BSOD due to base????32


John Doe

There is some sort of infector going around that injects itself into the
boot sequence of XP that randomly names itself "base????32" (where the last
4 or 5 letters are random, but the first 4 are always base & the last 2 are
always 32) & causes the machine to fail on boot up because it cannot find
this file:

STOP: c0000135 {Unable To Locate Component}
This application has failed to start because baseokfrf32 was not found.
Re-installing the application may fix this problem.

This usually occurs after removing the WinAntiVirusPro infector (clearly the
anti-malware people haven't figured out how to remove this properly yet!).

Any ideas on how to repair this issue without having to do an XP repair
install? Or where XP gets the command to look for the file? I can't seem
to find a "boot.sys" or any such file that references it, and obviously
can't go into the registry to look for it . . .

I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
/p /r etc but no good.
 
Try msconfig.exe to avoid running this file at start-up.

If you are unsure how to do this a web search for msconfig +windows +startup
will find you a tutorial on troubleshooting start-up problems.
--
Regards,
Newell White


"John Doe" wrote:

> There is some sort of infector going around that injects itself into the
> boot sequence of XP that randomly names itself "base????32" (where the last
> 4 or 5 letters are random, but the first 4 are always base & the last 2 are
> always 32) & causes the machine to fail on boot up because it cannot find
> this file:
>
> STOP: c0000135 {Unable To Locate Component}
> This application has failed to start because baseokfrf32 was not found.
> Re-installing the application may fix this problem.
>
> This usually occurs after removing the winantivituspro infector (clearly the
> anti-malware people haven't figured out how to remove this properly yet!).
>
> Any ideas on how to repair this issue without having to do an XP repair
> install? Or where XP gets the command to look for the file? I can't seem
> to find a "boot.sys" or any such file that references it, and obviously
> can't go into the registry to look for it . . .
>
> I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
> /p /r etc but no good.
>
>
>
>
 
It does not show up in msconfig, nor sysinternals' process explorer,
autoruns, etc.

It's in the boot sequence somewhere. Can anyone knowledgeable about the XP
boot sequence shed any light on this? Where can I start looking for this
reference & remove it?

STOP: c0000135 {Unable To Locate Component}
This application has failed to start because baseokfrf32 was not found.
Re-installing the application may fix this problem.


"Newell White" wrote in message
news:DF3088C9-092A-479C-9ECB-0AD1FF1DEFEB@microsoft.com...
> Try msconfig.exe to avoid running this file at start-up.
>
> If you are unsure how to do this a web search for msconfig +windows
> +startup
> will find you a tutorial on troubleshooting start-up problems.
> --
> Regards,
> Newell White
>
>
> "John Doe" wrote:
>
>> There is some sort of infector going around that injects itself into the
>> boot sequence of XP that randomly names itself "base????32" (where the
>> last
>> 4 or 5 letters are random, but the first 4 are always base & the last 2
>> are
>> always 32) & causes the machine to fail on boot up because it cannot find
>> this file:
>>
>> STOP: c0000135 {Unable To Locate Component}
>> This application has failed to start because baseokfrf32 was not found.
>> Re-installing the application may fix this problem.
>>
>> This usually occurs after removing the winantivituspro infector (clearly
>> the
>> anti-malware people haven't figured out how to remove this properly
>> yet!).
>>
>> Any ideas on how to repair this issue without having to do an XP repair
>> install? Or where XP gets the command to look for the file? I can't
>> seem
>> to find a "boot.sys" or any such file that references it, and obviously
>> can't go into the registry to look for it . . .
>>
>> I've tried going into the Recovery Console & doing fixboot, fixmbr,
>> chkdsk
>> /p /r etc but no good.
>>
>>
>>
>>
 
"John Doe" wrote in message
news:uwYWO8XxIHA.1240@TK2MSFTNGP02.phx.gbl...
> There is some sort of infector going around that injects itself into
> the boot sequence of XP that randomly names itself "base????32" (where
> the last 4 or 5 letters are random, but the first 4 are always base &
> the last 2 are always 32) & causes the machine to fail on boot up
> because it cannot find this file:
>
> STOP: c0000135 {Unable To Locate Component}
> This application has failed to start because baseokfrf32 was not
> found. Re-installing the application may fix this problem.
>
> This usually occurs after removing the winantivituspro infector
> (clearly the anti-malware people haven't figured out how to remove
> this properly yet!).
>
> Any ideas on how to repair this issue without having to do an XP
> repair install? Or where XP gets the command to look for the file? I
> can't seem to find a "boot.sys" or any such file that references it,
> and obviously can't go into the registry to look for it . . .
>
> I've tried going into the Recovery Console & doing fixboot, fixmbr,
> chkdsk /p /r etc but no good.


This Stop error usually means a corrupt registry...
Try this:
How to recover from a corrupted registry that prevents Windows XP from
starting:
http://support.microsoft.com/default.aspx?...307545&sd=tech

-jen
 
John Doe wrote:

> It does not show up in msconfig, nor sysinternals' process explorer,
> autoruns, etc.
>
> It's in the boot sequence somewhere. Can anyone knowledgeable about the XP
> boot sequence shed any light on this? Where can I start looking for this
> reference & remove it?
>
> STOP: c0000135 {Unable To Locate Component}
> This application has failed to start because baseokfrf32 was not found.
> Re-installing the application may fix this problem.


It sounds like a service and/or driver. Look in Services
(Start>Run>services.msc) and see if anything appears there. If not, try
clean-boot troubleshooting:

Clean boot in Windows XP - http://support.microsoft.com/kb/310353
Clean-boot advanced troubleshooting in Windows XP -
http://support.microsoft.com/kb/316434

You didn't say (or I missed it) whether you can get into Safe Mode or Last
Known Good Configuration. If you can't do either of those things, then
you'll need to access the registry from outside Windows. A Bart's PE or ERD
Commander can do it.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
 
From: "John Doe"

| There is some sort of infector going around that injects itself into the
| boot sequence of XP that randomly names itself "base????32" (where the last
| 4 or 5 letters are random, but the first 4 are always base & the last 2 are
| always 32) & causes the machine to fail on boot up because it cannot find
| this file:
|
| STOP: c0000135 {Unable To Locate Component}
| This application has failed to start because baseokfrf32 was not found.
| Re-installing the application may fix this problem.
|
| This usually occurs after removing the winantivituspro infector (clearly the
| anti-malware people haven't figured out how to remove this properly yet!).
|
| Any ideas on how to repair this issue without having to do an XP repair
| install? Or where XP gets the command to look for the file? I can't seem
| to find a "boot.sys" or any such file that references it, and obviously
| can't go into the registry to look for it . . .
|
| I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
| /p /r etc but no good.
|

This sounds like a SubSys Trojan.

It loads via...
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows

Example of text in an infected PC:
-----------------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basevml32,1
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16

Example of correct text:
----------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basesrv,1
ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16



Note in the infected PC line ServerDll=basevml32
basevml32.dll is the Trojan. It will load and subsequently load basesrv.dll which is
legitimate and thus injects itself into the process.

The problem is it sounds like the DLL was removed and thus can NOT be loaded and therefore a
BSoD.

If you canNOT edit the Registry such that baseokfrf32.dll is not loaded but basesrv.dll is
properly loaded then you will have to repair the OS.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
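
Added example, not part of the original posts: a small Python check of the SubSystems "Windows" value described above, which lists each ServerDll= entry, flags any module outside the thread's "correct text" baseline (basesrv, winsrv), and builds the corrected string. The sample values are constructed from the two examples quoted in the post; the function names and reason labels are this example's own.

```python
import re

# Modules the thread's "correct text" lists for Windows XP's csrss.exe.
EXPECTED_MODULES = {"basesrv", "winsrv"}
# Names reported in the thread: "base" + random letters + "32".
THREAD_PATTERN = re.compile(r"^base[a-z]+32$", re.IGNORECASE)

# Sample values constructed from the two examples quoted in the thread,
# joined onto one line as the registry stores them.
_TEMPLATE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows "
    "ServerDll={dll},1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 "
    "ProfileControl=Off MaxRequestThreads=16"
)
CLEAN = _TEMPLATE.format(dll="basesrv")
INFECTED = _TEMPLATE.format(dll="basevml32")


def _module_name(spec):
    """Strip an optional ':InitRoutine' suffix and '.dll' extension."""
    name = spec.partition(":")[0].lower()
    return name[:-4] if name.endswith(".dll") else name


def parse_server_dlls(value):
    """Return (module, init_routine, index) for every ServerDll= token."""
    entries = []
    for token in value.split():
        key, sep, rest = token.partition("=")
        if not sep or key.lower() != "serverdll":
            continue
        spec, comma, index = rest.rpartition(",")
        if not comma:  # no ",index" part present
            spec, index = rest, ""
        module, _, init = spec.partition(":")
        entries.append((module, init or None, index))
    return entries


def audit(value):
    """Return (module, reason) findings; an empty list means baseline."""
    findings = []
    seen = set()
    for module, _init, _index in parse_server_dlls(value):
        name = _module_name(module)
        seen.add(name)
        if name in EXPECTED_MODULES:
            continue
        reason = ("unexpected-thread-pattern" if THREAD_PATTERN.match(name)
                  else "unexpected")
        findings.append((module, reason))
    if "basesrv" not in seen:
        findings.append(("basesrv", "missing"))
    return findings


def repaired(value):
    """Point ServerDll slot 1 back at basesrv, leaving other tokens alone."""
    out = []
    for token in value.split():
        entries = parse_server_dlls(token)
        if entries:
            module, _init, index = entries[0]
            if index == "1" and _module_name(module) not in EXPECTED_MODULES:
                token = "ServerDll=basesrv,1"
        out.append(token)
    return " ".join(out)


if __name__ == "__main__":
    for label, value in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, audit(value))
    print(repaired(INFECTED) == CLEAN)
```

On a machine that will not boot, the string to check is the "Windows" value read from the SYSTEM hive loaded offline, as described later in the thread.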
 
From: "John Doe"

| There is some sort of infector going around that injects itself into the
| boot sequence of XP that randomly names itself "base????32" (where the last
| 4 or 5 letters are random, but the first 4 are always base & the last 2 are
| always 32) & causes the machine to fail on boot up because it cannot find
| this file:
|
| STOP: c0000135 {Unable To Locate Component}
| This application has failed to start because baseokfrf32 was not found.
| Re-installing the application may fix this problem.
|
| This usually occurs after removing the winantivituspro infector (clearly the
| anti-malware people haven't figured out how to remove this properly yet!).
|
| Any ideas on how to repair this issue without having to do an XP repair
| install? Or where XP gets the command to look for the file? I can't seem
| to find a "boot.sys" or any such file that references it, and obviously
| can't go into the registry to look for it . . .
|
| I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
| /p /r etc but no good.
|

Afterthought:

Boot into the Windows Recovery Console and logon as the Administrator and then go to
%windir%\system32

Copy basesrv.dll to baseokfrf32.dll

Then reboot the PC. See if that will allow the PC to load properly.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
I'll check it out - thanx!

"jen" wrote in message
news:e8m0JdaxIHA.2292@TK2MSFTNGP03.phx.gbl...
> "John Doe" wrote in message
> news:uwYWO8XxIHA.1240@TK2MSFTNGP02.phx.gbl...
>> There is some sort of infector going around that injects itself into the
>> boot sequence of XP that randomly names itself "base????32" (where the
>> last 4 or 5 letters are random, but the first 4 are always base & the
>> last 2 are always 32) & causes the machine to fail on boot up because it
>> cannot find this file:
>>
>> STOP: c0000135 {Unable To Locate Component}
>> This application has failed to start because baseokfrf32 was not found.
>> Re-installing the application may fix this problem.
>>
>> This usually occurs after removing the winantivituspro infector (clearly
>> the anti-malware people haven't figured out how to remove this properly
>> yet!).
>>
>> Any ideas on how to repair this issue without having to do an XP repair
>> install? Or where XP gets the command to look for the file? I can't
>> seem to find a "boot.sys" or any such file that references it, and
>> obviously can't go into the registry to look for it . . .
>>
>> I've tried going into the Recovery Console & doing fixboot, fixmbr,
>> chkdsk /p /r etc but no good.

>
> This Stop error usually means a corrupt registry...
> Try this:
> How to recover from a corrupted registry that prevents Windows XP from
> starting:
> http://support.microsoft.com/default.aspx?...307545&sd=tech
>
> -jen
>
 
Thanx - I'll check out these resources. I shoulda mentioned, I cannot get
into safe mode, last known good, or anything. I'll try a Bart PE build &
see what that does for me. Once I boot up using Bart, 1) how do I access the
Registry, & 2) where am I looking to remove this offender?

"Malke" wrote in message
news:uvXjAfaxIHA.1936@TK2MSFTNGP04.phx.gbl...
> John Doe wrote:
>
>> It does not show up in msconfig, nor sysinternals' process explorer,
>> autoruns, etc.
>>
>> It's in the boot sequence somewhere. Can anyone knowledgeable about the
>> XP
>> boot sequence shed any light on this? Where can I start looking for this
>> reference & remove it?
>>
>> STOP: c0000135 {Unable To Locate Component}
>> This application has failed to start because baseokfrf32 was not found.
>> Re-installing the application may fix this problem.

>
> It sounds like a service and/or driver. Look in Services
> (Start>Run>services.msc) and see if anything appears there. If not, try
> clean-boot troubleshooting:
>
> Clean boot in Windows XP - http://support.microsoft.com/kb/310353
> Clean-boot advanced troubleshooting in Windows XP -
> http://support.microsoft.com/kb/316434
>
> You didn't say (or I missed it) whether you can get into Safe Mode or Last
> Known Good Configuration. If you can't do either of those things, then
> you'll need to access the registry from outside Windows. A Bart's PE or
> ERD
> Commander can do it.
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!
 
thanx - I'll try booting using Bart & see if I can locate this stuff!

"David H. Lipman" wrote in message
news:%230aKVbbxIHA.524@TK2MSFTNGP05.phx.gbl...
> From: "John Doe"
>
> | There is some sort of infector going around that injects itself into the
> | boot sequence of XP that randomly names itself "base????32" (where the
> last
> | 4 or 5 letters are random, but the first 4 are always base & the last 2
> are
> | always 32) & causes the machine to fail on boot up because it cannot
> find
> | this file:
> |
> | STOP: c0000135 {Unable To Locate Component}
> | This application has failed to start because baseokfrf32 was not found.
> | Re-installing the application may fix this problem.
> |
> | This usually occurs after removing the winantivituspro infector (clearly
> the
> | anti-malware people haven't figured out how to remove this properly
> yet!).
> |
> | Any ideas on how to repair this issue without having to do an XP repair
> | install? Or where XP gets the command to look for the file? I can't
> seem
> | to find a "boot.sys" or any such file that references it, and obviously
> | can't go into the registry to look for it . . .
> |
> | I've tried going into the Recovery Console & doing fixboot, fixmbr,
> chkdsk
> | /p /r etc but no good.
> |
>
> This sounds like a SubSys Trojan.
>
> It loads via...
> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
>
> Example of text in an infected PC:
> -----------------------------------
> %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
> SharedSection=1024,3072,512,512
> Windows=On SubSystemType=Windows ServerDll=basevml32,1
> ServerDll=winsrv:UserServerDllInitialization,3
> ServerDll=winsrv:ConServerDllInitialization,2
> ProfileControl=Off MaxRequestThreads=16
>
> Example of correct text:
> ----------------------------
> %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
> SharedSection=1024,3072,512,512
> Windows=On SubSystemType=Windows ServerDll=basesrv,1
> ServerDll=winsrv:UserServerDllInitialization,3
> ServerDll=winsrv:ConServerDllInitialization,2
> ProfileControl=Off MaxRequestThreads=16
>
>
>
> Note in the infected PC line ServerDll=basevml32
> basevml32.dll is the Trojan. It will load and subsequently load
> basesrv.dll which is
> legitimate and thus injects itself into the process.
>
> The problem is it sounds like the DLL was removed and thus can NOT be
> loaded and therefore a
> BSoD.
>
> If you canNOT edit the Registry such that baseokfrf32.dll is not loaded
> but basesrv.dll is
> properly loaded then you will have to repair the OS.
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
Thanx - I'll try that after I try Bart . . .

"David H. Lipman" wrote in message
news:Oau%23zcbxIHA.4952@TK2MSFTNGP05.phx.gbl...
> From: "John Doe"
>
> | There is some sort of infector going around that injects itself into the
> | boot sequence of XP that randomly names itself "base????32" (where the
> last
> | 4 or 5 letters are random, but the first 4 are always base & the last 2
> are
> | always 32) & causes the machine to fail on boot up because it cannot
> find
> | this file:
> |
> | STOP: c0000135 {Unable To Locate Component}
> | This application has failed to start because baseokfrf32 was not found.
> | Re-installing the application may fix this problem.
> |
> | This usually occurs after removing the winantivituspro infector (clearly
> the
> | anti-malware people haven't figured out how to remove this properly
> yet!).
> |
> | Any ideas on how to repair this issue without having to do an XP repair
> | install? Or where XP gets the command to look for the file? I can't
> seem
> | to find a "boot.sys" or any such file that references it, and obviously
> | can't go into the registry to look for it . . .
> |
> | I've tried going into the Recovery Console & doing fixboot, fixmbr,
> chkdsk
> | /p /r etc but no good.
> |
>
> Afterthought:
>
> Boot into the Windows Recovery Console and logon as the Administrator and
> then go to
> %windir%\system32
>
> Copy basesrv.dll to baseokfrf32.dll
>
> Then reboot the PC. See if that will allow the PC to load properly.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
John Doe wrote:

> Thanx - I'll check out these resources. I shoulda mentioned, I cannot get
> into safe mode, last known good, or anything. I'll try a Bart PE build &
> see what that does for me once I boot up using Bart, 1) how do I access
> the Registry, & 2) where am I looking to remove this offender?


I think this is what you're looking for with a Bart's. With an ERD Commander
(old expensive software no longer available unfortunately since MS bought
Winternals) you can edit the host system directly. I think David Lipman
told you where to look, didn't he?

Registry - edit for other users (MVP Doug Knox)

From an account with Administrator level access

1) Click Start, Run and enter REGEDIT
2) In Regedit, highlight the HKEY_USERS key and go to File, Load Hive.
3) Use the File Open dialog to go to the Documents and Settings\
folder, where is the account you wish to modify.
4) Highlight the NTUSER.DAT file in this folder (usually a hidden file) and
select Open.
5) You'll be prompted to enter a "Key name". You can use whatever you wish,
but I use the User's logon name.
6) You can now expand the Hive you just loaded and make any needed changes.
7) When finished, highlight this Hive again and go to File, Unload Hive.

NOTE: You MUST unload the Hive prior to logging on to the users account.
Otherwise XP may have trouble loading the user's profile.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!
 
I'll try this as well. Still gotta put together a Bart CD, then try getting
in, then try finding the registry file(s), etc . . .

"Malke" wrote in message
news:esaS0DdxIHA.4492@TK2MSFTNGP02.phx.gbl...
> John Doe wrote:
>
>> Thanx - I'll check out these resources. I shoulda mentioned, I cannot
>> get
>> into safe mode, last known good, or anything. I'll try a Bart PE build &
>> see what that does for me once I boot up using Bart, 1) how do I access
>> the Registry, & 2) where am I looking to remove this offender?

>
> I think this is what you're looking for with a Bart's. With an ERD
> Commander
> (old expensive software no longer available unfortunately since MS bought
> Winternals) you can edit the host system directly. I think David Lipman
> told you where to look, didn't he?
>
> Registry - edit for other users (MVP Doug Knox)
>
> From an account with Administrator level access
>
> 1) Click Start, Run and enter REGEDIT
> 2) In Regedit, highlight the HKEY_USERS key and go to File, Load Hive.
> 3) Use the File Open dialog to go to the Documents and Settings
> folder, where is the account you wish to modify.
> 4) Highlight the NTUSER.DAT file in this folder (usually a hidden file)
> and
> select Open.
> 5) You'll be prompted to enter a "Key name". You can use whatever you
> wish,
> but I use the User's logon name.
> 6) You can now expand the Hive you just loaded and make any needed
> changes.
> 7) When finished, highlight this Hive again and go to File, Unload Hive.
>
> NOTE: You MUST unload the Hive prior to logging on to the users account.
> Otherwise XP may have trouble loading the user's profile.
>
> Malke
> --
> MS-MVP
> Elephant Boy Computers
> www.elephantboycomputers.com
> Don't Panic!
 
From: "John Doe"

| I'll try this as well. Still gotta put together a Bart CD, then try getting
| in, then try finding the registry file(s), etc . . .
|

The Recovery Console may get you there faster if you try my suggestion of copying the DLL.

"Boot into the Windows Recovery Console and logon as the Administrator and then go to
%windir%\system32

Copy basesrv.dll to baseokfrf32.dll

Then reboot the PC. See if that will allow the PC to load properly."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
I am having this same problem on a client's computer. It was infected with
WinAntiVirus Pro as well. The file it is referencing on this system is
basehoe32.

John, did you find a solution that worked for you?

"John Doe" wrote:

> There is some sort of infector going around that injects itself into the
> boot sequence of XP that randomly names itself "base????32" (where the last
> 4 or 5 letters are random, but the first 4 are always base & the last 2 are
> always 32) & causes the machine to fail on boot up because it cannot find
> this file:
>
> STOP: c0000135 {Unable To Locate Component}
> This application has failed to start because baseokfrf32 was not found.
> Re-installing the application may fix this problem.
>
> This usually occurs after removing the winantivituspro infector (clearly the
> anti-malware people haven't figured out how to remove this properly yet!).
>
> Any ideas on how to repair this issue without having to do an XP repair
> install? Or where XP gets the command to look for the file? I can't seem
> to find a "boot.sys" or any such file that references it, and obviously
> can't go into the registry to look for it . . .
>
> I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
> /p /r etc but no good.
>
>
>
>
 
Nevermind, I got it working. Followed Lipman's post. I edited the registry
offline, System Hive, changed basehoe32 to basesrv in that particular
registry entry and voila!

Thank you!

BTW, I just pulled the drive, hooked it up to another computer and loaded
the System hive. No need for special software.

"Kyle Johnson" wrote:

> I am having this same problem on a client's computer. It was infected with
> WinAntiVirus Pro as well. The file it is referencing on this system is
> basehoe32.
>
> John, did you find a solution that worked for you?
>
> "John Doe" wrote:
>
> > There is some sort of infector going around that injects itself into the
> > boot sequence of XP that randomly names itself "base????32" (where the last
> > 4 or 5 letters are random, but the first 4 are always base & the last 2 are
> > always 32) & causes the machine to fail on boot up because it cannot find
> > this file:
> >
> > STOP: c0000135 {Unable To Locate Component}
> > This application has failed to start because baseokfrf32 was not found.
> > Re-installing the application may fix this problem.
> >
> > This usually occurs after removing the winantivituspro infector (clearly the
> > anti-malware people haven't figured out how to remove this properly yet!).
> >
> > Any ideas on how to repair this issue without having to do an XP repair
> > install? Or where XP gets the command to look for the file? I can't seem
> > to find a "boot.sys" or any such file that references it, and obviously
> > can't go into the registry to look for it . . .
> >
> > I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
> > /p /r etc but no good.
> >
> >
> >
> >
 
Here's the ONLY solution that's worked for me so far (all the "Popular"
antimalware programs ignore this one so far):

Download combofix, vundofix, virtumondebegone, & SiRi's virtumonde removers,
then boot into safe mode, then run each of them, then boot from the OS
Install CD & do a "repair re-installation" of the OS, then do all the
updates.


"Kyle Johnson" wrote in message
news:D643486D-5F25-4F5E-846E-A0C62C6A7175@microsoft.com...
>I am having this same problem on a client's computer. It was infected with
> WinAntiVirus Pro as well. The file it is referencing on this system is
> basehoe32.
>
> John, did you find a solution that worked for you?
>
> "John Doe" wrote:
>
>> There is some sort of infector going around that injects itself into the
>> boot sequence of XP that randomly names itself "base????32" (where the
>> last
>> 4 or 5 letters are random, but the first 4 are always base & the last 2
>> are
>> always 32) & causes the machine to fail on boot up because it cannot find
>> this file:
>>
>> STOP: c0000135 {Unable To Locate Component}
>> This application has failed to start because baseokfrf32 was not found.
>> Re-installing the application may fix this problem.
>>
>> This usually occurs after removing the winantivituspro infector (clearly
>> the
>> anti-malware people haven't figured out how to remove this properly
>> yet!).
>>
>> Any ideas on how to repair this issue without having to do an XP repair
>> install? Or where XP gets the command to look for the file? I can't
>> seem
>> to find a "boot.sys" or any such file that references it, and obviously
>> can't go into the registry to look for it . . .
>>
>> I've tried going into the Recovery Console & doing fixboot, fixmbr,
>> chkdsk
>> /p /r etc but no good.
>>
>>
>>
>>
 
From: "John Doe"

| Here's the ONLY solution that's worked for me so far (all the "Popular"
| antimalware programs ignore this one so far):
|
| Download combofix, vundofix, virtumondebegone, & SiRi's virtumonde removers,
| then boot into safe mode, then run each of them, then boot from the OS
| Install CD & do a "repair re-installation" of the OS, then do all the
| updates.
|

S!ri's SmitfraudFix is NOT for the Vundo Trojan/Virtumonde adware also known as the
WinFixer family. It is geared for ZLob/FakeAlert/Rendos malware associated with the
SmitFraud family.

BTW: Norman has now released Vundo Trojan removal tool.
http://download.norman.no/public/Norman_Vundo_Cleaner.exe
http://www.norman.com/Virus/Virus_removal_tools/52658/en

Additionally, MBAM (MalwareBytes Anti Malware utility) is also *very* effective on the
WinFixer family.
http://www.malwarebytes.org/mbam/program/mbam-setup.exe


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Thanks David, that worked like a charm!!! Stupid viruses anyway!!




"David H. Lipman" wrote:

> From: "John Doe"
>
> | There is some sort of infector going around that injects itself into the
> | boot sequence of XP that randomly names itself "base????32" (where the last
> | 4 or 5 letters are random, but the first 4 are always base & the last 2 are
> | always 32) & causes the machine to fail on boot up because it cannot find
> | this file:
> |
> | STOP: c0000135 {Unable To Locate Component}
> | This application has failed to start because baseokfrf32 was not found.
> | Re-installing the application may fix this problem.
> |
> | This usually occurs after removing the winantivituspro infector (clearly the
> | anti-malware people haven't figured out how to remove this properly yet!).
> |
> | Any ideas on how to repair this issue without having to do an XP repair
> | install? Or where XP gets the command to look for the file? I can't seem
> | to find a "boot.sys" or any such file that references it, and obviously
> | can't go into the registry to look for it . . .
> |
> | I've tried going into the Recovery Console & doing fixboot, fixmbr, chkdsk
> | /p /r etc but no good.
> |
>
> This sounds like a SubSys Trojan.
>
> It loads via...
> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
>
> Example of text in an infected PC:
> -----------------------------------
> %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
> Windows=On SubSystemType=Windows ServerDll=basevml32,1
> ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
> ProfileControl=Off MaxRequestThreads=16
>
> Example of correct text:
> ----------------------------
> %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
> Windows=On SubSystemType=Windows ServerDll=basesrv,1
> ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2
> ProfileControl=Off MaxRequestThreads=16
>
>
>
> Note in the infected PC line ServerDll=basevml32
> basevml32.dll is the Trojan. It will load and subsequently load basesrv.dll which is
> legitimate and thus injects itself into the process.
>
> The problem is it sounds like the DLL was removed and thus can NOT be loaded and therefore a
> BSoD.
>
> If you canNOT edit the Registry such that baseokfrf32.dll is not loaded but basesrv.dll is
> properly loaded then you will have to repair the OS.
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
>
 