Malware Removal causes STOP: C0000135


Symptom

You are running Windows XP and you recently removed some malware. After removing the malware, you get the following message on a blue screen (BSOD):

STOP: C0000135 {Unable to locate component} This application has failed to start because [name] was not found. Reinstalling the application may fix this problem.

… where [name] is a word starting with the letters ‘base’ (not winsrv or user32) and has some random crap on the end of it, and you can’t boot the machine anymore.

Cause

You have inadvertently deleted a file Windows ‘thinks’ it needs, but doesn’t really. The malware you removed hijacked a registry entry to ensure it is loaded with every Windows session, so you have to un-hijack that registry entry to fix it, basically pointing Windows to the original non-malware version of the file it thinks it needs.

Solution

  • Load the hijacked “SYSTEM” hive file on a clean system. (You can do this any way you wish. You can use Windows PE, or another Windows machine; it basically goes like this)
    • Get access to the file called “system” on the infected machine in the folder C:\windows\system32\config (the previous path may be different if Windows is installed in a different folder or on a different drive letter)
    • Use the clean system to run regedit, highlight the “HKEY_LOCAL_MACHINE” branch at the left, click “File”, then “Load Hive…”, and point it to the “system” file I talked about above.
    • Regedit will ask you for a name. Just call it “FIX”.
  • Next, navigate to: HKEY_LOCAL_MACHINE\FIX\CurrentControlSet\Control\Session Manager\SubSystems
    • The folder above called CurrentControlSet may be called ControlSet1 or ControlSet2, or the like. There may be more than one. If you are unsure which one to use, perform the following steps in all of them.
  • At the right, you will see the value called “Windows”. This is the infected registry value. You must replace the value with the following, all on one line:
    • Right click on the item called “Windows”, select “Modify”, then paste in the following value:
    • %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
  • When done, go back to the top and highlight the FIX folder underneath HKEY_LOCAL_MACHINE. Then click “File” and “Unload Hive…”
  • Put your fixed machine back together (i.e. put the hard drive back in it, or throw the fixed system file back in the right place … or basically reverse whatever you did to get access to the system file)
  • Boot up your fixed computer.
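
The comparison below is an added example, not code from the original post: it splits a SubSystems “Windows” value into tokens and reports which ones differ from the known-good string given in the steps, so you can record what the malware changed before you overwrite it. The hijacked sample and its DLL name `basezq7x` are constructed, and the example assumes the malware altered the `ServerDll=basesrv` token.

```python
# Added example (not from the original post): compare a SubSystems "Windows"
# value token by token against the known-good string quoted in the article.
KNOWN_GOOD = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    r"MaxRequestThreads=16"
)

# Constructed sample: "basezq7x" is a made-up DLL name standing in for the
# random "base..." name from the STOP message (assumed to replace basesrv).
SAMPLE_HIJACKED = KNOWN_GOOD.replace("ServerDll=basesrv,1", "ServerDll=basezq7x,1")


def tokens(value):
    """Whitespace-separated tokens, lower-cased (Windows names ignore case)."""
    return [t.lower() for t in value.split()]


def server_dlls(value):
    """DLL base names referenced by ServerDll= tokens, in order."""
    names = []
    for tok in tokens(value):
        key, _, rest = tok.partition("=")
        if key == "serverdll":
            # "winsrv:userserverdllinitialization,3" -> "winsrv"
            names.append(rest.split(",")[0].split(":")[0])
    return names


def diff_value(value, good=KNOWN_GOOD):
    """Tokens present but not expected, expected but absent, and image check."""
    have, want = tokens(value), tokens(good)
    return {
        "unexpected": [t for t in have if t not in want],
        "missing": [t for t in want if t not in have],
        "image_ok": bool(have) and have[0] == want[0],
    }


if __name__ == "__main__":
    report = diff_value(SAMPLE_HIJACKED)
    print("ServerDll names:", server_dlls(SAMPLE_HIJACKED))
    for kind in ("unexpected", "missing"):
        for tok in report[kind]:
            print(f"{kind:10} {tok}")
    print("csrss.exe image path intact:", report["image_ok"])
```

A differing `SharedSection` token is not by itself a sign of hijacking, since those sizes are sometimes tuned by administrators; the image path and the `ServerDll` tokens are the ones to scrutinise.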

  1. #1 by inanis on November 12, 2008 - 8:58 pm

    Robin,

    All three of those applications are good for general malware removal. I also suggest a program called HijackThis. I am also partial to AVG Free instead of Avast, but you know, whatever floats your boat!

  2. #2 by Matt on November 15, 2008 - 2:34 pm

    Excellent fix. Saved me much time and effort in searching for that in the registry. Your WP theme looks really nice also.
    Thanks again.

  3. #3 by Gus on November 16, 2008 - 11:10 am

    Hi Inanis, I ran the process using an operating Win XP pro 3 times and the problem is still there. I did a search for the file/component not found by the system (user32.dll). I did a copy of the dll file from the operating hard disk to the broken one and the system booted finally.
    There is a non common behavior on the session right now, the system boots fine… but AVG is making the system so slow. I’m trying to uninstall the AVG 8.x from the computer but it’s not possible.
    For some reason I can’t start the system in Safe Mode to uninstall the AVG program.
    Could you suggest me some procedure to follow it.

    Regards,
    Gus

  4. #4 by inanis on November 16, 2008 - 11:33 am

    A trick to remove AVG: try to re-install the same version you already have installed. The installer program will give you the option to uninstall it. Hop on over to my contact page, shoot me an email and we can continue this there. It’s gonna be too long and messy for comments.

    http://www.inanis.net/blog/index.php/about/contact-me/

  5. #5 by Matt on November 16, 2008 - 7:31 pm

    Gus, you might try going into services (Start-Run-Type “services.msc”-Ok) and stopping the AVG services (right click each and select “stop”) before you attempt the uninstall.

  6. #6 by Dan on November 17, 2008 - 12:12 pm

    I have the same problem as Wendy and am unsure how to load the “SYSTEM” hive onto a clean system. Also now the screen just goes black when I try to turn my PC on (it was blue screening with this error before when I tried to start it), is this another effect of the virus, or due to me opening up the PC and fiddling?

  7. #7 by Dan on November 17, 2008 - 1:18 pm

    fixed monitor with no display issue.

  8. #8 by inanis on November 17, 2008 - 7:57 pm

    Dan, good question. My comment on July 23rd, 2008 at 4:49 pm is quite explicit on fixing the issue. Also, my comment on August 22nd, 2008 gives a hint on how to access the drive on another computer. Go up, give it a read and see if that helps you. If not, let me know and I will try to write it out using clearer language (a challenge for me, I tend to be obtuse!)

    As for it BSODing, and now just giving a black screen, yes, that could be related to what you call “fiddling”. At this point, I cannot officially advise any course of action, simply because of the legal ramifications of doing so. However, I can at the least suggest reversing your steps to see if the BSOD comes back. If so, then your computer isn’t totally busted.

    In any case, the black screen could be caused by your trying to start up the system without a hard drive in it. Is that the case?

  9. #9 by inanis on November 17, 2008 - 7:58 pm

    Oops. didn’t see the second comment waiting for approval. My bad.

  10. #10 by Dan on November 19, 2008 - 10:27 am

    I also get different BSOD messages every time (this was just one of the messages I wrote down). Do you think this fix will still work?

  11. #11 by inanis on November 19, 2008 - 7:34 pm

    Dan,

    If you are getting completely different BSOD messages, you more likely have a hardware problem. I would check out http://www.ultimatebootcd.com/ and grab a copy, burn it and boot to it on the broken computer. Run MemTest86 and see what you get.

  12. #12 by Just Zis Guy, You Know on November 20, 2008 - 11:07 pm

    You solved my problem! Many, many, many thanks!

  13. #13 by Just Zis Guy, You Know on November 20, 2008 - 11:09 pm

    Perhaps I can give a little something back … while the infected drive is connected to your fix-it computer, you can use Spybot with the “/allhives” command line option to scan the infected registry and remove all sorts of stuff. It won’t fix the exact problem that your fabulous solution addresses, however.

  14. #14 by inanis on November 20, 2008 - 11:10 pm

    Thanks for the tip, JZGYK!

  15. #15 by Help Me Please on December 1, 2008 - 6:11 pm

    Please can you help me fix this problem too?!

    I have the exact same error but I do not understand it, it’s too technical for me. I’m really annoyed since I was in the middle of work and now it just crashed. I did save it luckily. Please can you email me? :s

    Thank you so much.

  16. #16 by rdhulipa on December 2, 2008 - 6:56 pm

    I have the exact same error (stop: C000135 unable to locate component and the component is symtdi.sys) on Windows Vista SP1 (on a Gateway laptop) most likely after I removed Norton360 (came with 60 day trial and I removed it afterwards). Correcting hive on a good system and bringing it back to affected has not helped. Any ideas??

  17. #17 by inanis on December 2, 2008 - 9:21 pm

    RDhulipa…

    This is a related problem but not the exact same thing. This would require a different custom hack of the registry. I would personally load the hive offline just like before, but instead do a search for symtdi.sys, read all relevant entries as I found them and make an educated guess as to which one to delete/modify. It might involve Class IDs, it might not.

    You could also try “faking” windows out by making a copy of some other innocuous system file, beep.sys for example, renaming it to symtdi.sys, and placing it in C:\windows\system32\ and/or C:\windows\system32\drivers … but that might not work. It probably won’t make it worse, tho…

    You may just want to cut your losses and just backup your data and reinstall.

  18. #18 by aychekay on December 12, 2008 - 9:36 am

    Looks like AVG Antivirus is at fault in this issue occasionally. It’s been known to delete user32.dll.

  19. #19 by Samhain on December 21, 2008 - 2:28 am

    Saved my butt

  20. #20 by Aditya K on December 28, 2008 - 5:48 am

    Thanks a lot !!!!!!

    I removed Symantec Endpoint protection from My Dell VOSTRO 1510 Laptop, and installed onecare.
    I ran a quick scan, it asked for restart to remove some infections, I restarted it …
    Hmm, all I see is Windows dead Blue Screen with STOP error.
    I created a bootable WIN PE and booted from it.
    (I tried Bart PE, it gave some errors and closed, i D/L Windows PE 2.0 from Microsoft http://www.microsoft.com/downloads/details.aspx?familyid=c7d4bc6d-15f3-4284-9123-679830d629f2&displaylang=en and followed these directions for creating Bootable Disk http://www.svrops.com/svrops/articles/winvistape2.htm )

    Then I followed your instructions, made changes and rebooted ….

    It’s gone… Thanks a lot for saving loads of data and time….

  21. #21 by Ihoxha on December 29, 2008 - 4:36 pm

    Hi Inanis,

    A friend of mine has got this problem as well. The error says that user32.dll is missing and when computer is booted it shows the blue screen with the error. He asked me to have a look into it but I cannot get it working. I tried to reboot it in safe mode but nothing happens. I do not know how to copy the dll from the cd since I am blocked with the blue screen? No command or anything works. Please help me with this problem.

    thanks a lot,
    Ihoxha.

  22. #22 by inanis on January 1, 2009 - 12:31 pm

    Ihoxha said…

    Quick Hint: Remove the hard drive from the “broken” machine and attach it to a working machine.

  23. #23 by tom on January 2, 2009 - 9:27 am

    Hi
    “Quick Hint: Remove the hard drive from the “broken” machine and attach it to a working machine.”
    How can I do that??

  24. #24 by Ihoxha on January 5, 2009 - 9:51 am

    Thanks for the hint. I shall try that.

  25. #25 by Matt on January 22, 2009 - 12:35 pm

    Bacon well and truly saved nice one!

  26. #26 by Erik on January 29, 2009 - 4:43 am

    Dear Iranis,
    I am in the same position like Wendy, below, may you please instruct me then by e mail ?

    Erik

    Wendy said…

    Ok, this is exactly what is happening, but, I don’t know how to load a “system” hive file on a clean system. I am obviously a novice, but have no clue how to do this? I can’t even get into safe mode, safe mode with command prompt, etc. I can do NOTHING! Can you give me step by step instructions? Thanks~

    12:03 pm – July 9th, 2008

  27. #27 by SSPorts on February 22, 2009 - 3:20 pm

    When I try to edit the windows value I get an error saying “Cannot Edit Windows: Error writing values new contents”? Any suggestions? I pasted into the proper location and everything.

  28. #28 by SSPorts on February 22, 2009 - 4:45 pm

    Ok sorry.. in the folder that I wanted to change the reg value, I had to access permissions and allow full access (even as an administrator). I did this and made the necessary changes but still have the blue screen. Any ideas as to why I can’t boot still?

    • #29 by inanis on February 25, 2009 - 9:27 pm

      SSports, this error tends to be quite wacky. If you have followed the directions and it still BSOD’s, I’m afraid that without directly looking at the computer in question, the only thing I can suggest is to back up the data and reinstall Windows.

  29. #30 by Dave on June 10, 2009 - 12:08 am

    I was lucky enough to find this solution. I had exactly the problem described, after removing Klone T. The solution worked to perfection, so thank you to whoever worked it out.

  30. #31 by Joseph on June 18, 2009 - 12:13 am

    Thank you for the good (clearly stated) fix

  31. #32 by Jamoke on October 23, 2009 - 6:23 am

    The user32.dll fix worked a treat, thanks a lot, you saved me time, money and data. Excellent.
