Unbelievably insidious, evil, unstoppable virus causing Explorer to restart over and over

I’m typing this from another computer. I am in Queens, NY where I brought my laptop (Vista) with the intention of working on a story here. Just about a half hour ago I was tinkering around with ULead video studio, when all of a sudden the program stopped working, and then Explorer started crashing and then restarting, over and over and over again. Like literally every two seconds. The desktop would flash, I’d be unable to even access stuff in the Start menu - it would just keep restarting, crashing, restarting, crashing. RunDLL also restarted and crashed over and over again.

I turned off the computer, started it in Safe Mode, and the same fucking thing happened even in Safe Mode! I somehow, miraculously, reached the System Restore menu, only to find that I could not turn the System Restore on from Safe Mode. I restarted it in normal mode, and by some very fast clicking, managed to open the system protection window before it could close; I realized then, to my horror, that System Restore had been turned off for the entirety I had been running that system, and I didn’t even have a single restore point to restore to!

I have absolutely no idea what to do. I don’t have a Vista CD so I can’t do a reinstall (fortunately I backed up most of the important stuff so wouldn’t lose too much data.) Is there ANY way of me curtailing this awful, evil, nerve-wracking and frustrating problem, short of taking it in to a computer shop (and being from out of town, and not knowing the local computer shops, having no idea what kind of service I’m going to get or when the damn thing is going to be fixed.) I leave on the 22nd and I really need to be able to use this laptop while I’m here.

I swear to God, and I’m absolutely serious, I think that people who make computer viruses should get prison time. (Actually, I think they should be flayed alive, but I don’t think that’s a popular practice here.) Goddammit, they are committing a serious crime by cutting off peoples’ access to the technology that they depend on for their livelihoods every day. In my mind they are like vandals who go into your house or store, cut every electrical wire, disconnect the utilities, break all the windows, destroy the front door, and set the building on fire.

Do you have CD burning capabilities on the machine you’re at now? If so, you could try downloading a rescue CD (I don’t know any good ones offhand, but I found this one through quick googling), and boot your laptop with it, then see what you can do from there.

No, not really. Right now I’m running AVG from the command prompt. Is there any chance of that fixing this evil thing, or is this one of those things so severe that the only solution is a re-fucking-formatting?

Sounds like you have the same thing as this guy, so try following his instructions.

The Sysinternals Suite is available here and Unlocker here.

If you have a large USB stick handy, you could run Ubuntu (instructions) to give you a platform to run an anti-virus program (AV options).

OK, thanks for that link. I am now online, on safe mode, on my laptop and I downloaded those programs. Unfortunately I’m not as tech savvy as the guy who posted the walkthrough on how to do it, so if one of you could explain it in even simpler terms (how to delete the .DLLs in the registry, use Unlocker, whatever) that would be great. I don’t understand that guy’s post as well as some others might be able to so I’m going to have to try to pull some Apollo 13 shit here and see if someone can take me through this step by step.

Trying, but it’s absolutely maddening that he doesn’t bother mentioning the names of the specific DLLs that need to be deleted. There are about nine billion DLLs and I can’t sort through them all in one lifetime.

Okey dokey. His explanation wasn’t very illuminating so I’m a little in the dark too.

First things first. Unzip the SysinternalsSuite.zip. If you can only access the command line, download unzip.exe and save to C:\some_folder\ (cmd - "MD C:\some_folder") also save the SysinternalsSuite.zip there.

Move to that directory "CD C:\some_folder" then unzip via “unzip Sysinternalssuite”

Then run “autoruns”. Look for the dodgy .exe under the logon tab and delete. Hopefully it’ll be fairly obvious if you are familiar with your startup items.

Do you mean they don’t?! How can that not be a crime punishable by prison?

In order to sort through the dlls move to the next ‘Explorer’ tab. Legitimate ones are signed by Microsoft Corporation, others by legitimate programs and amongst them or the unknowns are your virus insertions. Google ones you are unsure about and can’t link to a program you’ve installed, or post them here.
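A way to do this sorting automatically, added here as an illustration (it is not code from the thread, from Autoruns or from Sysinternals): the script below walks the same Run keys that Autoruns shows under its Logon tab and the approved shell-extension DLLs it shows under its Explorer tab, runs each file through an Authenticode signature check, and prints only the entries that are not signed and valid. It assumes PowerShell 2.0 or later in an elevated console on the affected machine; the function names are my own.

```powershell
# Added illustration, not code from the thread or from Sysinternals.
# Lists Run-key entries (Autoruns "Logon" tab) and approved shell-extension
# DLLs (Autoruns "Explorer" tab), checks each file's Authenticode signature,
# and shows the ones that are not 'Valid'. Assumes PowerShell 2.0+ elevated.

function Get-CommandPath {
    # Recover the executable path from a Run-key command line such as
    #   "C:\Program Files\App\app.exe" /silent    or    C:\tools\x.exe -q
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { return [Environment]::ExpandEnvironmentVariables($cl.Substring(1, $end - 1)) }
    }
    # Unquoted paths containing spaces are ambiguous: take the longest prefix that exists on disk.
    $parts = $cl -split ' '
    for ($i = $parts.Length; $i -gt 0; $i--) {
        $candidate = [Environment]::ExpandEnvironmentVariables(($parts[0..($i - 1)] -join ' '))
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return [Environment]::ExpandEnvironmentVariables($parts[0])
}

function Get-SignatureInfo {
    # Wraps Get-AuthenticodeSignature so missing files are reported rather than thrown.
    param([string]$Path)
    $info = New-Object PSObject -Property @{ Path = $Path; Status = 'FileMissing'; Signer = '' }
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $info.Status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $info.Signer = $sig.SignerCertificate.Subject }
    }
    return $info
}

function Get-LogonEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $path = Get-CommandPath ([string]$item.GetValue($name))
            Get-SignatureInfo $path | Add-Member NoteProperty Source "$key\$name" -PassThru
        }
    }
}

function Get-ShellExtensionEntries {
    # Explorer loads every approved shell extension into its own process, so an
    # unsigned DLL here is a natural suspect when Explorer crashes in a loop.
    $approved = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
    if (-not (Test-Path $approved)) { return }
    $item = Get-Item $approved
    foreach ($clsid in $item.GetValueNames()) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path $server)) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables([string](Get-ItemProperty -Path $server).'(default)')
        Get-SignatureInfo $dll | Add-Member NoteProperty Source "$clsid ($($item.GetValue($clsid)))" -PassThru
    }
}

# Anything whose status is not 'Valid' deserves a look.
$all = @(Get-LogonEntries) + @(Get-ShellExtensionEntries)
$all | Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Status, Signer, Path, Source | Format-Table -AutoSize
```

One caveat when reading the output: many files under System32 carry no embedded signature and are signed through Windows catalog files instead, and older PowerShell versions (including those available for Vista) do not consult catalogs, so such a file shows as NotSigned here even though Autoruns, which does check catalogs, marks it verified. Treat the script's list as a shortlist to confirm against the Autoruns "Verified" column and the file's publisher, not as a verdict; a third-party DLL outside the Windows directory with no signature at all is the kind of entry worth googling or posting.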

Under “User” do I want to be in NT AUTHORITY SYSTEM, NT AUTHORITY NETWORK SERVICE, NT AUTHORITY LOCAL SERVICE, or Owner PC-Owner?

Owner PC-Owner.

OK - I’m finding several suspiciously UN-verified “nvshext.dll” files, supposedly from NVidia - however there are other Nvidia files that ARE verified. Does this mean the “nvshext.dll” file is actually malware and I should get rid of it? I hesitate to get rid of any NVidia file since it’s my 3D card which is vital to the computer’s functioning, but it is unverified and maybe this is the culprit.

I should add these are the ONLY un-verified .dlls I could find in the entire list. Two unverified EXEs also exist - qttask.exe from Apple Quicktime and pdvdserv.exe from PowerDvd.

Unlikely, as you say it looks like an NVidia dll. Have you found the crypt32.dll? Check under the ‘Everything’ tab. Pay extra attention to ones not in the system32 folder.

Nope - can’t find crypt32.dll anywhere. Even did a search for it.

OK I did find Crypt32.dll - not in the system insider program, but just in the simple Start menu search. It’s in the System32 folder - should I delete it? However, under Properties, it says it’s an official Microsoft file and it was last modified 8/13/2009.

Run “procexp” from C:\some_folder. View->lower pane and check the dlls associated with any processes which seem suspicious.

Also is the computer stable using a diagnostic setup? (available from “msconfig”)

Edit: having checked, crypt32.dll is part of Windows Crypto API so do not delete it.
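For the Process Explorer lower-pane step, here is an added script that does the same inspection from PowerShell: it lists every DLL loaded into the named process (explorer by default), records its signature status, signer and last-modified time, and puts the unsigned ones and the ones living outside the Windows directory at the top. This is an illustration written for this thread, not code from Sysinternals or from the poster; it assumes PowerShell 2.0 or later in an elevated console, and the function name is my own.

```powershell
# Added illustration, not code from the thread or from Sysinternals.
# Equivalent of Process Explorer's lower DLL pane for one process, plus a
# signature check and the file's last-modified time. Assumes PowerShell 2.0+ elevated.

function Get-LoadedModuleReport {
    param([string]$ProcessName = 'explorer')
    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        # With Explorer crashing every couple of seconds this can simply be bad timing.
        Write-Warning "No process named '$ProcessName' is running right now; try again."
        return
    }
    $windowsDir = $env:SystemRoot.ToLower()
    $seen = @{}
    foreach ($p in $procs) {
        try { $modules = $p.Modules } catch {
            # Reading the module list fails for a process of a different bitness, or
            # for one that exits while being inspected; skip it rather than abort.
            Write-Warning "Could not read modules of PID $($p.Id): $_"
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $key = $path.ToLower()
            if ($seen.ContainsKey($key)) { continue }   # same DLL in several Explorer instances
            $seen[$key] = $true
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Module         = $m.ModuleName
                Path           = $path
                Status         = $sig.Status.ToString()
                Signer         = $signer
                LastModified   = (Get-Item -LiteralPath $path).LastWriteTime
                OutsideWindows = -not $key.StartsWith($windowsDir)
            }
        }
    }
}

# Most interesting first: not validly signed, or loaded from outside %SystemRoot%,
# with the most recently modified files on top.
Get-LoadedModuleReport -ProcessName 'explorer' |
    Where-Object { $_.Status -ne 'Valid' -or $_.OutsideWindows } |
    Sort-Object LastModified -Descending |
    Format-Table Status, OutsideWindows, LastModified, Module, Path -AutoSize
```

The same catalog caveat applies as with Autoruns: on this era of Windows a System32 file reported as NotSigned is usually catalog-signed, which Process Explorer's Verify option sees and this cmdlet does not, so crypt32.dll in System32 with a Microsoft publisher is exactly what you expect to see and not something to remove. The entries that merit attention are DLLs loaded from a user profile, Temp or Program Files directory that carry no signature and a very recent modification time.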

Not sure what you mean by the procexp thing - how do I run that?

Using the command line move to the directory where you unzipped the Sysinternals Suite (i.e. “CD C:\some_folder”, hit enter), then type “procexp” and again hit enter.

To help us see what you’re seeing install HijackThis.

Then type "cd c:\program files\trend micro\hijackthis" in the command line + enter key,
type “hijackthis /autolog” + enter, and post the log text here.

No, the computer is not stable in diagnostic mode. Same crash/restart shit. And now I can’t even connect to the internet (I’m back to using that other computer again.) I don’t think I can fix this. It’s just not in the cards. I’m going to just have to eat the repair bill (if I can even find a computer repair shop here in Queens where they speak English), and remain frustrated and pissed off that I keep falling victim to these goddamn awful viruses to which there seems to be no antidote but system re-installation.