10 Replies. Latest reply: Apr 22, 2011 4:08 AM by ConorD62

Help with Trojan Horse

Windows 7 Home Premium SP1
McAfee Antivirus
Spybot S&D

Three days ago I let my brother use my laptop; he clicked on some weird link and got infected with this virus.

1. I ran a complete scan with McAfee and discovered some malware, got rid of it, but immediately another problem emerged.

2. Security Center can't be started. I thought that McAfee would have blocked it, but I was wrong. I did a check with Spybot and found this entry:

HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2
HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2 (64 bit)

Spybot S&D shows that the above line is a security breach, and it directs me to this line in the registry.

I thought about going into Safe Mode to be able to destroy it, but I was wrong: I ran a full scan with McAfee and found nothing, but saw that Real-Time Scanning was off and can't be turned on. I ran a scan with Spybot in Safe Mode and it continues popping up that message and I keep getting the error. I checked with the Dell Support Center application and it shows that the McAfee firewall "true" status is "false", and I can't activate it either.

There are changes made in the antivirus, firewall, and SP1 update settings that shut them down. Any advice on how to correct the registry entries would be appreciated. I used Control Panel / Security settings, but the firewall was "locked OFF", and it would appear that I have lost administrator privileges to reset the firewall to "ON". Is it possible that the wscsvc key controls these settings?

Question: it seems that wscsvc was an added entry created by the Trojan, but I'm not that sure. Can I delete the entry?

I saved the Spybot scan results; I'll attach them if you want to check them out.

Please help.

Message was edited by: snakemx on 4/17/11 10:21:16 AM CDT

• 1. Re: Help with Trojan Horse
  Hayton

  snakemx wrote:

  Windows 7 Home Premium SP1 / McAfee Antivirus / Spybot S&D

  I did a check with Spybot and found this entry:
  HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2
  HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2 (64 bit)

  Spybot S&D shows that the above line is a security breach, and it directs me to this line in the registry.

  wscsvc: "Monitors system security settings and configurations."
  For more information see http://localservicenetworkrestricted.svchost-exe.net/windows-security-center-service

  Don't delete the wscsvc entry from the registry. It's not advisable. You can examine the registry entries in more detail by using regedit, but be very cautious about changing anything.

  Your Spybot output shows the following relevant information:

  Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

  Service (registry key): wscsvc
  Registry path: \SYSTEM\CurrentControlSet\Services\
  Display name: Security Center
  Description: @%SystemRoot%\System32\wscsvc.dll,-201
  Object name: NT AUTHORITY\LocalService
  Image path: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
  Image size: 20992
  Image MD5: 54A47F6B5E09A77E61649109C6A08866
  Control Set: CurrentControlSet
  Start: 4
  Type: 32
  Error Control: 1
  Depends On services: RpcSs,WinMgmt

  You might want to download a utility to check that the MD5 of the file is correct:
  http://www.softpedia.com/get/System/File-Management/MD5-Checker.shtml or
  http://download.cnet.com/MD5-Checker/3010-2092_4-10410639.html?tag=metaData;specsBox

  The Spybot output is just showing that Windows Security Center is disabled. If you've got a McAfee firewall running, this is how it should be. That's not your problem. As for Spybot: if you are running TeaTimer, disable it. It clashes with McAfee.

  The output from running Spybot:
  I recommend that you look closely at the list of Browser Helper Objects in Internet Explorer and only keep enabled those which you genuinely need. In particular, I would be inclined to disable or remove the one that shows as "uTorrentBar Toolbar". Many toolbars are associated with adware and/or spyware.

  ActiveX: your version of Java is up to date, but if you don't actually need Java then you could uninstall it without losing much in the way of functionality. Java exploits are one of the ways your PC can become infected.

  Browser start & search pages list: search.conduit.com is your IE Start Page. Are you happy with this?

  If you've got a Trojan that is disabling your McAfee installation, try the following:

  - First, run MVT to check that your McAfee installation is undamaged and up to date; then go to the Windows Update page and download any outstanding Microsoft updates, both Critical and Optional.
  - Then, if you can open your McAfee Security Center, find the PC Optimization tab and run a QuickClean. If you can't do that then use the standard Windows utilities to clean up your file system; then run chkdsk (or equivalent on Vista). Basically, get rid of any junk to avoid misleading messages from scans.
  - Join the GetSusp Group (https://community.mcafee.com/groups/getsusp30-beta-feedback?view=overview) to get and run GetSusp. This will produce a listing of non-whitelisted activity on your PC, so you may get some false positives from it. General feedback is that it's a very useful tool.
  - Download and run the latest version of Malwarebytes to clean up anything that McAfee overlooks.
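As an added example (not part of the thread, and not a Spybot or McAfee tool), the following PowerShell script performs the checks Hayton's reply walks through: it reads the wscsvc Start value and decodes it, compares the ImagePath and the wscsvc.dll MD5 with the values quoted from the Spybot output above, and reports the service's runtime state. The quoted MD5 belongs to the poster's particular Windows build, so a mismatch on another build is expected; the signature check and `sfc /verifyfile` are the more reliable tests.

```powershell
# Added example, not from the thread: audit the Security Center service (wscsvc).
# Assumes Windows 7 with PowerShell 2.0 or later, run from an elevated prompt.
# The "expected" values are those quoted from the Spybot output in the thread.
$svcName           = 'wscsvc'
$regPath           = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
$expectedImagePath = '%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted'
$expectedMd5       = '54A47F6B5E09A77E61649109C6A08866'   # build-specific value from the Spybot dump

# Meaning of the Start DWORD stored under a service key
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$key   = Get-ItemProperty -Path $regPath -ErrorAction Stop
$start = [int]$key.Start
"Start = $start ($($startTypes[$start]))"
if ($start -ne 2) {
    # Spybot's "Start!=W=2" finding means the DWORD is not 2 (Automatic); 4 is Disabled
    Write-Warning 'Security Center is not set to Automatic; this matches the Spybot finding.'
}

"ImagePath = $($key.ImagePath)"
if ($key.ImagePath -ne $expectedImagePath) {
    Write-Warning 'ImagePath differs from the svchost.exe line shown in the Spybot output.'
}

# Hash the service DLL (PowerShell 2.0 has no Get-FileHash, so use .NET directly)
$dll   = Join-Path $env:SystemRoot 'System32\wscsvc.dll'
$md5   = [System.Security.Cryptography.MD5]::Create()
$bytes = [System.IO.File]::ReadAllBytes($dll)
$hash  = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
"wscsvc.dll MD5 = $hash (thread value: $expectedMd5)"

# Signature check. Windows system DLLs are usually catalog-signed rather than carrying
# an embedded signature, so "NotSigned" here is inconclusive; sfc /verifyfile checks
# the file against the Windows catalogs and component store instead.
$sig = Get-AuthenticodeSignature -FilePath $dll
"Authenticode status: $($sig.Status)"
sfc /verifyfile=$dll

# Runtime state and configured account, from WMI (Get-Service in PowerShell 2.0 has no StartType)
Get-WmiObject Win32_Service -Filter "Name='$svcName'" |
    Select-Object Name, State, StartMode, StartName, PathName
```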

• 2. Re: Help with Trojan Horse

  I went to check that the McAfee firewall was running in normal mode, but when I entered Safe Mode I found out this:

  Security Breach.png

  When choosing to "turn on" it just turns on for a couple of seconds and then reboots again. I'll check now with the MD5 application and see if something is wrong. I'll paste the results I get.

• 3. Re: Help with Trojan Horse
  ConorD62

  Real-Time Scanning doesn't run in Safe Mode.

• 4. Re: Help with Trojan Horse

  Well, it seems it's finally cleared, or at least under control; I no longer get the Windows Security Center warning.

  I followed Hayton's suggestion and scanned wscsvc directly with McAfee and found 3 tracking cookies, then downloaded Hitman Pro, Malwarebytes and SUPERAntiSpyware.

  Here is the screenshot of what Malwarebytes found:

  I'll add the log too, if anyone wants to check it.

  Security Breach 06.png

  Message was edited by: snakemx on 4/17/11 10:37:13 PM CDT
• 5. Re: Help with Trojan Horse
  Hayton

  Okay, good. Malwarebytes has identified the fake antivirus program and dealt with it. Tracking cookies are a nuisance, but McAfee, Malwarebytes and others can deal with those.

  The most important thing is to get hold of every security update from Microsoft, McAfee, Firefox, Chrome, Java, Adobe, and all the rest just as soon as they come out. This is a game of cat-and-mouse, and the bad guys always have the advantage of surprise. The best we can do at the moment is to close off the loopholes as soon as they get noticed.

• 6. Re: Help with Trojan Horse

  Got everything updated now; Malwarebytes is running since Windows starts, same as McAfee. I think it's long gone now, but I'll keep in touch, and if anything comes up I'll post it.

• 7. Re: Help with Trojan Horse
  Hayton

  A warning about Malwarebytes: it comes in two versions. The free scanner, that you run just when you need to find and fix a problem, is okay with McAfee. But the other version, the one you have to pay for, the one that runs all the time, is not okay. If you try to run them both at the same time they will produce conflicts. If you notice a problem, stop Malwarebytes but don't stop McAfee.

  I have a quote from a Malwarebytes developer which says that Malwarebytes is not designed to be an anti-virus tool, and cannot replace an anti-virus solution (like McAfee).

• 8. Re: Help with Trojan Horse
  ConorD62

  It will not conflict next year.

  If the trusted list comes back, then you can trust items.

  You can put the McAfee drivers/folders in the Exclusions for Malwarebytes, and vice versa for McAfee.

  This works for every other AV with MBAM PRO, so it should with McAfee.

• 9. Re: Help with Trojan Horse
  Peacekeeper

  Isn't the issue that both real-time scanners try to scan the same file at the same time? That is what causes the problem, I think.