Recovering from virus attack, Net.msmq service stopped

Mugsy

I got struck by a nasty virus attack the other day. The virus is now gone but the damage remains. A ton of Services were disabled or changed, and the Event Viewer is full of errors I'm slowly trying to fix.

My latest issue: According to the Event Viewer error logs, the "Net.msmq service stopped" (set to Automatic), resulting in four other startup errors. But when I try to enable it, it says "dependency service does not exist or is marked for deletion". The "Dependencies" tab says it has "No dependencies". ???

What "dependency"? I checked my Services and find nothing significant disabled. A search online says I need to restore the contents of the "\Windows\system32\inetsrv\" folder. Mine is empty, and according to an old backup, always has been. :(

Any idea from anyone on how I get "Net.msmq" working again?

PS: Significant other errors remain. The computer won't power off or reboot after a Shutdown or Restart, and both of my optical drives are disabled in the Device Manager and refuse to be enabled. :eek:
 
Sorry for your trouble. It's lousy. Based on the degree of damage, I would back up my data, change boot order, boot from an Installation CD, reset my partitions, do a full format, do a clean install and change all my passwords. ... And pray I do not have anything nasty hiding in BIOS.
p.s. https://www.techspot.com/community/...ead-this-before-cleaning-or-formatting.65943/

Thanks for the reply, but I am NOT going to do a full reformat/reinstall. This is a fixable issue.

I need a scalpel, not a sledgehammer. ;)
 
Black Viper has had a pretty deep description of services and a good description of dependencies...so this may help:
http://www.blackviper.com/
What I read suggests that the service needs to be turned on in 'Programs'.

PS: What OS?

Thanks for the reply.

I'm looking at BV's site but I'm not sure what there might help with my issue.

I'm using 64bit Win7 Home, and the other day I stupidly tried to install some software downloaded off the Internet that had been sitting on my PC for months. I'm a tech, so I should have known better and I can't believe I did something so bleeping stupid. I just assumed my AV software ("Avast Free") would catch anything harmful. I got lazy... and burned for it. :eek:

Fortunately, I caught the virus before it did any real harm (like screw with my boot sector or wipe any files), but not before it played havoc with my Services.

With only two exceptions, my computer is behaving almost normally again... 1) I can't turn off the computer or reboot from a normal Windows boot (Safe Mode and Linux have no problem). Shutdown and restart both exit Windows, but it responds as if I put it to sleep. Fans & Lights, but no video. Computer never powers off or reboots. And 2) both of my DVD drives (one DVD, one BD) are disabled (warning symbols in the Device Manager). Double-clicking on them reports:

Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)

A Registry scan reports no problems, and I can't tell if there is a problem with their entries by looking at them. Attempting to update the driver reports I "already have the latest driver." I've "removed" the devices (from the DevMgr) and let Windows rediscover them, but it doesn't get them working again. Opening "My Computer", neither of my Optical drives are there (all HDD/SSD drives and USB drives are present & working.)

So I checked the "Event Viewer" error logs and it reports 11 errors:

Event ID 7003 - Service Control Manager (three cryptic errors):
  • The Net.Tcp Listener Adapter service depends the following service: was. This service might not be installed.
  • The Net.Pipe Listener Adapter service depends the following service: was. This service might not be installed.
  • The Net.Msmq Listener Adapter service depends the following service: msmq. This service might not be installed.
Event ID 7009 having to do with NVIDIA streaming... which is working. The error should go away when the above is fixed.

Event ID 7023 - Service Control Manager: "The Superfetch service terminated with the following error:
The system cannot find the file specified."
What file? Your guess is as good as mine. It doesn't say what it was looking for.

Event ID 7026 - Service Control Manager: "The following boot-start or system-start driver(s) failed to load: cdrom".

The following 4 errors:

Event ID - 36887 Schannel - "Schannel error: 70" followed by "Schannel error: 40", both twice upon booting. I suspect one pair of errors per optical drive.

And another Schannel event (36888) reporting: "The following fatal alert was generated: 10. The internal error state is 10." No more info than that. Nothing I've found online about "Schannel" is helpful. :(

I'm fairly confident once I solve the first 3 (the "Net." errors), everything else will fall into place.

Again, big thanks for the help.
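
The Event ID 7003 entries in the post above name a dependency (was, msmq) that "might not be installed". Each service's declared dependencies are stored in its DependOnService registry value, so the condition can be checked for every service at once. The PowerShell below is an added example, not part of any post in this thread; it only reads the registry and changes nothing.

```powershell
# Added example (not from the thread): find services whose declared
# dependencies point at a service that is not registered on this machine.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Every registered service or driver has a subkey here. PowerShell hashtable
# keys compare case-insensitively, which matches how service names behave.
$keys  = Get-ChildItem -Path $root
$known = @{}
foreach ($k in $keys) { $known[$k.PSChildName] = $true }

$missing = foreach ($k in $keys) {
    $props = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # DependOnService is REG_MULTI_SZ: zero or more service names.
    foreach ($dep in @($props.DependOnService)) {
        if ($dep -and -not $known.ContainsKey($dep)) {
            New-Object PSObject -Property @{
                Service           = $k.PSChildName
                Start             = $props.Start   # 2 = Automatic, 3 = Manual, 4 = Disabled
                MissingDependency = $dep
            }
        }
    }
}

$missing | Sort-Object Service |
    Format-Table Service, Start, MissingDependency -AutoSize
```

A row with Start 2 is a service that will log 7003 at every boot until the dependency is installed or the service is set to Manual or Disabled.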
 
Wow! Sorry I can't resist. You're a tech and you don't have a backup image on cloud or an external? You're trusting Avast to keep you virus free? One layer of protection doesn't cut it IMHO these days. If you had made an OS image with Macrium Reflect, you could wipe the drive like @Cycloid Torus suggests and be back up and running in less than an hour. I think you like pain. Let us know if you ever get this solved. With all those problems, I don't see how you will ever feel confident in your rig again. You didn't have a nasty virus; you had a nuclear bomb. :D
Good luck!
 
Wow! Sorry I can't resist. You're a tech and you don't have a backup image on cloud or an external?

My last backup is from early December. I was waiting til March 1st to do my next backup only to get stung that morning. Ack!

If all else fails, I'll have to go back to it, but it needs a lot of updating to get it back up to speed. :(
 
Event ID 7003 - Service Control Manager (three cryptic errors):
  • The Net.Tcp Listener Adapter service depends the following service: was. This service might not be installed.
  • The Net.Pipe Listener Adapter service depends the following service: was. This service might not be installed.
  • The Net.Msmq Listener Adapter service depends the following service: msmq. This service might not be installed.
NONE of these are required by home users - - these are used by systems connected to a Domain service.
I have set all of this to DISABLE long ago.
 
NONE of these are required by home users - - these are used by systems connected to a Domain service.
I have set all of this to DISABLE long ago.

Interesting. Thanks for the reply.

I went ahead and switched them to disabled, but it had no effect on my issues. Still won't shutdown/reboot and my optical drives are still disabled. :(

I'm not sure why they were enabled then. I thought it might have something to do with my home network, but it's still working, so I left them Disabled.

3 down, 7 to go. :D
 
Post more summaries from the System tab in the Event Viewer.
Thx for the reply. I went to do a Reboot for the most recent state and got a BSOD. :(

Here is my present situation:

[Image: Event_Viewer1.jpg]


6 errors (plus the highlighted BSOD) left to be solved. The first two (7009 & 7026 detailed above) aren't a concern. "NVidia streaming" seems to be working (if not, no big deal unless it's connected to why I can't Reboot/Shutdown) and the other reporting my cdroms aren't working (scroll to see full image):

[Image: Event_Viewer2.jpg]


That just leaves the two pairs of "Schannel" errors (see: "Event ID - 36887 Schannel" above) which I assume each pair is for each optical drive failing to start.

The "System" log shows the same errors plus a ton of "Information" listings and one warning regarding one of my USB drives:

"The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_OCZ&PROD_RALLY2&REV_1100#AA04012700354594&0#."

(Flash drive name in bold.)

I don't think the Flash drive error is significant, but I unplugged it just to get rid of the warning.

As you can see from all that, nothing really explains why I can't Shutdown/Reboot, and the BSOD is new and concerning. I scheduled my C: for a Diskcheck on reboot to scan for errors.

Does anything stand out? Thanks again.
 
Open the Error 1001 reports (both), copy the details and paste back as follow-up
 
Open the Error 1001 reports (both), copy the details and paste back as follow-up
This is what it says:

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0x0000000000000024, 0x0000000000000002, 0x0000000000000000, 0xfffff8800689db07). A dump was saved in: C:\windows\Minidump\030518-17019-01.dmp. Report Id: 030518-17019-01.

But the last time of the error was earlier this afternoon, about two reboots ago, so it may no longer be a problem. The dump is an unreadable mess.
 
Hi! Those don't help much.
Hmm. Thanks for looking into it.

In the middle of the night last night, it occurred to me that I should check my EV error logs from BEFORE the trouble started to figure out what's new (if anything). These EV errors I'm getting "might not even be connected to my problem." :eek:

Sure enough, 5 of the 6 errors existed back when my computer was still working just fine. The four "Schannel" errors (36887) and the "Nvidia Streaming" error (7009) were all there before (dating back to at least mid-February). The only one that's new is the one telling me my CD drivers failed to load (7026).

So, while I would LIKE to solve those other errors, it appears none of them are connected to why my computer won't Power off or Reboot, or why my optical drives are disabled.

Damn. Back to the drawing board. I'll start a new thread. Thanks to all for the help. :(
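
The comparison described in the post above, checking which errors were already being logged before the trouble started, can be run directly against the System log. The PowerShell below is an added example, not part of the thread; the cutoff date is a placeholder to replace with the time of the incident.

```powershell
# Added example (not from the thread): separate System-log errors that first
# appear after an incident from ones that were already being logged before it.
$Cutoff = Get-Date '2000-01-01'   # placeholder: set to when the trouble started

# Level 2 = Error. Only events still retained in the log can be compared, so
# FirstSeen is bounded by the log's size and retention settings.
$errors = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } `
    -ErrorAction SilentlyContinue

$summary = $errors | Group-Object -Property ProviderName, Id | ForEach-Object {
    $sorted = @($_.Group | Sort-Object TimeCreated)
    $first  = $sorted[0]
    $status = if ($first.TimeCreated -ge $Cutoff) { 'new since cutoff' }
              else { 'pre-existing' }
    New-Object PSObject -Property @{
        Status    = $status
        Provider  = $first.ProviderName
        EventId   = $first.Id
        Count     = $sorted.Count
        FirstSeen = $first.TimeCreated
        LastSeen  = $sorted[-1].TimeCreated
    }
}

$summary | Sort-Object Status, FirstSeen |
    Format-Table Status, Provider, EventId, Count, FirstSeen, LastSeen -AutoSize
```

Sources marked "new since cutoff" are the ones worth investigating first; "pre-existing" sources were present in the retained log before the cutoff.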
 