Resolved WMP and other issues

Might not matter, but are you rebooting your computer after each fix attempt? Perhaps that is necessary for certain fixes to "take ".

Also, in the MS KB article I referenced, there are THREE steps. I would follow all three steps carefully.

The regsvr32 lines you pasted from Evan's suggestion are similar but they're not the same as the articles I referenced. I have not researched the differences.

That's not your only issue...

If you try to start WMP and you still get the WMP error, please PASTE the details from Event Viewer for that error. The exact wording might help us locate a solution.

The exact wording (and exact error codes) of any/ALL error messages (along with descriptions of what you did to produce the error messages) may be helpful.

 

I had actually performed the other steps earlier as it was referenced in another link. Sorry for not mentioning that. I have rebooted after every fix attempt, and my computer is still hanging on shutdown requiring manual powering off. I seem to have some issues opening administrative tools right now, but I'm going to restart and see if that helps me open up event viewer.

So far, it looks like every error message I get matches with http://www.malwarebytes.org/forums/index.php?showtopic=20104 and I've followed the same steps with the same result.

 

I did get into event viewer. While I keep getting "internal application error" when attempting to start WMP, I get no recording in Event viewer. Sometimes I attempt to run it and it starts up a welcome to windows media 10 and gives me options to customize but then shuts down on internal application error once I hit continue from setting options. WMP11 installation attempts to run but says that setup cannot be completed successfully. Neither of these are showing up in event viewer but I literally have hundreds of
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 8/2/2009
Time: 12:26:08 PM
User: N/A
Computer: HAMLET
Description:
The CryptSvc service failed to start due to the following error:
%%1290

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I did just run sfc /scannow and nothing changed.

 

That's the first time in THIS thread you mentioned using SFC, I think. I noticed you had run it near the beginning of your malware removal efforts here but you apparently canceled. Here are the listed events from your July 24 post in the Malware Removal forum.

I find it interesting you cancelled SFC at the same time as the WMP error. I wonder if that's somehow related to your current issue with WMP.

I suspect you canceled because you do not have a genuine Windows XP CD handy. Correct?

EDIT:

I'm confused about what original SFC results you are referring to when you say "nothing changed ".

 

I've been thinking about your issues almost constantly over the last couple days.

Let's take a look in your Services window and make sure Cryptographic Services is not disabled.

1. Click Start > Run
2. Type [FONT= "Courier New"]services.msc[/FONT] in the "Open" field.
3. Click OK.

Cryptographic Services "Startup Type" should be "Automatic ". Please check and let us know.

Cryptographic Services should display as "Started" under the "Status" header (but I suspect it is blank).

 

I did cancel due to not having a CD which I was prompted for. When I say that nothing changed I meant that the same errors are still occuring. Crypto is Automatic, but is in fact not started. I get an error 1290: 0x50a when attempting to start.

This service was running until near the end of the cleaning my computer process - I briefly had the issues that the malware caused fixed and everything that is currently broken working. I can't be sure what step caused the crypto problem.

 

I just finished doing what was recommended as a registry entry (which the person there hasn't gotten to yet), looks like I have the same problem, but doing the registry change did not change the problem.

 

I looked up the error 1290 and got this on a site:


The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.

I don't know what that means or how to fix it.

 

I found that too after Googling 1290: 0x50a.

I looked at the Cryptographic Services in my computer (Windows XP Home SP3) and found that the service depends on the Remote Procedure Call (RPC) service.

How about checking your Services window to be sure your RPC is "Automatic" and "Started "?


BTW, I also found eldo's other thread at the Malwarebytes forums where eldo was helped by "Advanced Setup" in removing malware. I've been poking around the links in that thread too.

 

RPC is running, RPC locator just underneath it is not. Not sure if it is necessary, and left it alone.

It's beginning to appear that all the steps I've taken are not adequately repairing the problem with cryptographic services and I should attempt some kind of windows reinstallation. I do have important files backed up to an external drive, but I do not have a windows CD as it did not come with my computer.

 

I have a hunch...but I wouldn't dare edit a registry key unless someone can confirm it's probably safe to do so. I would also prepare for the worst...just in case. Since you're considering a repair/reinstall anyway, the following stuff might be of interest.

Over at the Malwarebytes discussion...

exile360 provided a batch file (with instructions) in post #5 for creating output of a Crypto registry key.

eldo apparently used that batch file to produce the following output in post #6:

I also used that batch file on my own computer (Windows XP Home SP3) and my output does NOT include any of the stuff shown in red above.

To me, that red stuff appears to be "restricted" stuff that your Google search turned up regarding "incompatible service SID type setting ".

Also, my output has one line in the first section (immediately below the "Type REG_DWORD 0x20" line) that says,

I wonder what output you would have if you run that batch file on your computer.

 

RPC Locator is not running in my computer either so that looks OK anyway.

 

I did run that batch file a while ago and got the same result as he did, but pasting here for completeness.


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc
DependOnService REG_MULTI_SZ RpcSs\0\0
Description REG_SZ @%SystemRoot%\system32\cryptsvc.dll,-1002
DisplayName REG_SZ CryptSvc
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
ObjectName REG_SZ LocalSystem
Start REG_DWORD 0x2
Type REG_DWORD 0x20
ServiceSidType REG_DWORD 0x1
RequiredPrivileges REG_MULTI_SZ SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege\0\0
FailureActions REG_BINARY 80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\cryptsvc.dll
ServiceMain REG_SZ CryptServiceMain
ServiceDllUnloadOnStop REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security
Security REG_BINARY 00000E0001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Enum
0 REG_SZ Root\LEGACY_CRYPTSVC\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1

It really appears that this problem is not going to be fixable unless someone more experienced in this comes along, or until I do some kind of windows reinstall, which I really don't know how to do without the CD.

