As a computer technician, one of the most common things I do is clean up computers once they have been infected, compromised, hacked or just plain old mistreated. That said, most of the machines we see are fairly routine, and although they can take a good chunk of time to clean up, they generally aren't "difficult". However, every once in a while a tricky one will come along. For example, we just had a machine in that, on the surface, seemed like a relatively simple trojan infection. I manually removed several obvious files from the \WINDOWS\SYSTEM32 folder that were not part of any legit program - Windows or otherwise, removed the corresponding calling references from the system registry and figured I was all but a full virus scan away from putting this one to bed. When the machine was restarted though, Windows would not fully load. Instead, it stopped at a blue screen error which read as follows: Stop: c0000135 Unable To Locate Component. "This application has failed to start because baseagul32 was not found. Re-installing the application may fix this problem. The machine would not start in safe mode or standard mode and trying the last known good configuration made no difference, so I spent about an hour banging my head against a wall trying to figure out what program baseagul32 belonged to and came up empty. Eventually I turned to my trusty old ERD Commander 2005 CD - which, by the way, is an awesome tool to have in your arsenal. Anyway, when I started the machine up with ERD Commander, I launched the built-in registry editor - which imports the registry hives automatically from the Windows installation it finds on the local drive - and proceeded to search for the missing "baseagul32" file. Searching the keys only didn't find anything, but once I chose to search the data a hit was found (but it took ages to search through all the data fields). The filename was found in the WINDOWS key under HKEY_LOCAL_MACHINE\ControlSet2\Control\Session Manager\SubSystems as well as HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Session Manager\SubSystems but I wasn't sure what should really be in this registry entry until I looked at another machine running Windows XP. Apparently the trojan uses names with the letters "base" followed by some random letters and ending with "32". Doing some more searching on the net revealed that others have had the same problem after removing the trojan identified as Klone.T. Some example file names I've seen quoted include: baseokfrf32, baseagul32, basevml32 and basehoe32, but of course the letters between base and 32 are random, so it could appear as anything. Some suggested booting with any CD, including the Windows XP CD (using repair console) and simply copying the legit file basesrv.dll to base????32.dll which should work, but the proper way would be to edit the registry entry to include the appropriate file name of basesrv.dll instead of the trojan with the random name base????32.dll. Of course if I had searched Google a little more before wasting all sorts of time fixing this thing, I would have found this link on inanis.net which detailed a straight forward way to fix the very same problem.
|
|||
 |
computers suck... No, seriously, they really do. |
|
|
|