PC Issues after Malware removal; internet, cryptsrv,


#1 kmarjak82 (Member, 33 posts)

Hi,
I recently had an infection, Packed.Generic.200, and worked through the Virus, Spyware and Trojan Removal forum to clean-up my laptop. I was then referred to this forum to help correct the other issues that popped up during the clean-up.

During the infection removal process, the laptop also began to experience (or develop) other issues that I’m hoping you can help me to address and correct, or point me in the right direction to remediate. These issues were not present before the start of the removal process.

The PC issues right now are as follows (XP SP3), listed in no particular order.

1. On shutdown, the laptop does not shutdown and requires a hard power down, by holding down the power button, to turn off. The laptop goes as far as the “Saving your settings…” prompt and then hangs.

2. On shutdown, before a hard power down, a dialog box is displayed with the error "svchost.exe error on shutdown. The instruction at "0x73d223b5" referenced memory at "0x73d223b5". The memory could not be "written"."

3. On startup, the internet connection no longer works. The wireless router is available but the connection status is defined as "Limited or no connectivity". Repair does not correct. This went out after a ComboFix.

4. On startup, a dialog box is displayed indicating the error
“Data Exception Prevention.
To help protect your computer, Windows has closed this program.
Generic Host Process for Win32 Services”

5. On startup, I noticed the following error in the alert log: “The @%SystemRoot%\system32\cryptsvc.dll,-1001 service failed to start due to the following error: %%1290”. I also found an article referencing this error and it veered into file signatures. I ran a SIGVERF and many files are reported as not signed.

6. On startup, NIS still identifies the Packed.Generic.200 virus as being found. I’m thinking, since the logs are clean from the virus removal, something is still stuck in NIS. Anyway, I wanted to list this too.

With the “limited or no connectivity” I cannot establish an internet connection. I’m running programs by transferring via a thumb drive. The “cryptsvc” error is bothering me along with the thought of what else is wrong that hasn't been found yet.

Is there any help you can provide or some feasible direction to take?

Thanks in advance,
Ken

#2 happyrock (Tech Moderator, Retired Staff, 9,285 posts)

To protect your computer from old system files, Microsoft created a special service that is built into the operating system. This service monitors your system files, and if one is replaced or deleted, ICS will automatically restore the system file.

SFC works in conjunction with a utility called Windows File Protection that keeps the system file cache (%Systemroot%\System32\Dllcache) updated with the newest Microsoft Approved files as they are installed on your system. I prefer to use the system backup for the ability to roll back to a former configuration however.

To manually invoke the system file checker, be sure you have administrative access then go to the command prompt and type:

sfc /scannow

The system will immediately begin to check all the current system files and restore the cached approved copies. You may be asked to insert the Windows CD as well during the restore.

NOTE: Keep in mind that after you perform a system file restore you should install the newest service pack updates so you are running the most current, Microsoft approved system files.

#3 kmarjak82 (Topic Starter, 33 posts)

Hi Happyrock,

I just ran the "sfc /scannow" command as administrator and rebooted. On start-up, I still have the same issues. I ran the sigverif command and it still lists 2500+ files as unsigned. The CryptSvc and Security Center services will not start.

On a side note, I was able to get the internet connection working somehow.

Thanks in advance for your assistance.
Ken

#4 WillyRok (Member, 12 posts)

Did you get this resolved? I have exactly the same symptoms after removing braviax.exe and need help to resolve.
Thanks,
Bill

#5 kmarjak82 (Topic Starter, 33 posts)

The "sfc /scannow" did not resolve my issues.


Thanks,
Ken

#6 WillyRok (Member, 12 posts)

I just discovered the reason for these problems on my laptop: It's because the virus is not removed. It just popped back up in the systray after I used A Sprint Mobile Broadband card to connect to the Internet.

#7 happyrock (Tech Moderator, Retired Staff, 9,285 posts)

WillyRok ...please start your own topic...although your symptoms may sound similar the solutions can be quite different...go here for the lowdown
WillyRok...Please go to Malware and Spyware Cleaning Guide...
HERE....

That will help you clean up 80 percent of all problems by yourself. If at the end of the process you are still having difficulty (and you may not be) follow the instructions and start a new topic
here
post the OTListIt2 and Rooter logs ...
The "Topic Title" should contain the name of the infection that you are having a problem with...Use the "Topic Description" to include more details. This will help you get faster responses as some people are more familiar with certain infections....

if you are unable to download or run ANY of the tools...try downloading them on another computer and put them on a flash drive or cd and try installing them that way..
no joy...
start a new topic and let them know you can't run any of the tools..

#8 happyrock (Tech Moderator, Retired Staff, 9,285 posts)

kmarjak82...follow the same link and steps I posted for WillyRok for malware removal and after the malware guys give you an all clear, if you're still having problems come back here and let me know and we will continue on...

#9 kmarjak82 (Topic Starter, 33 posts)

Hi Happyrock,

I did receive the all clear from the Malware removal forum from Rorschach112. Here is a link to that topic : http://www.geekstogo...00-t246398.html.

Also, and just an FYI, there is a forum topic in the MalwareBytes forum that lists the same problem symptoms as my non-starting CryptSvc process. They do seem to have some registry correction zip.

I'll wait for your instructions.


Thanks,
Ken

#10 happyrock (Tech Moderator, Retired Staff, 9,285 posts)

then a repair is in order...go here for the how to guide...

#11 kmarjak82 (Topic Starter, 33 posts)

Thanks Happyrock for the feedback.

I do not have the XP CDs themselves but the XP install media does look to be on the hard drive in the i386 folder. I'll need to research to figure out how to create the bootable CD. I'll read the instructions you've provided and will give it a whirl.

thanks,
k

#12 happyrock (Tech Moderator, Retired Staff, 9,285 posts)

try this...
Please download this zip file to your desktop
  • Locate Export.zip and unzip it to your desktop
  • Now locate Export.cmd and double click it to run the script
  • A black command window will open briefly then close, this is normal
  • When complete a Notepad file will open, please copy and paste the entire contents into your next reply
Note: A copy of the Notepad file can be found at C:\export.txt. You can delete it, along with the zip and cmd files after posting the contents here...

also can you do a search on your computer for ...netcfgx.dll...make sure the search includes hidden files and folders...

#13 rshaffer61 (Moderator, 34,114 posts)

kmarjak82, I just checked the Malware Topic and Rorschach112 never did declare your system healthy.
This was due to not being able to connect to the requested scans online. It looks like the topic was closed due to lack of feedback.

#14 kmarjak82 (Topic Starter, 33 posts)

Hi,

Here is the output of the execution of Export.cmd:

Export.cmd
Run at: 14:02:11.92
On Sun 08/09/2009

Run from C:\Documents and Settings\Dad

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00,00,00
"Description"="@%SystemRoot%\\system32\\cryptsvc.dll,-1002"
"DisplayName"="CryptSvc"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
"ServiceSidType"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,\
00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
00
"ServiceMain"="CryptServiceMain"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Security]
"Security"=hex:00,00,0e,00,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Enum]
"0"="Root\\LEGACY_CRYPTSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Description"="@%SystemRoot%\\system32\\seclogon.dll,-7000"
"DisplayName"="Secondary Logon"
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Objectname"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000120
"RequiredPrivileges"=hex(7):53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,\
00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,52,00,65,00,73,00,74,00,\
6f,00,72,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,\
00,53,00,65,00,42,00,61,00,63,00,6b,00,75,00,70,00,50,00,72,00,69,00,76,00,\
69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,\
00,6e,00,50,00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,\
6e,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,\
00,49,00,6e,00,63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,\
61,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,\
00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,\
72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
73,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,\
00
"ServiceMain"="SvcEntry_Seclogon"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Enum]
"0"="Root\\LEGACY_SECLOGON\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler]
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00,00,00
"Description"="@%systemroot%\\system32\\spoolsv.exe,-2"
"DisplayName"="@%systemroot%\\system32\\spoolsv.exe,-1"
"ErrorControl"=dword:00000001
"FailureActions"=hex:3f,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,e8,47,0c,\
00,01,00,00,00,60,e1,00,00,01,00,00,00,60,e1,00,00,00,00,00,00,00,00,00,00
"Group"="SpoolerGroup"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,\
00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,\
72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,\
00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,\
72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,68,\
00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,\
69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,4c,00,6f,00,61,\
00,64,00,44,00,72,00,69,00,76,00,65,00,72,00,50,00,72,00,69,00,76,00,69,00,\
6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,\
00,50,00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,\
50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Performance]
"Close"="PerfClose"
"Collect"="PerfCollect"
"Collect Timeout"=dword:000007d0
"Library"="winspool.drv"
"Object List"="1450"
"Open"="PerfOpen"
"Open Timeout"=dword:00000fa0
"WbemAdapFileSignature"=hex:bd,3f,1b,16,1e,81,cc,c8,d9,ff,b8,69,f2,3f,18,ce
"WbemAdapFileTime"=hex:00,29,52,e3,71,79,c4,01
"WbemAdapFileSize"=dword:00023c00
"WbemAdapStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Enum]
"0"="Root\\LEGACY_SPOOLER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Security Center"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
6d,00,67,00,6d,00,74,00,00,00,00,00,00,00
"ObjectName"="LocalSystem"
"Description"="Monitors system security settings and configurations."
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\
00,54,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
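As an added example (not from this thread and not part of the Export.cmd tool), here is a small Python parser for the .reg export format shown above. It decodes the hex(2) REG_EXPAND_SZ and hex(7) REG_MULTI_SZ values into readable strings and compares the Cryptsvc registration against the stock values; the sample text is a constructed excerpt of the Cryptsvc key copied from the post, and the baseline it checks against is assumed to be the stock XP SP3 registration.

```python
# Constructed sample in the .reg format of the Export.cmd output above; the
# Cryptsvc values are copied from the export posted in this thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00,00,00
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"""

def decode_value(raw):
    """Decode one .reg value (continuation lines already joined) to a Python value."""
    if raw.startswith('"'):                    # REG_SZ: quoted, backslashes doubled
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    kind, body = raw[3:].split(":", 1)         # "hex(7):.." -> "(7)"; plain "hex:" -> ""
    data = bytes(int(h, 16) for h in body.split(",") if h)
    if kind == "(2)":                          # REG_EXPAND_SZ: UTF-16-LE, NUL terminated
        return data.decode("utf-16-le").rstrip("\0")
    if kind == "(7)":                          # REG_MULTI_SZ: NUL separated, double NUL end
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return data                                # REG_BINARY and the rest: raw bytes

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):                # hex value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

def check_cryptsvc(keys):
    """Flag deviations from the stock XP SP3 Cryptsvc registration (assumed baseline)."""
    base = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc"
    svc, params = keys.get(base, {}), keys.get(base + r"\Parameters", {})
    findings = []
    if str(svc.get("ImagePath", "")).lower() != r"%systemroot%\system32\svchost.exe -k netsvcs":
        findings.append("ImagePath is not the stock svchost.exe -k netsvcs host")
    if str(params.get("ServiceDll", "")).lower() != r"%systemroot%\system32\cryptsvc.dll":
        findings.append("ServiceDll does not point at %SystemRoot%\\System32\\cryptsvc.dll")
    if svc.get("DependOnService") != ["RpcSs"]:
        findings.append("DependOnService should be just RpcSs")
    return findings
```

Run `check_cryptsvc(parse_reg(open("C:/export.txt").read()))` against a real export; an empty list means the service host, DLL path and dependency match the stock registration, so a non-starting CryptSvc points at the DLL itself or its signature rather than a hijacked service entry.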

#15 happyrock (Tech Moderator, Retired Staff, 9,285 posts)

also can you do a search on your computer for ...netcfgx.dll...make sure the search includes hidden files and folders...

did you do this search yet