 

I did the bat that exile posted and got this as a return:


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc
DependOnService REG_MULTI_SZ RpcSs\0\0
Description REG_SZ @%SystemRoot%\system32\cryptsvc.dll,-1002
DisplayName REG_SZ CryptSvc
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
ObjectName REG_SZ LocalSystem
Start REG_DWORD 0x2
Type REG_DWORD 0x20
ServiceSidType REG_DWORD 0x1
RequiredPrivileges REG_MULTI_SZ SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege\0\0
FailureActions REG_BINARY 80510100000000000000000003000000140000000100000060EA000000000000000000000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\cryptsvc.dll
ServiceMain REG_SZ CryptServiceMain
ServiceDllUnloadOnStop REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security
Security REG_BINARY 00000E0001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Enum
0 REG_SZ Root\LEGACY_CRYPTSVC\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon
Description REG_SZ @%SystemRoot%\system32\seclogon.dll,-7000
DisplayName REG_SZ Secondary Logon
ErrorControl REG_DWORD 0x0
ImagePath REG_EXPAND_SZ %SystemRoot%\System32\svchost.exe -k netsvcs
Objectname REG_SZ LocalSystem
Start REG_DWORD 0x2
Type REG_DWORD 0x120
RequiredPrivileges REG_MULTI_SZ SeTcbPrivilege\0SeRestorePrivilege\0SeBackupPrivilege\0SeAssignPrimaryTokenPrivilege\0SeIncreaseQuotaPrivilege\0SeImpersonatePrivilege\0\0
FailureActions REG_BINARY 805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\seclogon.dll
ServiceMain REG_SZ SvcEntry_Seclogon
ServiceDllUnloadOnStop REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Security
Security REG_BINARY 01001480900000009C000000140000003000000002001C000100000002801400FF010F000101000000000001000000000200600004000000000014008D01020001010000000000050B000000000018009D0102000102000000000005200000002302000000001800FF010F000102000000000005200000002002000000001400FD010200010100000000000512000000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Enum
0 REG_SZ Root\LEGACY_SECLOGON\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler
DependOnService REG_MULTI_SZ RPCSS\0\0
Description REG_SZ @%systemroot%\system32\spoolsv.exe,-2
DisplayName REG_SZ @%systemroot%\system32\spoolsv.exe,-1
ErrorControl REG_DWORD 0x1
FailureActions REG_BINARY 80510100000000000000000003000000E8470C000100000060EA00000100000060EA00000000000000000000
Group REG_SZ SpoolerGroup
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\spoolsv.exe
ObjectName REG_SZ LocalSystem
Start REG_DWORD 0x2
Type REG_DWORD 0x110
ServiceSidType REG_DWORD 0x1
RequiredPrivileges REG_MULTI_SZ SeTcbPrivilege\0SeImpersonatePrivilege\0SeAuditPrivilege\0SeChangeNotifyPrivilege\0SeLoadDriverPrivilege\0SeAssignPrimaryTokenPrivilege\0\0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Performance
Close REG_SZ PerfClose
Collect REG_SZ PerfCollect
Collect Timeout REG_DWORD 0x7d0
Library REG_SZ winspool.drv
Object List REG_SZ 1450
Open REG_SZ PerfOpen
Open Timeout REG_DWORD 0xfa0
WbemAdapFileSignature REG_BINARY BD83ABA61E8ACCC8D9FFB869F29418CE
WbemAdapFileTime REG_BINARY 002952E37A79C401
WbemAdapFileSize REG_DWORD 0x23c00
WbemAdapStatus REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Security
Security REG_BINARY 01001480900000009C000000140000003000000002001C000100000002801400FF010F000101000000000001000000000200600004000000000014008D01020001010000000000050B000000000018009D0102000102000000000005200000002302000000001800FF010F000102000000000005200000002002000000001400FD010200010100000000000512000000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Enum
0 REG_SZ Root\LEGACY_SPOOLER\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1

 

I followed up on exile's help and ran his fix and think it's fixed. Thanks for your help.http://www.malwarebytes.org/forums/index.php?showtopic=20104&st=40

 

That's GREAT News!!! I'm assuming you have Cryptographic Services running again.

I'll do some more studying of that thread now. Since I joined that forum, I can also download that FixServices_v2.zip file and see if I can figure out what exile (and LonnyRJ) did.

How about your Windows Updates and Media Player? Are those working well too?
.
.
.

 

Windows updates appear to be working, WMP11 installed and is running normally. I am still unable to connect to my network at my house, but that happens occassionally.

 

YIPPEE!!! I'm relieved and glad the sun is brighter for you these days.

I'm truly impressed with your patience through all of this.

I posted a longwinded message over at the Malwarebytes thread looking for some more information about the "what" and "why" of it it all. We'll see if we get anything to go on.

Anyway, I'm glad things are about normal for you now. I can obsess about something else.

Now, at the risk of being pushy, I think now would be a good time to fortify your computer against future infections. Of course, that's up to you.

BTW,