Cryptographic Service won't start on XP2 Machine


Hi Everyone,

Exile360 has requested I start a new thread for an issue that has occurred on an XP SP2 workstation I have. I first became suspicious of the problem from Combofix when it found that several files failed sigcheck. I did some digging and found out that the reason is because Cryptographic services are not running. I have tried all the normal stuff and none of that helped. I seem to have the same exact thing going on as the poster in this other MBAM Forum thread:

http://www.malwarebytes.org/forums/index.p...20104&st=60

However, Exile360 (who was one of the main contributors on that thread) requested I start a new thread here as he does not have an XP2 machine available. Would someone mind giving me a hand with this issue?

LonnyRJ requested I check a registry entry as he believed the problem was only in SP3. This is the entry and it matches the registry on my machine exactly:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc

Description REG_SZ @%SystemRoot%\system32\cryptsvc.dll,-1002

Thanks in advance!

Link to post
Share on other sites

Hi jsmply

Check these two keys also:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler

Look for the @ symbol in the Description value

Description REG_SZ @%SystemRoot%\system32\cryptsvc.dll,-1002

Are they there too?

Is the PC Home or Pro?

Link to post
Share on other sites
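
The check described in the post above, as an added example that is not part of the thread: a Python sketch that scans `reg query`-style text and reports every Description or DisplayName value stored as an `@module,-id` reference instead of literal text. The sample text is constructed from values quoted in this thread, and the function name is hypothetical.

```python
import re

# Constructed sample in the style of `reg query` output. The @ values and the
# Spooler ImagePath are the ones quoted in this thread; the seclogon line is a
# constructed literal description for contrast.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc
    Description    REG_SZ    @%SystemRoot%\system32\cryptsvc.dll,-1002

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon
    Description    REG_SZ    Enables starting processes under alternate credentials.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    DisplayName    REG_SZ    @%Systemroot%\system32\spoolsv.exe, -1
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spoolsv.exe
    Description    REG_SZ    @%Systemroot%\system32\spoolsv.exe, -2
"""

# "<name> <REG_type> <data>"; value names may contain spaces, so match lazily.
VALUE_LINE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# "@<module>,-<resource id>", with optional space after the comma.
INDIRECT = re.compile(r"^@(?P<module>.+?),\s*-(?P<res_id>\d+)$")
CHECKED = {"description", "displayname"}


def find_indirect_strings(text):
    """Hypothetical helper: list (service, value, module, resource id) for each
    Description/DisplayName that is an '@module,-id' reference, not literal text."""
    hits, service = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("HKEY_"):
            service = line.strip().rsplit("\\", 1)[-1]  # last key component
            continue
        m = VALUE_LINE.match(line)
        if service is None or not m or m["name"].lower() not in CHECKED:
            continue
        ref = INDIRECT.match(m["data"].strip())
        if ref:
            hits.append((service, m["name"], ref["module"], int(ref["res_id"])))
    return hits


if __name__ == "__main__":
    for service, value, module, res_id in find_indirect_strings(SAMPLE):
        print(f"{service}: {value} -> resource {res_id} in {module}")
```
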

Here is a copy of my entries off an XP Pro SP2 machine, if it helps.

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters

Class Name: <NO CLASS>

Last Write Time: 6/22/2009 - 8:38 AM

Value 0

Name: ServiceDll

Type: REG_EXPAND_SZ

Data: %SystemRoot%\System32\cryptsvc.dll

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Parameters

Class Name: <NO CLASS>

Last Write Time: 6/22/2009 - 8:38 AM

Value 0

Name: ServiceDll

Type: REG_EXPAND_SZ

Data: %SystemRoot%\System32\seclogon.dll

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler

Class Name: <NO CLASS>

Last Write Time: 8/6/2009 - 12:11 AM

Name: ImagePath

Type: REG_EXPAND_SZ

Data: %SystemRoot%\system32\spoolsv.exe

I don't see any @ signs, nor any -1002

Link to post
Share on other sites

Ok jsmply, here we go

First:

Launch Notepad (not wordpad or other text editor), and copy and paste the contents of the code box below into a new text file.

Save it as file name: "fixme.reg" (not including the word code). Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4
;
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Description"="Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Description"="Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"Description"="Loads files to memory for later printing."
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Second:

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it.

Please visit HERE if you don't know how. http://www.bleepingcomputer.com/forums/topic114351.html

After posting ComboFix's log, don't forget to re-enable your Antivirus/Antispyware/Firewall software.

Third:

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

(Ignore the Google ads, go to the top and center of the page for instructions)

When you download the file, rename it slightly, for example combo--fix.exe (as you download, not afterwards)

Post the log from ComboFix in your next reply.

Link to post
Share on other sites

Thank you Lonny. Is this regedit fix safe to run on XP2? Also, is there any risk in these fixes? I just want to make sure as I only have access to the machine via LogMeIn right now as the machine resides in the boss's office and due to sensitive information in the area, he only wants me to have remote access except for critical system problems. Like I said, the machine "works" right now . . . I just want to make sure none of these processes run the risk of crippling it. I seem to recall running Combofix a few times via LogMeIn on other systems, but just wanted to verify.

Also, the regedit process is to repair the problem, correct? Just so I understand, what are we running combofix for here?

Thanks!

Link to post
Share on other sites

Also, I see we are making changes to the spooler registry entries. Right now the printers (including shared printers that are connected to this machine) work just fine on the network. Does that mean anything? Will this disrupt any shared printers that are connected to this machine?

I just want to make sure the fix doesn't cause more harm than good.

Thanks!

Link to post
Share on other sites

One last reply and then I will wait for your answer. The Spooler description reads as follows: "@%Systemroot%\system32\spoolsv.exe, -2" and I also notice that directly underneath it, the display name has an @ sign also; the display name reads "@%Systemroot%\system32\spoolsv.exe, -1".

Does that help at all? I just want to clarify all details before running the fix and causing an issue. Thanks!

Link to post
Share on other sites

Post back jsmply

Hi LonnyRJ, sorry for the delayed response. The boss is out of town for a while so I won't have access to the machine again for a bit. Do you mind if I keep the thread open?

Just to clarify, I see parts of the regfile that mention the printer spooler. The printer spooler is currently working fine on this machine with LOTS of attached printers, some shared. Will the reg file compromise any of that? I went ahead and ran just the CryptSvc part of the regfile before the boss left town (while I was waiting for your reply) but that alone didn't fix it.

I take it Combofix has been updated to fix this problem in Windows XP2 and XP3? That will be my next step here. Thanks and again I'm really sorry for the delay. The boss left town unexpectedly and I have no access to that office.

Link to post
Share on other sites

"Will the reg file compromise any of that?"

No

"I take it Combofix has been updated to fix this problem in Windows XP2 and XP3?"

Yes it has been.

Having said that, there is always a risk running any fixes, and since you appear to be using a company PC, please ask the appropriate personnel before attempting any repairs.

Link to post
Share on other sites

Thanks Lonny. I will run the updates when the boss is back in the office as it's his machine. Should I leave this thread open or just assume this is the fix and open a new one when/if this does not correct the repair?

Thanks!

Link to post
Share on other sites
