CmdService can not be cleaned by SpyBot!!



franz
2006-01-31, 06:39
Hi,

I have been using SpyBot for a couple of weeks now. Since the first time it has been finding, and has been unable to clean, cmdService in two of my registry keys as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

I used HijackThis (downloaded from download.com) and ran it on my machine. The log file is included below:

My Internet has become quite sluggish. I am not sure if it is because of the cmdService or Win2000 SP4 that I just recently installed.

I would really appreciate it if you could help me to clean my machine from cmdService.

Many thanks in advance.

Fran.

===========================================
Logfile of HijackThis v1.99.1
Scan saved at 11:45:44 PM, on 1/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\zstatus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\AntiSpyWare\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://top-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://top-find4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9A969D50-D0BB-ADF0-0F99-C940F7EFA7B7} - C:\WINNT\jcyrapqp.dll (file missing)
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINNT\System32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Search - {907E1502-EFF2-7A17-A925-A599C066CF87} - C:\WINNT\jcyrapqp.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Wcnehdh] C:\Program Files\Rmxdc\Pscmulx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iblbppr] C:\WINNT\iblbppr.exe
O4 - HKLM\..\Run: [BDBBBEC0BFC0BEC5] 7A787B7D7C7D7B.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kcqoyr.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [Miae] "C:\Program Files\dsee\sred.exe" -vt yazr
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138144031559
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138143999873
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe (file missing)
=========================================================

franz
2006-02-01, 04:38
Hi Again,

My computer is getting worse. A lot of advertisement websites open up while I am browsing the internet. The speed of browsing is also very slow. It is really getting out of control. Appreciate your time and help. Thanks.

tashi
2006-02-01, 19:51
Hi there.
Please do not start multiple topics, I removed the new one.
I see you also posted here:
http://forums.spybot.info/showthread.php?t=2149
Please read the 'sticky' topics before posting, that way assistance won't be delayed. ;)

We are sorry for the wait, new infections (not necessarily on your own computer) take longer to clean up.
All malware removal sites are experiencing the same problem with some members waiting a week to be answered.

Please see the pinned sticky topic:
If you have waited three days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

Thank you.

LonnyRJones
2006-02-04, 04:33
Hi

Please disable SpybotSD TeaTimer for now and check for updates
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and Uncheck the box next to Teatimer.
"Resident TeaTimer (protection of all-over system settings) active"
Close SpyBot.
Don't turn it back on until we are completely finished.

Start Hijackthis and place a check next to these items If there.
Close all browser windows and shut down all other programs that show in the taskbar.(even Folders)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://top-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://top-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
R3 - Default URLSearchHook is missing
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINNT\System32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O4 - HKLM\..\Run: [Wcnehdh] C:\Program Files\Rmxdc\Pscmulx.exe
O4 - HKLM\..\Run: [iblbppr] C:\WINNT\iblbppr.exe
O4 - HKLM\..\Run: 7A787B7D7C7D7B.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\kcqoyr.exe reg_run
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [Miae] "C:\Program Files\dsee\sred.exe" -vt yazr
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
====================================
Hit fix checked and close Hijackthis.
Restart the PC into safe mode
http://www.microsoft.com/windows2000/techinfo/administration/management/safemode.asp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run SpyBot check for and fix any problems found, then run your antivirus program, do a full system scan.
Note: While the programs are scanning do not open any folders
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Restart back to a normal windows session

Post a fresh hijackthis log please, be sure to mention any current problems.

franz
2006-02-04, 06:18
Thanks for the time and attention.

I did follow your steps as directed. I do not have an antivirus, so was unable to perform the virus scan step. I am downloading the AVG antivirus following the suggestion on your website.

When I ran SpyBot in safe mode, it did find the same CmdService in the three registry entries (same as when I ran it in normal Windows mode). SpyBot only fixed one of the problems and for the other two popped up a message which I have attached. Briefly, it did exactly what it always does when I run SpyBot: finds the three entries and only fixes one of them. It asks to run SpyBot the next time I restart Windows, and it actually runs as expected and does exactly the same thing. I have included a new HijackThis log below:

=======================================================
Logfile of HijackThis v1.99.1
Scan saved at 11:27:23 PM, on 2/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\AntiSpyWare\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9A969D50-D0BB-ADF0-0F99-C940F7EFA7B7} - C:\WINNT\jcyrapqp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Search - {907E1502-EFF2-7A17-A925-A599C066CF87} - C:\WINNT\jcyrapqp.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138144031559
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138143999873
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe (file missing)

===================================================

LonnyRJones
2006-02-04, 08:19
Hi
Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {9A969D50-D0BB-ADF0-0F99-C940F7EFA7B7} - C:\WINNT\jcyrapqp.dll (file missing)
O3 - Toolbar: Search - {907E1502-EFF2-7A17-A925-A599C066CF87} - C:\WINNT\jcyrapqp.dll (file missing)
====================================
Hit fix checked and close Hijackthis.

Did you get the latest SpyBot updates?
SpyBot won't have problems with it unless the cmdservice registry key has a permissions problem.

Please download and unzip Ren-cmdservice to your desktop.
It will only work if the folder is placed on your desktop and extracted.
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by double-clicking it and then double-click the ren-cmdservice.bat file to run the program.
When the program finishes there will be a logit.txt file in the ren-cmdservice folder. Post the content of that file on the forum please, then restart your PC and do a check for problems with SpyBot.

franz
2006-02-04, 18:02
I did exactly follow your instructions. The content of the logit.txt is included below:

"Running from C:\Documents and Settings\Faranak\Desktop\ren-cmdservice"

franz
2006-02-04, 18:27
I restarted my PC and ran SpyBot (I regularly update it). It did find the same three CmdService entries and fixed only one. Same as always.

LonnyRJones
2006-02-04, 19:05
Hi

What are the contents of tmp.txt ?

franz
2006-02-04, 23:10
tmp.txt:

"No Image Path Listed in Registry
Running from C:\Documents and Settings\Faranak\Desktop\ren-cmdservice"

LonnyRJones
2006-02-05, 00:54
Thanks

I made some adjustments. Delete the one you have, redownload and extract, and run the batch file please, same instructions as before.

franz
2006-02-05, 01:59
Thanks. I will restart and run SpyBot now.

logit.txt:

"Running from C:\Documents and Settings\Faranak\Desktop\ren-cmdservice
No Image Path Listed in Registry

Original perms.

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\cmdservice:
Read NT AUTHORITY\INTERACTIVE
Full access BUILTIN\Administrators


-----------------
Adjusted permisions

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\cmdservice:
Full access BUILTIN\Administrators
Full access NT AUTHORITY\INTERACTIVE
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access NT AUTHORITY\SYSTEM


-----------------
Deleting cmdservie key
[SWSC] DeleteService FAIL
Delete Network Monitor if present
[SWSC] DeleteService FAIL
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
A Backup made was made, bakhive
Finised, Post the logit.txt then restart your PC please
ren-cmdservice.bat edited 2-4-2006
-----------------
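The logit.txt above records the two things that kept SpyBot from removing cmdService: the service key had no ImagePath, and its original DACL granted only Administrators (Full) and INTERACTIVE (Read), with no entry for SYSTEM. The batch file fixed the permissions with RegDACL and then deleted the key. As an added example (not part of this thread and not LonnyRJones's ren-cmdservice.bat), the PowerShell below audits every key under HKLM\SYSTEM\CurrentControlSet\Services for those same conditions so a defender can spot a self-protected service key before a cleaner silently fails on it. Function names are assumed; it expects an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example, not from the thread or from the ren-cmdservice.bat script.
# Audits service keys for the conditions the logit.txt above reported for
# cmdService: a Win32 service with no ImagePath, and a DACL that does not
# give NT AUTHORITY\SYSTEM full control (the original perms listed only
# Administrators: Full and INTERACTIVE: Read). Run elevated.

$FullControl = [System.Security.AccessControl.RegistryRights]::FullControl
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-ServiceKey {
    # Assumed function name; returns one object per key with a Findings list.
    param([Parameter(Mandatory)][string]$ServiceName)

    $keyPath  = Join-Path $ServicesKey $ServiceName
    $findings = [System.Collections.Generic.List[string]]::new()
    $props    = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue

    # Type 0x10 / 0x20 = Win32 service (own / shared process). Kernel and
    # file-system drivers (Type 1 / 2) may legitimately omit ImagePath, so only
    # a Win32 service without one is reported ("No Image Path Listed in Registry").
    $type = [int]($props.Type)
    if (($type -band 0x30) -ne 0 -and [string]::IsNullOrWhiteSpace($props.ImagePath)) {
        $findings.Add('Win32 service with no ImagePath value')
    }

    try {
        $acl = Get-Acl -LiteralPath $keyPath
    } catch {
        # An administrator who cannot even read the DACL has found something.
        $findings.Add("DACL unreadable: $($_.Exception.Message)")
        return [pscustomobject]@{ Service = $ServiceName; ImagePath = $props.ImagePath; Findings = $findings }
    }

    # A healthy service key grants SYSTEM full control, explicitly or by
    # inheritance from the Services key. $acl.Access lists both kinds of ACE.
    $systemFull = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        ($_.RegistryRights -band $FullControl) -eq $FullControl
    }
    if (-not $systemFull) { $findings.Add('NT AUTHORITY\SYSTEM lacks FullControl') }

    # Explicit Deny ACEs on a service key are rare in a normal configuration.
    foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        $findings.Add("Deny ACE for $($ace.IdentityReference.Value)")
    }

    # Inheritance is usually cut when a key has been re-ACLed by hand; note it
    # so the analyst can see why SYSTEM or others are missing.
    if ($acl.AreAccessRulesProtected) { $findings.Add('inheritance disabled') }

    [pscustomobject]@{
        Service   = $ServiceName
        ImagePath = $props.ImagePath
        Findings  = $findings
    }
}

function Get-SuspiciousServiceKeys {
    # Assumed function name; walks every service key and keeps only those with findings.
    Get-ChildItem -LiteralPath $ServicesKey |
        ForEach-Object { Test-ServiceKey -ServiceName $_.PSChildName } |
        Where-Object { $_.Findings.Count -gt 0 }
}

Get-SuspiciousServiceKeys |
    Format-Table Service, ImagePath, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -AutoSize
```

Treat the output as leads rather than verdicts: a few keys under Services are not services at all, and on current Windows releases some Microsoft-protected keys deliberately carry restricted DACLs. The check deliberately requires only SYSTEM full control, because that is the entry the cmdService key was missing and the one every cleaner that runs as a service depends on.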

franz
2006-02-05, 03:22
Thanks a lot for your help.

SpyBot did not find any CmdService. Does this mean that my PC is completely free of it? If yes, how can I keep it clean and prevent new attacks? There was a link sent by another member of SpyBot regarding the antivirus, firewall and other useful software to install on our PCs. Should I follow the recommendations? The link is below:

http://forums.spybot.info/showthread.php?t=279

franz
2006-02-05, 04:10
One more question. I have a-squared installed on my PC and I use it to scan my machine on a daily basis. It keeps finding tracking cookies (trace.trackingCookie) and I keep deleting them. Would SpyBot help me with them as well? Any recommendation on those? Thanks.

LonnyRJones
2006-02-05, 05:16
That's good news.

Yes, follow TonyKlein's advice.
Cookies are a minor problem. SpyBot's resident SDHelper does prevent some. If you exclude some cookies, like for instance this forum's, and then use the usage tracks file sets or the all available checks, SSD will delete all but your excluded cookies; I'm sure you're already aware of that.

Delete these files and folders if still present

C:\WINNT\iblbppr.exe
C:\WINNT\7A787B7D7C7D7B.exe
C:\Program Files\System Files
C:\Program Files\dsee
C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
C:\Program Files\CMMan

Submit this file here: http://www.virustotal.com/flash/index_en.html
C:\WINNT\system32\zstatus.exe
Let us know what was found

franz
2006-02-06, 00:34
Thanks,

Just a little confused: Which file do I need to submit to the website provided below?

And do I run the zstatus.exe? What does it do?

"Submit this file here> http://www.virustotal.com/flash/index_en.html
C:\WINNT\system32\zstatus.exe
Let us know what was found"

LonnyRJones
2006-02-06, 02:40
Hi
C:\WINNT\system32\zstatus.exe
Go to that website and browse to the file select it and submit

Don't execute the file by double-clicking on it

franz
2006-02-06, 17:09
Hi,

I submitted the file and it did not contain any viruses.

Seems like I am OK for now. Thank you very much for all the time and effort. Highly appreciated.

LonnyRJones
2006-02-06, 18:30
Good, but send me a copy too please, unless you know what program it belongs to?

Zip up and Send to submitlonny AT subratam.org
Replace AT and spaces with @ and include a link back to this thread.

franz
2006-02-09, 05:34
Do I use an external email tool, or is there a method to send an email using this forum?

One more question, should I turn the tea timer back on?

Thanks.

LonnyRJones
2006-02-09, 05:49
Yes, an email program or an internet service email page.

Please do turn on tea timer, thanks for reminding me.

LonnyRJones
2006-02-13, 12:13
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.
If you should need to post another log for the same PC, let me or Tashi know.