Microsoft Cryptographic Service


The Microsoft Cryptographic Service is listed under services, but when I run start the following is returned.

When I run 'Start'

I get Error26: the Specified Service could not be found.

I have checked that all the dlls associated with the service are under

WINDOWS\System32

I have also run Microsoft Fix it 50528, which appears to run successfully; the service is still not installed.

The MS Help forum suggested I post a request for help on a malware forum.


Hello and welcome to the MalwareBytes forums.

My name is Maurice Naggar.

I will be helping you today.

Kindly make sure you are only asking for help here (now) and not at another venue also.

Provide me a link to your thread at the MS Answers forum, so I can review and get up to speed.

Download >> Farbar's Service Scanner utility << and Save to your Desktop.

If using Windows 7 or 8 or Vista, Right-Click on fss.exe and select Run As Administrator.

If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Copy & Paste contents of FSS.txt into your reply.


Farbar Service Scanner Version: 31-05-2013 01

Ran by HowsonRT (administrator) on 10-06-2013 at 08:43:13

Running from "C:\Documents and Settings\HowsonRT\Desktop"

Microsoft Windows XP Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

cryptsvc Service is not running. Checking service configuration:

The start type of cryptsvc service is OK.

The ImagePath of cryptsvc service is OK.

The ServiceDll of cryptsvc: "%SystemRoot%\System32\cryptsvc.dll".

Windows Autoupdate Disabled Policy:

============================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(8) Tcpip(3)

0x080000000400000001000000020000000300000008000000050000000600000007000000

IpSec Tag value is correct.

**** End of log ****
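
An added example, not part of the original thread and not Farbar's code: a small triage pass over an FSS-style log that pulls out the lines a helper reads first (stopped services, values listed under a "Disabled Policy" heading, and file checks that are not "MD5 is legit"). The heading layout is inferred from the single log above, the function name `triage` is hypothetical, and treating any other file verdict as "needs review" is an assumption.

```python
import re

# Constructed sample: single-spaced excerpt in the layout of the log above,
# plus one constructed file verdict (last line) to exercise the file check.
SAMPLE_LOG = r'''
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
Windows Update:
============
cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is OK.
The ServiceDll of cryptsvc: "%SystemRoot%\System32\cryptsvc.dll".
File Check:
========
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\example.dll => constructed non-legit verdict
'''

STOPPED = re.compile(r'^(\S+) Service is not running')
REG_VALUE = re.compile(r'^"([^"]+)"=\w+:(\S+)$')
FILE_LINE = re.compile(r'^(.+?) => (.+)$')
RULE = re.compile(r'^=+$')

def triage(log_text):
    """Return (kind, detail) findings. Blank lines are ignored, so a
    double-spaced paste parses the same as single-spaced text."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings, section, key = [], None, None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and RULE.match(lines[i + 1]):
            section, key = line.rstrip(':'), None   # heading above a ==== rule
        elif RULE.match(line):
            continue
        elif line.startswith('[HKEY_'):
            key = line.strip('[]')                  # registry key for next value
        elif (m := STOPPED.match(line)):
            findings.append(('service_stopped', m.group(1)))
        elif (m := REG_VALUE.match(line)) and 'Disabled Policy' in (section or ''):
            findings.append(('policy', f'{key}\\{m.group(1)}={m.group(2)}'))
        elif (m := FILE_LINE.match(line)) and m.group(2) != 'MD5 is legit':
            findings.append(('file_review', m.group(1)))
    return findings

if __name__ == '__main__':
    for kind, detail in triage(SAMPLE_LOG):
        print(kind, detail)
```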


Let's start with this.

Download and Save to your Desktop http://download.bleepingcomputer.com/win-services/xp/CryptSvc.reg

Then do a Right-click on it and select Merge.

Allow it to merge; press OK if & when presented with a prompt.

Now, do a Logoff and Restart the system.

Check on some key Windows services by using the services management console (services.msc).

Press Windows-key+R key to start the RUN option.

Type in services.msc & Enter

The following services must NOT be *Disabled* in the Startup type.

Automatic Updates

Background Intelligent Transfer Service(BITS)

Cryptographic Services

Remote Procedure Call (RPC)

They need to show a startup type of Manual or Automatic.

Here are the services & their Startup types:

Background Intelligent Transfer Service(BITS) . . . Automatic

Cryptographic Services . . . . . . . . . . . . . . .Automatic

Remote Procedure Call (RPC). . . . . . . . . . . . .Automatic

Windows Update . . . . . . . . . . . . . . . . . . .Automatic

The Status column should show Started for each of these services.

Tell me how yours are showing.

Close Services management console when done.


Thank you, Maurice,

The pane that was produced was 'Services'. I could not find Start-up type. Under Services, Cryptographic Services is shewn as Automatic but not started. Attempting to start Cryptographic Services produced a 126 Error "Could not Start Cryptographic Services on local computer". The Specified Module could not be found.

The other services you list are all started.

RTH


Hello,

Please confirm that you indeed have downloaded & merged the cryptsvc reg file ...just as I outline in my preceding reply.

Your MS thread (I think) stated that you had "turned off" some windows services. Is that correct?

If yes, tell me what you turned off.

It is not advisable to be looking at running tasks with svchost listed and do things on your own ....unless you are an expert at what you are doing & are conversant with windows services & how windows runs processes.

I need additional logs to hope to see more information.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Step 4

Download Security Check by screen317 and save it to your Desktop: here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

Step 5

  • Close all open browsers at this point.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Do NOT turn off the firewall
  • Start Internet Explorer
  • Using Internet Explorer browser only, go to BitDefender Quickscan website:
    http://quickscan.bitdefender.com
    and click "Start Scan".
  • Observe your browser in case it shows a notice/message bar to allow download and installation of a tool.
  • Allow the download and install of qsax.cab from BitDefender. Right-click the IE info bar and select Install to install the BitDefender quick scan module.
  • If prompted, reply yes to allow it to run.
  • Press the Allow button and follow prompts.
  • Press the "Start Scan" once more.
  • You'll see the EULA in a pop-up window. Click the I accept & then the OK button
  • Note: The FAQ is here --> http://quickscan.bitdefender.com/faq/
    and that QuickScan has no removal capability.
  • The site boasts a 60-second scan. Do have patience as it likely will take longer.
  • It may seem to stall at moments, but have patience; it will move on.
  • You'll see a progress bar at top right of window.
  • Hopefully you will see a No infections found in the bar-window. Press the View Log button.
  • The log report will show in your text editor. Save the log.
  • Do a Select ALL, Copy. Then paste contents into your next reply.

Step 6

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Click on Scan.
  • Click on Report and copy/paste the content of the notepad into your next reply.

Step 7

RE-Enable your antivirus program.

Copy & Paste contents of Log.txt & Info.txt & Checkup.txt & log from Bitdefender & RogueKiller log.

Use separate replies as needed if logs do not fit into one reply box.


Ronnie,

Look at my reply of 15 June 2013. Before we can do anything, I need to have the logs that I listed.

Unless you are an expert in windows internals/windows services, I'd not recommend you hunt down services on your own.

Get us the logs and we can go forward.

Note, if there's no malware, I'll advise you of that, and refer you elsewhere.

