snakemx Newcomer 4 posts since
Apr 17, 2011
Apr 17, 2011 10:29 PM

Help with Trojan Horse

Windows 7 home premium SP1

McAfee Antivirus

Spybot S&D

 

 

Three days ago I let my brother use my laptop; he clicked on some weird link and it got infected with this virus.

 

1.- I ran a complete scan with McAfee and discovered some malware, got rid of it, but immediately another problem emerged.

 

2.- Security Center can't be started. I thought that McAfee would have blocked it but I was wrong. I ran a check with Spybot and found this entry:

 

HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2

HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2 (64 bit)

SpyBot S&D shows that the above line is a security breach, and it directs me to this line in the registry.

 

I thought of going into safe mode to be able to destroy it but I was wrong. I ran a full scan with McAfee and found nothing, but saw that Real Time Scanning was off and I can't turn it on. I ran a scan with Spybot in safe mode and that message continues popping up and I keep getting the error. I checked with the Dell Support Center application and it shows that the McAfee firewall true status is "false" and I can't activate it either.

 

There are changes made in the antivirus, firewall, and SP1 update settings that shut them down. Any advice on how to correct the registry entries would be appreciated. I used Control Panel / Security settings, but the firewall was "locked OFF", and it would appear that I have lost administrator privileges to reset the firewall to "ON". Is it possible that the mscsvc key controls these settings?

 

 

Question: It seems that the wscsvc was an added entry created by the trojan, but I'm not that sure. Can I delete the entry?

 

I saved the Spybot scan results; I'll attach them if you want to check them out.

 

Please help

 

Message was edited by: snakemx on 4/17/11 10:21:16 AM CDT
  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010
    1. Apr 17, 2011 2:48 PM (in response to snakemx)
    Re: Help with Trojan Horse

    snakemx wrote:

     

    Windows 7 home premium SP1 / McAfee Antivirus / Spybot S&D

     

    I made a check up with spybot and found this entry:

    HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2

    HKLM\System\CurrentControlSet\Services\wscsvc\Start!=W=2 (64 bit)

     

    SpyBot S&D shows that the above line is a security breach, and it directs me to this line in the registry.

     

    wscsvc : "Monitors system security settings and configurations."

    For more information see http://localservicenetworkrestricted.svchost-exe.net/windows-security-center-service

     

    Don't delete the wscsvc entry from the registry. It's not advisable. You can examine the registry entries in more detail by using regedit, but be very cautious about changing anything.

     

    Your Spybot output shows the following relevant information :

    Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

     

     

    Service (registry key): wscsvc

    Registry path: \SYSTEM\CurrentControlSet\Services\

    Display name: Security Center

    Description: @%SystemRoot%\System32\wscsvc.dll,-201

    Object name: NT AUTHORITY\LocalService

    Image path: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted

    Image size: 20992

    Image MD5: 54A47F6B5E09A77E61649109C6A08866

    Control Set: CurrentControlSet

    Start: 4

    Type: 32

    Error Control: 1

    Depends On services: RpcSs,WinMgmt

     

     

    You might want to download a utility to check that the MD5 of the file is correct :

    http://www.softpedia.com/get/System/File-Management/MD5-Checker.shtml or

    http://download.cnet.com/MD5-Checker/3010-2092_4-10410639.html?tag=metaData;specsBox

     

    The Spybot output is just showing that Windows Security Center is disabled. If you've got a McAfee firewall running this is how it should be. That's not your problem. As for Spybot : if you are running TeaTimer, disable it. It clashes with McAfee.

     

    The output from running Spybot :

    I recommend that you look closely at the list of Browser Helper Objects in Internet Explorer and only keep enabled those which you genuinely need. In particular, I would be inclined to disable or remove the one that shows as "uTorrentBar Toolbar". Many toolbars are associated with adware and/or spyware.

     

    ActiveX : your version of Java is up to date, but if you don't actually need Java then you could uninstall it without losing much in the way of functionality. Java exploits are one of the ways your PC can become infected.

     

    Browser start & search pages list : search.conduit.com is your IE Start Page. Are you happy with this?

     

    If you've got a Trojan that is disabling your McAfee installation, try the following :

    - First, run MVT to check that your McAfee installation is undamaged and up to date; then go to the Windows Update page and download any outstanding Microsoft updates, both Critical and Optional.

    - Then, if you can open your McAfee Security Center, find the PC Optimization tab and run a QuickClean. If you can't do that then use the standard Windows utilities to clean up your file system; then run chkdsk (or equivalent on Vista). Basically, get rid of any junk to avoid misleading messages from scans.

    - Join the GetSusp Group (https://community.mcafee.com/groups/getsusp30-beta-feedback?view=overview) to get and run GetSusp. This will produce a listing of non-whitelisted activity on your PC, so you may get some false positives from it. General feedback is that it's a very useful tool.

    - Download and run the latest version of Malwarebytes to clean up anything that McAfee overlooks.


    Volunteer Moderator  Leeds, UK
    No PM's please
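
The registry values discussed in the reply above (the `Start` value, the account, the image path and its MD5) can be read without changing anything. The following is an added example, not part of any poster's reply: it assumes Windows PowerShell 2.0 or later as shipped with Windows 7, and the helper names `Get-Md5Hex` and `Get-ServiceRegistryInfo` are hypothetical.

```powershell
# Added example: read-only check of the Security Center service (wscsvc) entry.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'

# Documented meanings of a service's Start value in the registry.
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Hypothetical helper: MD5 of a file as upper-case hex, the format Spybot prints.
function Get-Md5Hex {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes) -replace '-', '')
    } finally {
        $stream.Dispose()
    }
}

# Hypothetical helper: summarize one service key without modifying it.
function Get-ServiceRegistryInfo {
    param([string]$KeyPath)
    $p = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $image = [Environment]::ExpandEnvironmentVariables([string]$p.ImagePath)
    # Strip arguments such as "-k LocalServiceNetworkRestricted" from the image path.
    $exe = $null
    if ($image -match '^"?(.+?\.exe)') { $exe = $Matches[1] }
    $start = [int]$p.Start
    $startName = $startTypes[$start]
    if (-not $startName) { $startName = 'Unknown' }
    $hash = $null
    if ($exe -and (Test-Path -LiteralPath $exe)) { $hash = Get-Md5Hex -Path $exe }
    New-Object PSObject -Property @{
        Service    = Split-Path -Leaf $KeyPath
        Start      = $start
        StartType  = $startName
        ObjectName = $p.ObjectName
        Executable = $exe
        ImageMD5   = $hash
    }
}

$info = Get-ServiceRegistryInfo -KeyPath $svcKey
$info | Format-List Service, Start, StartType, ObjectName, Executable, ImageMD5
if ($info.Start -ne 2) {
    "Start is $($info.Start) ($($info.StartType)); the Spybot line quoted above checks for 2."
}
```

The `ImageMD5` value is only meaningful when compared against the same file on a known-clean machine running the same Windows build and patch level.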
  • ConorD62 Champion 586 posts since
    Apr 9, 2010
    3. Apr 17, 2011 5:42 PM (in response to snakemx)
    Re: Help with Trojan Horse

    Real time Scanning doesn't run in Safe mode.

     


    If you need any help, please send me a message, the same goes for any malware questions.
  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010
    5. Apr 18, 2011 11:38 AM (in response to snakemx)
    Re: Help with Trojan Horse

    Okay, good. Malwarebytes has identified the fake antivirus program and dealt with it. Tracking cookies are a nuisance, but McAfee, Malwarebytes and others can deal with those.

     

    The most important thing is to get hold of every security update from Microsoft, McAfee, Firefox, Chrome, Java, Adobe, and all the rest just as soon as they come out. This is a game of cat-and-mouse, and the bad guys always have the advantage of surprise. The best we can do at the moment is to close off the loopholes as soon as they get noticed.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010
    7. Apr 21, 2011 8:50 PM (in response to snakemx)
    Re: Help with Trojan Horse

    A warning about Malwarebytes : it comes in two versions. The free scanner, that you run just when you need to find and fix a problem, is okay with McAfee. But the other version - the one you have to pay for, the one that runs all the time - is not okay. If you try to run them both at the same time they will produce conflicts. If you notice a problem, stop Malwarebytes but don't stop McAfee.

     

    I have a quote from a Malwarebytes developer which says that Malwarebytes is not designed to be an anti-virus tool, and cannot replace an anti-virus solution (like McAfee).


    Volunteer Moderator  Leeds, UK
    No PM's please
  • ConorD62 Champion 586 posts since
    Apr 9, 2010
    8. Apr 21, 2011 9:43 PM (in response to Hayton)
    Re: Help with Trojan Horse

    It will not conflict next year,

     

    If the trusted list comes back, then you can trust items,

     

    You can put the McAfee drivers/folders in the Exclusions for Malwarebytes and vice versa for McAfee,

     

    This works for every other AV with MBAM PRO, so it should with McAfee.


    If you need any help, please send me a message, the same goes for any malware questions.
  • Peacekeeper Volunteer Moderator 21,334 posts since
    Nov 23, 2002
    9. Apr 21, 2011 11:35 PM (in response to ConorD62)
    Re: Help with Trojan Horse

    Isn't the issue that both real time scanners try to scan the same file at the same time? That is what causes the issue, I think.


    Tony
    Volunteer Moderator
    Mcafee Total Protection 7.0 beta, Windows 8 64bit
    No Unrequested PMs please