Topic: Manual restore from Chest

tslugmo

  • Guest
Manual restore from Chest
« on: March 08, 2008, 09:40:08 PM »
This has happened a couple of times now, where on a boot scan, Avast mistakenly places a system file in the chest, then it won't boot into Windows anymore. The only option is to view the drive on another machine. So far I've figured out the location of the chest, and the index.xml file which I believe tells me the renamed file name and the previous name, so I thought I could just rename it back to the original name, then copy it back to the original location, but that doesn't seem to work. The first BSOD said missing file, then after copying the file back to the system32 folder, the 2nd BSOD said Bad Image (not a valid Windows image).

I'm assuming <ChestID> is the new file name, <OrigFileName> is the old file name, and the entry goes between <ChestEntry> and </ChestEntry>, in which case, I'm not sure what I've done wrong unless there's also a permissions thing or something.

The file was C:\WINDOWS\system32\basebfgct32.dll. I renamed it and uploaded it to totalvirus.com, and it came out clean. Thoughts?

Thanks.


Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Manual restore from Chest
« Reply #1 on: March 08, 2008, 10:10:52 PM »
If you have a second computer, copy and paste all files in the Chest folder to the second computer, restore the file from the Chest to a USB (or floppy) drive and paste it back on the original computer.
I've asked for a way to boot a computer and restore files into Chest. But programmers couldn't give me (and other users) another answer for that.
The best things in life are free.

psw

  • Guest
Re: Manual restore from Chest
« Reply #2 on: March 08, 2008, 10:17:03 PM »
This shit is loaded by modifying [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]

Originally the Windows key should be like this:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

But this malware substitutes basesrv,1 with its own baseXXXX32,1.

In this case deleting this malware makes it impossible to load in both safe and normal mode. You should boot from a LiveCD and put the original value basesrv back in the registry Windows key.
And no AV program should simply delete this file. Simultaneous registry correction is required.
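A check for the tampering psw describes, added here as an example that is not from the thread: it parses the SubSystems\Windows value, flags a missing basesrv,1 and any ServerDll not in the known set. The sample values are constructed from the value posted above; the known-DLL set and the live-registry helper are my assumptions for that platform.

```python
# Known-good Windows subsystem value as posted in the thread (constructed sample).
EXPECTED_WINDOWS_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16"
)
# Same value with basesrv,1 swapped for the malware's DLL name from the thread.
TAMPERED_WINDOWS_VALUE = EXPECTED_WINDOWS_VALUE.replace(
    "ServerDll=basesrv,1", "ServerDll=basebfgct32,1")

# Server DLLs that legitimately appear in this value (assumption for that platform).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv"}


def parse_server_dlls(value):
    """Return [(dll_name, entry_point_or_None, index_or_None)] per ServerDll= token."""
    entries = []
    for token in value.split():
        if not token.startswith("ServerDll="):
            continue
        spec = token[len("ServerDll="):]          # e.g. winsrv:UserServerDllInitialization,3
        name, _, idx = spec.partition(",")
        dll, _, entry = name.partition(":")
        entries.append((dll.lower(), entry or None, int(idx) if idx.isdigit() else None))
    return entries


def audit_subsystems_value(value):
    """Return a list of findings; an empty list means the value looks untouched."""
    findings = []
    entries = parse_server_dlls(value)
    if ("basesrv", None, 1) not in entries:
        findings.append("ServerDll=basesrv,1 missing: base server entry replaced or removed")
    for dll, entry, idx in entries:
        if dll not in KNOWN_SERVER_DLLS:
            findings.append(f"unknown ServerDll '{dll}' (index {idx}): csrss.exe loads it at boot")
    return findings


def read_live_windows_value():
    """Read the live value on Windows via winreg; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
        return value
```

On a mounted offline hive (the LiveCD case) the same audit applies to the value exported from that hive.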

tslugmo

  • Guest
Re: Manual restore from Chest
« Reply #3 on: March 09, 2008, 02:21:17 AM »
This shit is loaded by modifying [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]

Originally the Windows key should be like this:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

But this malware substitutes basesrv,1 with its own baseXXXX32,1.

In this case deleting this malware makes it impossible to load in both safe and normal mode. You should boot from a LiveCD and put the original value basesrv back in the registry Windows key.
And no AV program should simply delete this file. Simultaneous registry correction is required.

That's awesome advice. Unfortunately I don't know how to edit the registry without being in Windows. Does it matter what LiveCD I use? Can you give me a step-by-step once I boot to one? I really appreciate your help.

psw

  • Guest
Re: Manual restore from Chest
« Reply #4 on: March 09, 2008, 07:21:53 AM »
There is a simple way without registry editing. You boot from a LiveCD and manually copy WINDOWS\system32\basesrv.dll to WINDOWS\system32\basebfgct32.dll (this name is for your case only). In general this name can be different on different systems; it should be the same one used in the registry. The common malware name is baseXXXX32.dll, where XXXX is the variable part.
This copying should be enough for your system to subsequently load normally.

igor

  • Avast team
  • Serious Graphoman
  • Posts: 11851
    • AVAST Software
Re: Manual restore from Chest
« Reply #5 on: March 12, 2008, 01:04:33 AM »
Do you remember the name of the malware?
(Or, psw, do you know of a sample?)
Thanks.