Hello, I hope somebody may help.
I am writing from another computer now because I can no longer access the internet or open any folders using my laptop, not even in safe mode.
First I noticed that when I turned it off there was still something running that had to be killed, although nothing seemed to be running. I did a scan with Counterspy which found an adware called AP Holding and removed it. Suddenly the photo on my screen got replaced by a colored screen. I ran a quick scan again with Counterspy, and the same adware was found again and again removed. I tried to open a folder in order to turn off the system restore option, however when I tried, Counterspy gave me a message that a known bad trojan called Explorer.exe had been blocked. I was not able to open any folders and suddenly the screen photo was covering the entire screen and I could not do anything. I restarted the machine, it opened as normal and I did a new scan. It found the same adware again, and removed it. And again when I touched a folder or anything the message about Explorer.exe appeared, and the computer got blocked. I tried to restart it, but this time it was immediately blocked by the screen photo. I restarted it in safe mode, which went fine. Here I did a registry clean using CCleaner and RegistryFix, and afterwards I did a new deep scan with Counterspy. After a while it found the same adware again and removed it. The computer got blocked again. I restarted it, but now I don't even get access to it in safe mode, the screen is all black. The only thing I can do is ctrl-alt-delete which lists the running processes:
wmiprvse.exe
wuauclt.exe
alg.exe
dllhost.exe
vmnetdhcp.exe
mcrdsv.exe
taskmgr.exe
vmserverdWin32.exe
svchost.exe
vmount2.exe
VsTskMgr.exe
nvsvc32.exe
Mcshield.exe
vmware-authd.exe
USBDeviceService.exe
vmnat.exe
SBAMSvc.exe
naPrdMgr.exe
svchost.exe (this one is listed several times)
ULDCDRSvr.exe
FrameWorkService.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
GoogleUpdaterService.exe
acs.exe
spoolsv.exe
svchost.exe
ehSched.exe
ehrecvr.exe
btwdins.exe
System
Does anybody know whether I could at least access my computer again by deleting any of these processes?
I am really grateful for any help,
rita
-
Quick question, were you, or are you, running VMware Workstation, or some other virtual machine application?
-
I don't know so much about virtual machines, but I had a look at the network window with ctrl-alt-delete. The two network cards VMware Network Adapter VMnet8 and VMware Network Adapter VMnet1 have the state 'operational', however 0% of these networks are used. I have never done anything deliberately in order to use virtual machines.
-
Ok. That explains the vm* processes that were showing up. The two simplest things I can think of are (i) remove the drive from the notebook, put it in an external USB enclosure, and then hook it up to another computer that has anti-virus and antispyware scanning capability and scan the drive that way - by doing it this way, the drive is essentially just a passive data storage device, not a bootable system drive, and any virus or malware residing on it won't get activated, and so should be capable of being found and rooted out, or (ii) format the drive and reinstall the operating system - drastic, but it'll get rid of whatever's infected the computer.
-
(Dumb Q) what happens if you disable Counterspy and try opening something?
-
Thank you both of you. Yes, I see that it would be good to disable Counterspy, because it seems like when it blocked Explorer.exe it has also blocked explorer.exe. However, I am no longer able to access Counterspy or any other folders or anything at all at the desktop, all I can see when I start the machine now is my photo covering the entire screen, and when I start it in safe mode the screen is all black. That's the problem, explorer is completely blocked. With task manager I have not found any processes related to Counterspy that I know of. So, if nobody has any other ideas I guess I need to go for one of your options Shyster1.
-
should just be counterspy.exe, though
-
Well, counterspy.exe is not there, actually I think I had already disabled the active protection just before explorer got completely blocked, but somehow it must have got blocked anyway, and permanently it seems.
I decided to do a partial system restoration, using F11 with my Packard Bell Easynote. However, after a short time the restoration stopped with an error message: "runtime error 70: permission denied". I restarted the machine, and I assume that some restoring has taken place, now the computer plays a sound when starting for instance, which I had disabled before. But explorer is still not working so the only thing I can see is a grey screen.
This is so frustrating! I can't believe that all this could happen only because of this trojan Explorer.exe and the fact that counterspy blocked it. Probably it won't help to do a complete restoration either. I don't know what to do.
-
If you have the CD, try to do a repair through the install CD.
-
If the system's infected, I don't think a repair via the installation CD is going to be of much help, as the virus/malware will just reinfect whatever gets repaired that way.
-
Hmm...good point. I guess a last resort would be a reformat and reinstall, then.
-
Hello, and thanks for your comments.
Things are now going much better! I realized that with task manager (choosing file and run) I can start any program that I want, even though explorer is not working. Actually explorer.exe had been deleted from my machine. I was able to copy this from another machine, and it is working again.
At the moment I am doing a million scans with different recommended antispyware programs. The result so far is that Malwarebytes' Anti-Malware found 15 different Rogue-stuff and one trojan, SUPERAntiSpyware and Panda's ActiveScan have not found anything. I just changed my antivirus program McAfee (which also didn't find anything) to Avast and I am doing a scan with this at the moment.
However, when I did one scan with Counterspy, it found again the adware AP Holding and it removed it, and the next time it found it again, although I had turned off the system restore option before restarting the machine in between. Really strange. And when it had removed this adware, explorer was blocked afterwards, and I had to restart the machine and manually start explorer with task manager to make it work again. According to Counterspy, AP Holding is an adware of elevated risk. Well, I hope that after all my scans the virus will finally be found and removed for good!
-
Actually what helped was to uninstall and reinstall Counterspy... Now it no longer finds this adware and it no longer blocks explorer.exe. The problem seems to have started after I upgraded Counterspy to its third version, maybe this wasn't done correctly somehow. Anyway, now everything seems to work well again! Thanks for your efforts to help me.
-
I'm glad to hear you were able to get the system back under your control - it's a terrible feeling when you first realize that something's taken control away from you.
It's possible that what got infected was the copy of Counterspy itself; it sounds like you've done a good job of disinfecting without having to reinstall the OS completely. Congratulations!
-
Indeed, congrats on solving the problem! Not to sound like a show off, but I gave my suggestions assuming you already tried to launch explorer.exe through the Task Manager.
-
Thanks! I'm so happy that I didn't have to reinstall the system completely. Yes, it seems like it was Counterspy itself that got infected, it was behaving really strangely. And I should of course have known that I can run programs using task manager, I am quite bad at computer stuff, but at least I've learned a lot more during the last few days!
-
There are some viruses targeting anti-virus software. Trojan.KillAV (Symantec's name for it) is an example.
Please help, AP Holding/Explorer.exe has blocked my laptop
Discussion in 'Security and Anti-Virus Software' started by rita, Sep 26, 2008.