-
May 16th, 2008, 11:48 PM
#1
stop: 0000135 {unable to locate component}
I was cleaning spyware and adware out of a computer. It had some rootkits that I got rid of. I was scanning with super anti spyware and it found a trojan dropper 4 or something. The file was located in c:\windows\system32; it was a dll file. I clicked next to remove it. Said it had to reboot. When the computer came back up, it gave me this error on a blue screen.
stop: 0000135 {unable to locate component}
This is displayed on a blue screen.
It lists the file name that superantispyware found as the trojan and when I search for this file on google it comes up with nothing, so it definitely was a trojan.
You can't do anything but turn the computer off at that point. It will not boot into safe mode; it gets the same error.
So what I'm wondering is, first off, if anyone has seen this before, what would I have to do so that windows is not pointing to this file anymore? Second, where does super anti spyware keep its quarantined files in the file system? Perhaps I put the file back and then figure out a way to get rid of it.
-
May 17th, 2008, 12:36 AM
#2
What is the name of that file?
-
May 17th, 2008, 01:27 AM
#3
The file name is BASEMRE32.DLL and it is located in system32 folder. It is listed as a trojan.dropper/base
I was actually able to get the file out of quarantine and put it back. The machine boots up, but of course it is still seeing this file run in memory.
-
May 17th, 2008, 01:32 AM
#4
Download HijackThis:
http://www.trendsecure.com/portal/en...kthis/download
Click on Download HijackThis Installer
Post HijackThis log.
-
May 17th, 2008, 10:04 AM
#5
Well, I already installed Hijack this and hijackthis makes no reference to this file anywhere.
It is possible that it is able to hide its entries; there was a rootkit that was hiding itself before I removed it with avg rootkit software.
Last edited by btcomm; May 17th, 2008 at 10:12 AM.
-
May 17th, 2008, 08:02 PM
#6
You can try to rerun HJT, but this time rename hijackthis.exe to something like btcomm.exe.
-
May 17th, 2008, 09:30 PM
#7
 Originally Posted by btcomm
Well, I already installed Hijack this and hijackthis makes no reference to this file anywhere.
It is possible that it is able to hide its entries; there was a rootkit that was hiding itself before I removed it with avg rootkit software.
Many instances of malware use multiple names, and also quite often will create files with unrelated names. Just because you don't see the file name doesn't mean you are 100% clean. Your best bet is to post the logfile here for a look.
-
May 17th, 2008, 11:31 PM
#8
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:02 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\George\Desktop\jackson.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 2272 bytes
As you can see, there isn't much in there; jackson.exe is what I named hijackthis.
Has anyone ever run into spyware that, once removed, gives you a bluescreen that says:
stop: 0000135 {unable to locate component}
This application has failed to start because basemre32
was not found. Re-installing the application may fix
this problem.
Replace basemre32 with whatever file was infecting the system.
I have never seen this before; I don't understand what is telling this file it needs to be there for windows to start up.
Last edited by btcomm; May 17th, 2008 at 11:34 PM.
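Added example, not part of the original thread or any poster's code: a small Python parser for the HijackThis v2 log format posted above. It splits the log into processes and entries, searches them for a file name, and pulls out the sections through which a DLL gets loaded; the function names and section labels are this example's own, and the sample is an excerpt of the posted log.

```python
import re

# HijackThis sections through which a DLL gets loaded (labels are descriptive).
DLL_SECTIONS = {"O2": "Browser Helper Object", "O10": "Winsock LSP",
                "O18": "Protocol handler", "O20": "AppInit_DLLs / Winlogon Notify"}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Excerpt of the log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""Boot mode: Normal
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\George\Desktop\jackson.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
End of file - 2272 bytes"""

def parse_hjt(text):
    """Split a HijackThis log into running processes and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False                      # first entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def find_name(processes, entries, name):
    """Case-insensitive search for a file name across every parsed line."""
    lines = processes + [f"{c} - {d}" for c, d in entries]
    return [l for l in lines if name.lower() in l.lower()]

def dll_load_points(entries):
    """Entries in DLL-loading sections whose detail ends in a .dll path."""
    return [(c, DLL_SECTIONS[c], d) for c, d in entries
            if c in DLL_SECTIONS and d.lower().endswith(".dll")]

if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print("basemre32 hits:", find_name(procs, ents, "basemre32"))
    for code, label, detail in dll_load_points(ents):
        print(f"{code} [{label}] {detail}")
```

An empty result for basemre32 only shows that none of the entries HijackThis enumerated reference that name.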
-
May 17th, 2008, 11:59 PM
#9
-
May 18th, 2008, 12:04 AM
#10
The good news is that there is nothing in the HJT log which would indicate any infection. I see you posted at the SAS forum, and you got one reply. Let's see what they have to say.
-
May 18th, 2008, 12:35 AM
#11
AntiVir 7.8.0.17 2008.05.13 TR/Agent.AGKK.32
Authentium 5.1.0.4 2008.05.14 -
Avast 4.8.1169.0 2008.05.12 -
AVG 7.5.0.516 2008.05.13 -
BitDefender 7.2 2008.05.08 Trojan.Agent.AGKK
CAT-QuickHeal 9.50 2008.05.12 -
ClamAV 0.92.1 2008.05.13 -
DrWeb 4.44.0.09170 2008.05.13 -
eSafe 7.0.15.0 2008.05.12 -
eTrust-Vet 31.4.5784 2008.05.13 -
Ewido 4.0 2008.05.13 -
F-Prot 4.4.2.54 2008.05.13 W32/Agent.AZ.gen!Eldorado
F-Secure 6.70.13260.0 2008.05.13 -
Fortinet 3.14.0.0 2008.05.13 -
GData 2.0.7306.1023 2008.05.14 -
Ikarus T3.1.1.26.0 2008.05.13 Trojan.Agent.AGKK
Kaspersky 7.0.0.125 2008.05.13 -
McAfee 5293 2008.05.12 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3095 2008.05.13 -
Norman 5.80.02 2008.05.09 -
Panda 9.0.0.4 2008.05.12 Suspicious file
Prevx1 V2 2008.05.18 Cloaked Malware
Rising 20.44.12.00 2008.05.13 -
Sophos 4.29.0 2008.05.13 Troj/Agent-GXR
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.13 -
TheHacker 6.2.92.309 2008.05.13 -
VBA32 3.12.6.6 2008.05.13 -
VirusBuster 4.3.26:9 2008.05.12 -
Webwasher-Gateway 6.6.2 2008.05.13 Trojan.Agent.AGKK.32
Even though the hijackthis log comes up with nothing, for sure this file is bad and it's running in the background, and somehow the system has been modified to not boot up without it.
Last edited by btcomm; May 18th, 2008 at 12:39 AM.
-
May 18th, 2008, 09:59 AM
#12
Time for a clean install ???
I would save what I wanted and do just that.
-
May 18th, 2008, 10:59 AM
#13
 Originally Posted by btcomm
Even though the hijackthis log comes up with nothing, for sure this file is bad and it's running in the background, and somehow the system has been modified to not boot up without it.
Kinda hard to tell about the HJT log, what with all the removed entries.
Might as well do the clean install, as that's really the only sure way of removing every trace of a rootkit.
-
May 18th, 2008, 11:04 AM
#14
Yeah, I actually did a clean install last night.
-
May 18th, 2008, 12:09 PM
#15
 Originally Posted by btcomm
Yeah, I actually did a clean install last night.
Does everything seem to work OK now?
If not, let us know.