View Full Version : Command Service
Hello,
My PC was recently infected with a trojan/virus called drsmartload which was carried by something called ErrorSafe. SpyBot identified this, DSO Exploit and something called Command Service (i donīt know what this is !). I seem to have successfully got rid of drsmartload and DSO Exploit but iīm unable to get rid of Command Service from the 3 registery keys that are identified, SpyBot identifies them, tells me it has been able to delete one of the keys (the 003 KEY) but says it is unable to delete the other 2 as they may be in use as part of the memory. When i reboot SpyBot and it checks again it identifies all 3 as being back ! These are the results.
Command Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdServices
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdServices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdServices
My system is XP with SP2. I use AvastAntiVirus, SpywareBlaster, AdAware SE, Registery Mechanic (free version) and i have just downloaded Ewido. The only application which identifies Command Service is SpyBot.
Is it Malware\Spyware\Trojan\Virus ? If so could someone please advise me how to get rid of it ?
Iīm not very techie and it has taken me a week to get this far so any help in solving this one would be very much appreciated.
Thanks in advance.
My apologies, i have just been browsing around some of your other forums and did a search in the SpyBot forum for Command Service and found the answers to my question above. :o
It seems like it is a false positive (iīm off to find out what that is).
The last week certainly has been a learning curve for me about the workings of PCīs.
Keep up the good work people.
:beerbeerb
Me again :o
Iīm not so sure it is a false positive having read this >>>>>>
"It is a false possitive unless a 020 cmdservice command.exe is also present"
and the ending of my alerts did not end in "mchInjDrv".
I am confused, could someone please address my original question above.
I have all the latest downloads for all my applications.
Thanks.
Hello again, please find my HijackThis report below. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 17:19:19, on 09/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bbc.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Telefonica Kit ADSL USB\CnxDslTb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136039374688
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136039326288
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{81337949-BA04-41E8-8B74-B9731395733F}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
LonnyRJones
2006-01-12, 12:06
Hi Kabeja
I suggest you uninstall this program via addremove programs then delete its folder
C:\Program Files\Spyware Cleaner
There will be a correction soon to target cmdServices correctly. you can either wait or if your familur with regedit we can delete it manualy ?
Its only a leftover i believe.
Hello,
I have already identified and removed spyware cleaner from my system with SpyBot and removed the relevant files.
Command Service still remains and i have tried to do it manually via the regedit but with no luck, as i said earlier SpyBot manages to get rid of the 03 string but on reboot itīs all back ! Having said that it does not seem to be posing too much of a problem (unless it can be used by a malicious code to enter the system ? ). Could you tell me what it is a leftover from ?
If you know a way of removing it manually using regedit i would be willing to give it a go.
Many thanks.
LonnyRJones
2006-01-12, 13:07
Hi
Command service = is an advertising company
Its not in your Hijackthis log, so it is not active.
What happens when you attempt to delete cmdservice manualy using regedit ? error message ?
Hello,
No, not an error message but a Warning window, it says,
Some problems couldnīt be fixed; the reason could be that the associated files are still in use (in memory).
This could be fixed after a restart.
May Spybot- S&D run on your next system startup ?......Y/N
Spybot fixes the 03 string but on reboot it can not get rid of CommandService. Usually the 03 string is still not there at this point but after using the PC for a while it is there when i run a Spybot check !
When i try to fix it manually using regedit it is actually in a sub folder of cmdServices called Enum and when i try to delete it from this i get an Error deleting values message which says...Unable to delete all specified values.
Hope this is of some use to you.
Thanks.
LonnyRJones
2006-01-13, 04:24
Hi
Could you export and post the cmdservice key from currentcontrolset
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
Open regedit and navigate to the cmdservice key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
If you have trouble deleting a key. Then click once on the key name to highlight it and Rightclick > Permissions. Then make sure you are Administrator and give yourself Full Control of that key. place a check next to allow full control (if its not there already)
You might need to click advanced and place a check next to [x] inherit from parent the permissions that apply to child objects. Click Apply then ok untill your back at the suspect service key , right click and delete the key
Close the registry editor when done.
You might need to change permisions on the cmdservice\enum key
Its only nessesary to have deleted the bad key under currentcontrolset but
if these are present we might as well delete them also.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService
Hello again,
I followed your instructions and changed permissions, i then found the current control set\cmdService key and this time it let me delete it :bigthumb: I then checked the 01\02\03 keys but they had gone already. I did not need to change permission on the cmdService\EDUM key.
I then ran another Spybot check and the CommandService reappeared but when i checked them this time all three keys were deleted by Spybot. :bigthumb:
I then rebooted the PC and ran another Spybot check and this time it came back as "no immediate threats found. :bigthumb:
It appears CommandService has gone. :o)
Do i need to reset the permissions back to where it was previously ?
Many, many thanks for all your patience and help, keep up the good work.
Gratefully yours,
Kabeja. :beerbeerb
LonnyRJones
2006-01-13, 15:19
Hi Kabeja.
which branch did you change permision on ?
I suggested changing them on the cmdservice key itself or its enum key if nessesary, no where else.
Hello Lonny,
I changed the permission on the cmdService key then opened the edum key and deleted the cmdService part in the edum key which had been the problem, before i changed this permission it had not been possible to delete this key, after permission was changed i was able to delete the part i wanted. It was not necessary to change permission on the edum key. I did not change permission on any other keys.
Do i need to reset the permission back to where it was ?
Thanks,
Kabeja.
LonnyRJones
2006-01-13, 16:00
:)
Im confused, If the cmdservice key is deleted how can we change permisions back ? the enum key your refering to was just under cmdservice correct
Like:
HKLM\SYSTEM\CurrentControlSet\Services\cmdServices\enum
Hello Lonny,
Let me try and articulate this (sorry, i did say i was not much of a techie !)
I located the cmd\services key in the left hand column of the registery,
I then changed permission on it,
I then opened up the enum key which gave me a set of keys in the right hand column of the registery,
I then located the key in the right hand column which i had been unsuccessfully trying to delete and was this time successful in deleting.
I then closed the registery and reran Spybot twice with it coming back clean on the second run (after reboot). I did not check the registery afterwards.
I assumed i had only deleted the relevant key (in the right hand column) within edum.
I have just checked the registery and found that both the cmdServices key and its enum have both gone (deleted presumably). So i now realise i can not change the permission back :o
There were other keys (in the right hand column) within these two keys, were they integral to my system or only relevant to the cmdServices key and its edum ?
Sorry for any confusion and i hope the above explains what i did.
Cheers,
Kabeja.
PS. My system seems to be operating very well. :)
LonnyRJones
2006-01-13, 16:48
Ok, Good
No not to worry if you only changed permisions on cmdservice or its subkeys
If there are no problems i think we are finished ?
Hello Lonny,
No further problems here. Thank you once again for your time and advice, much appreciated mate.
Great support forum, keep up the good work.
Cheers,
Kabeja.
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please pm me or one of the forum mods.
Glad we could help. :bigthumb: