Combofix ballsup in Vista wscsvc.dll



wratterus
07-08-2009, 11:39 AM
Right, someone else was cleaning out spyware, ran Combofix through, and it seems to have removed the wscsvc.dll file. (Windows security center.)

I've tried re-registering every dll file I can find, clearing repositories, reinstalling SPs, none of it has made any difference.

When the Security Centre service (or what's left of it) is opened, the message 'The specified device instance handle does not correspond to a present device' comes up, and none of the service properties will open.

I'm going to overwrite the file with a copy from another vista installation and see if that works, apart from that I'm out of ideas. Thought I'd post this as it seems I'm not the only one (http://www.bleepingcomputer.com/forums/topic246994.html) with this issue, and a resolution might help someone else. :badpc:

Blam
07-08-2009, 11:50 AM
Have you tried performing a repair(upgrade) install?

I've seen this before. The nasty viruses infect integral system files.

Blam

wratterus
07-08-2009, 11:55 AM
Does Vista allow you to upgrade itself? (eg do the same as an XP repair-reinstall)? A normal repair does nothing, why can't Vista be like XP in this respect! :p

Speedy Gonzales
07-08-2009, 12:03 PM
Run trojan remover in safe mode / networking, (if this is 32 bit), click on scan, see what else it can find. Select all options under the utils menu. They / You should have tried other methods first (before using Combofix)

wratterus
07-08-2009, 12:11 PM
I'm all too well aware of that Speedy. :p

Already run TR through, the PC is clean as a whistle.

I've also taken ownership of the folder and subcontainers, and it won't let me change the files, also looks like this is an issue without a resolution too, so no replacing the file.

I'm interested in what you mentioned earlier Blam about the upgrade, is it possible to do that in the same way XP would do a repair-reinstall? I always thought you couldn't do that in Vista.

Running VHP here.

Blam
07-08-2009, 12:13 PM
> Run trojan remover in safe mode / networking, (if this is 32 bit), click on scan, see what else it can find. Select all options under the utils menu. They / You should have tried other methods first (before using Combofix)

The file was infected. TR obviously did not detect it and Combofix did. It is likely that other System Files were/are infected also.

In cases like these a clean install is best. But if you're desperate, a repair(upgrade) install *may* be able to fix it. Have you tried sfc /scannow yet? It's possible the System File Checker executable is infected too, so : s

Wratterus. Read this:
http://www.vistax64.com/tutorials/88236-repair-install-vista.html

Blam

Speedy Gonzales
07-08-2009, 12:14 PM
What version of Vista is it? Although it may not matter, it's probably the same file (wscsvc.dll). Did you manage to extract that file?

Blam
07-08-2009, 12:16 PM
If you really need to extract that file from a Vista DVD mount the WIMs and copy it from there.

wratterus
07-08-2009, 12:18 PM
> In cases like these a clean install is best. But if you're desperate, a repair(upgrade) install *may* be able to fix it. Have you tried sfc /scannow yet? It's possible the System File Checker executable is infected too, so : s
>
> Wratterus. Read this:
> http://www.vistax64.com/tutorials/88236-repair-install-vista.html
>
> Blam

Done SFC. I'm 99.9% confident there aren't any more infected files on the machine, at least nothing active.

Thanks for that link, got SP2 installed, looks like I'd better go back to SP1 then try the upgrade with a SP1 disk I have here.

Will also clone the drive before going any further. :p

The issue is not getting hold of another wscsvc.dll file, it's not being able to remove the old one. (just realized I said the file had been removed in the first post. Corrupted or ****ed would have been the better use of words, as it's still there...)

Thanks for the help...

Speedy Gonzales
07-08-2009, 12:31 PM
Take ownership of the file first (http://www.howtogeek.com/howto/windows-vista/how-to-delete-a-system-file-in-windows-vista/)

wratterus
07-08-2009, 12:38 PM
> Take ownership of the file first (http://www.howtogeek.com/howto/windows-vista/how-to-delete-a-system-file-in-windows-vista/)

Ahh, I had forgotten about (I)cacls.

The command mentioned there seems to be correct but won't work, just trying again now.

takeown /f directory_name /r /d y
icacls directory_name /grant administrators:F /t


^^ That worked. The built-in help provided about the icacls command doesn't seem to be right! :lol:

Replaced the file - the whole security center stopped working, allowed me to turn it on again, but went straight back to the same situation. I'll do a clone, and try Blam's idea of a repair. Any other ideas please do let me know, I'm keen as to solve this one! :p
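
An added example, not part of the original posts: the takeown/icacls approach from the post above, scoped to the single file rather than a whole directory tree, with the ACL saved first and ownership handed back to TrustedInstaller afterwards. It assumes an elevated command prompt; `D:\known-good\wscsvc.dll` is a hypothetical path to a known-good copy.

```batch
@echo off
rem Added example: replace one protected system file, then put its owner and ACL back.
rem GOOD is a hypothetical path to a known-good copy (e.g. taken from install media).
setlocal
set "TARGET=%SystemRoot%\System32\wscsvc.dll"
set "GOOD=D:\known-good\wscsvc.dll"
set "ACLFILE=%TEMP%\wscsvc_acl.txt"

rem 1. Save the current DACL. icacls /save does not record the owner.
icacls "%TARGET%" /save "%ACLFILE%" || goto :fail

rem 2. Take ownership of this one file for the Administrators group and grant
rem    full control on it only (no /r or /t across the directory tree).
takeown /f "%TARGET%" /a || goto :fail
icacls "%TARGET%" /grant administrators:F || goto :fail

rem 3. Keep the suspect file for later analysis, then copy in the replacement.
copy /y "%TARGET%" "%TEMP%\wscsvc.dll.suspect" >nul || goto :fail
copy /y "%GOOD%" "%TARGET%" >nul || goto :fail

rem 4. Hand ownership back to TrustedInstaller while Administrators still
rem    hold full control on the file.
icacls "%TARGET%" /setowner "NT SERVICE\TrustedInstaller" || goto :fail

rem 5. Restore the saved DACL. /restore takes the parent directory because the
rem    saved file stores the file name relative to it.
icacls "%SystemRoot%\System32" /restore "%ACLFILE%" || goto :fail

rem 6. Ask System File Checker to verify just this file.
sfc /verifyfile=%TARGET%
exit /b %errorlevel%

:fail
echo A step failed; check the owner and ACL of %TARGET% by hand.
exit /b 1
```

The saved ACL is whatever was on the file when the script started, so if permissions were already changed during earlier troubleshooting, compare it against the same file on a clean installation before restoring.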

wratterus
07-08-2009, 01:09 PM
Ah well...customer needs their PC back. I just turned off the security center notifications.

Wish I had found a resolution to this issue, definitely going to keep the repair/upgrade in mind for the future though. :thumbs: