-
July 26th, 2006, 05:14 PM
#1
Microsoft Security Center
I have a Win XP home 2.6GHz computer using prodigy, yahoo internet
dial up. Spybot on a scan gave the following problem:
"microsoftwindowssecurity center_disabled"
"Settings"
HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc|Start=W=2
"Registry Change"
I also suspect someone has hijacked my E-Mail name as I am getting
notices of e-mail failure for things I never sent and it uses my E-Mail address.
What does all this mean and how do I fix it? I had SpyBot fix the registry problem. Should I get rid of my current e-mail address?
Thanks, Jerry
-
July 27th, 2006, 04:18 PM
#2
I also suspect someone has hijacked my E-Mail name as I am getting
notices of e-mail failure for things I never sent and it uses my E-Mail address.
Not uncommon these days. Anyone who has your email address in their address book could have been infected with a worm and then it used your address randomly to send itself out to everyone else in the address book. Not a lot you can do but wait until the person who's infected finds out or you could change your email address. It would be nearly impossible to figure out who's responsible. I'd wait a little while longer though, those things usually don't last forever... Just a few more days maybe/hopefully.
It's also possible that your address was just simply stolen from some list and used illegally but I'd still wait a few days before taking the drastic step of changing your current address and letting everybody you know about it.
-
July 27th, 2006, 04:49 PM
#3
Normally, it says incorrect password. When you send email that is not encrypted, then it is easy for the bots to capture your email address. I use Mailwasher Pro to preview my email while it is still on my ISP's server, and I just delete these. These malware idiots are just trying to get you to click on the URLs, where they can put malware on your computer.
Cheers,
Linda
-
July 29th, 2006, 11:15 PM
#4
I ran several scans on my computer which showed nothing wrong. Then
it happened again after spybot caught it the first time and removed it.
Would changing my password help? What does this mean:
"microsoftwindowssecurity center_disabled"
"Settings"
HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc|Start=W=2
How are they getting to my computer?
Thanks, Jerry
-
July 30th, 2006, 05:19 AM
#5
According to CastleCops and Bleeping Computer, wscsvc.exe is trouble: Recommend following the instructions on this VirtualDr page: and then let one of our experts take a look at your HijackThis log.
-
August 7th, 2006, 12:07 AM
#6
I have not been able to remove the wscsvc.exe. Spybot reports it disables
the Microsoft Windows Security Center and fixes the problem with the registry
but does not remove the problem. I have followed the advice given at this
site and downloaded EWIDO anti Spyware and installed it. Got the updates
then ran the program in safe mode. The wscsvc.exe was not found. I also
ran Ad Aware, System Mechanic 5 spyware program, and Avast anti virus.
None of these programs found the virus. Is this a virus or start-up program
installed by spyware? I need HELP in finding a tool that removes this problem
from my computer. Below is the log of what the EWIDO anti spy program
found: If possible please get back with how I can fix my computer.
Also why did I have to run EWIDO in safe mode? Should the other programs
I have on this computer also be run in safe mode?
********************************************************
Log:
+ Scan result:
C:\Program Files\Microsoft AntiSpyware\Quarantine\A0DDAEC1-3732-4EF6-AF3C-CB48C7\5965DBF1-EC88-4A36-94BA-20E195 -> Adware.BMCentral : No action taken.
C:\Program Files\DogpileToolbar -> Adware.Dogpile : No action taken.
C:\Program Files\DogpileToolbar\tbinstall.log -> Adware.Dogpile : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DogpileToolbar -> Adware.Dogpile : No action taken.
:mozilla.10:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.126:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.13:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.60:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.61:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.62:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.63:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.64:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.65:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.66:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.67:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.68:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.69:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.6:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.70:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.71:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.72:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.73:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.74:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.75:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.76:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.77:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.78:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.79:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.85:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Ad-logics : No action taken.
:mozilla.91:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.92:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.56:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.57:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.58:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.59:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.128:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Centrport : No action taken.
:mozilla.129:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Centrport : No action taken.
:mozilla.130:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Centrport : No action taken.
:mozilla.17:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.Centrport : No action taken.
:mozilla.18:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.19:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.20:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.269:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.45:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.46:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.47:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.48:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.49:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.50:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.51:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.52:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.53:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.6:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.159:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.160:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.82:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.109:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.110:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.111:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
:mozilla.23:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.Goclick : No action taken.
:mozilla.80:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.81:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.82:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.41:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.87:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.88:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.89:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.90:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.244:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.245:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.246:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.167:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.21:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.22:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.23:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.24:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.86:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.258:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.259:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.260:C:\Documents and Settings\GERALD HILLMAN\Application Data\Mozilla\Profiles\jerry.hillman\cuipxffp.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.55:C:\Documents and Settings\Guest\Application Data\Mozilla\Profiles\jerry.hillman\7vuj4km3.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
::Report end
-
August 7th, 2006, 06:26 AM
#7
Running in safe mode is usually recommended if an a/v or spyware scanner has found some malware but can't remove it because the process is in use and it can't be disabled. Safe mode doesn't allow the virus to load/run when Windows starts so the scanner can delete it.
In your Ewido scan I see that Windows defender has quarantined
Adware.BMcentral so you can ignore that for now since it's now benign and Ewido has also found and ignored Dogpile toolbar which you can uninstall by the looks of it yourself from add/remove programs if you want to.
The rest is a bunch of cookies which you can delete but are not a major threat and would not be causing any of the problems you're having.
Do a file search on your computer for wscsvc or wscsvc.exe and see if you can find it and if you do submit it here...
http://virusscan.jotti.org/ for analysis.
Also, let us see a hijackthis scan as requested and have a look at this thread directly from Spybot's forums about the security center warning.
http://forums.spybot.info/showthread.php?t=6119
and..
http://forums.spybot.info/showthread.php?t=205
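
Added example, not part of the original posts: a Python sketch of the triage described in the reply above, sorting Ewido-style findings into tracking cookies, items already sitting in a quarantine folder, and entries that still need a look. The sample lines are constructed in the same `object -> Detection : action` layout as the posted log, and the bucket names are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample, modelled on the layout of the log posted in this thread.
SAMPLE_LOG = r"""
+ Scan result:
C:\Program Files\ExampleToolbar -> Adware.Example : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleToolbar -> Adware.Example : No action taken.
:mozilla.10:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\u\abc.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\u\abc.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.85:C:\Documents and Settings\User\Application Data\Mozilla\Profiles\u\abc.slt\cookies.txt -> TrackingCookie.Adtech : No action taken.
C:\Program Files\Scanner\Quarantine\0001\0002 -> Adware.Other : No action taken.
::Report end
"""

# Optional ":store.index:" prefix (cookie entries), then object, detection, action.
FINDING = re.compile(
    r"^(?::(?P<store>[a-z]+)\.(?P<idx>\d+):)?"
    r"(?P<obj>.+?) -> (?P<name>\S+) : (?P<action>.+)$"
)


def parse(log):
    """Yield one dict per finding; header and footer lines do not match."""
    for line in log.splitlines():
        m = FINDING.match(line.strip())
        if m:
            yield m.groupdict()


def bucket(finding):
    """Assign a finding to one of three hypothetical triage buckets."""
    if finding["name"].lower().startswith("trackingcookie."):
        return "cookie"        # privacy nuisance, not running code
    if "\\quarantine\\" in finding["obj"].lower():
        return "quarantined"   # already contained by another scanner
    return "review"            # installed files or registry keys


def triage(log):
    """Return (counts per bucket, {detection: [objects]} for 'review')."""
    counts, review = Counter(), {}
    for f in parse(log):
        b = bucket(f)
        counts[b] += 1
        if b == "review":
            review.setdefault(f["name"], []).append(f["obj"])
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    print(dict(counts))
    for name, objs in review.items():
        print(name, *objs, sep="\n  ")
```
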
-
August 7th, 2006, 01:38 PM
#8
A file search did not list it but I have determined that each time I start
the computer my registry gets changed and if I run spybot I can change
it back. This has been identified as a trojan. I need to find out what start-up
program is doing this and remove it and the trojan. I ran autoruns.exe and so
many startup were listed I did not know where to look. I have determined
wscvc.exe was added by a password stealing Banker TROJAN. How do I find
and remove it from my computer?
Thanks, Jerry
Last edited by jerryhillman; August 7th, 2006 at 03:51 PM.
-
August 7th, 2006, 04:59 PM
#9
-
August 8th, 2006, 07:13 PM
#10
I just read the two spybot sites about false notifications or whatever they are.
This is the notice I get every time I boot up:
"microsoftwindowssecurity center_disabled"
"Settings"
HKEY_LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc|Start=W=2
After reading the spybot site I am not sure I have a virus or trojan?
But why is the security center being disabled and is that important?
Is the wscsve.exe a virus or trojan? Why is wscsve.exe being reported
by spybot?
Thanks, Jerry
-
August 10th, 2006, 09:35 AM
#11
let us see a hijackthis scan