BSOD due to base????32


Guest John Doe
Posted

There is some sort of infector going around that injects itself into the boot sequence of XP that randomly names itself "base????32" (where the last 4 or 5 letters are random, but the first 4 are always base & the last 2 are always 32) & causes the machine to fail on boot up because it cannot find this file:

STOP: c0000135 {Unable To Locate Component}
This application has failed to start because baseokfrf32 was not found.
Re-installing the application may fix this problem.

This usually occurs after removing the winantiviruspro infector (clearly the anti-malware people haven't figured out how to remove this properly yet!).

Any ideas on how to repair this issue without having to do an XP repair install? Or where XP gets the command to look for the file? I can't seem to find a "boot.sys" or any such file that references it, and obviously can't go into the registry to look for it . . .

I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk /p /r etc but no good.

Guest Newell White
Posted

Try msconfig.exe to avoid running this file at start-up.

If you are unsure how to do this a web search for msconfig +windows +startup will find you a tutorial on troubleshooting start-up problems.

--
Regards,
Newell White

Guest John Doe
Posted

It does not show up in msconfig, nor sysinternals' process explorer, autoruns, etc.

It's in the boot sequence somewhere; can anyone knowledgeable about the XP boot sequence shed any light on this? Where can I start looking for this reference & remove it?

STOP: c0000135 {Unable To Locate Component}
This application has failed to start because baseokfrf32 was not found.
Re-installing the application may fix this problem.

Posted

This Stop error usually means a corrupt registry...
Try this:
How to recover from a corrupted registry that prevents Windows XP from starting:
http://support.microsoft.com/default.aspx?...;307545&sd=tech

-jen

Guest Malke
Posted

It sounds like a service and/or driver. Look in Services (Start>Run>services.msc) and see if anything appears there. If not, try clean-boot troubleshooting:

Clean boot in Windows XP - http://support.microsoft.com/kb/310353
Clean-boot advanced troubleshooting in Windows XP - http://support.microsoft.com/kb/316434

You didn't say (or I missed it) whether you can get into Safe Mode or Last Known Good Configuration. If you can't do either of those things, then you'll need to access the registry from outside Windows. A Bart's PE or ERD Commander can do it.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

Guest David H. Lipman
Posted

This sounds like a SubSys Trojan.

It loads via...
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows

Example of text in an infected PC:
-----------------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basevml32,1
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16

Example of correct text:
----------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basesrv,1
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16

Note in the infected PC line; ServerDll=basevml32
basevml32.dll is the Trojan. It will load and subsequently load basesrv.dll which is legitimate and thus injects itself into the process.

The problem is it sounds like the DLL was removed and thus can NOT be loaded and therefore a BSoD.

If you canNOT edit the Registry such that baseokfrf32.dll is not loaded but basesrv.dll is properly loaded then you will have to repair the OS.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
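
The check described in the post above, as an added example that is not part of the original thread or any poster's code: it parses the SubSystems `Windows` value, compares its ServerDll entries with the ones in the post's "correct text", and rebuilds the value with basesrv in slot 1. The function names are hypothetical, and the two sample strings are constructed from the post's infected and correct text joined onto one line.

```python
import re

# ServerDll entries from the post's "correct text": (dll, init routine, slot).
BASELINE = {
    ("basesrv", None, 1),
    ("winsrv", "userserverdllinitialization", 3),
    ("winsrv", "conserverdllinitialization", 2),
}

# One whitespace-delimited token: ServerDll=<dll>[:<init routine>],<slot>
SERVERDLL = re.compile(
    r"(?<!\S)ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)(?!\S)", re.IGNORECASE
)

# Naming scheme reported in this thread (baseokfrf32, basevml32, basehoe32).
THREAD_NAME = re.compile(r"base[a-z]+32")


def _key(dll, init, slot):
    """Normalise an entry: case-insensitive, optional .dll suffix dropped."""
    dll = dll.lower()
    if dll.endswith(".dll"):
        dll = dll[:-4]
    return (dll, init.lower() if init else None, int(slot))


def parse_server_dlls(value):
    """Return every ServerDll entry in the value, in order, normalised."""
    return [_key(*m.groups()) for m in SERVERDLL.finditer(value)]


def audit(value):
    """Compare the value's ServerDll entries with the baseline."""
    found = parse_server_dlls(value)
    unexpected = [e for e in found if e not in BASELINE]
    return {
        "unexpected": unexpected,
        "missing": sorted(BASELINE - set(found), key=lambda e: e[2]),
        "thread_pattern": [e[0] for e in unexpected if THREAD_NAME.fullmatch(e[0])],
    }


def repaired_value(value):
    """Put basesrv back in slot 1, leaving every other token untouched.

    Anything else that differs from the baseline raises, so an unfamiliar
    value is reviewed by hand instead of being rewritten blindly.
    """
    def fix(m):
        entry = _key(*m.groups())
        if entry in BASELINE:
            return m.group(0)
        if entry[1] is None and entry[2] == 1:
            return "ServerDll=basesrv,1"
        raise ValueError(f"unrecognised entry: {m.group(0)}")

    fixed = SERVERDLL.sub(fix, value)
    if sorted(parse_server_dlls(fixed), key=lambda e: e[2]) != sorted(
        BASELINE, key=lambda e: e[2]
    ):
        raise ValueError("value still differs from the baseline")
    return fixed


# Constructed samples: the post's infected and correct text on one line.
INFECTED = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows "
    r"ServerDll=basevml32,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    r"MaxRequestThreads=16"
)
CLEAN = INFECTED.replace("ServerDll=basevml32,1", "ServerDll=basesrv,1")

if __name__ == "__main__":
    print(audit(INFECTED))
    print(repaired_value(INFECTED) == CLEAN)
```

When the SYSTEM hive is loaded offline from another machine there is no CurrentControlSet key; the value sits under ControlSet00N\Control\Session Manager\SubSystems, where N is the Current value of the hive's Select key.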

Guest David H. Lipman
Posted

Afterthought:

Boot into the Windows Recovery Console and logon as the Administrator and then go to;
%windir%\system32

Copy; basesrv.dll to baseokfrf32.dll

Then reboot the PC. See if that will allow the PC to load properly.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest John Doe
Posted

I'll check it out - thanx!

Guest John Doe
Posted

Thanx - I'll check out these resources. I shoulda mentioned, I cannot get into safe mode, last known good, or anything. I'll try a Bart PE build & see what that does for me; once I boot up using Bart, 1) how do I access the Registry, & 2) where am I looking to remove this offender?

Guest John Doe
Posted

thanx - I'll try booting using Bart & see if I can locate this stuff!

Guest John Doe
Posted

Thanx - I'll try that after I try Bart . . .

Guest Malke
Posted

I think this is what you're looking for with a Bart's. With an ERD Commander (old expensive software no longer available unfortunately since MS bought Winternals) you can edit the host system directly. I think David Lipman told you where to look, didn't he?

Registry - edit for other users (MVP Doug Knox)

From an account with Administrator level access

1) Click Start, Run and enter REGEDIT
2) In Regedit, highlight the HKEY_USERS key and go to File, Load Hive.
3) Use the File Open dialog to go to the Documents and Settings\<username> folder, where <username> is the account you wish to modify.
4) Highlight the NTUSER.DAT file in this folder (usually a hidden file) and select Open.
5) You'll be prompted to enter a "Key name". You can use whatever you wish, but I use the User's logon name.
6) You can now expand the Hive you just loaded and make any needed changes.
7) When finished, highlight this Hive again and go to File, Unload Hive.

NOTE: You MUST unload the Hive prior to logging on to the user's account. Otherwise XP may have trouble loading the user's profile.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

Guest John Doe
Posted

I'll try this as well. Still gotta put together a Bart CD, then try getting in, then try finding the registry file(s), etc . . .

Guest David H. Lipman
Posted

The Recovery Console may get you there faster if you try my suggestion of copying the DLL.

"Boot into the Windows Recovery Console and logon as the Administrator and then go to;
%windir%\system32

Copy; basesrv.dll to baseokfrf32.dll

Then reboot the PC. See if that will allow the PC to load properly."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Kyle Johnson
Posted

I am having this same problem on a client's computer. It was infected with WinAntiVirus Pro as well. The file it is referencing on this system is basehoe32.

John, did you find a solution that worked for you?

Guest Kyle Johnson
Posted

Nevermind, I got it working. Followed Lipman's post. I edited the registry offline, System Hive, changed basehoe32 to basesrv in that particular registry entry and voila!

Thank you!

BTW, I just pulled the drive, hooked it up to another computer and loaded the System hive. No need for special software.

Guest John Doe
Posted

Here's the ONLY solution that's worked for me so far (all the "Popular" antimalware programs ignore this one so far):

Download combofix, vundofix, virtumondebegone, & SiRi's virtumonde removers, then boot into safe mode, then run each of them, then boot from the OS Install CD & do a "repair re-installation" of the OS, then do all the updates.

Guest David H. Lipman
Posted

S!ri's SmitfraudFix is NOT for the Vundo Trojan/Virtumonde adware also known as the WinFixer family. It is geared for ZLob/FakeAlert/Rendos malware associated with the SmitFraud family.

BTW: Norman has now released a Vundo Trojan removal tool.
http://download.norman.no/public/Norman_Vundo_Cleaner.exe
http://www.norman.com/Virus/Virus_removal_tools/52658/en

Additionally, MBAM (MalwareBytes Anti Malware utility) is also very effective on the WinFixer family.
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Indiana
Posted

Thanks david that worked like a charm!!! stupid viruses anyway!!

Guest Kerry Brown
Posted

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:eKqdtfByIHA.6096@TK2MSFTNGP06.phx.gbl...

> From: "Indiana" <Indiana@discussions.microsoft.com>

>

> | Thanks david that worked like a charm!!! stupid viruses anyway!!

> |

>

> YW

>

> Interesting how I am seeing a recent flurry of what appears to be variants

> of the SubSys type of Trojan.

>

 

I've seen two computers in the past week with problems that may be related.

They wouldn't boot, both had blue screens with a STOP 8E. I removed the

drives to try and copy data off prior to fixing the problem. Any Windows

computer that tried to access these drives got the same BSOD even when the

drive was connected via a USB adapter. Linux could see the file structure

but not access any files. It appeared the bootsector and partition table were

corrupted. I zeroed out sector 0 and was able to recover some data after

that. The drives tested fine with several hd testing programs. The hardware

on both computers checked out OK. Both customers said the last thing they

saw was something that sounded like a typical rogue antispyware

hijack/extortion. They fell for it and clicked on scan my computer now. On

the next boot the problem occurred. It looks like something is trying to

alter the partition table in an attempt to hide but failing miserably.

 

--

Kerry Brown

MS-MVP - Windows Desktop Experience: Systems Administration

http://www.vistahelp.ca/phpBB2/

Guest David H. Lipman
Posted

From: "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c a m>

 

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

| news:eKqdtfByIHA.6096@TK2MSFTNGP06.phx.gbl...

>> From: "Indiana" <Indiana@discussions.microsoft.com>

>>

|>> Thanks david that worked like a charm!!! stupid viruses anyway!!

|>>

>> YW

>>

>> Interesting how I am seeing a recent flurry of what appears to be variants

>> of the SubSys type of Trojan.

>>

| I've seen two computers in the past week with problems that may be related.

| They wouldn't boot, both had blue screens with a STOP 8E. I removed the

| drives to try and copy data off prior to fixing the problem. Any Windows

| computer that tried to access these drives got the same BSOD even when the

| drive was connected via a USB adapter. Linux could see the file structure

| but not access any files. It appeared the bootsector and partition table were

| corrupted. I zeroed out sector 0 and was able to recover some data after

| that. The drives tested fine with several hd testing programs. The hardware

| on both computers checked out OK. Both customers said the last thing they

| saw was something that sounded like a typical rogue antispyware

| hijack/extortion. They fell for it and clicked on scan my computer now. On

| the next boot the problem occurred. It looks like something is trying to

| alter the partition table in an attempt to hide but failing miserably.

|

 

I would have used the hard disk manufacturer's diagnostic tool such as SeaTools and WDDiag.

 

Some adware has been known to muck with the MBR, etc.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

  • 2 weeks later...
Guest Scattx
Posted

Here is the solution for BSOD for base 32 virus

 

If you come across the virus and you still have access to your computer,

all you have to do is: click on Start, Run, and type in regedit. Once in the

registry, go to: HKLM-System-CurrentControlset-Control-Session

Manager-Subsystems and edit the windows string. Remove base, put in basesrv. It

should read (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows

SharedSection=1024,3072,512 Windows=On SubSystemType=Windows

ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3

ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off

MaxRequestThreads=16)

 

If you cannot get into your system or it blue screens, you will have to

install the hard drive into a working Windows XP computer as a secondary

hard drive or, if you have a USB adapter, as an external USB drive.

Follow these steps: simply run Regedit, click the HKLM key, and from the

"File" menu you should see an option to load hive.

 

Browse to the desired hive on the hard drive you connected (ensure that you

have access to where the hives are stored; for XP it will be in

"windows\system32\config\system"). It will request a name; name this temp,

then click load hive. You will see the temp key loaded in the registry. Now

make the necessary changes indicated here: click on Start, Run, type in

regedit, and once in the registry go to:

HKLM-System-CurrentControlset-Control-Session Manager-Subsystems. Edit the

windows string: remove base, put in basesrv. It should read

(%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows

SharedSection=1024,3072,512 Windows=On SubSystemType=Windows

ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3

ServerDll=winsrv:ConServerDllInitialization,2

ProfileControl=Off MaxRequestThreads=16)

 

Next: click on the temp hive you just created, then click on the File menu

in regedit, then select unload hive. Voilà!!! Install the drive back into the

computer it came from and you are back up and running.

 

I'd suggest ensuring you have the necessary backups and backup each hive you

intend on editing.
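
The check and fix described in this thread, as an added example that is not code from any poster: a Python sketch that parses the SubSystems `Windows` value, flags any ServerDll module other than the two in the clean string quoted earlier, and restores `basesrv` in the index-1 slot. The function names and the `KNOWN_GOOD` set are assumptions of this example; the sample value is the infected string quoted in the thread.

```python
import re

# Modules that appear in the clean XP value quoted in the thread.
KNOWN_GOOD = {"basesrv", "winsrv"}
# ServerDll=<module>[:<init routine>],<server index>
SERVERDLL = re.compile(r"ServerDll=([^\s,:]+)(?::([^\s,]+))?,(\d+)")

# Infected value as quoted in the thread; CLEAN is the corrected form.
INFECTED = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows "
    r"ServerDll=basevml32,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    r"MaxRequestThreads=16"
)
CLEAN = INFECTED.replace("ServerDll=basevml32,1", "ServerDll=basesrv,1")


def server_dlls(value):
    """Return (module, init_routine_or_None, index) per ServerDll entry."""
    return [(m[1], m[2], int(m[3])) for m in SERVERDLL.finditer(value)]


def audit(value):
    """List problems found in a SubSystems 'Windows' value string."""
    entries = server_dlls(value)
    findings = [
        f"unexpected ServerDll module '{mod}' at index {idx}"
        for mod, _init, idx in entries if mod.lower() not in KNOWN_GOOD
    ]
    if not any(mod.lower() == "basesrv" and idx == 1 for mod, _i, idx in entries):
        findings.append("basesrv is not registered at index 1")
    return findings


def repair(value):
    """Restore basesrv in the index-1 slot; every other token is untouched."""
    def fix(m):
        if m[3] == "1" and m[1].lower() != "basesrv":
            return "ServerDll=basesrv,1"
        return m[0]
    return SERVERDLL.sub(fix, value)


if __name__ == "__main__":
    for name, value in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, audit(value) or "ok")
    print(repair(INFECTED) == CLEAN)
```

When the value is read from a hive loaded off another disk, that hive has no CurrentControlSet key; the same value sits under ControlSet001 (or whichever set the hive's Select\Current value names) beneath the name given to the loaded hive.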

Guest David H. Lipman
Posted

From: "Scattx" <Scattx@discussions.microsoft.com>

 

| Here is the solution for BSOD for base 32 virus

 

Read my responses. I gave the instructions already and this is a Trojan and NOT a virus.

 

|

| If you come across the virus and you still have access to your computer,

| all you have to do is: click on Start, Run, and type in regedit. Once in the

| registry, go to: HKLM-System-CurrentControlset-Control-Session

| Manager-Subsystems and edit the windows string. Remove base, put in basesrv. It

| should read (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows

| SharedSection=1024,3072,512 Windows=On SubSystemType=Windows

| ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3

| ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off

| MaxRequestThreads=16)

|

 

< snip >

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Bob J
Posted

How do you work on the registry of the secondary drive? When I open regedit

(either through Run or attempted access through the secondary hdd of

windows\system32\) it opens the registry of the primary drive. How do I get

around this?

 

"Scattx" wrote:

> Here is the solution for BSOD for base 32 virus

>

> If you come across the virus and you still have access to your computer,

> all you have to do is: click on Start, Run, and type in regedit. Once in the

> registry, go to: HKLM-System-CurrentControlset-Control-Session

> Manager-Subsystems and edit the windows string. Remove base, put in basesrv. It

> should read (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows

> SharedSection=1024,3072,512 Windows=On SubSystemType=Windows

> ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3

> ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off

> MaxRequestThreads=16)

>

> If you cannot get into your system or it blue screens, you will have to

> install the hard drive into a working Windows XP computer as a secondary

> hard drive or, if you have a USB adapter, as an external USB drive.

> Follow these steps: simply run Regedit, click the HKLM key, and from the

> "File" menu you should see an option to load hive.

>

> Browse to the desired hive on the hard drive you connected (ensure that you

> have access to where the hives are stored; for XP it will be in

> "windows\system32\config\system"). It will request a name; name this temp,

> then click load hive. You will see the temp key loaded in the registry. Now

> make the necessary changes indicated here: click on Start, Run, type in

> regedit, and once in the registry go to:

> HKLM-System-CurrentControlset-Control-Session Manager-Subsystems. Edit the

> windows string: remove base, put in basesrv. It should read

> (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows

> SharedSection=1024,3072,512 Windows=On SubSystemType=Windows

> ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3

> ServerDll=winsrv:ConServerDllInitialization,2

> ProfileControl=Off MaxRequestThreads=16)

>

> Next: click on the temp hive you just created, then click on the File menu

> in regedit, then select unload hive. Voilà!!! Install the drive back into the

> computer it came from and you are back up and running.

>

> I'd suggest ensuring you have the necessary backups and backup each hive you

> intend on editing.
