Suspect false Disabled.Cryptsvc


FunnyMoney


When I run Malwarebytes in Windows Safe Mode sometimes I get Disabled.Cryptsvc.

 
Registry Data Items Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc|Start (Disabled.Cryptsvc) -> Bad: (4) Good: (2) -> Quarantined and repaired successfully.
 
And if I run it again, it looks OK. I later ran it again in Windows Safe Mode and got another Disabled.Cryptsvc. I looked at my registry and validated that it was set to 4 before I let Malwarebytes correct it, and validated that it did change it to 2 (4 = disabled and 2 = automatic). I wondered what could be changing this, so I tried various things on my computer in normal Windows mode and kept checking to see if my registry and my services.msc had changed. Nothing I did changed this value from 2. Even when I went to Windows Safe Mode, just before I ran Malwarebytes again, I checked my registry and services.msc and it showed it was set to the correct setting of 2. So when I run Malwarebytes it pops up with the same thing: the Disabled.Cryptsvc change to 4 again.
 
One thing that happened one time, just after going to Safe Mode: it did a chkdsk. I let it complete and then ran Malwarebytes; it did not show a problem right after that. But when I went back to Windows normal mode, then back to Safe Mode and ran Malwarebytes again, I got the problem again. I think this might be a false positive, but I guess it could be a rootkit that is setting this condition???
 
I am running Windows 7 Home Edition.

Attached logs:
mbam-log-2013-12-19 (19-51-41).txt
mbam-log-2013-12-29 (23-12-41).txt
mbam-log-2013-12-29 (23-21-53).txt
mbam-log-2013-12-30 (13-27-34).txt
mbam-log-2013-12-30 (19-44-44).txt
mbam-log-2013-12-30 (19-52-34).txt
mbam-log-2013-12-30 (20-00-37).txt


I downloaded and ran the Malwarebytes Anti-Rootkit program. I got a pop-up that said: Registry value "AppInit_Dlls" has been found, which may be caused by a rootkit. I answered "No" to fixing this because I checked and found that AppInit_Dlls is a valid Microsoft dll. MBAR continued to run and scanned my system. It found no rootkits. I ran this in Windows 7 Home normal mode, not Safe Mode. I may try that next.

Staff

Hi,

 

The Cryptographic Services service doesn't run in Windows Safe Mode, so it looks like its startup type has been changed to Disabled here when run in Safe Mode, and that is what is being triggered by Malwarebytes.

This isn't really a false positive, but in your case it's nothing to worry about, since you've run it and triggered this from Windows Safe Mode. Fixing what MBAM found sets the startup type to Automatic (enabled) again.

The main reason this is targeted is that some malware does disable this service. Since we cannot determine whether the service was disabled by malware or because you are running in Windows Safe Mode, we detect it anyway, just to make sure. As I explained, quarantining this doesn't delete anything; it just corrects the startup type for this service again.

 

As for AppInit_DLLs, this isn't necessarily a Microsoft dll; as a matter of fact, Microsoft doesn't put any DLLs there. It's mainly third-party programs that set an AppInit_DLLs value there.

The AppInit_DLLs are loaded into each user-mode process on the system, so basically almost any process. This is why malware uses this approach a lot (it sets a dll under AppInit_DLLs), so it is loaded into almost every process. That is why MBAR alerts you that an AppInit_DLLs value is present and loaded.

You can always verify which dll is loaded there by looking at the AppInit_DLLs value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows.

 

This is also why the AppInit_DLLs mechanism is not a recommended approach for legitimate applications: it can lead to system deadlocks and performance problems. Since Windows Vista, this value has been disabled by default, and is only enabled again when a certain program makes use of it (which is not recommended). Since Windows 7, every use of AppInit_DLLs also requires the dll to be code signed.

Microsoft also recommends that people not use the AppInit_DLLs feature: http://support.microsoft.com/kb/197571

"We do not recommend that applications use this feature or rely on this feature. There are other techniques that can be used to achieve similar results."

 

Unfortunately, there are still some legitimate apps that want to use AppInit_DLLs even though its usage is not recommended. Nvidia is a good example here.

In your case, there's nothing to worry about if the AppInit_DLLs value is indeed pointing to a legitimate dll.

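The two checks the staff reply describes, as an added PowerShell example that is not part of this thread and not Malwarebytes' own tooling: it reads the CryptSvc Start value (2 = Automatic, 4 = Disabled, the two numbers in the MBAM log line) and cross-checks it against what the Service Control Manager reports, then reads the AppInit_DLLs value together with the LoadAppInit_DLLs and RequireSignedAppInit_DLLs switches and verifies the Authenticode signature of each listed DLL. It assumes an elevated prompt on Windows 7 or later; resolving a bare DLL name against System32 is a simplification of the real loader search order and is marked as such in the code.

```powershell
# Added example (not from the forum post): audit the two registry locations
# discussed above. Run from an elevated PowerShell prompt (PowerShell 2.0+).

# --- 1. CryptSvc startup type -------------------------------------------
# Start = 2 is Automatic, 4 is Disabled; these are the values in the MBAM log line.
$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\CryptSvc'
$start      = (Get-ItemProperty -Path $svcKey -Name Start).Start
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
"CryptSvc Start = $start ($($startNames[[int]$start]))"

# Cross-check with the Service Control Manager (this is what services.msc shows).
Get-WmiObject -Class Win32_Service -Filter "Name='CryptSvc'" |
    Select-Object Name, StartMode, State

# Optional repair, equivalent to what the MBAM "repair" does. Uncomment to apply.
# Set-ItemProperty -Path $svcKey -Name Start -Value 2
# Start-Service -Name CryptSvc

# --- 2. AppInit_DLLs -----------------------------------------------------
# Microsoft ships no DLL in this value; anything listed is third party or malware.
# On 64-bit Windows the 32-bit view lives under ...\Wow6432Node\Microsoft\Windows NT\...;
# both keys are checked here (assumption: the Wow6432Node key may be absent, so it is skipped).
$winKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($winKey in $winKeys) {
    if (-not (Test-Path -LiteralPath $winKey)) { continue }
    $props = Get-ItemProperty -Path $winKey
    ""
    "Key: $winKey"
    "  LoadAppInit_DLLs          = $($props.LoadAppInit_DLLs)"          # 1 = mechanism enabled
    "  RequireSignedAppInit_DLLs = $($props.RequireSignedAppInit_DLLs)" # 1 = unsigned DLLs are refused
    "  AppInit_DLLs              = '$($props.AppInit_DLLs)'"

    # The value is a space- or comma-separated list, often using 8.3 short paths.
    $dlls = @($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
    foreach ($dll in $dlls) {
        $path = $dll
        # Simplification: a bare file name is looked up in System32 only. The real
        # loader walks the full DLL search order, so treat "NotFound" as "not in System32".
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot ("System32\" + $dll)
        }
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            New-Object PSObject -Property @{
                Dll    = (Get-Item -LiteralPath $path).FullName
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = $signer
            }
        } else {
            New-Object PSObject -Property @{ Dll = $dll; Status = 'NotFound'; Signer = '' }
        }
    }
}
```

Reading the output: a CryptSvc Start of 4 in normal mode, or an AppInit_DLLs entry whose Status is anything other than Valid with a signer you recognise (the staff reply names Nvidia as a common legitimate one), is what merits a closer look; a 4 observed only inside Safe Mode matches the benign explanation given above.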
