Malwarebytes

Cryptographic Service won't start on XP2 Machine

#1 jsmply (New Member, Members, 16 posts)
Hi Everyone,

Exile360 has requested I start a new thread for an issue that has occurred on an XP SP2 workstation I have. I first became suspicious of the problem from ComboFix when it found that several files failed sigcheck. I did some digging and found out that the reason is that Cryptographic Services are not running. I have tried all the normal stuff and none of that helped. I seem to have the exact same thing going on as the poster in this other MBAM Forum thread:

http://www.malwarebytes.org/forums/index.p...20104&st=60

However, Exile360 (who was one of the main contributors on that thread) requested I start a new thread here as he does not have an XP2 machine available. Would someone mind giving me a hand with this issue?

LonnyRJ requested I check a registry entry as he believed the problem was only in SP3. This is the entry and it matches the registry on my machine exactly:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc
Description REG_SZ @%SystemRoot%\system32\cryptsvc.dll,-1002

Thanks in advance!

#2 LonnyRJ (True Member, Experts, 353 posts, Gender: Male, Location: pugent sound)
Hi jsmply,
Check these two keys also:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler
Look for the @ symbol in the Description value:
Description REG_SZ @%SystemRoot%\system32\cryptsvc.dll,-1002
Are they there too?
Is the PC Home or Pro?

#3 Jacktivity (True Member, Moderators, 346 posts)
Here is a copy of my entries off an XP Pro SP2 machine, if it helps.

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters
Class Name: <NO CLASS>
Last Write Time: 6/22/2009 - 8:38 AM
Value 0
Name: ServiceDll
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\cryptsvc.dll

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Parameters
Class Name: <NO CLASS>
Last Write Time: 6/22/2009 - 8:38 AM
Value 0
Name: ServiceDll
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\seclogon.dll

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
Class Name: <NO CLASS>
Last Write Time: 8/6/2009 - 12:11 AM
Name: ImagePath
Type: REG_EXPAND_SZ
Data: %SystemRoot%\system32\spoolsv.exe

I don't see any @ signs, nor any -1002.
Jack Lewis
Corporate Support Engineer

#4 jsmply (New Member, Members, 16 posts)
Thanks Jack. I definitely have the @ sign and the 1002. Lonny, this is XP Pro SP2. Thanks!

#5 LonnyRJ (True Member, Experts, 353 posts, Gender: Male, Location: pugent sound)
Ok jsmply, here we go.
First:
Launch Notepad (not WordPad or another text editor), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the word code). Save as file type: All files (*.*) and save it on your Desktop.
REGEDIT4
;
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Description"="Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Description"="Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"Description"="Loads files to memory for later printing."
;
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a success message, delete fixme.reg.

Second:
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it.
Please visit HERE if you don't know how: http://www.bleepingc...opic114351.html

After posting ComboFix's log, don't forget to re-enable your Antivirus/Antispyware/Firewall software.

Third:
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix
(Ignore the Google ads; go to the top and center of the page for instructions.)
When you download the file, rename it slightly, for example combo--fix.exe (as you download, not afterwards).

Post the log from ComboFix in your next reply.
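As an added diagnostic (example code written for this edit, not from the thread, from LonnyRJ or from Malwarebytes), this Python script parses a `reg export` of the three service keys discussed above and flags Description/DisplayName values that are still unresolved `@file,-id` resource references, the symptom jsmply reports; the sample export below is constructed, and the script assumes the export has already been decoded to text.

```python
import re
# Service keys the thread has you inspect; an "@<dll|exe>,-<id>" string left in
# Description/DisplayName is a resource reference Windows failed to resolve.
SERVICE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler",
}
RESOURCE_REF = re.compile(r"^@.*\.(?:dll|exe),\s*-\d+$", re.IGNORECASE)

def parse_reg_export(text):
    """Parse REGEDIT4 / 'Version 5.00' export text into {key: {name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            # .reg files escape backslash and quote with a backslash; undo that.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            keys[current][name] = data
    return keys

def unresolved_service_strings(text):
    """Return [(key, value_name, data)] for checked values still holding an @ reference."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in {k.lower() for k in SERVICE_KEYS}:
            continue
        for name in ("Description", "DisplayName"):
            data = values.get(name)
            if data is not None and RESOURCE_REF.match(data):
                findings.append((key, name, data))
    return findings

# Constructed sample of "reg export" output showing the broken state from the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Description"="@%SystemRoot%\\system32\\cryptsvc.dll,-1002"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Description"="Enables starting processes under alternate credentials."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="@%SystemRoot%\\system32\\spoolsv.exe,-1"
"Description"="@%SystemRoot%\\system32\\spoolsv.exe, -2"
"""
```

A clean machine (plain-text descriptions, as in Jacktivity's dump) yields an empty list; each tuple returned names a value the fixme.reg above overwrites.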

#6 jsmply (New Member, Members, 16 posts)
Thank you Lonny. Is this regedit fix safe to run on XP2? Also, is there any risk in these fixes? I just want to make sure as I only have access to the machine via LogMeIn right now as the machine resides in the boss's office and due to sensitive information in the area, he only wants me to have remote access except for critical system problems. Like I said, the machine "works" right now . . . I just want to make sure none of these processes run the risk of crippling it. I seem to recall running ComboFix a few times via LogMeIn on other systems, but just wanted to verify.

Also, the regedit process is to repair the problem, correct? Just so I understand, what are we running ComboFix for here?

Thanks!

#7 jsmply (New Member, Members, 16 posts)

Also, I see we are making changes to the spooler registry entries. Right now the printers (including shared printers that are connected to this machine) work just fine on the network. Does that mean anything? Will this disrupt any shared printers that are connected to this machine?

I just want to make sure the fix doesn't cause more harm than good.

Thanks!

#8 jsmply (New Member, Members, 16 posts)

One last reply and then I will wait for your answer. The Spooler description reads as follows: "@%Systemroot%\system32\spoolsv.exe, -2" and I also notice that directly underneath it, the display name has an @ sign also; the display name reads "@%Systemroot%\system32\spoolsv.exe, -1".

Does that help at all? I just want to clarify all details before running the fix and causing an issue. Thanks!

#9 LonnyRJ (True Member, Experts, 353 posts, Gender: Male, Location: pugent sound)
Hi,

ComboFix will fix the important parts; the reg file is language specific and also needs to be run.

You'll be fine; ComboFix creates a Windows System Restore point to ensure your PC will have backups.

#10 LonnyRJ (True Member, Experts, 353 posts, Gender: Male, Location: pugent sound)
Post back jsmply

#11 jsmply (New Member, Members, 16 posts)

Hi LonnyRJ, sorry for the delayed response. The boss is out of town for a while so I won't have access to the machine again for a bit. Do you mind if I keep the thread open?

Just to clarify, I see parts of the regfile that mention the printer spooler. The printer spooler is currently working fine on this machine with LOTS of attached printers, some shared. Will the reg file compromise any of that? I went ahead and ran just the crypsrvs part of the regfile before the boss left town (while I was waiting for your reply) but that alone didn't fix it.

I take it ComboFix has been updated to fix this problem in Windows XP2 and XP3? That will be my next step here. Thanks and again I'm really sorry for the delay. The boss left town unexpectedly and I have no access to that office.

#12 LonnyRJ (True Member, Experts, 353 posts, Gender: Male, Location: pugent sound)
"Will the reg file compromise any of that?"
No.
"I take it Combofix has been updated to fix this problem in Windows XP2 and XP3?"
Yes, it has been.

Having said that, there is always a risk running any fixes, and since you appear to be using a company PC, please ask the appropriate personnel before attempting any repairs.

#13 jsmply (New Member, Members, 16 posts)

Thanks Lonny. I will run the updates when the boss is back in the office as it's his machine. Should I leave this thread open or just assume this is the fix and open a new one when/if this does not correct the repair?

Thanks!

#14 LonnyRJ (True Member, Experts, 353 posts, Gender: Male, Location: pugent sound)
We can leave the thread open, not a problem.

Surf safe