Windows 7 home premium SP1
Three days ago I let my brother use my laptop and he clicked on some weird link and got infected with this virus.
1.- I ran a complete scan with McAfee and discovered some malware, got rid of it, but immediately another problem emerged.
2.- Security Center can't be started. I thought that McAfee had blocked it but I was wrong. I made a check-up with Spybot and found this entry:
HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2 (64 bit)
SpyBot S&D shows that the above line is a security breach, and it directs me to this line in the registry.
I thought of going into safe mode to be able to destroy it but I was wrong. I ran a full scan with McAfee and found nothing, but saw that Real Time Scanning was off and I can't turn it on. I ran a scan with Spybot in safe mode and that message keeps popping up and I keep getting the error. I checked with the Dell Support Center application and it shows that the McAfee firewall true status is "false" and I can't activate it either.
There are changes made in the antivirus, firewall, and SP1 update settings that shut them down. Any advice on how to correct the registry entries would be appreciated. I used Control Panel / Security settings, but the firewall was "locked OFF", and it would appear that I have lost administrator privileges to reset the firewall to "ON". Is it possible that the mscsvc key controls these settings?
Question. It seems that the wscsvc was an added entry created by the trojan, but I'm not that sure. Can I delete the entry?
I saved the Spybot scan results; I'll attach them if you want to check them out.
Message was edited by: snakemx on 4/17/11 10:21:16 AM CDT
Windows 7 home premium SP1 / McAfee Antivirus / Spybot S&D
I made a check up with spybot and found this entry:
HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2 (64 bit)
SpyBot S&D shows that the above line is a security breach, and it directs me to this line in the registry.
wscsvc : "Monitors system security settings and configurations."
For more information see http://localservicenetworkrestricted.svchost-exe.net/windows-security-center-service
Don't delete the wscsvc entry from the registry. It's not advisable. You can examine the registry entries in more detail by using regedit, but be very cautious about changing anything.
Your Spybot output shows the following relevant information :
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)
Service (registry key): wscsvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Security Center
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
Image size: 20992
Image MD5: 54A47F6B5E09A77E61649109C6A08866
Control Set: CurrentControlSet
Error Control: 1
Depends On services: RpcSs,WinMgmt
You might want to download a utility to check that the MD5 of the file is correct :
The Spybot output is just showing that Windows Security Center is disabled. If you've got a McAfee firewall running this is how it should be. That's not your problem. As for Spybot : if you are running TeaTimer, disable it. It clashes with McAfee.
The output from running Spybot :
I recommend that you look closely at the list of Browser Helper Objects in Internet Explorer and only keep enabled those which you genuinely need. In particular, I would be inclined to disable or remove the one that shows as "uTorrentBar Toolbar". Many toolbars are associated with adware and/or spyware.
ActiveX : your version of Java is up to date, but if you don't actually need Java then you could uninstall it without losing much in the way of functionality. Java exploits are one of the ways your PC can become infected.
Browser start & search pages list : search.conduit.com is your IE Start Page. Are you happy with this?
If you've got a Trojan that is disabling your McAfee installation, try the following :
- First, run MVT to check that your McAfee installation is undamaged and up to date; then go to the Windows Update page and download any outstanding Microsoft updates, both Critical and Optional.
- Then, if you can open your McAfee Security Center, find the PC Optimization tab and run a QuickClean. If you can't do that then use the standard Windows utilities to clean up your file system; then run chkdsk (or equivalent on Vista). Basically, get rid of any junk to avoid misleading messages from scans.
- Join the GetSusp Group (https://community.mcafee.com/groups/getsusp30-beta-feedback?view=overview) to get and run GetSusp. This will produce a listing of non-whitelisted activity on your PC, so you may get some false positives from it. General feedback is that it's a very useful tool.
- Download and run the latest version of Malwarebytes to clean up anything that McAfee overlooks.
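The advice above to examine the wscsvc entry rather than delete it, and to check the MD5 of the image, can be done read-only from PowerShell; this is an added example, not part of the original posts. The function name `Get-Md5Hex` is hypothetical, and a match against the MD5 in the Spybot output only shows that the file is the one Spybot saw, not that it is a genuine Microsoft binary.

```powershell
# Added example: read-only inspection of the Security Center service (wscsvc).
# Run from a 64-bit PowerShell prompt so System32 is not redirected to SysWOW64.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'

# Standard meanings of a service's Start value.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# MD5 that Spybot printed for the image in the output quoted in this thread.
$reportedMd5 = '54A47F6B5E09A77E61649109C6A08866'

function Get-Md5Hex([string]$Path) {
    # Get-FileHash is not available in the PowerShell 2.0 shipped with Windows 7.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return ([System.BitConverter]::ToString($md5.ComputeHash($stream)) -replace '-', '') }
    finally { $stream.Close() }
}

# 1. Startup type as stored in the registry (nothing is written).
$svc = Get-ItemProperty -Path $svcKey
$start = [int]$svc.Start
"Start      : $start ($($startNames[$start]))"
"Status     : $((Get-Service -Name wscsvc).Status)"

# 2. Host process: should still be svchost.exe under System32.
$image = [Environment]::ExpandEnvironmentVariables($svc.ImagePath)
$exe = ($image -split '\s+-k\s+')[0].Trim('"')
$actual = Get-Md5Hex $exe
"ImagePath  : $image"
"Image MD5  : $actual"
if ($actual -eq $reportedMd5) {
    'Image MD5 matches the value in the Spybot output.'
} else {
    'Image MD5 differs from the Spybot output; compare against a known-good copy.'
}

# 3. The DLL that svchost loads for this service is named under Parameters\ServiceDll.
$params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
if ($params -and $params.ServiceDll) {
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    "ServiceDll : $dll"
    "DLL MD5    : $(Get-Md5Hex $dll)"
}
```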
Well, it seems it's finally cleared or at least under control; I no longer get the Windows Security Center warning.
I followed the suggestion of hayton and scanned the wscsvc directly with McAfee and found 3 tracking cookies, then downloaded Hitman Pro, Malwarebytes and SuperAntiSpyware.
Here is the screenshot of what Malwarebytes found:
I'll add the log too, if anyone wants to check it.
Message was edited by: snakemx on 4/17/11 10:37:13 PM CDT
Okay, good. Malwarebytes has identified the fake antivirus program and dealt with it. Tracking cookies are a nuisance, but McAfee, Malwarebytes and others can deal with those.
The most important thing is to get hold of every security update from Microsoft, McAfee, Firefox, Chrome, Java, Adobe, and all the rest just as soon as they come out. This is a game of cat-and-mouse, and the bad guys always have the advantage of surprise. The best we can do at the moment is to close off the loopholes as soon as they get noticed.
A warning about Malwarebytes : it comes in two versions. The free scanner, that you run just when you need to find and fix a problem, is okay with McAfee. But the other version - the one you have to pay for, the one that runs all the time - is not okay. If you try to run them both at the same time they will produce conflicts. If you notice a problem, stop Malwarebytes but don't stop McAfee.
I have a quote from a Malwarebytes developer which says that Malwarebytes is not designed to be an anti-virus tool, and cannot replace an anti-virus solution (like McAfee).
It will not conflict next year,
If the trusted list comes back, then you can trust items,
You can put the McAfee drivers/folders in the Exclusions for Malwarebytes and vice versa for McAfee,
This works for every other AV with MBAM PRO, so it should with McAfee.
Isn't the issue that both real-time scanners try to scan the same file at the same time? That causes the issue, I think.