Windows Forum / Security / Viruses / July 2008


BSOD due to base????32

John Doe - 03 Jun 2008 14:37 GMT
There is some sort of infector going around that injects itself into the
boot sequence of XP that randomly names itself "base????32" (where the last
4 or 5 letters are random, but the first 4 are always base & the last 2 are
always 32) & causes the machine to fail on boot up because it cannot find
this file:

STOP: c0000135 {Unable To Locate Component}
This application has failed to start because baseokfrf32 was not found.
Re-installing the application may fix this problem.

This usually occurs after removing the winantiviruspro infector (clearly the
anti-malware people haven't figured out how to remove this properly yet!).

Any ideas on how to repair this issue without having to do an XP repair
install?  Or where XP gets the command to look for the file?  I can't seem
to find a "boot.sys" or any such file that references it, and obviously
can't go into the registry to look for it . . .

I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
/p /r  etc but no good.
Newell White - 03 Jun 2008 15:39 GMT
Try msconfig.exe to avoid running this file at start-up.

If you are unsure how to do this a web search for msconfig +windows +startup
will find you a tutorial on troubleshooting start-up problems.
Signature

Regards,
Newell White

> There is some sort of infector going around that injects itself into the
> boot sequence of XP that randomly names itself "base????32" (where the last
[quoted text clipped - 16 lines]
> I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
> /p /r  etc but no good.
John Doe - 03 Jun 2008 16:04 GMT
It does not show up in msconfig, nor sysinternals' process explorer,
autoruns, etc.

It's in the boot sequence somewhere; can anyone knowledgeable about the XP
boot sequence shed any light on this?  Where can I start looking for this
reference & remove it?

STOP: c0000135 {Unable To Locate Component}
This application has failed to start because baseokfrf32 was not found.
Re-installing the application may fix this problem.

> Try msconfig.exe to avoid running this file at start-up.
>
[quoted text clipped - 28 lines]
>> chkdsk
>> /p /r  etc but no good.
Malke - 03 Jun 2008 19:29 GMT
> It does not show up in msconfig, nor sysinternals' process explorer,
> autoruns, etc.
[quoted text clipped - 6 lines]
> This application has failed to start because baseokfrf32 was not found.
> Re-installing the application may fix this problem.

It sounds like a service and/or driver. Look in Services
(Start>Run>services.msc) and see if anything appears there. If not, try
clean-boot troubleshooting:

Clean boot in Windows XP - http://support.microsoft.com/kb/310353
Clean-boot advanced troubleshooting in Windows XP -
http://support.microsoft.com/kb/316434

You didn't say (or I missed it) whether you can get into Safe Mode or Last
Known Good Configuration. If you can't do either of those things, then
you'll need to access the registry from outside Windows. A Bart's PE or ERD
Commander can do it.

Malke
Signature

MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

John Doe - 03 Jun 2008 22:12 GMT
Thanx - I'll check out these resources.  I shoulda mentioned, I cannot get
into safe mode, last known good, or anything.  I'll try a Bart PE build &
see what that does for me; once I boot up using Bart, 1) how do I access the
Registry, & 2) where am I looking to remove this offender?

>> It does not show up in msconfig, nor sysinternals' process explorer,
>> autoruns, etc.
[quoted text clipped - 23 lines]
>
> Malke
Malke - 04 Jun 2008 00:24 GMT
> Thanx - I'll check out these resources.  I shoulda mentioned, I cannot get
> into safe mode, last known good, or anything.  I'll try a Bart PE build &
> see what that does for me; once I boot up using Bart, 1) how do I access
> the Registry, & 2) where am I looking to remove this offender?

I think this is what you're looking for with a Bart's. With an ERD Commander
(old expensive software no longer available unfortunately since MS bought
Winternals) you can edit the host system directly. I think David Lipman
told you where to look, didn't he?

Registry - edit for other users (MVP Doug Knox)

From an account with Administrator level access

1) Click Start, Run and enter REGEDIT
2) In Regedit, highlight the HKEY_USERS key and go to File, Load Hive.
3) Use the File Open dialog to go to the Documents and Settings\<username>
folder, where <username> is the account you wish to modify.
4) Highlight the NTUSER.DAT file in this folder (usually a hidden file) and
select Open.
5) You'll be prompted to enter a "Key name". You can use whatever you wish,
but I use the User's logon name.
6) You can now expand the Hive you just loaded and make any needed changes.
7) When finished, highlight this Hive again and go to File, Unload Hive.

NOTE:  You MUST unload the Hive prior to logging on to the users account.
Otherwise XP may have trouble loading the user's profile.

Malke
Signature

MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

John Doe - 04 Jun 2008 11:21 GMT
I'll try this as well.  Still gotta put together a Bart CD, then try getting
in, then try finding the registry file(s), etc . . .

>> Thanx - I'll check out these resources.  I shoulda mentioned, I cannot
>> get
[quoted text clipped - 30 lines]
>
> Malke
David H. Lipman - 04 Jun 2008 21:31 GMT
From: "John Doe" <johndoe@microsoft.com>

| I'll try this as well.  Still gotta put together a Bart CD, then try getting
| in, then try finding the registry file(s), etc . . .

The Recovery Console may get you there faster if you try my suggestion of copying the DLL.

"Boot into the Windows Recovery Console and logon as the Administrator and then go to;
%windir%\system32

Copy;  basesrv.dll to baseokfrf32.dll

Then reboot the PC.  See if that will allow the PC to load properly."

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

jen - 03 Jun 2008 19:25 GMT
> There is some sort of infector going around that injects itself into
> the boot sequence of XP that randomly names itself "base????32" (where
[quoted text clipped - 17 lines]
> I've tried going into the Recovery Console & doing fixboot, fixmbr,
> chkdsk /p /r  etc but no good.

This Stop error usually means a corrupt registry...
Try this:
How to recover from a corrupted registry that prevents Windows XP from
starting:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307545&sd=tech

-jen
John Doe - 03 Jun 2008 22:10 GMT
I'll check it out - thanx!

>> There is some sort of infector going around that injects itself into the
>> boot sequence of XP that randomly names itself "base????32" (where the
[quoted text clipped - 25 lines]
>
> -jen
David H. Lipman - 03 Jun 2008 21:17 GMT
From: "John Doe" <johndoe@microsoft.com>

| There is some sort of infector going around that injects itself into the
| boot sequence of XP that randomly names itself "base????32" (where the last
[quoted text clipped - 16 lines]
| I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
| /p /r  etc but no good.

This sounds like a SubSys Trojan.

It loads via...
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows

Example of text in an infected PC:
-----------------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basevml32,1
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16

Example of correct text:
----------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basesrv,1
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16

Note in the infected PC line;  ServerDll=basevml32
basevml32.dll is the Trojan.  It will load and subsequently load basesrv.dll which is
legitimate and thus injects itself into the process.

The problem is it sounds like the DLL was removed and thus can NOT be loaded and therefore a
BSoD.

If you canNOT edit the Registry such that baseokfrf32.dll is not loaded but basesrv.dll is
properly loaded then you will have to repair the OS.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

John Doe - 03 Jun 2008 22:12 GMT
thanx - I'll try booting using Bart & see if I can locate this stuff!

> From: "John Doe" <johndoe@microsoft.com>
>
[quoted text clipped - 61 lines]
> but basesrv.dll is
> properly loaded then you will have to repair the OS.
Indiana - 06 Jun 2008 17:23 GMT
Thanks david that worked like a charm!!!   stupid viruses anyway!!

> From: "John Doe" <johndoe@microsoft.com>
>
[quoted text clipped - 47 lines]
> If you canNOT edit the Registry such that baseokfrf32.dll is not loaded but basesrv.dll is
> properly loaded then you will have to repair the OS.
David H. Lipman - 06 Jun 2008 21:57 GMT
From: "Indiana" <Indiana@discussions.microsoft.com>

| Thanks david that worked like a charm!!!   stupid viruses anyway!!

YW

Interesting how I am seeing a recent flurry of what appears to be variants of the SubSys
type of Trojan.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Kerry Brown - 07 Jun 2008 22:56 GMT
> From: "Indiana" <Indiana@discussions.microsoft.com>
>
[quoted text clipped - 5 lines]
> of the SubSys
> type of Trojan.

I've seen two computers in the past week with problems that may be related.
They wouldn't boot, both had blue screens with a STOP 8E. I removed the
drives to try and copy data off prior to fixing the problem. Any Windows
computer that tried to access these drives got the same BSOD even when the
drive was connected via a USB adapter. Linux could see the file structure
but not access any files. It appeared the bootsector and partition table was
corrupted. I zeroed out sector 0 and was able to recover some data after
that. The drives tested fine with several hd testing programs. The hardware
on both computers checked out OK. Both customers said the last thing they
saw was something that sounded like a typical rogue antispyware
hijack/extortion. They fell for it and clicked on scan my computer now. On
the next boot the problem occurred. It looks like something is trying to
alter the partition table in an attempt to hide but failing miserably.

Signature

Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/

David H. Lipman - 08 Jun 2008 00:07 GMT
From: "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m>

>> From: "Indiana" <Indiana@discussions.microsoft.com>
>>
[quoted text clipped - 19 lines]
| the next boot the problem occurred. It looks like something is trying to
| alter the partition table in an attempt to hide but failing miserably.

I would have used the hard disk manufacturer's diagnostic tool such as SeaTools and WDDiag.

Some adware has been known to muck with the MBR, etc.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman - 03 Jun 2008 21:19 GMT
From: "John Doe" <johndoe@microsoft.com>

| There is some sort of infector going around that injects itself into the
| boot sequence of XP that randomly names itself "base????32" (where the last
[quoted text clipped - 16 lines]
| I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
| /p /r  etc but no good.

Afterthought:

Boot into the Windows Recovery Console and logon as the Administrator and then go to;
%windir%\system32

Copy;  basesrv.dll to baseokfrf32.dll

Then reboot the PC.  See if that will allow the PC to load properly.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

John Doe - 03 Jun 2008 22:14 GMT
Thanx - I'll try that after I try Bart . . .

> From: "John Doe" <johndoe@microsoft.com>
>
[quoted text clipped - 35 lines]
>
> Then reboot the PC.  See if that will allow the PC to load properly.
Kyle Johnson - 05 Jun 2008 14:05 GMT
I am having this same problem on a client's computer. It was infected with
WinAntiVirus Pro as well.  The file it is referencing on this system is
basehoe32.

John, did you find a solution that worked for you?

> There is some sort of infector going around that injects itself into the
> boot sequence of XP that randomly names itself "base????32" (where the last
[quoted text clipped - 16 lines]
> I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
> /p /r  etc but no good.
Kyle Johnson - 05 Jun 2008 14:26 GMT
Never mind, I got it working. Followed Lipman's post. I edited the registry
offline, System Hive, changed basehoe32 to basesrv in that particular
registry entry and voila!

Thank you!

BTW, I just pulled the drive, hooked it up to another computer and loaded
the System hive. No need for special software.

> I am having this same problem on a client's computer. It was infected with
> WinAntiVirus Pro as well.  The file it is referencing on this system is
[quoted text clipped - 22 lines]
> > I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
> > /p /r  etc but no good.
John Doe - 05 Jun 2008 22:12 GMT
Here's the ONLY solution that's worked for me so far (all the "Popular"
antimalware programs ignore this one so far):

Download combofix, vundofix, virtumondebegone, & SiRi's virtumonde removers,
then boot into safe mode, then run each of them, then boot from the OS
Install CD & do a "repair re-installation" of the OS, then do all the
updates.

>I am having this same problem on a client's computer. It was infected with
> WinAntiVirus Pro as well.  The file it is referencing on this system is
[quoted text clipped - 28 lines]
>> chkdsk
>> /p /r  etc but no good.
David H. Lipman - 05 Jun 2008 22:34 GMT
From: "John Doe" <johndoe@microsoft.com>

| Here's the ONLY solution that's worked for me so far (all the "Popular"
| antimalware programs ignore this one so far):
[quoted text clipped - 3 lines]
| Install CD & do a "repair re-installation" of the OS, then do all the
| updates.

S!ri's SmitfraudFix is NOT for the Vundo Trojan/Virtumonde adware also known as the
WinFixer family.  It is geared for ZLob/FakeAlert/Rendos malware associated with the
SmitFraud family.

BTW:  Norman has now released Vundo Trojan removal tool.
http://download.norman.no/public/Norman_Vundo_Cleaner.exe
http://www.norman.com/Virus/Virus_removal_tools/52658/en

Additionally, MBAM (MalwareBytes Anti Malware utility) is also *very* effective on the
WinFixer family.
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Scattx - 20 Jun 2008 06:50 GMT
Here is the solution for BSOD for base****32 virus

If you come across the virus and you still have access to your computer,
all you have to do is: click on Start, Run, type in regedit, and once in the
registry go to HKLM-System-CurrentControlset-Control-Session
Manager-Subsystems. Edit the Windows string: remove base**** and put in basesrv. It
should read (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,3072,512 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
MaxRequestThreads=16)

If you cannot get into your system or it blue screens, you will have to
install the hard drive into a working Windows XP computer as a secondary
hard drive or, if you have a USB adapter, as an external USB drive.
Follow these steps: simply run Regedit, click the HKLM key, and from the
"File" menu you should see an option to Load Hive.

Browse to the desired hive on the hard drive you connected (ensure that you
have access to where the hives are stored; for XP it will be in
"windows\system32\config\system"). It will request a name; name this temp,
then click Load Hive. You will see the temp key loaded in the registry. Now
make the necessary changes indicated here: in regedit, go to
temp-ControlSet-Control-Session Manager-Subsystems (the loaded hive takes
the place of HKLM-System), edit the Windows string, remove base**** and put in
basesrv. It should read
(%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,3072,512 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16)

Next: click on the temp hive you just created, then click on the File menu
in regedit and select Unload Hive. Voila!!! Install the drive back into the
computer it came from and you are back up and running.

I'd suggest ensuring you have the necessary backups and backup each hive you
intend on editing.
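The check that David Lipman's post above describes by eye (compare the ServerDll entries in the SubSystems\Windows value against the known-good line) and that Scattx's procedure performs by hand is easy to script once the string has been read out of the loaded hive. The following Python is an added example, not code from the thread or from any of the posters: it parses the value, reports any ServerDll that is not basesrv or winsrv, flags names matching the "base...32" pattern the thread reports, notes whether basesrv is present at all, and returns the repaired string. The two sample values are constructed from the infected and correct examples posted in the thread; the KNOWN_GOOD set, the lookalike pattern and all function names are my assumptions.

```python
import re

# Sample values constructed from the infected/correct examples posted in this thread
# (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows on XP).
INFECTED = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows "
    "ServerDll=basevml32,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)
CORRECT = INFECTED.replace("ServerDll=basevml32,1", "ServerDll=basesrv,1")

# Server DLLs that belong in the XP Windows subsystem line (assumption: only these two).
KNOWN_GOOD = {"basesrv", "winsrv"}

# Each entry has the form ServerDll=<dll>[:<entrypoint>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)")

# Naming pattern reported in the thread: "base", a few random characters, "32".
LOOKALIKE_RE = re.compile(r"^base[a-z0-9]{2,6}32$", re.IGNORECASE)


def parse_serverdlls(value):
    """Return [(dll, entrypoint_or_None, index), ...] in the order they appear."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in SERVERDLL_RE.finditer(value)]


def find_rogue_serverdlls(value):
    """Names of ServerDll entries that are not in KNOWN_GOOD (e.g. basevml32)."""
    return [dll for dll, _, _ in parse_serverdlls(value) if dll.lower() not in KNOWN_GOOD]


def is_basesrv_lookalike(name):
    """True for names shaped like the trojan's (basevml32, baseokfrf32), never for basesrv itself."""
    return name.lower() != "basesrv" and LOOKALIKE_RE.match(name) is not None


def basesrv_present(value):
    """False when the trojan has taken basesrv's place outright, which is the thread's scenario."""
    return any(dll.lower() == "basesrv" for dll, _, _ in parse_serverdlls(value))


def repair(value):
    """Put basesrv back into its own slot (index 1, no entry point) if a rogue DLL occupies it.
    Rogue entries in any other slot are left alone so they can be reviewed rather than auto-edited."""
    def fix(m):
        dll, entrypoint, index = m.group(1), m.group(2), m.group(3)
        if dll.lower() in KNOWN_GOOD:
            return m.group(0)
        if index == "1" and entrypoint is None:
            return f"ServerDll=basesrv,{index}"
        return m.group(0)
    return SERVERDLL_RE.sub(fix, value)


def audit(value):
    """Everything an investigator wants to know before touching the hive, in one dict."""
    rogue = find_rogue_serverdlls(value)
    return {
        "rogue_serverdlls": rogue,
        "basesrv_lookalikes": [d for d in rogue if is_basesrv_lookalike(d)],
        "basesrv_present": basesrv_present(value),
        "repaired": repair(value),
    }


if __name__ == "__main__":
    report = audit(INFECTED)
    print("rogue ServerDll entries:", report["rogue_serverdlls"])
    print("basesrv present:", report["basesrv_present"])
    print("repaired value:", report["repaired"])
```

Run against the infected sample, the audit reports basevml32 as a rogue, lookalike entry and basesrv as absent, which is exactly why deleting the trojan's DLL on its own produced the STOP c0000135 in the thread: csrss.exe still tries to load the rogue name and nothing else loads basesrv. Writing the repaired string back into the loaded hive (as Kyle Johnson did) removes the dependency on the missing file, whereas copying basesrv.dll under the rogue name only satisfies the loader while leaving the modified value in place.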
David H. Lipman - 20 Jun 2008 23:30 GMT
From: "Scattx" <Scattx@discussions.microsoft.com>

| Here is the solution for BSOD for base****32 virus

Read my responses.   I gave the instructions already and this is a Trojan and NOT a virus.

| If you come across the virus and you still have access to your computer
| all you have to do is: click on start, run: type in regedit once in the
[quoted text clipped - 5 lines]
| ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
| MaxRequestThreads=16)

< snip >

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Bob J - 25 Jun 2008 18:33 GMT
How do you work on the registry of the secondary drive?  When I open regedit
(either through Run or attempted access through the secondary hdd of
windows\system32\) it opens the registry of the primary drive.  How do I get
around this?

> Here is the solution for BSOD for base****32 virus
>
[quoted text clipped - 34 lines]
> I'd suggest ensuring you have the necessary backups and backup each hive you
> intend on editing.
David H. Lipman - 25 Jun 2008 22:32 GMT
From: "Bob J" <Bob J@discussions.microsoft.com>

| How do you work on the registry of the secondary drive?  When I open regedit
| (either through Run or attempted access through the secondary hdd of
| windows\system32\) it opens the registry of the primary drive.  How do I get
| around this?

What is the text in the BSoD error message ?
Specifically, this part...

This application has failed to start because XXXXXX  was not found.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Bob J - 26 Jun 2008 14:38 GMT
It's the identical problem as John Doe's (I've been following this discussion
while trying to repair an infected hdd) ... "... application failed to start
because basetdf32 was not found."

When I attempt to access the registry, as mentioned below, and follow the
path to the Subsystem the text does not appear corrupted.  This is what leads
me to believe I'm viewing the registry of the primary drive.

btw ... The other suggestion given to John Doe was to build a Bart PE, but
I've got an OEM version (Bart builds not recommended for OEM).  

> From: "Bob J" <Bob J@discussions.microsoft.com>
>
[quoted text clipped - 7 lines]
>
> This application has failed to start because XXXXXX  was not found.
David H. Lipman - 26 Jun 2008 22:10 GMT
From: "Bob J" <BobJ@discussions.microsoft.com>

| It's the identical problem as John Doe's (I've been following this discussion
| while trying to repair an infected hdd) ... "... application failed to start
| because basetdf32 was not found."

| When I attempt to access the registry, as mentioned below, and follow the
| path to the Subsystem the text does not appear corrupted.  This is what leads
| me to believe I'm viewing the registry of the primary drive.

| btw ... The other suggestion given to John Doe was to build a Bart PE, but
| I've got an OEM version (Bart builds not recommended for OEM).

Boot from the Windows Recovery Console.

Go to;  c:\windows\system32 [ or c:\winnt\system32 ]

Copy;  basesrv.dll   to   baseokfrf32.dll

Then reboot the PC.  See if that will allow the PC to load properly.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Bob J - 01 Jul 2008 21:31 GMT
I'll need a little guidance here as I'm unfamiliar with DOS.  I think I may
have left a step out.  I don't get a BSOD, but it hangs just before the logon
screen (the mouse is present and responsive).  Same thing happens if I try to
boot into SafeMode.

Here's what I did after booting to Recovery ...
c:\windows\system32>copy basesrv.dll basetdf32.dll
(returned a message something like "1 copy created"

I obviously missed something here.

> From: "Bob J" <BobJ@discussions.microsoft.com>
>
[quoted text clipped - 16 lines]
>
> Then reboot the PC.  See if that will allow the PC to load properly.
David H. Lipman - 01 Jul 2008 22:26 GMT
From: "Bob J" <BobJ@discussions.microsoft.com>

| I'll need a little guidance here as I'm unfamiliar with DOS.  I think I may
| have left a step out.  I don't get a BSOD, but it hangs just before the logon
| screen (the mouse is present and responsive).  Same thing happens if I try to
| boot into SafeMode.

| Here's what I did after booting to Recovery ...
| c:\windows\system32>copy basesrv.dll basetdf32.dll
| (returned a message something like "1 copy created"

| I obviously missed something here.

The first thing to understand is that it is NOT DOS.  There is no DOS under a NT based OS.

Your system may be hosed and you will have to perform a repair install.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Bob J - 01 Jul 2008 23:24 GMT
> From: "Bob J" <BobJ@discussions.microsoft.com>
>
[quoted text clipped - 12 lines]
>
> Your system may be hosed and you will have to perform a repair install.

did I write the command correctly or how would it be written?
David H. Lipman - 02 Jul 2008 00:27 GMT
From: "Bob J" <BobJ@discussions.microsoft.com>

| did I write the command correctly or how would it be written?

The following was correct.

c:\windows\system32>copy basesrv.dll basetdf32.dll

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 
©2008 Advenet LLC   Privacy Policy - Terms of Use