
Thread: system.ini explained?

  #1 Junior Member, Join Date Sep 2006, Posts 5

    system.ini explained?

    I am using the advanced mode and find the spyware I need to kill off identified as being in the system.ini file. However, when I look at the system.ini file in Windows (Windows XP SP2 OS), there is no entry there. Does the system.ini mean something different in Spybot than it does for us old DOS people?

    The problem was a dll named nuclabdll.dll that kept launching. It did not matter if I deleted it or if I unchecked it, it kept putting itself back. I found out it was a rootkit virus and figured out a way to clean it (or at least keep it at bay). However, I need to know what the SpyBot startup screen was trying to tell me: where it found nuclab in a system.ini file.

    Thanks for any help you can offer.

  #2 md usa spybot fan, Spybot Advisor Team [Retired], Join Date Oct 2005, Posts 5,859

    Quote Originally Posted by Janno:
    I am using the advanced mode and find the spyware I need to kill off identified as being in the system.ini file. However, when I look at the system.ini file in Windows (Windows XP SP2 OS), there is no entry there. Does the system.ini mean something different in Spybot than it does for us old DOS people?
    From:

    3. System.ini

    [boot]
    Shell=Explorer.exe file.exe

    Windows XP/NT/2000

    During system startup, Windows XP, NT and Windows 2000 consult the "Shell" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, to determine the name of the executable that should be loaded as the Shell.

    By default, this value specifies Explorer.exe.

    This can also be specified on a per-user-profile basis (i.e., the corresponding registry key/value under HKEY_CURRENT_USER).

    Example of malware using this startup method:

    http://www.symantec.com/avcenter/ven...r.nithsys.html
    http://www.symantec.com/avcenter/ven...or.nibu.h.html
    http://www.trendmicro.com/vinfo/viru...%2EBDD&VSect=T
    http://securityresponse.symantec.com...ss.trojan.html

    Additionally, (thank you, Gkweb) Explorer.exe is searched by the system at boot, starting from the root C:\ and finishing at C:\windows\explorer.exe

    If malware is named "explorer.exe" and is placed in the root of the drive, the file will be launched without the necessity of modifying any boot files, and it can then launch the real explorer.exe without any notice from the user.
    Quote Originally Posted by Janno:
    However, I need to know what the SpyBot startup screen was trying to tell me: ….
    From the information on Spybot's System Startup screen:

    This list displays all programs that will be started along with Windows if you power on your system. …
    If you don't understand the entries, I suggest that you leave them alone!!!

    Remember the warning that you received when you went into Advanced mode:

    Warning

    The advanced mode of Spybot-S&D offers more options than the default mode; but those also include some that can do harm to your system if you are not sure what you are doing. Do you really want to switch to advanced mode?

    [Yes] [No]

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
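    The Autostart excerpt quoted above says that on Windows XP/NT/2000 the old system.ini "[boot] Shell=" line lives on as the "Shell" value under the Winlogon key, in HKLM and optionally HKCU, and that a file named explorer.exe at the drive root is picked up before the real one. The following PowerShell is an added example (not part of the forum post or of Spybot) that performs exactly that check on a live system: it reads both Shell values, splits them the way a "Explorer.exe file.exe" entry would be read, flags any token other than explorer.exe, and looks for a rogue explorer.exe at each fixed drive root. The registry paths are the ones named in the quoted text; the signature check on the candidate files is an assumption of how a practitioner would triage a hit, not something the post describes.

```powershell
# Added example: audit the Winlogon "Shell" autostart location described in
# the Autostart document, plus the drive-root explorer.exe search-order issue.
# Run from an elevated PowerShell prompt; nothing here modifies the system.

$shellKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # machine-wide (default Explorer.exe)
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'    # per-user override, normally absent
)

foreach ($key in $shellKeys) {
    # The HKCU value usually does not exist; its absence is the clean state,
    # so suppress the "property not found" error instead of treating it as a finding.
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        Write-Output "$key : Shell value not set (default shell applies)"
        continue
    }

    # The value is a list: "Explorer.exe file.exe" starts both programs at logon.
    # Split on whitespace or commas so every launched program is inspected.
    $entries = $shell -split '[\s,]+' | Where-Object { $_ -ne '' }
    foreach ($entry in $entries) {
        if ($entry -ieq 'explorer.exe') {
            Write-Output "$key : $entry (expected)"
        } else {
            # Anything else here is a persistence entry worth explaining.
            Write-Warning "$key : unexpected Shell entry '$entry'"
        }
    }
}

# A file named explorer.exe at the root of the drive is found before
# %windir%\explorer.exe without any registry change, so check each drive root.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $candidate = Join-Path -Path $drive.Root -ChildPath 'explorer.exe'
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        Write-Warning "rogue shell candidate at $candidate"
        # Assumption for triage: a real Windows binary carries a valid Microsoft signature.
        Get-AuthenticodeSignature -FilePath $candidate | Select-Object Status, Path
    }
}

# Show the legitimate shell and its signature status for comparison.
$realShell = Join-Path -Path $env:windir -ChildPath 'explorer.exe'
$status = (Get-AuthenticodeSignature -FilePath $realShell).Status
Write-Output ("legitimate shell: {0} (signature: {1})" -f $realShell, $status)
```

    A clean XP system prints the HKLM entry as "explorer.exe (expected)", reports the HKCU value as not set, and finds no explorer.exe at any drive root. Spybot's "system.ini" label in Advanced mode refers to this Shell setting, which is why a grep of the literal C:\WINDOWS\system.ini file on XP turns up nothing.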

  #3 md usa spybot fan, Spybot Advisor Team [Retired], Join Date Oct 2005, Posts 5,859

    From your post here:

    Quote Originally Posted by Janno:
    There is a virus that Trend finds as TSPY_GOLDUN.GEN. It cannot be cleaned or quarantined...just identified. It launches a service from the nuclab.sys file in Windows. The service runs stealth and is running in Safe mode. …
    I suggest you consider posting in the Malware Removal forum and having someone take a look at your system and help you with the problem.

    The instructions for running preliminary scans, producing logs and posting in that forum are outlined in the following reference:

    After completing those steps, start a new thread (topic) in the following forum (making sure to include the HijackThis and online scan logs produced from the instructions above):
    Last edited by md usa spybot fan; 2006-09-20 at 19:12.


  #4 Junior Member, Join Date Sep 2006, Posts 5

    Thanks. That is what I needed to know.

    Quote Originally Posted by md usa spybot fan:
    If you don't understand the entries, I suggest that you leave them alone!!!
    I was not saying I did not understand the entries...simply where SpyBot was finding them. As an old DOS person, system.ini means something entirely different.

    Thanks for your prompt response. I will also review the Autostart document.

    RE: nuclab and Malware Removal forum
    I managed to delete it. I was including it in the list of things that it would be nice for SpyBot to be able to detect. That was what I thought the forum named "New or Undetected" would refer to. Sorry for being a newbie...

  #5 Junior Member, Join Date Sep 2006, Posts 5

    Autostart Document is Like Gold

    I just reviewed the Autostart document:
    A Collection Of Autostart Locations, by Tony Kleinkramer
    http://forums.subratam.org/index.php...er&f=29&t=1063
    This thing is great! I only knew about maybe half of these locations. I printed a copy and it is now in my briefcase.

    Thanks for including the link. And thanks to Tony Kleinkramer for putting it together!

  #6 Banned, Join Date Jun 2009, Posts 1

    Your system.ini file might be corrupted due to malware...
    The following process can help you restore the system.ini and win.ini files:

    If you are using Windows 95/98 and are in Windows

    Click Start
    Click Shutdown
    Choose to restart the computer in MS-DOS mode and click ok.

    Once at the MS-DOS prompt type the below commands to restore the system.ini

    cd\windows <press enter>
    ren system.ini system.ch <press enter>

    If after attempting to rename the system.ini you receive File not found, continue to follow the below steps.

    ren system.--- system.ini <press enter>

    If after attempting to type the above command you receive "File not found", follow the below instructions. If you do not receive a message, your system.ini should be restored to its original state.

    dir system.*

    If you see a file other than system.ch such as system.bak or system.000, follow the above instructions but replace the --- with the appropriate extension on your computer.

    Once at the MS-DOS prompt type the below commands to restore the win.ini

    cd\windows <press enter>
    ren win.ini win.ch <press enter>

    If after attempting to rename the win.ini you receive File not found, continue to follow the below steps.

    ren win.--- win.ini <press enter>

    If after attempting to type the above command you receive "File not found", follow the below instructions. If you do not receive a message, your win.ini should be restored to its original state.

    dir win.*

    If you see a file other than win.ch or win.com, such as win.bak or win.000, follow the above instructions but replace the --- with the appropriate extension on your computer.

    Restore files back

    If you encounter additional errors or at any time you wish to use the files you renamed you can simply rename the original files, by reversing the above commands. Below are examples of renaming the files back if you so desire.

    ren system.ch system.ini

    ren win.ch win.ini

    This should not be necessary unless you encountered issues while following the above steps or after restoring the original system.ini and win.ini.
    Last edited by Jolyon; 2009-06-06 at 09:45.

  #7 tashi, Member of Team Spybot, Location USA, Join Date Oct 2005, Posts 30,961

    2006-09-20

    Quote Originally Posted by Janno:
    However, when I look at the system.ini file in Windows (Windows XP SP2 OS), there is no entry there.
    Quote Originally Posted by Jolyon:
    Your system.ini file might be corrupted due to malware...
    Following process can help you to restore the system.ini and win.ini file:

    If you are using Windows 95/98 and are in Windows
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
