOC and two TXT text files had weird extensions added to the end, i.e., after the ".doc" and ".txt" for the files, there was a "." with seven letters (the same seven letters for all three files). Not being familiar with ransomware/encryption viruses, I didn't immediately understand what was going on.
After about 15 minutes of web searching, I realized the computer was infected with some type of ransomware/encryption virus. I did not get any sort of ransom message.
I realized the Microsoft Security Essentials was not running. I could not get it to run. I have Malwarebytes installed. I tried running it. Malwarebytes would not run. I tried downloading Kaspersky TDSSkiller. I could download it and start the Unzip, but it would not run.
Eventually, after some guesswork and reading on this website and others (such as Malwarebytes forums), I went into the Documents and Settings\All Users\Application Data in Safe Mode to look for suspicious files or subdirectories. There I found two suspicious looking folders that had "Date Modified" timestamps from yesterday and today. I tried accessing the directories but was not able to. I then realized that those were mostly the core virus directories. I opened a Command Prompt and tried deleting the directories through a command line, but I got a standard DOS message that the access was denied. So I went to the Task Manager and did an "End Process" on both "explorer.exe" processes. The Windows desktop and icons went blank, but the Command Prompt window remained, and after using I believe "-r" or similar DOS commands, I was able to delete both of the troublesome directories.
I see now that accomplished something positive, but I still have many problems. The second version of "explorer.exe" has not returned (I have since rebooted both into a normal Windows session and into Safe Mode; I am currently in a normal Windows session).
I do have Spybot installed, and at least I was able to run Spybot. Spybot detected W32.Palevo and a registry change that seemed to have disabled Windows Antimalware Service by toggling from 0 to 1. I've run Spybot 3 times since then and it hasn't found anything else. I still cannot run Microsoft Security Essentials, I still cannot run Malwarebytes, and I still cannot install TDSSKiller.
In digging through the different directories that have photos and documents (DOC, TXT, PDF, and PPT) on this computer, I see that it does seem that (at least for now) I have stopped any more files from being encrypted. Also, the second "explorer.exe" has not returned, and the one explorer.exe that is running is taking up what seems like a normal 30,000-40,000 K.
I did not get any pop-up demand or wallpaper demand from the ransomware/virus senders/creators. I did find what seems to have been several identical TXT files that were created by the virus. They are titled "Decrypt All Files". They say: