Player 1 - basesrv.dll
</h4>Filename: basesrv.dll
Status: LEGITIMATE
Windows NT BASE API Server DLL
© Microsoft Corporation. All rights reserved.
<h4>
Player 2 - basesrv32.dll
</h4>Filename: basesrv32.dll
Status: PREDATOR
File size: 20480 bytes
MD5: e2bfb8baf2b8f646145af3ab267e1b0c
SHA1: 98b619338b22f5bfb709926b8d6def2ea72f05e6
PEiD: -
File basesrv32.dll received on 12.17.2007 23:17:02
AhnLab-V3 2007.12.18.10 2007.12.17 -
AntiVir 7.6.0.45 2007.12.17 HEUR/Crypted
Authentium 4.93.8 2007.12.16 -
Avast 4.7.1098.0 2007.12.17 -
AVG 7.5.0.503 2007.12.17 -
BitDefender 7.2 2007.12.17 -
CAT-QuickHeal 9.00 2007.12.17 -
ClamAV 0.91.2 2007.12.17 -
DrWeb 4.44.0.09170 2007.12.17 -
eSafe 7.0.15.0 2007.12.17 -
eTrust-Vet 31.3.5382 2007.12.17 -
Ewido 4.0 2007.12.17 -
FileAdvisor 1 2007.12.17 -
Fortinet 3.14.0.0 2007.12.17 -
F-Prot 4.4.2.54 2007.12.17 -
F-Secure 6.70.13030.0 2007.12.17 -
Ikarus T3.1.1.15 2007.12.17 -
Kaspersky 7.0.0.125 2007.12.17 -
McAfee 5187 2007.12.17 -
Microsoft 1.3109 2007.12.17 -
NOD32v2 2728 2007.12.17 -
Norman 5.80.02 2007.12.17 -
Panda 9.0.0.4 2007.12.17 Suspicious file
Prevx1 V2 2007.12.17 -
Rising 20.23.02.00 2007.12.17 -
Sophos 4.24.0 2007.12.17 -
Sunbelt 2.2.907.0 2007.12.15 -
Symantec 10 2007.12.17 -
TheHacker 6.2.9.161 2007.12.17 -
VBA32 3.12.2.5 2007.12.17 -
VirusBuster 4.3.26:9 2007.12.17 -
Webwasher-Gateway 6.6.2 2007.12.17 Heuristic.Crypted
Filename: load.exe
Status: Drops basesrv32.dll (aka PREDATOR)
File size: 14100 bytes
MD5: c17247380190ee46bde9891aa8f6cb43
SHA1: e894c96bb8b52ade16ebee2c80ecd44e9cf69257
PEiD: -
<h4>
File load.exe received on 12.17.2007 23:16:48
AhnLab-V3 2007.12.18.10 2007.12.17 -
AntiVir 7.6.0.45 2007.12.17 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2007.12.16 -
Avast 4.7.1098.0 2007.12.17 -
AVG 7.5.0.503 2007.12.17 -
BitDefender 7.2 2007.12.17 -
CAT-QuickHeal 9.00 2007.12.17 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.12.17 -
DrWeb 4.44.0.09170 2007.12.17 -
eSafe 7.0.15.0 2007.12.17 Suspicious File
eTrust-Vet 31.3.5382 2007.12.17 -
Ewido 4.0 2007.12.17 -
FileAdvisor 1 2007.12.17 -
Fortinet 3.14.0.0 2007.12.17 -
F-Prot 4.4.2.54 2007.12.17 -
F-Secure 6.70.13030.0 2007.12.17 -
Ikarus T3.1.1.15 2007.12.17 -
Kaspersky 7.0.0.125 2007.12.17 -
McAfee 5187 2007.12.17 -
Microsoft 1.3109 2007.12.17 -
NOD32v2 2728 2007.12.17 -
Norman 5.80.02 2007.12.17 -
Panda 9.0.0.4 2007.12.17 Suspicious file
Prevx1 V2 2007.12.17 -
Rising 20.23.02.00 2007.12.17 -
Sophos 4.24.0 2007.12.17 -
Sunbelt 2.2.907.0 2007.12.15 -
Symantec 10 2007.12.17 -
TheHacker 6.2.9.161 2007.12.17 -
VBA32 3.12.2.5 2007.12.17 -
VirusBuster 4.3.26:9 2007.12.17 -
Webwasher-Gateway 6.6.2 2007.12.17 Trojan.Crypt.XPACK.Gen
Visible signs
</h4>Requires the use of special tools. See below under Notes.
<h4>
Technical details
</h4>Registry changes.
A very interesting loading point ... Session Manager\SubSystems
Windows NT Booting : http://www.comptechdoc.org/os/windows/ntws...twsbooting.html
The normal value for this key is shown below.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems "Windows"
Old type: REG_EXPAND_SZ
New type: REG_EXPAND_SZ
Old data: (data too large: 271 bytes)
New data: (data too large: 273 bytes)
Our "Predator" modifies that key in order to load itself on boot.
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
The difference is very subtle ... it's hard to notice it if you are not very familiar with your OS.
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv32,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
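A check for this load point, as an added example (not code from the original write-up): it parses the "Windows" value of Session Manager\SubSystems, compares every ServerDll= entry with the csrss.exe command line that loads basesrv, and reports the one-token change to basesrv32. The function names are hypothetical, and the baseline is the Windows XP value quoted on this page; other Windows versions need their own known-good string.

```python
import re

# "Normal" value quoted on this page (Windows XP SP2). Assumption: other
# Windows versions ship a different baseline, so pass your own known-good string.
BASELINE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 "
    r"ProfileControl=Off MaxRequestThreads=16"
)
# Modified value quoted on this page: only the first ServerDll token differs.
INFECTED = BASELINE.replace("ServerDll=basesrv,1", "ServerDll=basesrv32,1")

# ServerDll=<module>[:<init routine>],<index>
SERVERDLL = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)", re.IGNORECASE)


def server_dlls(value):
    """Return [(index, module, init routine or '')] for every ServerDll token."""
    return [(int(i), mod.lower(), init) for mod, init, i in SERVERDLL.findall(value)]


def audit_subsystems(observed, baseline=BASELINE):
    """Return a list of findings; an empty list means the value matches the baseline."""
    findings = []
    want = {i: (m, r) for i, m, r in server_dlls(baseline)}
    have = {}
    for i, m, r in server_dlls(observed):
        if i in have:
            findings.append(f"ServerDll index {i} declared twice: {have[i][0]}, {m}")
        have[i] = (m, r)
    for idx in sorted(set(want) | set(have)):
        if idx not in have:
            findings.append(f"ServerDll index {idx} missing (baseline: {want[idx][0]})")
        elif idx not in want:
            findings.append(f"ServerDll index {idx} not in baseline: {have[idx][0]}")
        elif have[idx][0] != want[idx][0]:
            findings.append(
                f"ServerDll index {idx} loads {have[idx][0]}.dll, "
                f"baseline is {want[idx][0]}.dll"
            )
        elif have[idx][1] != want[idx][1]:
            findings.append(f"ServerDll index {idx} init routine changed: {have[idx][1]}")
    # Any other token that differs (csrss.exe path, SharedSection, ...) is reported too.
    base_tokens = [t.lower() for t in baseline.split()]
    for tok in observed.split():
        if tok.lower() not in base_tokens and not SERVERDLL.fullmatch(tok):
            findings.append(f"token differs from baseline: {tok}")
    return findings


if __name__ == "__main__":
    for line in audit_subsystems(INFECTED):
        print(line)
```

A finding here means the loading point has to be corrected before the referenced DLL is touched, for the reason given under Warning.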
Files added.
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%System%\basesrv32.dll
Date: 8/4/2004 1:00 PM
Size: 20,480 bytes
<h4>
Notes
</h4>Upon reboot we have basesrv32.dll loaded instead of basesrv.dll.
Process Explorer does show an additional instance of svchost.exe loaded under a svchost.exe instance.
For more information about mutexes, please refer to the following articles:
http://en.wikipedia.org/wiki/Mutual_exclusion
http://msdn2.microsoft.com/en-us/library/ms684266.aspx
An SREng log may show the basesrv32.dll under running processes.
Shortly after boot, svchost.exe requires Internet access.
Running Processes
[PID: 552 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\basesrv32.dll] [N/A, ]
[PID: 784 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\basesrv32.dll] [N/A, ]
An additional file is downloaded and installed. At the time of the write-up this file installs a rootkit.
Ref: nax.exe (rootkit)
File 2517.exe received on 12.17.2007 23:32:16
AhnLab-V3 2007.12.18.10 2007.12.17 -
AntiVir 7.6.0.45 2007.12.17 -
Authentium 4.93.8 2007.12.16 -
Avast 4.7.1098.0 2007.12.17 -
AVG 7.5.0.503 2007.12.17 -
BitDefender 7.2 2007.12.17 -
CAT-QuickHeal 9.00 2007.12.17 -
ClamAV 0.91.2 2007.12.17 -
DrWeb 4.44.0.09170 2007.12.17 -
eSafe 7.0.15.0 2007.12.17 -
eTrust-Vet 31.3.5382 2007.12.17 -
Ewido 4.0 2007.12.17 -
FileAdvisor 1 2007.12.17 -
Fortinet 3.14.0.0 2007.12.17 -
F-Prot 4.4.2.54 2007.12.17 -
F-Secure 6.70.13030.0 2007.12.17 -
Ikarus T3.1.1.15 2007.12.17 -
Kaspersky 7.0.0.125 2007.12.17 -
McAfee 5187 2007.12.17 -
Microsoft 1.3109 2007.12.17 -
NOD32v2 2728 2007.12.17 -
Norman 5.80.02 2007.12.17 -
Panda 9.0.0.4 2007.12.17 -
Prevx1 V2 2007.12.17 -
Rising 20.23.02.00 2007.12.17 -
Sophos 4.24.0 2007.12.17 -
Sunbelt 2.2.907.0 2007.12.15 -
Symantec 10 2007.12.17 -
TheHacker 6.2.9.161 2007.12.17 -
VBA32 3.12.2.5 2007.12.17 -
VirusBuster 4.3.26:9 2007.12.17 -
Webwasher-Gateway 6.6.2 2007.12.17 -
Additional information
File size: 20480 bytes
MD5: 197ddca9295bee5c16b621b0484a35f9
SHA1: 8447e7208d9d3150ef3d2264f941f86038f7eb01
PEiD: -
2517.exe is detected as Trojan-Downloader.Win32.Agent.gcs by Kaspersky. (18/12/2007)
<h4>
Rootkit Scan
</h4>IAT Hooks under the secondary / additional svchost.exe process. This scan was taken before 2517.exe arrived on the computer.
<h4>
GMER 1.0.14.13718 - http://www.gmer.net
Rootkit scan 2007-12-17 20:24:07
Windows 5.1.2600 Service Pack 2
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!LdrLoadDll 7C9161CA 10 Bytes JMP 00403717 C:\WINDOWS\system32\svchost.exe
---- User IAT/EAT - GMER 1.0.14 ----
---- EOF - GMER 1.0.14 ----
Warning
</h4>Do not attempt to delete basesrv32.dll yourself; normally you shouldn't even be able to, as the file is locked (using Explorer.exe).
If your antivirus solution does detect basesrv32.dll, try to ignore it. If it is already in quarantine, get it out of there if possible. Do not reboot, and seek help on the forums to clean up your computer. If the file is deleted without fixing the loading point, you will get a nice Game Over screen and your PC will be unbootable!
If you can't access the Internet from another computer and you are facing this BSOD, perform the steps below:
- Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Select any options that are required to start the computer from the CD-ROM drive if you are prompted.
- When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
- If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.
- When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
- At the command prompt, type the following command:
Copy %systemroot%\system32\basesrv.dll %systemroot%\system32\basesrv32.dll
- Reboot the computer by typing exit at the command prompt, and press ENTER.
- Boot into Safe Mode with networking so that your antivirus isn't enabled. Seek assistance on the forums.
- To start the computer from the Windows XP CD-ROM, you must configure the basic input/output system (BIOS) of the computer to start from your CD-ROM drive.
- Obtaining Windows XP Setup boot disks: http://support.microsoft.com/kb/310994/
http://asap.maddoktor2.com/
<h4>
Tools
</h4>Process Explorer:
http://www.microsoft.com/technet/sysintern...ssexplorer.mspx
SREng:
http://www.kztechs.com/eng/index.html
Thanks fly out to Cretemonster for finding this predator.






