Re: BSOD due to base????32
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Tue, 3 Jun 2008 16:17:19 -0400
From: "John Doe" <johndoe@xxxxxxxxxxxxx>
| There is some sort of infector going around that injects itself into the
| boot sequence of XP that randomly names itself "base????32" (where the last
| 4 or 5 letters are random, but the first 4 are always base & the last 2 are
| always 32) & causes the machine to fail on boot up because it cannot find
| this file:
|
| STOP: c0000135 {Unable To Locate Component}
| This application has failed to start because baseokfrf32 was not found.
| Re-installing the application may fix this problem.
|
| This usually occurs after removing the winantiviruspro infector (clearly the
| anti-malware people haven't figured out how to remove this properly yet!).
|
| Any ideas on how to repair this issue without having to do an XP repair
| install? Or where XP gets the command to look for the file? I can't seem
| to find a "boot.sys" or any such file that references it, and obviously
| can't go into the registry to look for it . . .
|
| I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
| /p /r etc but no good.
|
This sounds like a SubSys Trojan.
It loads via...
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
Example of text in an infected PC:
-----------------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basevml32,1
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16
Example of correct text:
----------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basesrv,1
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16
Note, in the infected PC line: ServerDll=basevml32
basevml32.dll is the Trojan. It will load and subsequently load basesrv.dll, which is
legitimate, and thus injects itself into the process.
The problem is, it sounds like the DLL was removed and thus can NOT be loaded, hence the
BSoD.
If you canNOT edit the Registry such that baseokfrf32.dll is not loaded but basesrv.dll is
properly loaded, then you will have to repair the OS.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp