
AVG (free) v8 removes trojan - now XP won't boot. 1


G0AOZ

Technical User
Nov 6, 2002
2,342
GB
AVG identifies the file basemlnn32.dll as Trojan horse Agent.MYK and naturally removed it. XP PRO (SP2) now won't boot in Normal or Safe mode. Produces a BSOD STOP c0000135 which tells me it can't load basemlnn32.

The basemlnn32.dll file is located in C:\Windows\System32 and the Registry shows entries for it under:-

HKEY_LOCAL_MACHINE > System > ControlSet001 > Control > Session Manager > SubSystems

Also under ControlSet003 and CurrentControlSet.

I have Googled for this file but got no answers, and it doesn't appear on any other XP machines I've looked at.

Anyone any clues please?

ROGER - G0AOZ.
 
Do you have your XP restore CD? Try getting to the Setup screen (usually F2) and change the boot sequence to CD and no others, then do a Repair install.
 
I can't find anything on it either, and very little on Agent MYK other than 'it's hard to remove'.

Is your AVG the free edition?
If it is, post this on the AVG Free forum; make sure you list all the details of the machine.

If it's paid for, you should contact AVG Support.

If you really can't get it going in Safe Mode, then you may be looking at repairing Windows. Do you have the install disk?

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
I was hoping to avoid having to do a repair as this often knocks out the installed programmes...

No, won't run in Safe Mode or Last known Good Configuration etc.

Steve, it's the free edition of AVG as the message title implies! [wink] I've already posted a message on the AVG forum, but no responses. (I "upset" the moderators there a week or two ago, so maybe I'll get no replies...)

I did take the precaution of making a clone of this drive before embarking on a cleanup so I can have a second bite at the cherry, so to speak... Interestingly, Panda Internet Security 2008 didn't "find" this trojan, but then whenever I do a cleanup, I usually run a disk through at least three scanners, and each one often finds something the previous one didn't!

Maybe this is a false positive on the part of AVG? If that's the case, I'll have to look to see if AVG can be programmed to ignore this file. If I right click on this file in Explorer, it just says "Unknown Application" which doesn't help.

ROGER - G0AOZ.
 
Hmm, it's quite odd. I looked on the M$ support site and found no reference to the DLL, and as you say it cannot be found on other XP installs.

But Panda has a very good reputation; odd for it to find nothing (assume the definitions were up to date?).

Yes, sorry, I remember the AVG forum thing now!!

Might be an idea to see if you can boot from the Install CD.

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
Problem solved now...

AVG forum came up with a couple of modified Registry keys, and after changing those and deleting that file from the system32 folder, all appears to be well again.

Thanks for your support guys...

ROGER - G0AOZ.
 
You see if you stick to the rules the AVG Free forum is OK !!

But you did say that the system would not boot in safe mode ??


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
Yes, wouldn't boot in Normal, Safe or Last Known Good, etc... Next question? [bigsmile]

ROGER - G0AOZ.
 
OK.
How were you able to retrieve/change the registry values?

Ah, wait a mo, you used the cloned drive [smile]

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
Yup, you guessed correctly! [thumbsup2] I also could've used ERD Commander and merged a new key.

Steve, I always make a clone of a hard drive I'm going to work on, as a security measure. This generally only takes a few minutes of operator time, then I leave the cloning software (usually Acronis) to get on with. It has saved my bacon on more than one occasion when something has gone horribly wrong whilst I was battling to kill off a trojan or virus, etc. As per yesterday...

ROGER - G0AOZ.
 
GFY Roger. A star for your preparedness.

That means "Good For You" for those with their minds in the gutter.

Question to mankind: Has "Last Known Good Configuration" ever worked for anybody...ever?

Tony

Users helping Users...
 
Thanks Tony.

Glad you qualified That means "Good For You"!! [bigsmile]

Don't recall successfully using Last Known Good Configuration in XP. Used it once or twice in NT4 when a daft user set the refresh rate too high! No video!

ROGER - G0AOZ.
 
How about posting the registry fixes? I have the exact same problem and it could save me some time.

Thanks
 
No problem!

I found these entries for basemlnn32.dll under the following Registry keys:-

HKEY_LOCAL_MACHINE > SYSTEM > ControlSet001 > Control > Session Manager > SubSystems:- Windows key:-

REG_EXPAND_SZ %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basemlnn32,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKEY_LOCAL_MACHINE > SYSTEM > ControlSet003 > Control > Session Manager > SubSystems:- Windows key:-

REG_EXPAND_SZ %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basemlnn32,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Session Manager > SubSystems:- Windows key:-

REG_EXPAND_SZ %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basemlnn32,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Each key was changed to this (below), and then the basemlnn32.dll file was deleted:-

REG_EXPAND_SZ %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Hope it works ok for you.

ROGER - G0AOZ.
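The fix posted above boils down to one token in the csrss.exe start line: the trojan had swapped the base server DLL (ServerDll=basesrv,1) for its own module (ServerDll=basemlnn32,1), so once AVG deleted the DLL csrss could not start and the machine stopped with c0000135. The script below is an added example, not code from the thread or from AVG; it parses that "Windows" value the way a technician cloning the drive would want to check it, flags any ServerDll module that is not on a known-good list, and rewrites the index-1 entry to basesrv as the thread did. It generalises slightly beyond the thread: it reports every unexpected module, not only basemlnn32. The sample strings are constructed from the values quoted in the thread, and the allowlist (basesrv, winsrv) and the mapping "index 1 is basesrv" are assumptions for a default XP install.

```python
r"""Check the Win32 subsystem csrss.exe start line for unexpected ServerDll modules.

Added example, not code from the original thread. It parses the string stored in
the REG_EXPAND_SZ "Windows" value under
HKLM\SYSTEM\<ControlSet>\Control\Session Manager\SubSystems, the value the thread
shows being modified. The sample values below are constructed from the thread.
"""
import re

# Modules a stock Windows XP csrss start line should reference (assumption).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv"}

# Constructed from the infected value quoted in the thread:
# ServerDll=basemlnn32,1 sits where basesrv,1 belongs.
INFECTED_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    "ServerDll=basemlnn32,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)

# The corrected value from the thread: ServerDll=basesrv,1 restored.
CLEAN_VALUE = INFECTED_VALUE.replace("ServerDll=basemlnn32,1", "ServerDll=basesrv,1")


def parse_server_dlls(value):
    """Return (module, entrypoint, index) tuples for each ServerDll= token.

    Each token has the form ServerDll=module[:EntryPoint],index; the module is
    the DLL name, without extension, that csrss loads from system32.
    """
    entries = []
    for token in value.split():
        if not token.startswith("ServerDll="):
            continue
        spec = token[len("ServerDll="):]
        m = re.fullmatch(r"([^:,]+)(?::([^,]+))?,(\d+)", spec)
        if not m:
            raise ValueError("malformed ServerDll token: %s" % token)
        module, entrypoint, index = m.group(1), m.group(2), int(m.group(3))
        entries.append((module.lower(), entrypoint, index))
    return entries


def find_unexpected(value, allow=KNOWN_SERVER_DLLS):
    """List the server DLL modules in the start line that are not on the allowlist."""
    return [mod for mod, _ep, _idx in parse_server_dlls(value) if mod not in allow]


def repaired_value(value, allow=KNOWN_SERVER_DLLS):
    """Return the start line with an unexpected index-1 module replaced by basesrv.

    Mirrors the thread's fix. Index 1 being basesrv is an assumption for XP.
    Unexpected modules at other indices are left alone so they surface through
    find_unexpected() instead of being rewritten blindly.
    """
    fixed = []
    for token in value.split():
        if token.startswith("ServerDll="):
            module, _ep, index = parse_server_dlls(token)[0]
            if module not in allow and index == 1:
                token = "ServerDll=basesrv,1"
        fixed.append(token)
    return " ".join(fixed)


if __name__ == "__main__":
    for label, val in (("infected", INFECTED_VALUE), ("clean", CLEAN_VALUE)):
        print("%s: unexpected modules %s" % (label, find_unexpected(val)))
    print("repaired matches thread fix:", repaired_value(INFECTED_VALUE) == CLEAN_VALUE)
```

On a live or offline-mounted hive the string to feed in is the data of the "Windows" value, which reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" /v Windows prints on a running system; check every ControlSetNNN as the thread did, since Last Known Good simply switches to another of them and would carry the same entry. Deleting the flagged DLL before the value is corrected reproduces the non-booting state described at the top of the thread, so the order is: correct the value, then remove the file.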
 