Removed virus. Now: "The Windows Security Center service can't be started." Service is missing from services.msc. wscsvc- name is invalid
I recently got infected by the fake alert trojan exploiting a flaw in Adobe Reader handled through Firefox when clicking on a URL. I have removed the trojan with Malwarebytes and successfully fixed Microsoft Security Essentials, which was also knocked out by the trojan, by re-installing it. However, I still cannot start WSC and the typical fixes I have read regarding starting the service are of no help because the service is missing from the services list.

sfc /scannow reports no integrity violations.
Winmgmt, RpcSs, and DcomLaunch are running.
Net start wscsvc fails: The service name is invalid.
wscui.cpl is present in sys32 and launching brings me back to the action center which reports WSC is not running.

I do NOT run any third party anti-virus, firewall, etc software, other than Malwarebytes which is only run manually from time to time (does not have a live/real time feature). I am running Win 7 32-bit home premium.

Trojan removal details:

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\oracle\AppData\Local\dhk.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\oracle\AppData\Local\dhk.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\oracle\AppData\Local\dhk.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\oracle\AppData\Local\dhk.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Files Infected:
c:\$Recycle.Bin\s-1-5-21-1447159066-810095296-329476815-1000\$RVU1QM3.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\oracle\local settings\temporary internet files\Content.IE5\0OSDICLM\setup[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\oracle\AppData\LocalLow\Sun\Java\deployment\cache\6.0\22\39e1d656-73dbc4bb (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Assistance from the community would be greatly appreciated. Please let me know what additional information I can provide for your convenience. Thanks
May 21st, 2011 11:28pm

Hello, any restore point that dates before the appearance of your problem? If yes then use it to restore your system state using a restore point that dates before the infection. You can also perform a repair install and then re-install IE and Firefox.

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
May 22nd, 2011 6:24am

I had tried system restore before posting but that did not resolve the problem. I re-installed Microsoft Security Essentials successfully but don't find a way to reinstall WSC. Firefox has been restored.
May 24th, 2011 5:05pm

I had a similar "win7 antispyware" virus. Microsoft gave me the same answer and it didn't work; I couldn't even delete then re-install msc. After numerous futile attempts I installed a (free) AVI anti-viral on a 30 day trial. They have removed the 30 day restriction after I had 3 "trials"; all I need to do is manually update each week, and suffer the adverts whilst doing so. Still better than an unprotected computer. Still waiting for a Microsoft retort, if they could have sent one with the continuous crashes. Truthfully they ain't been much help.
gruntgrunt
May 25th, 2011 12:18pm

I had the exact same issue on a fresh installation and got that nasty bugger prior to the updates completing. I have found the solution though.

The registry while no longer infected is MISSING the entire string for wscsvc, goes from ws2ifsl to WSearch. Doing a scan on a different machine reveals that there should be a wscsvc in between them. Specifically under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\

The keys missing I exported off of the other machine and imported into the affected one and seem to have solved the issue.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"DisplayName"="@%SystemRoot%\\System32\\wscsvc.dll,-200"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
  72,00,69,00,63,00,74,00,65,00,64,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%SystemRoot%\\System32\\wscsvc.dll,-201"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,\
  4d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security]
"Security"=hex:01,00,14,80,c8,00,00,00,d4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,98,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
  00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,28,00,15,00,00,00,01,06,00,\
  00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,\
  7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
  00,00,00
June 20th, 2011 11:48pm

This topic is archived. No further replies will be accepted.
