Win7 - Security Centre service missing after malware infection



wratterus
08-03-2011, 12:48 PM
Got a PC here that had NOD32 installed on it :xmouth:, and some darn cunning malware managed to sneak past and plant itself. It did all kinds of fun stuff, like making Internet Options vanish, changing the about:blank page, putting all sorts in the hosts file, breaking the .exe file association, totally killing NOD, and removing any sign of the Security Center service from the PC.

I've got pretty much all that sorted, everything appears to be running perfectly, except the security center won't work, and the service doesn't show up in the service list.

I've done a bit of googling, but haven't been able to find anything useful among the thousands of posts about Security Center not starting.

I've tried an sfc.

Anyone seen this before or knows of a fix? Thanks. :)

Speedy Gonzales
08-03-2011, 01:12 PM
This may help, post 6: (http://www.sevenforums.com/system-security/102491-can-not-turn-windows-security-center-service.html)

Run this command from an elevated command prompt to create the SC:

sc create wscsvc type= share start= delayed-auto error= normal binPath= "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" depend= RpcSs/WinMgmt obj= "NT AUTHORITY\LocalService" DisplayName= "Security Center"

From Jesper's post, this should provide the right security descriptor:

sc sdset wscsvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCRP;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

There is a reg file for WinXP online. Don't know if it applies to Win7 though.

wratterus
08-03-2011, 01:26 PM
Thanks Speedy, unfortunately that doesn't seem to work in Win7. Also, that reg key they were talking about is missing altogether from this PC too; the malware has had a real field day. I'll move the key over from mine and see if that helps matters at all.

Speedy Gonzales
08-03-2011, 01:26 PM
Get this reg file, post 2 (http://answers.microsoft.com/en-us/windows/forum/windows_7-security/windows-security-center-service-has-been-removed/47b55525-f0be-4434-95c3-265fbba64807). Looks like this fixes it. It MAY work with 32-bit as well.

wainuitech
08-03-2011, 01:27 PM
Never had the problem personally, but have you tried running the PC in the Admin account, or Start, type in wscui.cpl -- does it open?

Others have said ComboFix cured it; this would indicate the PC still has some sort of infection. There are a few about these days that kill ANY AV, no matter what it is (ain't they fun) :)

Another possible suggestion - same problem - first one here (http://answers.microsoft.com/en-us/windows/forum/windows_7-security/the-windows-security-center-service-cant-be/4d176d1c-e397-4570-bc88-8f0083f458b1)

OR this here (http://windowsxp.mvps.org/wscsvcfix.htm), it's for XP but may work - it's either going to work or spit it out :yuck:

Bit like a customer's PC I have here, needs XP LAN drivers to get W7 to work ;)

wratterus
08-03-2011, 01:32 PM
Moving the whole

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc

key from my PC to the other one has fixed the issue. Thanks for your help guys. Speedy, that first thread you pointed me to led me to that key so that's great, and the second one was the key.

Wainui, the file I could have downloaded in that second link you provided is that key I moved - it's exactly the same thing. Great minds think alike (or fools seldom differ, I can never remember which applies.):p :thumbs:

Cheers guys!

Speedy Gonzales
08-03-2011, 01:33 PM
Try the reg file I posted

This. Save this as a reg file, run it / allow it / reboot.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"DisplayName"="@%SystemRoot%\\System32\\wscsvc.dll,-200"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
  72,00,69,00,63,00,74,00,65,00,64,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%SystemRoot%\\System32\\wscsvc.dll,-201"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,\
  4d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security]
"Security"=hex:01,00,14,80,c8,00,00,00,d4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,98,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
  00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,28,00,15,00,00,00,01,06,00,\
  00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,\
  7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
  00,00,00

wratterus
08-03-2011, 01:44 PM
Yeah, Speedy, what you posted is the whole HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc key - exactly what I exported from my PC and imported to the other one. Works perfectly. :thumbs:

Speedy Gonzales
08-03-2011, 01:45 PM
Sweet !

wainuitech
08-03-2011, 02:04 PM
Sweet that it's fixed.

Great minds think alike (or fools seldom differ, I can never remember which applies.)

I prefer the second one :p That way there's an excuse when it all turns pear-shaped -- I dunno - I dumb :D