From: "Geoff"
| Which is why I recommended Autoruns in the first place since it allows easy
| access to and backup of such keys. You can even turn them off with a
| checkbox before deleting the key itself if you find you need to restore it.
| Autoruns even works in Safe Mode so if it did BSOD he would still be able
| to fix it there. There are actually very few DLLs that, if missing, will
| cause a BSOD or that couldn't be properly reinstalled with their authentic
| executables by running "SFC /scannow" in safe mode or command line only
| mode. If it gets that bad, a relevel and reinstall was in the making
| anyway. If that were the case, slaving it, pulling off any user essential
| data and programs would be a necessary part of the process since a known
| clean system would be needed to be sure the backup was trustworthy.
The key I am thinking about will not be shown in AutoRuns. The DLL would be named such
as base????32.dll (ex. basevml32.dll)
This is a SubSys trojan and with this trojan, it would be inserted into the following
registry key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
and would become part of a DLL load chain. The name of malware DLL would be inserted into
the registry key (such as ServerDll=basevml32). If you deleted the trojan by putting
the drive in a surrogate PC or by using the Recovery Console the PC would boot into a BSoD
complaining that the DLL could not be found.
Example NT Stop Error:
STOP: c0000135 {Unable To Locate Component}
This application has failed to start because basevml32 was not found.
Re-installing the application may fix this problem.
It loads via...
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\windows
Example of text in an infected PC:
-----------------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basevml32,1
ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16
Example of correct text:
----------------------------
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512
Windows=On SubSystemType=Windows ServerDll=basesrv,1
ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16
The above is a real world example taken from my notes. AutoRuns and the System File
Checker are useless in the above scenario. The ONLY way to fix it is either copy
basesrv.dll to basevml32.dll in the Recovery Console or preferably load the infected OS
and edit the registry and reboot then delete basevml32.dll.
I mention the above because many presume placing an affected drive in a surrogate PC is
one of the best ways to deal with removing malware that may be loaded at run-time.
However, if you do, when you run the Anti malware software it will not correct the
registry of the OS of the affected drive and may leave the OS of the affected drive
impotent. I am NOT saying placing an affected drive in a surrogate PC is not a good
methodology. I am saying that it can have drawbacks and you *must* be prepared for them.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV -
http://www.pctipp.ch/downloads/dl/35905.asp
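As an added example (not part of Dave's post or of the tools he links), the following Python parses the SubSystems\Windows value string exactly as quoted above and flags any ServerDll module that is not on an allowlist, which is how a defender can spot the substitution before pulling the drive. The allowlist and the optional live-read helper (via the standard winreg module, skipped off Windows) are my assumptions; the two sample strings are the infected and correct values from the post, joined onto one line.

```python
import re
import sys

# Modules a stock Windows subsystem value is expected to load. basesrv and winsrv
# are what the "correct text" above shows; Vista and later also list sxssrv.
# Assumption: adjust this set for the Windows version you are checking.
KNOWN_GOOD_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Each entry looks like ServerDll=module[:entrypoint],index
_SERVER_DLL_RE = re.compile(r"ServerDll=([^,\s:]+)(?::([^,\s]+))?(?:,(\d+))?")


def parse_server_dlls(value):
    """Return (module, entrypoint, index) tuples from a SubSystems\\Windows value."""
    entries = []
    for m in _SERVER_DLL_RE.finditer(value):
        module = m.group(1).lower()
        if module.endswith(".dll"):          # tolerate an explicit extension
            module = module[:-4]
        index = int(m.group(3)) if m.group(3) else None
        entries.append((module, m.group(2), index))
    return entries


def suspicious_server_dlls(value):
    """Return ServerDll modules that are not on the allowlist (e.g. basevml32)."""
    return [mod for mod, _, _ in parse_server_dlls(value)
            if mod not in KNOWN_GOOD_SERVER_DLLS]


def read_live_value():
    """Read the live value on Windows; returns None elsewhere (winreg is Windows-only)."""
    if sys.platform != "win32":
        return None
    import winreg
    path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
    return value


# The two values quoted in the post, as they appear in the registry (one line each).
INFECTED = ("%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
            "SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows "
            "ServerDll=basevml32,1 ServerDll=winsrv:UserServerDllInitialization,3 "
            "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16")
CORRECT = INFECTED.replace("ServerDll=basevml32,1", "ServerDll=basesrv,1")

if __name__ == "__main__":
    live = read_live_value()
    print(suspicious_server_dlls(live if live is not None else INFECTED))
```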