Fraud AntiMalwareDoctor: Returns After Removal & Immunization; MSW Explorer Damaged
MJWolter
2010-10-24, 02:54
Hello. I cannot run ERUNT or provide a DSS log because of damage to Windows Explorer that keeps shutting it down whenever I try to navigate anywhere. I also cannot download Windows updates, though Windows is suggesting I do so.
History: After I followed a YouTube link to a third-party site, "AntiMalwareDoctor" began running, claimed to have found a bunch of threats, and offered help if I would just register the software. Looked like a scam, so I chose "Continue without Protection," but it would not close. Then an alert (TeaTimer maybe?) popped up, asking for approval of a registry update. I denied. "AntiMalwareDoctor" popped up again. I finally shut it down with Task Manager and tried to start Spybot. I got it open, but "AntiMalwareDoctor" came back, I started getting a message that "windows host process (Rundll32) has stopped working," and Windows Explorer kept restarting. Finally, I managed to update Spybot, checked for problems, found and removed "Fraud AntiMalwareDoctor," and immunized. However, I could not restart because the toolbar was gone and the "Windows" key did not respond. Since then I have shut down and restarted a few times with the power button, after which "AntiMalwareDoctor" still was there; removed it and immunized a few more times, and one time was able to restart. Even after restart, though, "AntiMalwareDoctor" was still there. I cannot navigate anywhere, cannot install Windows updates, cannot download ERUNT or save a DSS log.
Sorry about the length of the history, but I am hoping it helps suggest a solution.
Hi,
Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says Error deleting file, please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Any luck with DDS now?
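For readers who want to see what a repair tool of this kind is checking, the following read-only audit is an added example; it is not part of the thread and is not exeHelper's code or a description of how exeHelper works. It inspects the registry locations that fake-antivirus rogues of this era commonly hijacked so that launching any .exe (Spybot, Task Manager, a browser) started the rogue instead: the .exe file association, per-user overrides of it, Image File Execution Options "Debugger" entries, and the Winlogon Shell/Userinit values that decide whether a desktop and taskbar appear after logon. The expected default values are those of a stock Windows Vista/7 install and are assumptions in the script. It modifies nothing.

```powershell
# Added example, not from the thread or from exeHelper: read-only audit of the
# registry locations a rogue like "AntiMalwareDoctor" typically tampers with.
# Run from an elevated PowerShell prompt (PowerShell 2.0 or later). Expected
# values below are stock Vista/7 defaults and are assumptions of this script.

$findings = @()

# 1. The .exe association. Stock value: HKCR\.exe -> exefile and
#    HKCR\exefile\shell\open\command -> "%1" %*
$exeAssoc = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
$openCmd  = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($exeAssoc -ne 'exefile') { $findings += "HKCR\.exe default is '$exeAssoc' (expected 'exefile')" }
if ($openCmd  -ne '"%1" %*') { $findings += "exefile open command is '$openCmd' (expected '`"%1`" %*')" }

# 2. A per-user copy of the .exe class takes precedence over the machine-wide
#    one when HKCR is built, so rogues running without admin rights create it
#    here. On a clean system this key normally does not exist.
if (Test-Path 'HKCU:\Software\Classes\.exe') {
    $findings += 'HKCU\Software\Classes\.exe exists (per-user override of the .exe association)'
}

# 3. Image File Execution Options: a 'Debugger' value under a program's subkey
#    makes Windows start that "debugger" with the program as argument instead
#    of the program itself. Rogues used it to block security tools by name.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger for $($_.PSChildName): $dbg" }
}

# 4. Winlogon Shell / Userinit. Stock values: Shell = explorer.exe and
#    Userinit = C:\Windows\system32\userinit.exe, (trailing comma included).
#    A replaced Shell is one way to get a logon that shows no taskbar.
$wl = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$machine = Get-ItemProperty "HKLM:\$wl"
if ($machine.Shell -ne 'explorer.exe') { $findings += "HKLM Winlogon Shell is '$($machine.Shell)'" }
if ($machine.Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
    $findings += "HKLM Winlogon Userinit is '$($machine.Userinit)'"
}
# A per-user Shell value overrides the machine one and is absent on a stock system.
$user = Get-ItemProperty "HKCU:\$wl" -ErrorAction SilentlyContinue
if ($user -and $user.Shell) { $findings += "HKCU Winlogon Shell is set: '$($user.Shell)'" }

# 5. Report. Nothing is changed; each finding names the exact key to inspect.
if ($findings.Count -eq 0) {
    'No hijack indicators found in the audited keys.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Two practical caveats. First, if the .exe association is hijacked, powershell.exe will not start normally either, which is why repair utilities of this kind are distributed with a .com extension (a separate association the rogue usually leaves alone); run the audit from another account, from Safe Mode, or from a recovery environment if it will not launch. Second, this script only reports; restoring the values by hand while the rogue process is still running is pointless, because it rewrites them, so terminate the process first, as the original poster had to do with Task Manager.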
MJWolter
2010-10-31, 17:34
Assuming that I would not be able to use the Internet on the infected laptop, I downloaded exeHelper to a USB drive. When I turned on the infected laptop, AntiMalware Doctor was still busy at work. I put the USB drive in, went to the folder where I had downloaded exeHelper, and attempted to open it; it said that the file was not found.
I gave that up and, being unable to eject the USB drive because Windows Explorer was, as usual, trying to shut down, tried to get a browser on the infected laptop. To my surprise, I succeeded.
I first attempted to navigate to http://www.raktor.net/exeHelper/exeHelper.com, but the page could not be displayed.
I then navigated to the Safer-Networking forum, found your reply, and clicked on that link. My McAfee program warned me that the site contained files that some might consider spyware or Trojans, or something like that, and I told it to continue. I chose save, designated the desktop as destination, and downloaded 99% of the file to the desktop before a window popped up saying that the action needed my permission. I clicked "continue," and the same window popped up. After about 25 reiterations of this, I gave up.
Then McAfee told me that I had a Trojan and that I should close all windows and restart. The infected laptop has restarted and a message popped up, saying the Trojan had been removed; I tried to get the name, but the message closed and left only a black screen with a cursor. Except for the light indicating hard drive activity, nothing showed up, so I powered it down.
When I restarted, I got pretty much the same thing: Black screen, cursor, a lot going on with the hard drive, a briefly flashed "McAfee" logo, and then nothing. In case McAfee is running a scan, I have left the PC on. It has now been about five minutes.
MJWolter
2010-10-31, 17:39
The infected PC is otherwise totally nonresponsive. The black screen and cursor continue.
MJWolter
2010-10-31, 17:47
A minimized window appeared. I restored it, and it said, "Microsoft Windows/Host Process for Windows Services stopped working and was closed. A problem caused the application to stop working correctly. Windows will notify you if a solution is available. [Close]."
I closed it. A window popped up saying "Problem Reports and Solutions." It offered a link to Windows Update. I clicked on that, and a window popped up saying, "::{21EC2020-3AEA-1069-A2DD-08002D30309D}\::{36EEF7DB-88AD-4E81-AD49-0E313F0C35FB} Application not found [OK]."
I clicked "OK" on that and the apparently well-meaning "Problem Reports and Solutions" window closed.
Now just the cursor, the black, and the hard drive.
Doesn't sound promising. Are you able to boot into any mode successfully?
MJWolter
2010-10-31, 21:37
By pressing F11 repeatedly after powering down and then up, I was able to get a choice between "Launch Startup Repair" and "Start Windows Normally." I chose "Launch Startup Repair." I got: "Winpeshl.exe - Application Error/ The application failed to initialize properly (0xc0000142). Click OK to terminate the application. [OK]."
Because the first time I tried this, I had gotten three choices, not two (though, because I had failed to make a selection, it had defaulted to "Start Windows Normally" and produced the same black screen), I hit "OK" and tried again. I got the same two choices, for which I made the same selection and this time, got an apparent login for "Other User." I have never set up another user on the damaged laptop. I still have that on the screen, and I am loath to do anything without expert advice. What next?
Hi,
That could be the default administrator account. If it's possible to log in via that account, please do. By the way, what Windows version do you have installed there?
MJWolter
2010-11-01, 13:11
Thank you; I will try that on my return home. Should the password (because the default administrator account, if any, was never provided me for input) be the same as the user account I did set up? The operating system is Windows Vista.
The default account should be "administrator" with no password on it. Do you have a Vista installation disk available?
MJWolter
2010-11-03, 01:44
The damaged laptop now always shows two startup modes when I power up. It defaults to Startup Repair and proceeds with that if I make no other choice. The user that comes up is either blank or "other user." I have tried blank user name and password, my name for user name and blank password, administrator for user name and blank password, and my actual user name and password. Nothing is recognized.
I did not get any disks with the laptop.
Do you have any friend with an installation disk for the same Vista version as yours? That might help in getting the system back to a state where logs can be taken.
MJWolter
2010-11-07, 18:58
Thank you for your help with this. No, but I do have a maintenance agreement from Staples, where I bought the laptop. I will try taking it to them and giving them a printout of the information I have gotten to date on this issue; hopefully, they will have the software I need to revive the operating system. Recognizing that they are a commercial operation, but also that they will be trying to restore to function a PC used in a home environment, can they contact you for assistance?
Hi,
That's still business related and we volunteers don't offer support for commercial companies. Anyway, I believe they have a working way to fix the issue.
Due to inactivity, this thread will now be closed.
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.