BSOD due to base????32


Kerry Brown

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eKqdtfByIHA.6096@TK2MSFTNGP06.phx.gbl...
> From: "Indiana" <Indiana@discussions.microsoft.com>
>
> | Thanks david that worked like a charm!!! stupid viruses anyway!!
> |
>
> YW
>
> Interesting how I am seeing a recent flurry of what appears to be variants
> of the SubSys
> type of Trojan.
>


I've seen two computers in the past week with problems that may be related.
They wouldn't boot, both had blue screens with a STOP 8E. I removed the
drives to try and copy data off prior to fixing the problem. Any Windows
computer that tried to access these drives got the same BSOD even when the
drive was connected via a USB adapter. Linux could see the file structure
but not access any files. It appeared the boot sector and partition table were
corrupted. I zeroed out sector 0 and was able to recover some data after
that. The drives tested fine with several hd testing programs. The hardware
on both computers checked out OK. Both customers said the last thing they
saw was something that sounded like a typical rogue antispyware
hijack/extortion. They fell for it and clicked on "scan my computer now". On
the next boot the problem occurred. It looks like something is trying to
alter the partition table in an attempt to hide but failing miserably.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
 

David H. Lipman

From: "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:eKqdtfByIHA.6096@TK2MSFTNGP06.phx.gbl...
>> From: "Indiana" <Indiana@discussions.microsoft.com>
>>

|>> Thanks david that worked like a charm!!! stupid viruses anyway!!
|>>
>> YW
>>
>> Interesting how I am seeing a recent flurry of what appears to be variants
>> of the SubSys
>> type of Trojan.
>>

| I've seen two computers in the past week with problems that may be related.
| They wouldn't boot, both had blue screens with a STOP 8E. I removed the
| drives to try and copy data off prior to fixing the problem. Any Windows
| computer that tried to access these drives got the same BSOD even when the
| drive was connected via a USB adapter. Linux could see the file structure
| but not access any files. It appeared the boot sector and partition table were
| corrupted. I zeroed out sector 0 and was able to recover some data after
| that. The drives tested fine with several hd testing programs. The hardware
| on both computers checked out OK. Both customers said the last thing they
| saw was something that sounded like a typical rogue antispyware
| hijack/extortion. They fell for it and clicked on "scan my computer now". On
| the next boot the problem occurred. It looks like something is trying to
| alter the partition table in an attempt to hide but failing miserably.
|

I would have used the hard disk manufacturer's diagnostic tool such as SeaTools and WDDiag.

Some adware has been known to muck with the MBR, etc.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

Scattx

Here is the solution for BSOD for base****32 virus

If you come across the virus and you still have access to your computer,
all you have to do is: click on Start, Run: type in regedit. Once in the
registry go to: HKLM-System-CurrentControlset-Control-Session
Manager-Subsystems, edit the Windows string, remove base**** and put in basesrv. It
should read (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,3072,512 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
MaxRequestThreads=16)

If you cannot get into your system or it blue screens, you will have to
install the hard drive into a working Windows XP computer as a secondary
hard drive or, if you have a USB adapter, as an external USB drive.
Follow these steps: simply run Regedit, click the HKLM key and from the
"File" menu you should see an option to load hive.

Browse to the desired hive on the hard drive you connected (ensure that you
have access to where the hives are stored; for XP it will be in
"windows\system32\config\system"). It will request a name; name this temp,
then click load hive. You will see the temp key loaded in the registry. Now
make the necessary changes indicated here: click on Start, Run: type in
regedit. Once in the registry go to:
HKLM-System-CurrentControlset-Control-Session Manager-Subsystems, edit the
Windows string, remove base**** and put in basesrv. It should read
(%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,3072,512 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16)

Next: click on the temp hive you just created, then click on the File menu
in regedit and select unload hive. Voila!!! Install the drive back into the
computer it came from and you are back up and running.

I'd suggest ensuring you have the necessary backups and backing up each hive you
intend on editing.
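The offline-hive procedure in the post above, as an added PowerShell example (this is not code from the thread, from Microsoft, or from any poster): it backs up and loads the SYSTEM hive from the attached drive, resolves the active control set, lists every ServerDll entry in the Subsystems "Windows" value, and restores the known-good string quoted in the post when anything other than basesrv or winsrv is present. The script name, the OfflineSys mount name and the parameter names are my own choices; the script assumes an elevated PowerShell session on a working machine with the affected drive attached as a secondary disk, and that the hive file path you pass is the attached drive's Windows\System32\config\SYSTEM.

```powershell
<#
 Added example, not from the thread. Inspect and repair the
 Session Manager\SubSystems "Windows" value in an OFFLINE SYSTEM hive.
 Assumptions: elevated session; $HivePath points at the attached drive's
 Windows\System32\config\SYSTEM; the mount name "OfflineSys" is arbitrary.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$HivePath,   # e.g. E:\Windows\System32\config\SYSTEM (assumed drive letter)
    [string]$MountName = 'OfflineSys'
)

# Known-good XP value, exactly as quoted in the post.
$KnownGood = '%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16'

# Back up the hive before touching it, as the post recommends.
Copy-Item -LiteralPath $HivePath -Destination "$HivePath.bak" -ErrorAction Stop

# reg.exe load mounts the offline hive under HKLM\<MountName>.
& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed (exit $LASTEXITCODE); run elevated and make sure the hive is not in use."
}

try {
    # An offline hive has no CurrentControlSet link: resolve it from Select\Current
    # (1 -> ControlSet001, 2 -> ControlSet002, ...).
    $current = (Get-ItemProperty -Path "HKLM:\$MountName\Select" -Name Current).Current
    $subKey  = "HKLM:\$MountName\ControlSet{0:D3}\Control\Session Manager\SubSystems" -f $current

    # Get-ItemProperty expands REG_EXPAND_SZ, so %SystemRoot% shows expanded here.
    $value = (Get-ItemProperty -Path $subKey -Name Windows).Windows

    # Pull out every ServerDll= name; anything other than basesrv/winsrv is suspect.
    $dlls = [regex]::Matches($value, 'ServerDll=([^:,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    $bad  = $dlls | Where-Object { $_ -notin @('basesrv', 'winsrv') }

    if (-not $bad) {
        Write-Host "Windows subsystem value looks clean: $($dlls -join ', ')"
    }
    else {
        Write-Warning "Unexpected ServerDll entries: $($bad -join ', ')"
        Write-Host "Current value:`n$value"
        if ($PSCmdlet.ShouldProcess($subKey, 'Restore known-good Windows value')) {
            # Set-ItemProperty on an existing value keeps its REG_EXPAND_SZ type.
            Set-ItemProperty -Path $subKey -Name Windows -Value $KnownGood
            Write-Host 'Value restored; unload the hive and return the drive to its machine.'
        }
    }
}
finally {
    # Drop PowerShell's handles on the hive first, otherwise reg unload fails.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Save it under a name of your choosing (say Check-SubsystemValue.ps1, an assumed name) and run it with -WhatIf first to see what it would change. The reason the script reads Select\Current and builds the ControlSet00N path itself is that a loaded hive has no CurrentControlSet link; browsing HKLM\System in regedit on the host shows the host's own registry, not the attached drive's.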
 

David H. Lipman

From: "Scattx" <Scattx@discussions.microsoft.com>

| Here is the solution for BSOD for base****32 virus

Read my responses. I gave the instructions already and this is a Trojan and NOT a virus.

|
| If you come across the virus and you still have access to your computer,
| all you have to do is: click on Start, Run: type in regedit. Once in the
| registry go to: HKLM-System-CurrentControlset-Control-Session
| Manager-Subsystems, edit the Windows string, remove base**** and put in basesrv. It
| should read (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
| SharedSection=1024,3072,512 Windows=On SubSystemType=Windows
| ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
| ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
| MaxRequestThreads=16)
|

< snip >


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

Bob J

How do you work on the registry of the secondary drive? When I open regedit
(either through Run or attempted access through the secondary hdd of
windows\system32\) it opens the registry of the primary drive. How do I get
around this?

"Scattx" wrote:

> Here is the solution for BSOD for base****32 virus
>
> If you come across the virus and you still have access to your computer,
> all you have to do is: click on Start, Run: type in regedit. Once in the
> registry go to: HKLM-System-CurrentControlset-Control-Session
> Manager-Subsystems, edit the Windows string, remove base**** and put in basesrv. It
> should read (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
> SharedSection=1024,3072,512 Windows=On SubSystemType=Windows
> ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
> ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
> MaxRequestThreads=16)
>
> If you cannot get into your system or it blue screens, you will have to
> install the hard drive into a working Windows XP computer as a secondary
> hard drive or, if you have a USB adapter, as an external USB drive.
> Follow these steps: simply run Regedit, click the HKLM key and from the
> "File" menu you should see an option to load hive.
>
> Browse to the desired hive on the hard drive you connected (ensure that you
> have access to where the hives are stored; for XP it will be in
> "windows\system32\config\system"). It will request a name; name this temp,
> then click load hive. You will see the temp key loaded in the registry. Now
> make the necessary changes indicated here: click on Start, Run: type in
> regedit. Once in the registry go to:
> HKLM-System-CurrentControlset-Control-Session Manager-Subsystems, edit the
> Windows string, remove base**** and put in basesrv. It should read
> (%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows
> SharedSection=1024,3072,512 Windows=On SubSystemType=Windows
> ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
> ServerDll=winsrv:ConServerDllInitialization,2
> ProfileControl=Off MaxRequestThreads=16)
>
> Next: click on the temp hive you just created, then click on the File menu
> in regedit and select unload hive. Voila!!! Install the drive back into the
> computer it came from and you are back up and running.
>
> I'd suggest ensuring you have the necessary backups and backing up each hive you
> intend on editing.
>
>
>
>
 

David H. Lipman

From: "Bob J" <Bob J@discussions.microsoft.com>

| How do you work on the registry of the secondary drive? When I open regedit
| (either through Run or attempted access through the secondary hdd of
| windows\system32\) it opens the registry of the primary drive. How do I get
| around this?


What is the text in the BSoD error message?
Specifically, this part...

This application has failed to start because XXXXXX was not found.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

Bob J

It's the identical problem as John Doe's (I've been following this discussion
while trying to repair an infected hdd) ... "... application failed to start
because basetdf32 was not found."

When I attempt to access the registry, as mentioned below, and follow the
path to the Subsystem the text does not appear corrupted. This is what leads
me to believe I'm viewing the registry of the primary drive.

btw ... The other suggestion given to John Doe was to build a Bart PE, but
I've got an OEM version (Bart builds not recommended for OEM).

"David H. Lipman" wrote:

> From: "Bob J" <Bob J@discussions.microsoft.com>
>
> | How do you work on the registry of the secondary drive? When I open regedit
> | (either through Run or attempted access through the secondary hdd of
> | windows\system32\) it opens the registry of the primary drive. How do I get
> | around this?
>
>
> What is the text in the BSoD error message?
> Specifically, this part...
>
> This application has failed to start because XXXXXX was not found.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
>
 

David H. Lipman

From: "Bob J" <BobJ@discussions.microsoft.com>

| It's the identical problem as John Doe's (I've been following this discussion
| while trying to repair an infected hdd) ... "... application failed to start
| because basetdf32 was not found."

| When I attempt to access the registry, as mentioned below, and follow the
| path to the Subsystem the text does not appear corrupted. This is what leads
| me to believe I'm viewing the registry of the primary drive.

| btw ... The other suggestion given to John Doe was to build a Bart PE, but
| I've got an OEM version (Bart builds not recommended for OEM).



Boot from the Windows Recovery Console.

Go to c:\windows\system32 [ or c:\winnt\system32 ]

Copy basesrv.dll to baseokfrf32.dll

Then reboot the PC. See if that will allow the PC to load properly.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

Bob J

I'll need a little guidance here as I'm unfamiliar with DOS. I think I may
have left a step out. I don't get a BSOD, but it hangs just before the logon
screen (the mouse is present and responsive). Same thing happens if I try to
boot into SafeMode.

Here's what I did after booting to Recovery ...
c:\windows\system32>copy basesrv.dll basetdf32.dll
(returned a message something like "1 copy created")

I obviously missed something here.

"David H. Lipman" wrote:

> From: "Bob J" <BobJ@discussions.microsoft.com>
>
> | It's the identical problem as John Doe's (I've been following this discussion
> | while trying to repair an infected hdd) ... "... application failed to start
> | because basetdf32 was not found."
>
> | When I attempt to access the registry, as mentioned below, and follow the
> | path to the Subsystem the text does not appear corrupted. This is what leads
> | me to believe I'm viewing the registry of the primary drive.
>
> | btw ... The other suggestion given to John Doe was to build a Bart PE, but
> | I've got an OEM version (Bart builds not recommended for OEM).
>
>
>
> Boot from the Windows Recovery Console.
>
> Go to c:\windows\system32 [ or c:\winnt\system32 ]
>
> Copy basesrv.dll to baseokfrf32.dll
>
> Then reboot the PC. See if that will allow the PC to load properly.
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
>
 

David H. Lipman

From: "Bob J" <BobJ@discussions.microsoft.com>

| I'll need a little guidance here as I'm unfamiliar with DOS. I think I may
| have left a step out. I don't get a BSOD, but it hangs just before the logon
| screen (the mouse is present and responsive). Same thing happens if I try to
| boot into SafeMode.

| Here's what I did after booting to Recovery ...
| c:\windows\system32>copy basesrv.dll basetdf32.dll
| (returned a message something like "1 copy created")

| I obviously missed something here.


The first thing to understand is that it is NOT DOS. There is no DOS under an NT-based OS.

Your system may be hosed and you will have to perform a repair install.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 

Bob J

"David H. Lipman" wrote:

> From: "Bob J" <BobJ@discussions.microsoft.com>
>
> | I'll need a little guidance here as I'm unfamiliar with DOS. I think I may
> | have left a step out. I don't get a BSOD, but it hangs just before the logon
> | screen (the mouse is present and responsive). Same thing happens if I try to
> | boot into SafeMode.
>
> | Here's what I did after booting to Recovery ...
> | c:\windows\system32>copy basesrv.dll basetdf32.dll
> | (returned a message something like "1 copy created")
>
> | I obviously missed something here.
>
>
> The first thing to understand is that it is NOT DOS. There is no DOS under an NT-based OS.
>
> Your system may be hosed and you will have to perform a repair install.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>

Did I write the command correctly, or how would it be written?
 