cmd prompt help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jarcher, Jun 9, 2004.

  1. jarcher

    jarcher I can't handle a title

    I go to my cmd prompt, change dir., and type DIR, apparently showing me all the things in that folder. As the list is now complete I can only view T-Z. I need S. I am looking for a file that my Trend Micro cannot fix or remove. I tried via cmd prompt but access is denied. So I'm trying to see if it even exists. I can't find it through search, it's not hidden. So it's got to be somewhere, right?

    I've taken all suggestions here,

    http://www.majorgeeks.com/vb/showthread.php?t=34201

    done everything I'm told
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    jarcher,

    You should not be duplicating a thread for a problem you have already asked questions on. You are going to wind up with duplicate requests for info and duplicate procedures to follow, which wastes everyone's time. You should remain in that thread unless a totally different issue arises. Then you would post a new thread. And each time you begin a new thread always give system info and a complete problem description.

    From a command prompt you can always just scroll back up. Also, you could just enter dir s*
    I thought you were looking for a file called imscan.dll. Or are you still looking for SQLNIN.dll?
    Stop wasting your time with command prompt and use Windows file search (from Start, Search).
    If you cannot delete it when you find it, it may be in use. Boot in safe mode, search again, and then try deleting it. Otherwise try the DelLater utility: http://www.diamondcs.com.au/index.php?page=dellater You need to know the full path to the file. That's where using search pays off. According to your other thread the full path is: C:\WINDOWS\SYSTEM32\SQLNIN.dll

    If you don't know how to boot in safe mode, see this: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
     
  3. jarcher

    jarcher I can't handle a title

    yea, sorry about the new thread,
    I searched hundreds of times using start, search but it could not be found. So I decided to look using the cmd prompt.
    I did find it through the command prompt, and finally in search and yes it says it is in use. But how do I determine what is using it? When I went to safe mode it was nowhere.
    imscan.dll
    that was an accident
    I had already taken care of it. It was stuck on my paste when I was searching for it. And every time I right clicked, copy, paste it would never change. E.g. I would copy the word fish and it would paste scrotum so I would copy cheese and it would still be scrotum. But I fixed it.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could be that the file contains hidden characters too. Even at the beginning or end there could even be a space.

    Try again in safe mode but when searching do a more global type search like:

    *qlni*

    This should find anything with those characters in the middle. If you find it, try deleting it now.
    By the way this will work at the command prompt too:

    dir *qlni*
    and del *qlni*

    should work (obviously you need to be in the directory where the file was seen before). Just make sure you do not have more than one match to this before using the del *qlni*
     
  5. jarcher

    jarcher I can't handle a title

    no, that too did not work.
    I can't find it in safe mode.
    no matter how I look, why?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, so if you boot normal mode and try what I said, what do you get?
     
  7. jarcher

    jarcher I can't handle a title

    in the cmd prompt access is denied
    in windows it is being used
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want you to try two more things:

    1) Boot normal and then click Start, Run, and enter msconfig in the open box and click OK. Now the System Configuration Utility is running. Click on the SYSTEM.INI tab and take a look at what you see there. See if anything looks strange. Repeat for the WIN.INI tab. Then click on the Services tab and see if any of the items in here look strange. For most of them, the manufacturer will be Microsoft. After that click on the Startup tab, again check for anything that looks unusual, especially if you see anything that somewhat matches the problem file. Give me some feedback on these steps.

    2) Run Ad-aware and save the log file. This should give a list of all running processes. Post your Ad-aware log file here.
     
  9. jarcher

    jarcher I can't handle a title

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Friday, June 11, 2004 1:31:59 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R316 11.06.2004
    ______________________________________________________

    Reffile status:
    =========================
    Reference file loaded:
    Reference Number : 01R315 06.06.2004
    Internal build : 247
    File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
    Total size : 1211780 Bytes
    Signature data size : 1191581 Bytes
    Reference data size : 20135 Bytes
    Signatures total : 26553
    Target categories : 10
    Target families : 493
    6-11-2004 1:31:35 PM Performing Webupdate...

    Installing Update...
    Reference file loaded:
    Reference Number : 01R316 11.06.2004
    Internal build : 248
    File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
    Total size : 1233266 Bytes
    Signature data size : 1213039 Bytes
    Reference data size : 20163 Bytes
    Signatures total : 27012
    Target categories : 10
    Target families : 494

    6-11-2004 1:31:50 PM Success.
    Update successfully downlodaded and installed.


    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Intel Pentium III
    Memory available:40 %
    Total physical memory:228844 kb
    Available physical memory:91364 kb
    Total page file size:625520 kb
    Available on page file:425608 kb
    Total virtual memory:2097024 kb
    Available virtual memory:2049332 kb
    OS:

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file


    6-11-2004 1:31:59 PM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 6-10-2004 4:10:17 AM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 6-10-2004 4:10:19 AM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-10-2004 4:10:19 AM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 6/5/2003 8:06:07 PM
    Last accessed : 6/11/2004 7:25:44 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-10-2004 4:10:19 AM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 6/5/2003 8:39:00 PM
    Last accessed : 6/11/2004 7:25:45 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-10-2004 4:10:20 AM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 6/5/2003 8:06:18 PM
    Last accessed : 6/11/2004 7:25:44 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:6 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-10-2004 4:10:32 AM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 6/5/2003 8:06:16 PM
    Last accessed : 6/11/2004 7:25:45 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:7 [ccevtmgr.exe]
    FilePath : c:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 6-10-2004 4:10:32 AM
    BasePriority : Normal
    FileSize : 309 KB
    FileVersion : 1.03.4
    ProductVersion : 1.03.4
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Event Manager Service
    InternalName : ccEvtMgr
    OriginalFilename : ccEvtMgr.exe
    ProductName : Event Manager
    Created on : 11/14/2002 6:44:02 AM
    Last accessed : 6/11/2004 7:23:11 PM
    Last modified : 11/14/2002 6:44:02 AM

    #:8 [nisum.exe]
    FilePath : c:\Program Files\Norton Personal Firewall\
    ThreadCreationTime : 6-10-2004 4:10:32 AM
    BasePriority : Normal
    FileSize : 137 KB
    FileVersion : 6.02.1015
    ProductVersion : 6.02.1015
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton Internet Security NISUM
    InternalName : NISUM
    OriginalFilename : NISUM.exe
    ProductName : Norton Internet Security
    Created on : 11/15/2002 1:31:24 AM
    Last accessed : 6/11/2004 7:23:11 PM
    Last modified : 11/15/2002 1:31:24 AM

    #:9 [avgserv.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG6\
    ThreadCreationTime : 6-10-2004 4:10:39 AM
    BasePriority : Normal
    FileSize : 16 KB
    FileVersion : 6.0.1.696
    ProductVersion : 6.0.1.696
    Copyright : Copyright (c) GRISOFT 1998-2004
    CompanyName : GRISOFT s.r.o
    FileDescription : AvgServ - displays notification message
    InternalName : AvgServ
    OriginalFilename : AvgServ
    ProductName : AVG6
    Created on : 6/7/2004 5:28:35 AM
    Last accessed : 6/11/2004 7:23:11 PM
    Last modified : 6/2/2004 12:00:00 PM

    #:10 [navapsvc.exe]
    FilePath : c:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 6-10-2004 4:10:40 AM
    BasePriority : Normal
    FileSize : 113 KB
    FileVersion : 9.05.1015
    ProductVersion : 9.05.1015
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    OriginalFilename : NAVAPSVC.EXE
    ProductName : Norton AntiVirus
    Created on : 11/15/2002 9:41:26 AM
    Last accessed : 6/11/2004 7:23:11 PM
    Last modified : 11/15/2002 9:41:26 AM

    #:11 [tmntsrv.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 6-10-2004 4:10:44 AM
    BasePriority : Normal
    FileSize : 236 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : Tmntsrv
    InternalName : Tmntsrv
    OriginalFilename : Tmntsrv.exe
    ProductName : Trend Pc-cillin 11
    Created on : 2/10/2004 1:45:50 AM
    Last accessed : 6/11/2004 7:23:11 PM
    Last modified : 2/10/2004 1:45:50 AM

    #:12 [tmproxy.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 6-10-2004 4:10:45 AM
    BasePriority : Normal
    FileSize : 200 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : TmProxy.exe
    InternalName : TmProxy.exe
    OriginalFilename : TmProxy.exe
    ProductName : Trend Pc-cillin 11
    Created on : 2/10/2004 1:46:58 AM
    Last accessed : 6/11/2004 7:23:11 PM
    Last modified : 2/10/2004 1:46:58 AM

    #:13 [pccpfw.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 6-10-2004 4:10:51 AM
    BasePriority : Normal
    FileSize : 684 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : PCCPFW
    InternalName : PCCPFW
    OriginalFilename : PCCPFW.exe
    ProductName : Trend Pc-cillin 11
    Created on : 2/10/2004 1:43:00 AM
    Last accessed : 6/11/2004 7:23:11 PM
    Last modified : 2/10/2004 1:43:00 AM

    #:14 [pccguide.exe]
    FilePath : C:\Program Files\Trend Micro\Internet Security\
    ThreadCreationTime : 6-10-2004 4:11:25 AM
    BasePriority : Normal
    FileSize : 928 KB
    FileVersion : 11.20.0.1311
    ProductVersion : 11.20.0
    Copyright : Copyright (C) 1995-2003 Trend Micro Incorporated. All rights reserved.
    CompanyName : Trend Micro Incorporated.
    FileDescription : PCCGuide
    InternalName : PCCGuide
    OriginalFilename : PCCGuide
    ProductName : Trend Pc-cillin 11
    Created on : 2/10/2004 1:40:16 AM
    Last accessed : 6/11/2004 7:23:11 PM
    Last modified : 2/10/2004 1:40:16 AM

    #:15 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 6-11-2004 1:39:33 AM
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 6/5/2003 8:38:42 PM
    Last accessed : 6/11/2004 7:23:11 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:16 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 6-11-2004 1:40:09 AM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 6/5/2003 8:06:18 PM
    Last accessed : 6/11/2004 7:25:44 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:17 [avgcc32.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVG6\
    ThreadCreationTime : 6-11-2004 1:41:58 AM
    BasePriority : Normal
    FileSize : 337 KB
    FileVersion : 6, 0, 0, 515
    ProductVersion : 6, 0, 0, 0
    Copyright : Copyright
    CompanyName : GRISOFT s.r.o.
    FileDescription : AVG Control Center
    InternalName : AvgCC32
    OriginalFilename : AvgCC32.EXE
    ProductName : AVG Anti-Virus System
    Created on : 6/7/2004 5:28:35 AM
    Last accessed : 6/11/2004 7:23:11 PM
    Last modified : 6/2/2004 12:00:00 PM

    #:18 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 6-11-2004 7:23:07 PM
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Microsoft
    Created on : 6/5/2003 8:38:54 PM
    Last accessed : 6/11/2004 7:23:16 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:19 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 6-11-2004 7:31:24 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 5/16/2004 8:37:27 PM
    Last accessed : 6/11/2004 7:31:24 PM
    Last modified : 7/13/2003 3:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Category : Data Miner
    Comment : Possible browser hijack attempt
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : owner@tribalfusion[1].txt
    Category : Data Miner
    Comment :
    Object : C:\Documents and Settings\Owner\Cookies\

    Created on : 6/11/2004 7:23:24 PM
    Last accessed : 6/11/2004 7:23:24 PM
    Last modified : 6/11/2004 7:23:24 PM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 2


    Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    1 entries scanned.
    New objects :0
    Objects found so far: 2




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 2


    Reanalyzing scan result
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    No objects have been removed from the result list.


    1:39:43 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:07:43:750
    Objects scanned :102147
    Objects identified :2
    Objects ignored :0
    New objects :2


    some things questionable.
    Startup (not running)

    ojbgogjo

    T7ytI?N
    (The "?" is actually a line going up and down. It's not an "I", "L", a 1, or a "!", it's just a "_" but up and down. Like a non-blinking cursor. I don't know what it is.)


     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see anything in the Ad-aware running processes that looks bad; however, it is not a good idea to have multiple virus scan applications running. You should choose to keep one or the other.

    Did you mean using msconfig and looking at Startup you saw:

    ojbgogjo

    T7ytI|N

    running (the character you were describing is probably a pipe sign | look above your enter key).
    If these are actually shown as a startup item, what do the Command and Location columns show for these items.
     
  11. jarcher

    jarcher I can't handle a title

    yes
    C|\Documents and Settings\Owner\Application Data\Microsoft\sr64\ojbogo.exe
    c|\documents and settings\owner\local settings\temp\T7ti|N.exe
    Both SOFTWARE\Microsoft\Windows\Current Version\Run
    Both are disabled though.

    I usually have one running at a time, some find things that others don't.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do these filenames remain the same after each reboot or do they change? We may want to run a quick scan with: http://housecall.trendmicro.com/housecall/start_corp.asp



    It may not even be a good idea to have them installed at the same time. In fact I believe McAfee and Norton will even check for each other and refuse to install until the other is removed.
     
  13. jarcher

    jarcher I can't handle a title

    what happened was my norton stopped working, and someone suggested something or other. anyway
    I used housecall a lot until then just to be safe, and for a while my ie just shut down every time I tried to use it. So I finally downloaded it.
    I have a thread somewhere that's more into detail on that, but I can't find it.
    my norton keeps telling me to reinstall it, but it came with my pc. So I installed stinger, it works.
    in fact every time I open something my trend micro is what's telling me about the virus, housecall finds nothing.

    and yes file names stay the same at start up
     
  14. Adrynalyne

    Adrynalyne Guest

    OMG man...have you not been listening to us? This is the third time you have misled the members here!

    If you can't give good advice, stay quiet, listen and learn.

    :mad:
     
  15. Adrynalyne

    Adrynalyne Guest

  16. Adrynalyne

    Adrynalyne Guest


    Works for me.

    I reported this post when I saw what you recommended.

    You can't help people if you can't learn.


    Three times you have given dangerous advice.

    Three times you were corrected.

    Three times you didn't listen.

    It's obvious you don't want to learn...or help.

    I can understand making a mistake, but when someone corrects you three!!! times, it's no longer a mistake, it's sheer ignorance.
     
  17. Adrynalyne

    Adrynalyne Guest

  18. jarcher

    jarcher I can't handle a title

    so what was all that from the first post from wrisal_10 in this thread to here? nothing to concern myself with I suppose?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, ignore it! Constant bad information, as you will see if you look in the other threads. I'm glad Adryn was around to pick up on this while I was logged out for the last 3 hours.
     
  20. Just Playin

    Just Playin MajorGeek

    Lighten up. The wisest person is the one unafraid to admit error and accept correction or criticism. And remember, some of these people are experts.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And the fool is one that does not learn from their mistakes!
     
  22. Adrynalyne

    Adrynalyne Guest

    You both have very wise words. It's a shame that some others cannot see that.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We already know that! And rather than continuing with any nasties I'll leave it at that.
     
  24. jarcher

    jarcher I can't handle a title

    Wisdom is knowing when to ask for answers, like,

    I'm still having trouble with my thing here but, I have a new development here:

    AVG Resident Shield pops up at start up and every at action
    "Trojan Horse BackBoor .Agent .BA
    Is found in C:\WINDOWS\system32\sqlnin.dll
    To remove this virus, run AVG for windows"

    No quotes, so I run AVG6 and it finds nothing, stumped here


    I am not an educated man, not really. When I think "engineer" I don't picture some guy in front of a PC. I see grease and electrical, hydraulic, mechanical, pneumatic blueprints. I see tools, BIG machines, cutting tools, mills and lathes. Me personally, I would rather jump out of a plane with a ruck sack and an M16, a couple grenades and a har* o*. than sit in a small cage and look into a small screen and peck all day.
    but these are educated persons, that is why they're here. That is why I am here.
    to further educate myself. and my education is being impeeded ( or how ever it is spelled) by whining. people make mistakes, get over it and move on.

    now anyone who could further assist me, would be most appriciated ^ (sp)
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try something again I mentioned in your first thread on this but maybe add another step:

    1) If you don't have it download McAfee's Stinger Avert. Get it here: http://www.majorgeeks.com/download4063.html but don't run it yet.
    2) Disable system restore. See this to learn how: http://www.majorgeeks.com/vb/showthread.php?t=31668
    3) Now reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    4) Now run McAfee's Stinger Avert.

    Let us know if this finds anything or even if nothing is found.
     
  26. jarcher

    jarcher I can't handle a title

    I have done that before and I did so again. It didn't find anything, but I noticed that there was no update tab and it only scans 41 viruses. Is there a way to update?
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No updates for Stinger. Just new versions when they come out. The current version is v2.2.7 [776,199 bytes] (5/18/2004).

    You may want to repeat the process again (disable system restore, boot in safe mode) and try this scanner from Avast: http://www.majorgeeks.com/download4188.html


    I'm leaning towards trying something totally different here too. Can you give this a try:

    1) Go here and download Registrar lite and install it: http://www.resplendence.com/reglite
    2) Run it, copy and paste the below line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) You will now have the "Appinit_Dlls" value on the right side panel highlighted.
    5) DoubleClick on it, copy and post what you find in the following two fields in
    your next post:
    -Size:
    -Value:
     
  28. jarcher

    jarcher I can't handle a title

    size 31
    value C:\WINDOWS\System32\sqlnin.dll
    no sht?
    what's that mean?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It means we are going to try another step. Don't log out yet. Give me a chance to write something up.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we are going to try to get rid of the file. C:\WINDOWS\System32\sqlnin.dll
    To make the file visible so that it can be manipulated and deleted follow the
    steps in order below:

    1) Go to http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
    and download: "Winfile.zip(WinNT)"
    This is basically File Manager from the early Windows days.

    2) Run reglite.exe again: type--

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    into the address bar. (It might even open right to this since it is where you last were working.)

    3) Right click on the Windows folder and rename the Folder Windows to NotWindows
    This folder is highlighted as a light blue (some people call it light purple) folder in the left hand pane of reglite.

    4) Double Click "AppInit_DLLs" again and clear the data value:
    C:\WINDOWS\System32\sqlnin.dll < delete this line , 'Apply' and 'ok' to set.

    5) Rename the NotWindows folder back to its original name Windows

    6) Restart computer

    7) This should make the file visible. See if you can find it in:
    C:\WINDOWS\System32\sqlnin.dll

    8) Next, We need to move the file out of the system32 folder.
    Go to your root drive: C:\ And create a new folder,

    Name it: "junk"
    so you have a folder C:\junk

    Unzip and run the 'Winfile' you previously downloaded. Using winfile
    navigate to System32 folder. You need to navigate by Double clicking to expand.

    When you are in System32, from the top menu select File then Move
    A small window will open. Enter the following in the From and To boxes:

    From: C:\WINDOWS\System32\sqlnin.dll

    To: C:\junk\sqlnin.dll

    And hit ok.

    9) Close Winfile and check in C:\junk for that file.

    10) Reboot

    11) See how things look now. If you have any problems, post a new hijackthis log.

    12) Try a virus scan now and see if it finds that file. If so, move it to a floppy.
    (Let's keep it for awhile to make sure it is not needed for something.)
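
Added example, not part of the original posts: the AppInit_DLLs value read in post 27 and cleared in post 30, and the Run entries listed in post 11, can be reviewed offline from a registry export. The sample export below is constructed from the names and paths quoted in this thread, and the user-writable path markers are an assumed heuristic for this Windows XP layout.

```python
import re

# Constructed sample in the text format written by a regedit export
# ("Windows Registry Editor Version 5.00"). Names and paths are the ones
# quoted in the thread; this is not data from a real machine. A real export
# is usually UTF-16 and must be decoded to text before parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\sqlnin.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgcc32"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe"
"ojbgogjo"="C:\\Documents and Settings\\Owner\\Application Data\\Microsoft\\sr64\\ojbogo.exe"
"T7ytI|N"="c:\\documents and settings\\owner\\local settings\\temp\\T7ti|N.exe"
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="data" string values; backslash escapes (\\ and \") are allowed inside.
STRING_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

APPINIT_KEY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\windows'
RUN_KEYS = (
    r'hkey_local_machine\software\microsoft\windows\currentversion\run',
    r'hkey_current_user\software\microsoft\windows\currentversion\run',
)
# Assumption: per-user, user-writable locations on XP where a legitimate
# autostart program is unusual. Adjust for the system being reviewed.
USER_WRITABLE = ('\\local settings\\temp\\', '\\application data\\')


def unescape(value):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_export(text):
    """Return {lowercased key path: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            current = keys.setdefault(section.group('key').lower(), {})
            continue
        value = STRING_RE.match(line)
        if value and current is not None:
            current[unescape(value.group('name'))] = unescape(value.group('data'))
    return keys


def triage(keys):
    """Return (kind, value name, data) tuples that deserve a manual look."""
    findings = []
    # Any DLL named in AppInit_DLLs is loaded into every process that loads
    # user32.dll, so a non-empty value should always be explained.
    for name, data in keys.get(APPINIT_KEY, {}).items():
        if name.lower() == 'appinit_dlls':
            # The value is a list delimited by spaces or commas.
            for dll in filter(None, re.split(r'[ ,]+', data.strip())):
                findings.append(('AppInit_DLLs', name, dll))
    # Autostart entries whose target lives in a user-writable directory.
    for run_key in RUN_KEYS:
        for name, data in keys.get(run_key, {}).items():
            path = data.strip('"').lower()
            if any(marker in path for marker in USER_WRITABLE):
                findings.append(('Run', name, data))
    return findings


if __name__ == '__main__':
    for kind, name, data in triage(parse_reg_export(SAMPLE_REG)):
        print(f'{kind:13} {name:13} {data}')
```

An empty result does not clear a machine; it only means these two autostart locations hold nothing that matches the checks above.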
     
  31. jarcher

    jarcher I can't handle a title

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

     
  33. jarcher

    jarcher I can't handle a title

    well I renamed it badsqlnin.bad and it disappeared
    now I can't find it
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are there any files in the C:\junk directory we created? Make sure you have enabled view of hidden and system files in Win Explorer.

    You can also try a file search for *.bad (this would match any filename ending with the extension bad on your PC).

    We don't really need this file as far as I'm concerned but it is sort of strange that it would disappear.
     
  35. jarcher

    jarcher I can't handle a title

    I did that and it's just gone. It was in the junk folder when I changed the filename.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So then can I assume everything is okay with your PC now? No more virus warnings?
     
  37. jarcher

    jarcher I can't handle a title

    it would appear so, thank you
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome J! :) We're done here...on to the next problem! ;)
     
  39. jarcher

    jarcher I can't handle a title

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I answered.....
     
