Continuous Explorer Restarting Virus/Trojan

Came across this little bugger in my manager’s PC. The whole thing is that after logging into Windows, Windows Explorer continuously restarts and exits. You can click the start button and open something, but it will naturally kill itself when Explorer exits. You can’t even open the drives and folders normally since they will close sooner or later; anything running under Explorer.exe will die when Explorer.exe dies. Simplest way around the folders and drives is using the good ol’ command prompt. Did this and amazingly it didn’t die, thank God for command prompts. As usual, scouring the RECYCLER folder for hidden trojans resulted in a no-show; next were the usual system32 and system folders under the Windows folder. These little buggers get smarter every day. There weren’t any hidden files, so I was already assuming the exe file was there and ran through Windows startup using the registry. Using Autoruns from Sysinternals, I found one of the problems: a rogue exe is started every time the system starts. Deleted the entry from the registry, located the file under the system32 folder and also removed it.

That didn’t fix the problem.

There was something else running when Windows starts up. Next target… DLLs. Amazingly, there were dlls that were out of place and curiously named. For example, a crypt32.dll that wasn’t signed by Microsoft. Removed the entry and tried to remove the dll. No luck, it’s being used. The next tool that was very useful was Unlocker. I ‘unlocked’ the hook for the dll and restarted. Still didn’t fix it, but I was getting close. There were two more dlls I found that were very suspicious. I tried to kill one and remove it; the other regenerated the dll. I tried to unhook the other dll, and the whole PC restarted. Smart bugger. Thank goodness for safe mode. Restarted in safe mode and used Unlocker again to unhook the dll. Removed one of the dlls and its entry in the registry. Good… it didn’t restart… just a countdown for a system shutdown… freaking dll.

The system restarted and good news is the dll that forced the shutdown wasn’t regenerated. Last dll was a bit simpler. Used unlocker to unhook the dll, deleting was not successful, though unlocker had a feature to delete the dll after a restart. Selected the option and waited. Thankfully, the whole ordeal ended there. All three dlls didn’t regenerate after that.

Note to PC users who watch videos from torrents (Heroes, Prison Break…): if it asks you to download a player to run the video you downloaded… DON’T!!

Slow update…

Well, it’s been a month… or more? of no updates… been busy for a while cleaning code and installing some PCs. I was thinking of posting those extjs codes I used that gave me some ‘wtf?!’ or ‘doh!’ moments in the past… we’ll see. I’m also currently compiling the documentation on how I set up a replication master-slave server in 3 different locations and replicate through SSH. I’ll be posting that later on also.

MySQL Slave Failed to Open the Relay Log

This problem is a little tricky; there are possible fixes that the MySQL website has stated. Sad to say, the ones I read in the forum and site didn’t fix my problem. What I encountered was that the relay-bin from my MySQL slave server had already been ‘rotated’, meaning deleted from the folder. This happens when the slave has been disconnected from the master for quite a long time already and has not replicated anything. A simple way to fix this is to flush the logs, but make sure the slave is stopped before using this command…


Bring in a fresh copy of the database from the master-server and update the slave-server database. THIS IS IMPORTANT! Since if you don’t update the slave database, you will not have the data from the time you were disconnected until you reset the relay logs. So UPDATE YOUR SLAVE WITH THE LATEST DATABASE FROM THE MASTER!

Now when the logs are flushed, all the relay-bin logs will be deleted when the slave is started again. Usually, this fixes the problem, but when you start the slave and the failed relay log error is still there, you have to take a more desperate measure… reset the slave. This is what I had to do to fully restore my MySQL slave server. Resetting the slave restores all the settings to default… password, username, relay-log, port, table to replicate, etc… So it is better to have a copy of your settings first before actually doing a slave reset. When you’re ready to reset the slave, do the command…


after which you should restore all your settings with a command something like…


now start your server with…


check your slave server with…


look for …

Slave_IO_Running: Yes
Slave_SQL_Running: Yes

both should be YES, if not, check your syslog if there are other errors encountered. I’ll leave this until here since this is what I encountered and I was able to fix it.

Edit 5/14/11:

There is a possible chance that after executing the CHANGE MASTER command you’ll receive the error below…

ERROR 1201 (HY000): Could not initialize master info structure; more error messages can be found in the MySQL error log

This can occur when the relay logs under /var/lib/mysql were not properly cleaned and are still there. The next thing is to delete them manually, log back in to mysql, refresh logs, reset slave, then execute the CHANGE MASTER command again. The file to delete would be . This should work now. Sometimes I don’t know why mysql can’t reset the slave logs.
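The sequence this post describes, written out as an added example; the post's own commands are missing from this page, so this is not the author's original text. Everything in angle brackets is a placeholder, and port 3306 is assumed as the MySQL default.

```sql
-- Added example. Run in the mysql client on the SLAVE unless noted otherwise.
-- Values in angle brackets are placeholders, not values from the post.

-- 0. Record the current replication settings before anything is reset
--    (Master_Host, Master_User, Master_Port and so on).
SHOW SLAVE STATUS\G

-- 1. Stop replication first, then flush the logs.
STOP SLAVE;
FLUSH LOGS;

-- 2. On the MASTER, take a fresh dump and note the binary log coordinates
--    that belong to it (the File and Position columns):
--        SHOW MASTER STATUS;
--    Load that dump into the slave before continuing.

-- 3. If the relay log error is still there, reset the slave. As the post
--    notes, the connection settings have to be re-entered afterwards.
RESET SLAVE;

-- 4. Restore the settings recorded in step 0, using the coordinates from
--    step 2. The account only needs the REPLICATION SLAVE privilege, and
--    the password given here is written to master.info in plain text, so
--    use a dedicated replication account rather than root.
CHANGE MASTER TO
    MASTER_HOST     = '<master-host>',
    MASTER_PORT     = 3306,
    MASTER_USER     = '<replication-user>',
    MASTER_PASSWORD = '<replication-password>',
    MASTER_LOG_FILE = '<file-from-show-master-status>',
    MASTER_LOG_POS  = <position-from-show-master-status>;

-- 5. Start replication and check both threads. When either one is not
--    "Yes", the Last_IO_Error and Last_SQL_Error fields say why.
START SLAVE;
SHOW SLAVE STATUS\G
```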

MySQL: Query Real Values from Delimiter-Separated-String-IDs

I had a problem in using a comma-separated string value returned from a query in an “IN” statement. I used the IDs from one table, concatenated them into a comma-separated value and inserted them into another table. Baaaad idea… Now when I query that value, I can’t use it directly in an “IN” statement to retrieve their real values since it’s a string being returned from the query; the “IN” statement will not compare all the values inside as a set, but will compare it as a string.

    SELECT value FROM my_table WHERE my_id IN ('1, 2, 3')

is NOT equivalent to

    SELECT value FROM my_table WHERE my_id IN ('1', '2', '3')

So, if you have a table containing values 1 to 3, the first query will return only 1 while the second query will return all values; 1, 2 and 3.

I Googled around and found out that MySQL does not have a native equivalent of PHP’s explode() function. Crap… I had to do it the hard way and create a MySQL stored function to ‘explode’ the values from its delimiter, query the right value from the other table using the exploded IDs, concat them back together and return them as a string.

Below is the function I was able to patch together from different codes I found in the MySQL forum. I added comments to make things clearer. I named the function splitAndTranslate since that’s what I was really trying to implement. You can make up your own modifications and function name.

DELIMITER //
DROP FUNCTION IF EXISTS `splitAndTranslate` //
CREATE FUNCTION splitAndTranslate(str TEXT, delim VARCHAR(124))
RETURNS TEXT
READS SQL DATA
BEGIN
	DECLARE i INT DEFAULT 0;	-- total number of separated values
	DECLARE ctr INT DEFAULT 0;	-- counter for the loop
	DECLARE str_len INT;		-- string length, self explanatory
	DECLARE out_str text DEFAULT '';	-- return string holder
	DECLARE temp_str text DEFAULT '';	-- temporary string holder
	DECLARE temp_val VARCHAR(255) DEFAULT '';	-- temporary string holder for query
	-- get length
	SET str_len=LENGTH(str);
	-- get total number of delimiters and add 1
	-- add 1 since total separated values are 1 more than the number of delimiters
	SET i = (LENGTH(str)-LENGTH(REPLACE(str, delim, '')))/LENGTH(delim) + 1;
	-- start of while loop
	WHILE(ctr<i) DO
		-- add 1 to the counter, which will also be used to get the value of the string
		SET ctr=ctr+1;
		-- get value separated by delimiter using ctr as the index
		SET temp_str = REPLACE(SUBSTRING(SUBSTRING_INDEX(str, delim, ctr), LENGTH(SUBSTRING_INDEX(str, delim,ctr - 1)) + 1), delim, '');
		-- query real value and insert into temporary value holder, temp_str contains the exploded ID
		-- (replace the three <...> placeholders with your own column and table names)
		SELECT <real_value_column> INTO temp_val FROM <my_table> WHERE <table_id>=temp_str;
		-- concat real value into output string separated by the same delimiter
		SET out_str=CONCAT(out_str, temp_val, delim);
	-- end of while loop
	END WHILE;
	-- trim delimiter from end of string
	SET out_str=TRIM(TRAILING delim FROM out_str);
	RETURN(out_str);	-- return
END //
DELIMITER ;

After creating the stored function, you can now use it normally like any MySQL function inside a query. So what I now do with the new function is…

SELECT splitAndTranslate( g.comma_separated_ids, ',' ) real_values FROM my_group_table g;

Thanks to Chris Stubben in the MySQL Forum, I used and modified his code to fit my need.
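An added example, not from the original post: MySQL's built-in FIND_IN_SET() matches an ID against a comma-separated string, so the same translation can be done with a join and GROUP_CONCAT() instead of a loop, and a junction table avoids the stored string altogether. Table and column names follow the post's placeholders; my_group_member and all sample rows are constructed.

```sql
-- Constructed sample data; names follow the post's placeholders.
CREATE TABLE my_table (my_id INT PRIMARY KEY, value VARCHAR(255));
INSERT INTO my_table VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma');

CREATE TABLE my_group_table (id INT PRIMARY KEY, comma_separated_ids TEXT);
INSERT INTO my_group_table VALUES (10, '1,2,3'), (11, '3,1');

-- The problem from the post: the whole string is ONE list element, and it
-- is cast to a number for the comparison with my_id.
SELECT value FROM my_table WHERE my_id IN ('1, 2, 3');

-- FIND_IN_SET(needle, 'a,b,c') returns the 1-based position of needle in
-- the list, or 0 when it is absent. It does not skip spaces after commas,
-- hence the REPLACE. The stored string stays data and is never spliced
-- into the SQL text, which is what makes a dynamic IN (...) injectable.
SELECT g.id,
       GROUP_CONCAT(t.value
                    ORDER BY FIND_IN_SET(t.my_id,
                                         REPLACE(g.comma_separated_ids, ' ', ''))
                    SEPARATOR ',') AS real_values
FROM my_group_table g
JOIN my_table t
  ON FIND_IN_SET(t.my_id, REPLACE(g.comma_separated_ids, ' ', '')) > 0
GROUP BY g.id;

-- The normalized design: one row per (group, id) pair. There is no string
-- parsing, the join can use an index, and the foreign key rejects IDs
-- that do not exist in my_table.
CREATE TABLE my_group_member (
    group_id INT NOT NULL,
    my_id    INT NOT NULL,
    PRIMARY KEY (group_id, my_id),
    FOREIGN KEY (my_id) REFERENCES my_table (my_id)
);
INSERT INTO my_group_member VALUES (10, 1), (10, 2), (10, 3), (11, 3), (11, 1);

SELECT m.group_id,
       GROUP_CONCAT(t.value ORDER BY t.my_id SEPARATOR ',') AS real_values
FROM my_group_member m
JOIN my_table t USING (my_id)
GROUP BY m.group_id;
```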

Java 5 JDK and Jakarta Tomcat 5.5 in Ubuntu Server Installation

These are the steps I took to install Jakarta Tomcat 5.5 in conjunction with Java 2 SDK in Ubuntu server.

  1. Login as root, you can also use “su” though I prefer to login as root.
  2. apt-get install sun-java5-jdk
    • This will install Java 2 SDK (1.5); Ubuntu will start downloading packages that are not found in your system.
  3. apt-get install tomcat5.5 tomcat5.5-admin tomcat5.5-webapps
    • Of course jakarta-tomcat 5.5, I’m using 5.5 since this supports java 1.5
  4. Now here’s the tricky part, location for Java and jakarta-tomcat
    • Java’s location is in /usr/lib/jvm/java-1.5.0-sun
    • Jakarta-Tomcat’s location is in /usr/share/tomcat5.5
      • We will need these locations for the export configurations to be written in the .bashrc
  5. Now, open .bashrc in your favorite text editor, I used vim
  6. At the end of the file add these:

    export JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun
    export CLASSPATH="/usr/share/tomcat5.5/common/lib/jsp-api.jar:/usr/share/tomcat5.5/common/lib/servlet-api.jar"
    export CATALINA_HOME=/usr/share/tomcat5.5
  7. Now save the file and exit, then log back in. This is required for the export script to be set.
  8. Before starting the server, the default port the installer set is 8180 instead of the 8080 port that Tomcat uses. To change this, go to /usr/share/tomcat5.5/conf/ and open the file server.xml. Locate the line:

    ...Connector port="8180" maxHttpHeaderSize="8192"...

    and change 8180 to 8080. Save and exit. Now you’re ready to test the server.
  9. Now try the server if it starts, /usr/share/tomcat5.5/bin/ You should see something like this:

    Using CATALINA_BASE: /usr/share/tomcat5.5
    Using CATALINA_HOME: /usr/share/tomcat5.5
    Using CATALINA_TMPDIR: /usr/share/tomcat5.5/temp
    Using JRE_HOME: /usr/lib/jvm/java-1.5.0-sun
  10. Shutting down the server is just /usr/share/tomcat5.5/bin/
  11. Now, during installation of Tomcat, Ubuntu automatically adds a startup and shutdown script, for Ubuntu to use as it starts up or shuts down, in the /etc/init.d/ folder. The filename is tomcat5.5. As the server finishes starting up, you will notice Tomcat isn’t running at all. One possible problem is that the script didn’t use the correct path for the Java 2 SDK. You can check the boot log in /var/log/. Check if during boot up, tomcat5.5 encountered problems. For the problem stated above, you can fix this by going to /etc/default/ and editing the tomcat5.5 file. Locate the line:


    remove the ‘#’ and change it to…


    or wherever your java directory is. After that, restart the server and see if tomcat was successfully started.

    /etc/init.d/tomcat5.5 status

Edit: Problem encountered:

  • Tomcat does not load in Ubuntu 8.04
    Found a little problem loading Tomcat 5.5 under Ubuntu 8.04, it either fails or white screen just appears. I don’t know what happened from 6.04 to 8.04 but once I compared the init.d/tomcat5.5 startup script from 6.04 and 8.04, there WERE changes to the scripts. I replaced the new tomcat5.5 script in 8.04 with the old one from 6.04 and the server started properly after a server restart. I don’t know why but this may have something to do with permissions and I have yet to trace the script.

  • java.lang.ClassNotFoundException: org.apache.jasper.tagplugins.jstl.If
    • The problem here is that the above name is incomplete… what it should have been is org.apache.jasper.tagplugins.jstl.core.*
    • Now, to fix the problem, locate /var/lib/tomcat5.5/webapps/jsp-examples/WEB-INF/tagPlugins.xml and open it with your text editor… I used vim. Now edit each line of code that has org.apache.jasper.tagplugins.jstl in it and add “.core” after jstl. What you will see after editing the code will be…
    • org.apache.taglibs.standard.tag.rt.core.IfTag










  • SEVERE: The scratchDir you specified: [folder_path] is unusable.
    • Sidenote: took me 2 days to figure out why this was happening (X_x)
    • Based on the Catalina logs, the folders under webapps were not accessible by tomcat5.
    • Now looking under all processes running ( ps command ), most bootup services were running under root (mysql, apache, etc ) but tomcat5 was not.
    • If I start tomcat5 when I logged into the console as root, the problem disappears. This led me to believe this might have been because the Tomcat5 user was not given the correct privileges.
    • Work-around 1: Elevate Tomcat5 user to root access level.
    • Work-around 2: Go to /etc/init.d/ and open Tomcat5.5 under any text editor ( I used vim ). Locate the line TOMCAT5_USER=tomcat55 and change it to TOMCAT5_USER=root . Restart your server or you can also execute the restart command for Tomcat5.5 in init.d folder. With this change Tomcat and every web application it hosts run as root.


Delayed projects…

Seems like I’ve been slacking for one year on slickdev’s updates. Been pretty much busy with other web sites and developments that I couldn’t find much time for any development for this site. Hopefully within a few days, I’ll be able to restart this site with my scripts and developments.

Friendster Script

Well, seems like a problem crept into a friend’s Friendster account. Everything in her page disappeared, or so it seems. The problem lay inside the shoutbox. A rogue script has inserted a small CSS script inside and made every “Div” element invisible. How? I don’t know. I made this script for her to run under greasemonkey. This will rewrite what’s inside the shoutbox and let her rewrite what’s inside back to normal.

The greasemonkey script can be found under the script page or here.

SysAdmin Appreciation Day

Mom, Dad, grandparents… etc… they get their special day every year… So what about us? Those who take care of your internet connection, your workstation, making sure there’s no virus, spam etc… 😀 So every year, the last Friday of July, we have SysAdmin Appreciation Day. 😀

One day of appreciation is all we ask. 😉


Welcome to SlickDev. This is my personal site for Web and Software development. Here I will upload and share my scripts, plugins as well as mods to websites and software. Feel free to email and/or leave a comment below.

Thanks and do come back for updates!